Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

ChaosDB Explained: Azure's Cosmos DB Vulnerability Walkthrough - 673

Nir Ohfeld & Sagi Tzadik - Wiz. Posted 4 years ago.
  • Azure Cosmos DB is a fully managed NoSQL database. On top of this, Jupyter Notebooks is a web application that allows for live coding in Python in a graphical way.
  • By design in Jupyter Notebooks, you can run arbitrary code in the container. From looking at the ENV they were in, there is a non-sudo user named cosmosuser that is executing the notebook. Seems safe, right?
  • The Python code was running as the unprivileged user. However, when running C# code, it was running as root! It turns out that each programming language has its own host process responsible for executing user-supplied code, and those processes did not all run under the same account. Root on the box has been achieved!
  • The second vulnerability was unrestricted network access. iptables rules restricted access to specific IPs in the internal network. As root, it was possible to simply delete those rules. Damn, that was simple!
  • Let's access these forbidden addresses then! After doing some recon on the service, they found a few things. First, 169.254.169.254 contained the metadata for the currently running virtual machine. This was the IP on the $HOST machine.
  • The other interesting item was WireServer. WireServer holds information about the endpoints that can be queried, extension information and certificates. This is an open source project that can be found on GitHub.
  • After playing around with the WireServer for a while, they were able to find 25 Microsoft certificates and private keys that they should NOT have had. When using these credentials to access various things, they were able to retrieve logs and metadata about Cosmos DB's internal workings. We are getting real close!
  • By accessing the local service fabric on port 19080 with the abric.westus1.cosmos.azure.com certificate, the sfctl CLI could be used to interact with these directly. This listed 500 Cosmos DB instances that were managed in the regional cluster, which did not belong to the account!
  • This demonstrated complete access to databases, and they stopped at this point. This exploit all started from the privilege escalation. Once you get through the first wall, the security gets much worse! With the network misconfiguration and lack of authentication, this became real bad.
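The first wall in the notes above was a kernel host process running as root while the Python one did not. The following is an added example (my own, not code from the Wiz write-up) of the kind of audit a defender can run inside a notebook container: it parses `ps -eo user,pid,args` output and flags any kernel process that is not running as the expected unprivileged user. The `ps` sample, the `cosmosuser` expectation and the command-line patterns used to recognise kernels are assumptions for illustration.

```python
import re

# Constructed sample of `ps -eo user,pid,args` output, modelled on the
# situation in the notes: the Python kernel runs as cosmosuser, the C#
# kernel host runs as root.
SAMPLE_PS = """\
USER       PID COMMAND
cosmosuser 101 /usr/bin/python3 -m ipykernel_launcher -f /tmp/kernel-1.json
root       102 /usr/share/dotnet/dotnet interactive-kernel --language csharp
cosmosuser 103 /usr/bin/python3 -m jupyter_server
"""

# Hypothetical command-line fragments that identify each language's
# kernel host process; adjust to the kernels actually installed.
KERNEL_PATTERNS = {
    "python": re.compile(r"ipykernel"),
    "csharp": re.compile(r"\bdotnet\b.*\bcsharp\b"),
}


def parse_ps(text):
    """Parse `ps -eo user,pid,args` output into (user, pid, cmd) tuples."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append((parts[0], int(parts[1]), parts[2]))
    return rows


def audit_kernels(ps_text, expected_user="cosmosuser"):
    """Return (language, pid, reason) findings for every kernel host
    process that runs as root or as a user other than expected_user."""
    findings = []
    for user, pid, cmd in parse_ps(ps_text):
        for lang, pattern in KERNEL_PATTERNS.items():
            if not pattern.search(cmd):
                continue
            if user == "root":
                findings.append((lang, pid, "runs as root"))
            elif user != expected_user:
                findings.append((lang, pid, f"runs as {user}, expected {expected_user}"))
    return findings


if __name__ == "__main__":
    for finding in audit_kernels(SAMPLE_PS):
        print("FINDING:", *finding)
```

Run it with live data by replacing `SAMPLE_PS` with the output of `ps -eo user,pid,args`; a clean container yields an empty list.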