Azure XSS vulnerabilities

Critical XSS vulnerabilities found in Microsoft Azure Bastion and Container Registry


Two “high-risk” security vulnerabilities have been disclosed in Microsoft Azure Bastion and Azure Container Registry. Both could have been exploited to carry out cross-site scripting (XSS) attacks, allowing an attacker to read and modify data within the affected Azure service's iframe in the victim's browser.

What’s an XSS attack?

XSS attacks occur when an attacker injects malicious script into a trusted website so that it runs in the browsers of users who visit the site, with the same access to the page and its session as the site's own code.

Orca Security researcher Lidor Ben Shitrit discovered the two flaws, “which exploit a weakness in the postMessage iframe. This weakness allows cross-origin communication between Window objects.”

What is postMessage?

“postMessages are used by applications to send messages from one window to another. However, there have been many security implications in postMessages and they can pose a serious security risk if they’re not implemented correctly.”

How an attack would work

Exploiting these vulnerabilities would require a threat actor to:

  1. Conduct reconnaissance on various Azure services to identify vulnerable endpoints embedded within the Azure portal. Such endpoints may lack an X-Frame-Options header or ship a weak Content Security Policy (CSP), so a page on an attacker-controlled server can load them in an iframe.
  2. Embed the vulnerable endpoint in an iframe on that server and target its postMessage handler, the code in the page that processes messages delivered from other windows through window.postMessage.
  3. Analyze the legitimate postMessages that portal.azure[.]com sends to the iframe, craft payloads in the same shape, and deliver them from the attacker-controlled parent page via postMessage.

The crafted message manipulates the embedded endpoint, triggers the XSS flaw, and executes the attacker's code in the victim's browser within the context of the Azure service.
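The three steps above, as an added illustration that is not Orca's proof of concept or Microsoft's code. It models the reconnaissance check (can a cross-origin page frame the response?) and a postMessage handler in a vulnerable and a hardened form, as plain functions that run in Node without a browser. The trusted-parent origin, the `setLabel` message shape, the function names and the sample headers are assumptions made for the example.

```javascript
// Added illustration (not Orca's PoC or Microsoft's code): the three steps of
// the chain above, modelled as plain functions so they run in Node without a
// browser. TRUSTED_PARENT, framingAllowed and the "setLabel" message shape
// are assumptions for the example.

const TRUSTED_PARENT = "https://portal.azure.com"; // only this origin may drive the iframe (assumed)

// Step 1 (reconnaissance): can a cross-origin page at embedderOrigin frame a
// response carrying these headers? `headers` uses lowercase header names, as a
// fetch() Headers object would give. Simplified: frame-ancestors is matched by
// exact origin only (no scheme- or wildcard-host sources).
function framingAllowed(headers, embedderOrigin) {
  const csp = headers["content-security-policy"] || "";
  const directive = csp.split(";").map(d => d.trim())
    .find(d => d.toLowerCase().startsWith("frame-ancestors"));
  if (directive) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    const sources = directive.split(/\s+/).slice(1)
      .map(s => s.replace(/^'|'$/g, "").toLowerCase());
    if (sources.includes("none")) return false;
    if (sources.includes("*")) return true;
    return sources.includes(embedderOrigin.toLowerCase());
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") return false; // embedder is cross-origin
  return true; // no framing protection: the endpoint can be embedded anywhere
}

// Steps 2 and 3 (the handler under attack). The message is expected to look
// like { type: "setLabel", label: "<node name>" } and the label ends up in
// SVG markup. Both handlers return the markup string they would write to the DOM.

// Vulnerable form: no origin check, and the message field is pasted into markup.
function vulnerableHandler(event) {
  return `<text class="node-label">${event.data.label}</text>`;
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Hardened form: reject messages from any origin but the trusted parent,
// enforce the message shape, and escape the value before it becomes markup.
// (In real DOM code, prefer textContent over building markup at all.)
function hardenedHandler(event) {
  if (event.origin !== TRUSTED_PARENT) return null;
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) return null;
  if (msg.type !== "setLabel" || typeof msg.label !== "string" || msg.label.length > 64) return null;
  return `<text class="node-label">${escapeHtml(msg.label)}</text>`;
}

// Constructed stand-ins for the MessageEvent objects the handlers would receive.
const legitEvent = {
  origin: TRUSTED_PARENT,
  data: { type: "setLabel", label: "vm-01 <prod>" },
};
// What the attacker's parent page would send with
//   iframe.contentWindow.postMessage({ type: "setLabel", label: XSS_PAYLOAD }, "*")
const XSS_PAYLOAD = '<img src=x onerror="alert(document.domain)">';
const hostileEvent = {
  origin: "https://attacker.example",
  data: { type: "setLabel", label: XSS_PAYLOAD },
};

// Constructed response headers for the reconnaissance step.
const noProtection = {};
const cspProtected = {
  "content-security-policy": "default-src 'self'; frame-ancestors https://portal.azure.com",
};

console.log("frameable by attacker (no headers):", framingAllowed(noProtection, "https://attacker.example"));
console.log("frameable by attacker (CSP):", framingAllowed(cspProtected, "https://attacker.example"));
console.log("vulnerable handler output:", vulnerableHandler(hostileEvent));
console.log("hardened handler, hostile origin:", hardenedHandler(hostileEvent));
console.log("hardened handler, legit event:", hardenedHandler(legitEvent));
```

Two points the code makes that the text only implies: `frame-ancestors` is the control that actually decides step 1 (it overrides X-Frame-Options when both are present), and the origin check in the handler is what defeats step 3 even when the endpoint can still be framed. The escaping is a second, independent line of defence in case a trusted sender is itself compromised.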


Orca’s take

Orca demonstrated proofs of concept (PoCs) in which a specially crafted postMessage caused the Azure Bastion Topology View SVG exporter and the Azure Container Registry Quick Start page, respectively, to execute an XSS payload.

Microsoft promptly addressed these vulnerabilities after responsible disclosure by Orca and released security fixes to remediate them. Azure users do not need to take any further action.

This disclosure follows Microsoft’s recent efforts to address three vulnerabilities in the Azure API Management service, which could have allowed malicious actors to access sensitive information or backend services.

Moving forward

Microsoft applies a range of defensive measures in its services, including monitoring and logging, input validation, Content Security Policies and secure-coding practices for its developers. Even so, these findings show that such controls can leave gaps, and flaws that go unpatched remain exploitable.

Vendors harden their services to protect their reputation, but what can you do on your side? Learn how attacks like this work, implement the relevant controls, and prevent them.

Author: PureVPN

Published: June 15, 2023

PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, it helps consumers and businesses keep their online identity secure.