During recent intrusion tests, we identified a practice that exposes access credentials for Microsoft Azure Web Sites, a service for developing and hosting web applications in the cloud. This practice can lead to the compromise of the associated FTP server, and thus to illegitimate read and write access to the source code, the log files and the underlying operating system.
The Microsoft Azure Web Sites service lets you generate and export a PublishSettings configuration file that can be imported into PowerShell or Visual Studio to simplify application administration in a continuous delivery workflow. Once imported, it allows these tools to make requests to the Azure API without a manual authentication procedure. The content of this file is highly sensitive, because it contains, among other things, the FTP server credentials and the MSDeploy credentials.
The PublishSettings file can be downloaded from the web application's resource page on the Azure portal:
We then obtain a file named $siteName.PublishSettings containing the credentials for the MSDeploy deployment endpoint (in orange) and for the FTP server (in blue):
We noticed that the PublishSettings file is often committed to the project's source code, so that all the players in the development chain (development teams, cybersecurity auditors, quality engineers, etc.) have a copy of it and should be aware of its sensitive content. In the most critical cases, it is published on online services such as GitHub, or in the website directory itself (although Azure, by default, forbids access to this file type from the browser), allowing an attacker to retrieve and use the sensitive information stored there.
Let us suppose that we have obtained the PublishSettings file presented in the previous section. All we have to do is follow the publishUrl links and enter the corresponding credentials.
For example, we can connect to the FTP server and access the source code:
We can also add or delete files. Below, we deleted index.html and added poc_ftp.html:
The poc_ftp.html file is then served by the web application:
It is possible to execute system commands by dropping a webshell:
Finally, we can access the application logs:
This log file records the requests made to the web server. Below we find the GET request we made to the server to access the poc_eval.html file:
Many other log files are stored on the FTP server: system logs containing information about the operating system, application logs containing the output of debug functions, and extension logs listing the name and version of installed plugins.
As the content of this file is particularly sensitive and stored unencrypted, special attention should be paid to the permissions applied to it and to the possibility of its being read by an illegitimate third party.
Intrinsec recommends the following practices:
- Do not save the PublishSettings file in the project directory;
- Delete the file once it has been imported;
- Set up tests in the continuous integration chain to check for the absence of PublishSettings files in published directories;
- Include this check in the tests performed by your vulnerability scanners;
- Include this scenario in the detection strategies covering the different stakeholders of the development chain;
- Monitor the leakage or exposure of such documents;
- Communicate with development teams on the good practices outlined above.
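The two recommendations about continuous integration and scanner checks, and the earlier description of what the exported file contains, can be put into one small tool. The following script is an added example written for this article, not Intrinsec's own tooling nor anything shipped by Microsoft: it walks a directory tree (a checked-out repository or a published site directory), flags files that are PublishSettings exports either by their extension or by their content (so a renamed copy such as a `.bak` or `.txt` is still caught), parses the `publishData`/`publishProfile` XML that the Azure portal exports, and reports each exposed endpoint and user name with the password redacted. The sample file embedded in the script is constructed; the host names, site name and password are placeholders and the directory layout used by `demo()` is an assumption for illustration.

```python
"""Scan a directory tree for Azure PublishSettings files and report the
credentials they expose. Added example: not Intrinsec's tooling, not an Azure
SDK feature. Only the XML layout (publishData/publishProfile attributes)
follows the file the Azure portal exports; everything else is constructed."""
import os
import sys
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of a $siteName.PublishSettings export. Host names, site
# name and password are placeholders, not real credentials.
SAMPLE_PUBLISHSETTINGS = """<publishData>
  <publishProfile profileName="contoso-web - Web Deploy" publishMethod="MSDeploy"
    publishUrl="contoso-web.scm.azurewebsites.net:443" msdeploySite="contoso-web"
    userName="$contoso-web" userPWD="pA55w0rdEXAMPLE"
    destinationAppUrl="http://contoso-web.azurewebsites.net" />
  <publishProfile profileName="contoso-web - FTP" publishMethod="FTP"
    publishUrl="ftp://waws-prod-example.ftp.azurewebsites.windows.net/site/wwwroot"
    ftpPassiveMode="True" userName="contoso-web\\$contoso-web" userPWD="pA55w0rdEXAMPLE"
    destinationAppUrl="http://contoso-web.azurewebsites.net" />
</publishData>
"""

# Size cap for the content signature check: real exports are a few KB.
MAX_READ = 256 * 1024


def parse_publishsettings(data):
    """Return one dict per <publishProfile>: method, endpoint, user, password.
    Accepts str or bytes; a document whose root is not publishData yields []."""
    root = ET.fromstring(data)
    if root.tag != "publishData":
        return []
    return [
        {
            "method": p.get("publishMethod", ""),
            "publishUrl": p.get("publishUrl", ""),
            "userName": p.get("userName", ""),
            "userPWD": p.get("userPWD", ""),
        }
        for p in root.iter("publishProfile")
    ]


def looks_like_publishsettings(path, head):
    """Match on the exported extension, or on the content signature so that a
    renamed or backed-up copy is still detected."""
    if path.lower().endswith(".publishsettings"):
        return True
    return b"<publishData" in head and b"userPWD=" in head


def scan_tree(root_dir):
    """Walk root_dir and return a list of (relative_path, profiles) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root_dir):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(MAX_READ)
            except OSError:
                continue
            if not looks_like_publishsettings(path, head):
                continue
            try:
                profiles = parse_publishsettings(head)
            except ET.ParseError:
                profiles = []  # extension matched but content unparseable: still report it
            findings.append((os.path.relpath(path, root_dir), profiles))
    return findings


def redact(pwd):
    """Keep two characters so a reviewer can tell which secret leaked."""
    return pwd[:2] + "*" * (len(pwd) - 2) if len(pwd) > 2 else "**"


def report(findings):
    """Human-readable lines, one per file plus one per exposed profile."""
    lines = []
    for rel, profiles in findings:
        lines.append(f"[!] {rel}")
        for p in profiles:
            lines.append(f"    {p['method']:<8} {p['publishUrl']}  "
                         f"user={p['userName']}  pwd={redact(p['userPWD'])}")
    return lines


def demo():
    """Write the constructed sample twice into a temporary tree (once under the
    exported name, once renamed into a backup folder) plus a harmless file,
    then scan it. Layout is an assumption for illustration only."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "backup"))
        for rel in ("contoso-web.PublishSettings",
                    os.path.join("backup", "deploy-creds.txt")):
            with open(os.path.join(tmp, rel), "w", encoding="utf-8") as fh:
                fh.write(SAMPLE_PUBLISHSETTINGS)
        with open(os.path.join(tmp, "index.html"), "w", encoding="utf-8") as fh:
            fh.write("<html></html>")  # must not be reported
        return scan_tree(tmp)


def main(argv):
    """Scan the given directory (or run the demo); non-zero exit fails the CI job."""
    findings = scan_tree(argv[1]) if len(argv) > 1 else demo()
    for line in report(findings):
        print(line)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_publishsettings.py path/to/checkout` from a CI step: the non-zero exit status fails the build as soon as a PublishSettings file, renamed or not, turns up in the tree. The content signature is deliberately loose (`<publishData` together with `userPWD=`) because the cost of a false positive here is a quick manual look, whereas a missed file is a live credential in the repository.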