Researchers have detailed the discovery of a previously unknown vulnerability in Microsoft Azure, called Super FabriXss, that allowed attackers to achieve remote code execution.
The vulnerability was showcased at BlueHat 2023, where the researchers demonstrated how a reflected cross-site scripting vulnerability in Azure Service Fabric Explorer could be escalated to unauthenticated remote code execution by abusing the metrics tab and enabling a specific option in the console, the ‘Cluster Type’ toggle.
This XSS vulnerability affects Azure Service Fabric Explorer. It enables unauthenticated remote attackers to execute code on a container hosted on a Service Fabric node without any authentication.
The XSS vulnerability goes further, becoming a full RCE vulnerability once a user clicks on a crafted malicious URL and toggles the “Cluster” Event Type setting under the Events tab.
Vulnerability Exploitation Steps
- The attack starts with an embedded iframe that triggers a fetch request.
- The attacker’s code then takes advantage of the upgrade process to overwrite the existing deployment with a new malicious deployment.
- The new deployment includes a CMD instruction in its Dockerfile to download a remote .bat file.
- The .bat file is downloaded, executed, and retrieves a second file that contains an encoded reverse shell.
- The reverse shell allows the attacker to gain remote access to the target system and potentially take control of the cluster node where the container is hosted.
Researchers reported the vulnerability to the Microsoft Security Response Center. Microsoft investigated the issue, assigned it CVE-2023-23383 with a CVSS score of 8.2, and released a fix in its March 2023 Patch Tuesday release.
Organizations using Service Fabric Explorer version 9.1.1583.9590 or earlier are vulnerable.
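A small triage helper for checking a cluster inventory against the affected range stated above. This is an added example, not code from Orca or Microsoft; it assumes versions are reported as dotted numeric strings, treats 9.1.1583.9590 and every earlier build as affected, and the inventory it runs over is constructed.

```python
"""Flag Service Fabric Explorer versions affected by CVE-2023-23383.

Added example (not Orca's or Microsoft's code). Assumes the affected
range from the article: 9.1.1583.9590 and earlier. Sample data is constructed.
"""
from typing import List, Tuple

# Last affected build named in the article; anything at or below is flagged.
LAST_AFFECTED = "9.1.1583.9590"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints for safe comparison.

    Comparing the raw strings would rank "10.0" below "9.1"; integer tuples
    compare component by component. Missing trailing components count as 0.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 4 - len(nums))  # pad to four components


def is_affected(version: str) -> bool:
    """True when the version is at or below the last affected build."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the names of clusters whose reported version is still affected."""
    return [name for name, ver in inventory if is_affected(ver)]


# Constructed sample inventory: (cluster name, reported SFX version).
SAMPLE_INVENTORY = [
    ("prod-east", "9.1.1583.9590"),  # exact last affected build -> flagged
    ("prod-west", "9.1.1800.9590"),  # constructed later build -> not flagged
    ("dev", "8.2.1571.9590"),        # older build -> flagged
    ("lab", "10.0.1816.9590"),       # would sort wrongly as a plain string
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: affected, update Service Fabric Explorer")
```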
This research was documented by researchers from Orca, who recommend that users who have not yet done so update their Service Fabric Explorer installation to avoid exposure.