A critical remote code execution (RCE) vulnerability has been discovered that impacts multiple services related to Microsoft Azure, potentially allowing a malicious actor to take complete control of a targeted application.

The vulnerability was discovered by Israeli cloud infrastructure security firm Ermetic, which has dubbed it EmojiDeploy.

According to Ermetic, the vulnerability is exploited through cross-site request forgery (CSRF) on the widely used SCM service Kudu, the engine behind a number of Azure App Service features related to source-control-based deployment and other deployment methods such as Dropbox and OneDrive sync.

By exploiting this vulnerability, attackers can deploy malicious ZIP files containing a payload to the victim’s Azure application, enabling the theft of sensitive data and lateral movement to other Azure services.

Ermetic has outlined a hypothetical attack chain in which an adversary could exploit the CSRF vulnerability in the Kudu SCM panel by issuing a specially crafted request to the /api/zipdeploy endpoint to deliver a malicious archive, such as a web shell, and gain remote access.


Cross-site request forgery is an attack in which a threat actor tricks an authenticated user of a web application into executing unauthorized commands on the actor's behalf. In this case, the ZIP file is encoded in the body of the HTTP request, prompting the victim application to navigate to a domain controlled by the actor and bypassing the server’s same-origin policy.
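A defender-side check for the request pattern described above, added here as an illustration and not taken from Ermetic, Microsoft or Kudu: it labels logged requests to /api/zipdeploy by whether their Origin or Referer exactly matches the site's own origin. The record layout, the hostnames and the POST/PUT method set are assumptions made for the example.

```python
from urllib.parse import urlsplit

DEPLOY_PATH = "/api/zipdeploy"      # endpoint named in the article
STATE_CHANGING = {"POST", "PUT"}    # assumption: methods that can push an archive

def parse_origin(value):
    """Return (scheme, host, port) for an Origin/Referer value, else None."""
    try:
        parts = urlsplit(value or "")
        port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    except ValueError:              # malformed port or bracketed host
        return None
    if port is None or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname, port)

def classify(req, site_origin):
    """Label one logged request: None (out of scope), 'same-origin',
    'cross-origin' or 'unverifiable' (no usable Origin or Referer)."""
    if req["method"].upper() not in STATE_CHANGING:
        return None
    if urlsplit(req["path"]).path.rstrip("/").lower() != DEPLOY_PATH:
        return None
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    source = parse_origin(headers.get("origin")) or parse_origin(headers.get("referer"))
    if source is None:
        return "unverifiable"
    # Exact tuple match only: no prefix, suffix or substring test on the host.
    return "same-origin" if source == parse_origin(site_origin) else "cross-origin"

# Constructed sample records; the hostnames are placeholders, not real sites.
SITE = "https://app.scm.example.net"
SAMPLE = [
    {"method": "POST", "path": "/api/zipdeploy", "headers": {"Origin": SITE}},
    {"method": "POST", "path": "/api/zipdeploy",
     "headers": {"Origin": "https://app.scm.example.net.evil.example"}},
    {"method": "POST", "path": "/api/zipdeploy/",
     "headers": {"Referer": "https://other.example/landing"}},
    {"method": "POST", "path": "/api/zipdeploy", "headers": {}},
    {"method": "GET", "path": "/api/zipdeploy", "headers": {"Origin": SITE}},
]

def review(records, site_origin):
    """Classify every record in order."""
    return [classify(r, site_origin) for r in records]

if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE, review(SAMPLE, SITE)):
        print(verdict, rec["method"], rec["path"], rec["headers"])
```

Requests labelled unverifiable carry neither header, which is normal for non-browser clients, so they need a separate decision rather than automatic blocking.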

Microsoft fixed the vulnerability on December 6, 2022, following responsible disclosure on October 26, 2022.