Readit News
hland commented on Azure's Weakest Link – Full Cross-Tenant Compromise · binarysecurity.no/posts/2... · Posted by u/hland
hland · 4 months ago
API Connections allow anyone to fully compromise any other Connection worldwide, giving full access to the connected Backend. This includes cross-tenant compromise of Key Vaults and Azure SQL databases, as well as any other externally connected service, such as Jira or SalesForce.
hland commented on Finding SSRFs in Azure DevOps – Part 2 · binarysecurity.no/posts/2... · Posted by u/hland
hland · 7 months ago
Binary Security was previously rewarded for three Server-Side Request Forgery (SSRF) vulnerabilities in Azure DevOps, which you can read about here. Now we have found another SSRF vulnerability that we also reported to Microsoft. We then bypassed Microsoft’s fix of the vulnerability using DNS rebinding. If you read the previous blog post, some of this may feel a bit like déjà vu. This blog post outlines how these new SSRFs were identified by analyzing the Azure DevOps source code.
hland commented on Azure's Weakest Link? How API Connections Spill Secrets · binarysecurity.no/posts/2... · Posted by u/hland
bradford · 9 months ago
Suppose user U has read access to Subscription S, but doesn't have access to keyvault K.

If user U can gain access to keyvault K via this exploit, it is scary.

[Vendors/Contingent staff will often be granted read-level access to a subscription under the assumption that they won't have access to secrets, for example.]

(I'm open to the possibility that I'm misunderstanding the exploit)

hland · 9 months ago
Your take is spot on, sir.
hland commented on Azure's Weakest Link? How API Connections Spill Secrets · binarysecurity.no/posts/2... · Posted by u/hland
hland · 9 months ago
Binary Security found the undocumented APIs for Azure API Connections. In this post we examine the inner workings of the Connections allowing us to escalate privileges and read secrets in backend resources for services ranging from Key Vaults, Storage Blobs, Defender ATP, to Enterprise Jira and SalesForce servers.

u/hland · Karma: 44 · Cake day: August 23, 2016