EmojiDeploy: Smile! Your Azure Web Service Got RCE’d ._. ($30,000 USD)

We discussed this vulnerability during Episode 197 on 20 March 2023

A few vulnerabilities in Azure Web Services via Kudu, the Git repo manager used for git deployments. Kudu exposes a source control management (SCM) portal that can be accessed once you're authenticated into the instance through Azure Active Directory (AAD), and which lets you manage your web app. The first vuln is that all cookies (including the session cookie) have the SameSite attribute set to None, allowing cross-origin requests to carry the session.

The second and more serious vuln was that the Origin header check could be subverted by passing ._. as a subdomain. Typically it would only accept requests with a validated origin of https://<my-webapp>.scm.azurewebsites.net, but by appending ._. after that domain (https://<my-webapp>.scm.azurewebsites.net._.<attacker-site>./) and setting up wildcard DNS on an attacker-controlled site, the attacker site gets accepted as a valid origin. They still had to find an endpoint that could be abused in a CSRF context, and for RCE the main one of interest was the api/zipdeploy endpoint for uploading and deploying code via a zip file.

Another issue is that while api/zipdeploy expects an x-webform-urlencoded;charset UTF-8 request, it also accepts text/plain requests, which don't trigger a CORS preflight. Chaining these issues allows an attacker to leverage a victim's authenticated browser session to upload a web shell and obtain RCE.
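To make the origin-check and preflight points concrete, here is an added example (not Kudu's code, and not from the original write-up) that puts a prefix-style Origin check, which is one hypothetical way a check can end up accepting the ._. host, beside a strict check that parses the Origin value and requires an exact host match. It also classifies a request by the CORS "simple request" rules for method and Content-Type, which is why a text/plain POST arrives without a preflight. The app name, attacker host and expected media type are constructed sample values.

```python
"""Origin-header validation and CORS simple-request classification.

Added example, not Kudu's implementation. The weak function models a
hypothetical unanchored prefix check; the strict one is the recommended
shape: parse the Origin, then compare scheme, host and port exactly.
"""
from urllib.parse import urlsplit

SCM_SUFFIX = ".scm.azurewebsites.net"

# CORS treats these three media types (plus GET/HEAD/POST and no custom
# headers) as "simple", so the browser sends them without a preflight.
SIMPLE_MEDIA_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def expected_scm_host(app_name: str) -> str:
    """Exact host the SCM portal should accept for this app."""
    return f"{app_name}{SCM_SUFFIX}".lower()


def origin_allowed_weak(origin: str, app_name: str) -> bool:
    """Hypothetical flawed check: only tests that the expected origin is a
    prefix, so extra labels such as ._.attacker.example. are ignored."""
    return origin.lower().startswith(f"https://{expected_scm_host(app_name)}")


def origin_allowed_strict(origin: str, app_name: str) -> bool:
    """Parse the Origin header and require an exact scheme/host/port match.

    A trailing dot, an extra label, userinfo, a path or a non-443 port all
    make this a different origin and are rejected.
    """
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # lowercased by urlsplit; None if absent
    if host is None or host != expected_scm_host(app_name):
        return False
    if port not in (None, 443):
        return False
    # A browser-sent Origin is scheme://host[:port] with no path/query/fragment.
    if parts.path or parts.query or parts.fragment:
        return False
    return True


def is_cors_simple_request(method: str, content_type: str) -> bool:
    """True when the method and Content-Type alone qualify as a CORS simple
    request (the full rule also requires no custom headers)."""
    media = content_type.split(";", 1)[0].strip().lower()
    return method.upper() in {"GET", "HEAD", "POST"} and media in SIMPLE_MEDIA_TYPES


def deploy_request_allowed(origin: str, app_name: str,
                           content_type: str, expected_media_type: str) -> bool:
    """Server-side gate for a state-changing deploy endpoint: strict origin
    match AND the media type the endpoint is documented to accept.
    expected_media_type is a constructed parameter, not Kudu's real value."""
    media = content_type.split(";", 1)[0].strip().lower()
    return (origin_allowed_strict(origin, app_name)
            and media == expected_media_type.lower())


if __name__ == "__main__":
    app = "myapp"  # constructed sample app name
    good = "https://myapp.scm.azurewebsites.net"
    evil = "https://myapp.scm.azurewebsites.net._.attacker.example."
    for label, o in (("legit", good), ("lookalike", evil)):
        print(f"{label:10s} weak={origin_allowed_weak(o, app)} "
              f"strict={origin_allowed_strict(o, app)}")
    print("text/plain POST preflighted?",
          not is_cors_simple_request("POST", "text/plain"))
```

Rejecting the lookalike host does not depend on knowing the ._. trick: any host that is not byte-for-byte the expected one fails the strict check, including the trailing-dot form of the correct name. Refusing unexpected media types on the deploy endpoint closes the no-preflight path independently of the origin check.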