February 23, 2024

Microsoft not too long ago patched three vulnerabilities in its Azure API Administration service, two of which enabled server-side request forgery (SSRF) assaults that would have allowed hackers to entry inside Azure property. The proof-of-concept exploits serve to focus on frequent errors that builders may make when making an attempt to implement blacklist-based restrictions for their very own APIs and companies.

Internet APIs have turn into an integral a part of fashionable software growth, particularly within the cloud. They permit companies to speak and trade knowledge, non-browser shoppers reminiscent of cell apps and IoT units to securely entry knowledge and carry out operations on behalf of customers, and firms to summary older server backends and rapidly interconnect them with fashionable apps and companies. APIs are standardized and straightforward to work together with reasonably than counting on customized and legacy protocols that weren’t constructed for the net.

With firms pushing out APIs in manufacturing at a speedy tempo in recent times, the variety of assaults concentrating on them has spiked as attackers more and more notice that insecure APIs may supply a backdoor into databases and inside infrastructure. In accordance with world content material supply community supplier Akamai, the variety of assaults concentrating on APIs and net functions grew 2.5 occasions in 2022 in comparison with 2021. One of many emergent assault vectors over the previous two years has been SSRF. The ProxyLogon, ProxyNotShell, and OWASSRF flaws in Microsoft Change servers are notable examples which have seen large exploitation.

Over the previous two years, Akamai has seen a gentle enhance in each assault makes an attempt and approved vulnerability-scanning site visitors in search of SSRF vulnerabilities in software program apart from Microsoft Change,” Akamai mentioned in a recent report. “‘As well as, we noticed a each day common of 14 million SSRF makes an attempt probing our App & API Protector prospects’ net functions and APIs, suggesting the rising prevalence of this vector. It’s price noting this development and the potential influence that SSRF exploitation poses to organizations.”

SSRF by way of Azure API Administration proxies

Microsoft’s Azure API Administration is a service that permits firms to show companies hosted on Azure or inside their non-public networks as APIs and to watch them. It is a service geared toward API builders that consists of an API gateway, a administration airplane, and a developer portal.

In an SSRF assault, the attacker should discover a approach to make use of the appliance’s performance as a proxy to entry inside assets, piggybacking on the server’s privileged place and entry to the interior community. In different phrases, if an software or API permits customers to provide an URL and can then crawl that URL and return the response, an SSRF assault is feasible if extra safety measures will not be taken.

Azure API Administration has such a characteristic. It permits customers to specify a schema for the construction of JSON or XML knowledge that is anticipated to be exchanged by means of the API they deploy. Nonetheless, according to researchers from security firm Ermetic, the service may also be instructed to find out the schema routinely by making a request to a user-supplied URL, this characteristic being known as “Import from URL.” “Upon getting specified the URL of the schema, the Azure API Administration CORS proxy retrieves the schema from the required URL by sending it an HTTP request,” the researchers mentioned of their report.

Cross-origin useful resource sharing (CORS) is a mechanism primarily based on HTTP headers that permits an internet server to point to browsers different origins (servers) from the place assets reminiscent of scripts are allowed to be loaded. The CORS proxy on this case intercepts requests and modifies the CORS headers to make it possible for cross-domain requests between portal.azure.com and different servers are allowed.

As soon as they discovered this characteristic, the Ermetic researchers thought to supply http://localhost or http://127.0.1.1 (the loopback tackle) because the distant URL for fetching a schema to see if the CORS proxy would attain out internally to the server itself, attaining SSRF. This resulted in a HTTP 403 error (Forbidden), suggesting there was a blacklist in place.

Then the researchers registered a site known as localhost.me after which edited its DNS data to level to 127.0.1.1. So, when the CORS proxy tried to entry http://localhost.me, it will first resolve the DNS and attempt to entry the returned IP tackle, which factors again to itself bypassing the blacklist. This labored. The response mirrored again by the CORS proxy was HTTP error 404 (Web page not discovered), which means the server not refused the request however did not have a web page to serve.

The researchers additionally discovered that they may add customized headers to their requests and these can be proxied by the CORS proxy to the goal server, opening the door to much more advanced assaults. Then they tried to entry the interior server on completely different port numbers, not the default 80 to probe if different companies may be operating on customized ports and observed that after they tried port numbers that included “300,” reminiscent of 300, 3000, or 30000, they acquired error 403 Forbidden once more.

“We understood that if a regex [regular expression] exists particularly for these ports, some necessary companies have to be listening on these ports,” the researchers mentioned.

A regex is a search-and-match rule that can be utilized to construct blacklists. For instance, the rule may match any URL that features the time period localhost and a port quantity fashioned from 300 within the request. The researchers inferred that if a regex exists, it should apply to a price known as “Ocp-Apim-Url” within the request headers that defines the URL the CORS proxy reaches out to. Due to this fact, they used a URL to a site they managed which then redirected the proxy again to http://localhost:30001 for instance.

This labored and bypassed the blacklist but once more, permitting the researchers to find and entry inside companies on completely different port numbers: 30001 – Authenticated view of the developer portal, 30004 – Azure’s Administration API, 30005 – Azure’s Kudu API administration, 30006 – Unpublished developer website (unauthenticated). Kudu is the engine that powers some administration options of the Azure App Service, a service for internet hosting and deploying net functions on Azure.

SSRF vulnerabilities reveal blacklisting weaknesses as a protection

This SSRF vulnerability by way of CORS proxy is similar to one found by researchers from Orca Security in the identical service again in November. Ermetic reported its findings to Microsoft in December and thought that it may be the identical vulnerability. Nonetheless, their exploit bypassed the fixes Microsoft put in place after Orca reported the unique flaw, making it a separate vulnerability. This highlights the difficulties in counting on blacklisting methods reminiscent of regex as a protection mechanism for these kind of options, as there are at all times a number of methods to bypass them.

The Ermetic researchers did not cease their evaluation there and located a second SSRF, this time within the Azure API Administration Internet hosting Proxy — a special proxy that is used to dynamically configure the backend service URL for an API when creating it.

“When a request is distributed from the frontend that the person specifies, the request can be despatched to the inbound processing proxy after which to the required backend,” the researchers mentioned. Within the course of, the proxy will make modifications to the request primarily based on insurance policies outlined by the person for inbound and outbound processing.

The researchers discovered {that a} person may configure the set-backend-service coverage to level to http://localhost as a substitute of their actual API backend service URL, due to this fact tricking the proxy to direct requests obtained from the API frontend to itself.

“Since we had management over the frontend and inbound processing insurance policies, we may ship the SSRF with an HTTP verb/methodology and customized headers of our selecting,” they mentioned. “We have been capable of entry an inside HTTP port 80 for a POC [proof-of-concept].”

For each vulnerabilities, the researchers stopped their investigation to keep away from hurt to inside companies and infrastructure or danger accessing delicate knowledge by means of the SSRF probing that usually would require authentication.

Path traversal vulnerability in API Administration Developer Portal

Lastly, the researchers have been additionally capable of finding an unrestricted file add characteristic within the API Administration Developer Portal that resulted in path traversal. This had the potential to influence any self-hosted API Administration developer portals deployed by finish customers as properly on their very own infrastructure.

“We discovered that Azure doesn’t validate the file sort and path of the information uploaded,” the researchers mentioned. “Authenticated customers can traverse the trail specified when importing the information, add malicious information to the developer portal server and presumably execute code on it utilizing DLL hijacking, iisnode config swapping or every other related assault vector.”

Copyright © 2023 IDG Communications, Inc.