
Acquiring administrative access to Azure's RedHat Update infrastructure - imduffy15
http://ianduffy.ie/blog/2016/11/26/azure-bug-bounty-pwning-red-hat-enterprise-linux/
======
matt_wulfeck
> _Given no gpgcheck is enabled, with full administrative access to the Red
> Hat Enterprise Linux Appliance REST API one could have uploaded packages
> that would be acquired by client virtual machines on their next yum update._

And given how hard it is to detect backdoor software, this is a HUGE security
blunder. This could have literally installed a rootkit on every rhel instance
on Azure.

~~~
imduffy15
That is correct..... I've another post I'll do in a few days that details how
you can become storage account admin from being root on an instance.

------
imduffy15
Follow up post for anyone that is interested... You've got root, can you get
more access to the users azure account? The answer is yes.
[http://ianduffy.ie/blog/2016/11/27/azure-bug-bounty-root-to-storage-account-administrator/](http://ianduffy.ie/blog/2016/11/27/azure-bug-bounty-root-to-storage-account-administrator/)

------
colinbartlett
I'm curious to know if a bounty was paid for this and how much.

~~~
imduffy15
The bounty was paid out, leaving the amount as undisclosed but it was under
3500 USD.

~~~
NateyJay
That seems super low

~~~
niij
Here we go.

------
matthiasb
There was a thread yesterday where lots of people were complaining about HSMs
([https://news.ycombinator.com/item?id=13031155](https://news.ycombinator.com/item?id=13031155)).
I think this is an example where it would have helped to secure the private
key in an HSM instead of the server itself.

Now the author states the keys have been rotated, but now the next hacker knows
where to look.

~~~
imduffy15
I'm not fully confident that they have actually been rotated....

~~~
Anthony-G
Hi Ian. That was a very well-written account of a very serious vulnerability.
I just thought I’d let you know that there's a typo in the closing sentence
(being discussed here), “they claim to of rotated all secrets”. That should be
“have” rather than “of”. It kind of threw me a little as I read it. Le gach
dea ghuí.

~~~
imduffy15
Perfect! Thank you Anthony, colloquialism slipping into my English.

------
joneholland
So, it seems that the attack vector was that Microsoft was running RHUI Log
Collector open to the public internet for some reason.

Considering that's from Red Hat, and not Microsoft, I do wonder if this is a
non-sensible default setup issue and there may be many enterprises running
this out in the open.

~~~
imduffy15
That is very interesting @joneholland. Can you tell me more about the RHUI log
collector? I thought it was something hand rolled.

------
ChargingWookie
Am I misreading this or does this really allow arbitrary packages to
masquerade as legitimate packages?!

~~~
imduffy15
That would be correct since GPG checking is disabled. Would just be a case of
bumping the version number and releasing a package under the same name.
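The weakness described in this exchange is a repository with signature checking turned off: anyone who controls the repo server can publish a package under an existing name with a higher version and clients will install it. The check below is an added example (not code from the blog post or from Red Hat's RHUI tooling) that audits yum/dnf `.repo` definitions and flags enabled repos that would accept unsigned RPMs, honouring the `[main]` default from `yum.conf` the same way yum does. The `.repo` text and repo names it scans are constructed samples; on a real host you would feed it the contents of `/etc/yum.conf` and each file under `/etc/yum.repos.d/`.

```python
"""Flag yum/dnf repository definitions that will accept unsigned packages.

A repo with gpgcheck=0 (or gpgcheck=1 but no gpgkey to verify against) lets
whoever controls the repository server ship arbitrary packages under any
name, which is the situation discussed in the thread. Added example, not
code from the original post; the sample configuration below is constructed.
"""
import configparser
from typing import Dict, List

# Constructed sample of /etc/yum.conf: the [main] section supplies the
# default gpgcheck value for any repo that does not set its own.
SAMPLE_YUM_CONF = """
[main]
gpgcheck=1
"""

# Constructed sample of a file under /etc/yum.repos.d/: one hardened repo
# beside two weak ones. Hostnames are placeholders, not real servers.
SAMPLE_REPO_FILE = """
[repo-signed]
name=Signed repo with a verification key (constructed)
baseurl=https://repo.example.invalid/signed
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[repo-unsigned]
name=Repo with signature checking switched off (constructed)
baseurl=https://repo.example.invalid/unsigned
enabled=1
gpgcheck=0

[repo-inherits]
name=Repo relying on the [main] default and no gpgkey (constructed)
baseurl=https://repo.example.invalid/inherits
enabled=1
"""


def _as_bool(value: str) -> bool:
    """yum accepts 1/0, yes/no, true/false, on/off for boolean options."""
    return value.strip().lower() in ("1", "yes", "true", "on")


def main_default_gpgcheck(yum_conf_text: str) -> bool:
    """Return the [main] gpgcheck setting; yum's built-in default is on."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(yum_conf_text)
    if cp.has_option("main", "gpgcheck"):
        return _as_bool(cp.get("main", "gpgcheck"))
    return True


def audit_repos(repo_text: str, default_gpgcheck: bool = True) -> List[Dict[str, str]]:
    """Return one finding per enabled repo that would accept unsigned RPMs.

    A repo is flagged when its effective gpgcheck is off, or when gpgcheck is
    on but no gpgkey is configured, so there is nothing to verify against.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    findings: List[Dict[str, str]] = []
    for repo in cp.sections():
        if not _as_bool(cp.get(repo, "enabled", fallback="1")):
            continue  # disabled repos are never consulted by yum
        if cp.has_option(repo, "gpgcheck"):
            gpgcheck = _as_bool(cp.get(repo, "gpgcheck"))
        else:
            gpgcheck = default_gpgcheck  # inherit from [main]
        if not gpgcheck:
            findings.append({"repo": repo, "problem": "gpgcheck is off"})
        elif not cp.get(repo, "gpgkey", fallback="").strip():
            findings.append({"repo": repo, "problem": "gpgcheck on but no gpgkey"})
    return findings


def audit_sample() -> List[Dict[str, str]]:
    """Run the audit over the constructed sample with its [main] default."""
    return audit_repos(SAMPLE_REPO_FILE, main_default_gpgcheck(SAMPLE_YUM_CONF))


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"{finding['repo']}: {finding['problem']}")
```

The `[main]` inheritance matters in practice: a repo file with no `gpgcheck` line looks harmless on its own, but becomes a signature-free install path if `gpgcheck=0` was ever set globally. Running the audit with both inputs, rather than grepping individual `.repo` files, is what makes that case visible.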

------
shshhdhs
It sounds like they fixed the RHEL Update infrastructure, but they didn't fix
this:

"Additionally, if you duplicated a Red Hat Enterprise Linux virtual hard disk
and created a new instance from it all billing association seemed to be lost
but repository access was still available"

~~~
imduffy15
Debatable @shshhdhs, I can confirm they locked down access but I'm not
confident the certificates were actually rotated. It would have meant they
would have needed to push new SSL client certs out to every customer Red Hat
Enterprise Linux Virtual Machine.

I'm confident that duplicating the virtual disk, certificates or installing
the documented RPMs will result in repository access without being billed
accordingly. It is considered fraud and I would imagine if one took large
advantage of it one would be disciplined accordingly.

------
bhaisaab
Another reason to be away from MS cloud. Good work man.