
A CSRF vulnerability impacting the source control management service Kudu could be exploited to achieve remote code execution in multiple Azure services.
Kudu is the engine behind several Azure App Service features, supporting the deployment and management of code in Azure and extensively used by the Functions, App Service, Logic Apps, and other Azure services.
The SCM panel that uses Kudu is deployed by default by the App Service, Function Apps, and Logic Apps Azure services.
The CSRF vulnerability in Kudu could be exploited to deploy a malicious ZIP file to the victim’s Azure application, which could result in code execution and application takeover.
Successful exploitation could allow an attacker to run code and steal sensitive data, launch phishing campaigns, and even move laterally to other Azure services. This can be done only after exploiting the same site misconfiguration and its corresponding attributes.
This allows an attacker to create a wildcard DNS record for his own domain and send cross-origin requests with special characters that eventually will be accepted by the server origin check. The servers do not validate headers that are sent by the client, which bypasses existing CSRF mitigation while processing ZIP “deploy to application” feature
The EmojiDeploy attack can be performed via a browser, but exploitation of the vulnerability requires for the attacker to have SCM or Microsoft account cookies in their browser.
The vulnerability was reported to Microsoft in October 2022 and patched it in December through stronger origin checks on the server and by changing the same-site cookie value to ‘Lax’.
This research was documented by researchers from Ermetic