Dec 25, 2021

4-Year-Old Microsoft Azure Zero-Day Exposes Web App Source Code

The security vulnerability could expose passwords and access tokens, along with blueprints for internal infrastructure and finding software vulnerabilities.
The Microsoft Azure App Service has a four-year-old vulnerability that could reveal the source code of web apps written in PHP, Python, Ruby or Node that were deployed using Local Git, researchers said.
The bug has almost certainly been exploited in the wild as a zero-day, according to an analysis from Wiz. The firm dubbed the vulnerability “NotLegit,” and said it has existed since September 2017.
The Azure App Service (aka Azure Web Apps) is a cloud computing-based platform for hosting websites and web applications. Local Git meanwhile allows developers to initiate a local Git repository within the Azure App Service container in order to deploy code straight to the server. After deployment, the application is accessible for anyone on the internet under the *.azurewebsites.net domain.

The issue arises because when using Local Git, the Git folder is also uploaded and publicly accessible on unpatched systems; it’s placed in the “/home/site/wwwroot” directory, which anyone could access.
This has serious ramifications from a security perspective, according to the firm.
“Besides the possibility that the source contains secrets like passwords and access tokens, leaked source code is often used for further sophisticated attacks like gathering intel on the R&D division, learning the internal infrastructure, and finding software vulnerabilities,” researchers noted in a posting this week. “Finding vulnerabilities in software is much easier when the source code is available.”
They added, “basically, all a malicious actor had to do was to fetch the ‘/.git’ directory from the target application, and retrieve its source code.”
Microsoft did originally deploy a mitigation, in the form of adding a “web.config” file to the Git folder within the public directory that restricted public access; it turns out this is an incomplete fix though.
“Only Microsoft’s IIS webserver handles web.config files,” according to Wiz. “But [if] you use PHP, Ruby, Python or Node… these programming languages are deployed with different webservers (Apache, Nginx, Flask, etc.), which do not handle web.config files, leaving them unimpacted by the mitigation and therefore completely vulnerable.”
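As an added example (not Wiz's or Microsoft's code), a small audit of the layout the article describes: it flags a .git folder under the web root and treats Microsoft's web.config mitigation as effective only when the runtime is served by IIS. The directory paths, the runtime labels and the placeholder web.config content are assumptions.

```python
"""Audit an App Service-style web root for an exposed Local Git folder."""
import os
import tempfile
from dataclasses import dataclass

# Runtimes the article names whose App Service web server is not IIS, so a
# web.config dropped into the Git folder is ignored there.
NON_IIS_RUNTIMES = {"php", "python", "ruby", "node"}


@dataclass
class Finding:
    git_present: bool        # .git/HEAD exists under the web root
    webconfig_present: bool  # Microsoft's mitigation file exists in .git
    runtime: str             # assumed runtime label, e.g. "php" or "dotnet"

    @property
    def exposed(self) -> bool:
        # Protected only when the mitigation exists AND the server honours it.
        if not self.git_present:
            return False
        return not (self.webconfig_present and self.runtime not in NON_IIS_RUNTIMES)

    def describe(self) -> str:
        if not self.git_present:
            return "no .git folder in web root"
        if not self.exposed:
            return ".git present; web.config restricts access under IIS"
        if self.webconfig_present:
            return f"web.config present but {self.runtime} is not served by IIS; .git is exposed"
        return ".git folder in web root with no access restriction"


def audit_wwwroot(wwwroot: str, runtime: str) -> Finding:
    git_dir = os.path.join(wwwroot, ".git")
    git_present = os.path.isfile(os.path.join(git_dir, "HEAD"))
    webconfig_present = os.path.isfile(os.path.join(git_dir, "web.config"))
    return Finding(git_present, webconfig_present, runtime.lower())


def demo() -> dict:
    """Constructed layout mirroring the article: .git inside wwwroot plus the
    web.config mitigation, audited once per runtime label."""
    with tempfile.TemporaryDirectory() as root:
        wwwroot = os.path.join(root, "home", "site", "wwwroot")
        os.makedirs(os.path.join(wwwroot, ".git"))
        with open(os.path.join(wwwroot, ".git", "HEAD"), "w") as f:
            f.write("ref: refs/heads/master\n")
        with open(os.path.join(wwwroot, ".git", "web.config"), "w") as f:
            f.write("<configuration/>\n")  # placeholder, not Microsoft's real file
        return {rt: audit_wwwroot(wwwroot, rt).exposed for rt in ("dotnet", "php", "node")}
```

Running `demo()` reports the same .git folder as protected under the IIS-served runtime and exposed under PHP and Node, which is exactly the gap in the original mitigation.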
Wiz reported the lingering bug to Microsoft in October and was awarded a $7,500 bounty for the discovery; Microsoft deployed fixes and notified affected users by email between Dec. 7 and 15.
Git folders are often mistakenly exposed through misconfiguration (not just vulnerabilities, as in this case), and as such, cybercriminals are on the lookout for them, researchers warned.
“An exposed Git folder is a common security issue that users make without even realizing it,” they said. “Malicious actors are continuously scanning the internet for exposed Git folders from which they can collect secrets and intellectual property.”
Wiz deployed a vulnerable Azure App Service application and linked it to an unused domain to see if there would be any exploitation.
“[We] waited patiently to see if anyone tried to reach the Git files,” they said. “Within four days of deploying, we were not surprised to see multiple requests for the Git folder from unknown actors… this exploitation method is extremely easy, common and is actively being exploited.”
The following users should evaluate the potential risk, according to Wiz, and make sure to update their systems:
“Because the security issue was in an Azure service, cloud users were exposed on a big scale, and without them knowing or having any control over it,” researchers noted.