{
	"id": "d90d9553-1b19-400e-a905-7c2853d92b62",
	"created_at": "2026-04-06T01:30:59.042037Z",
	"updated_at": "2026-04-10T13:11:34.587291Z",
	"deleted_at": null,
	"sha1_hash": "9bd6c29953f2f07af34a3b65a849e114cc401c1e",
	"title": "Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 326315,
	"plain_text": "Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure\r\nBy Paul Litvak\r\nPublished: 2020-10-08 · Archived: 2026-04-06 01:15:44 UTC\r\nMain Findings\r\nWe discovered two vulnerabilities in Microsoft Azure. They existed in a popular cloud service called Azure App\r\nServices—specifically impacting Linux servers—and should be on the radar of enterprise organizations that use\r\ncloud resources.\r\nThe first vulnerability enabled an attacker with access to the server to take over the App Service’s git repository\r\nand implant phishing pages accessible through the Azure Portal. The second vulnerability allowed an attacker with\r\nan existing low-severity vulnerability on the application (SSRF) to upgrade to full code execution on the App\r\nService and trigger the first vulnerability. We created a video demonstrating this:\r\nEtt fel inträffade.\r\nDet går inte att köra JavaScript.\r\nThe vulnerabilities were immediately disclosed to Microsoft and fixed prior to this publication.\r\nIntroduction\r\nMigration to the cloud has rendered old security practices largely obsolete, as system administrators must learn\r\nhow to adapt and defend this new platform. Cloud security is still relatively new, making it essential to research\r\nand document new attack surfaces that arise when using these services. The infrastructure underneath is somewhat\r\nhttps://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/\r\nPage 1 of 7\n\nundocumented in some areas, as opposed to plain Windows or Linux systems which have been largely scrutinized\r\nby security researchers.\r\nIn this post we’ll present two vulnerabilities we have found in Azure App Services, specifically in the Linux App\r\nServices administration component called KuduLite, and cover technical details regarding how Azure App Service\r\nworks.\r\nAzure App Services\r\nAzure App Services is an HTTP-based service for hosting web applications and is available in both Microsoft\r\nAzure Cloud and on-premise installations. We will be referring to the cloud version specifically.\r\nApp Services is useful as it allows developers to simply write an application to serve HTTP and then push it to git.\r\nFrom there Azure will handle all pesky deployment details and provide an Azure-managed domain name.\r\nTo start using App Services, the user must first create an App Service Plan, which is the machine that App\r\nServices will use. This machine’s main purpose is to host App Service containers.\r\nOnce a user creates an App Service, Azure creates a new Docker environment consisting of two container nodes: a\r\nmanager node and application node.\r\nTwo domains are then registered:\r\napp.azurewebsites.net – pointing to the application’s HTTP web server.\r\napp.scm.azurewebsites.net – pointing to the App Service’s administration page provided by Azure.\r\nhttps://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/\r\nPage 2 of 7\n\nThe administration page is provided by a Microsoft open-source project called Kudu. For Linux, it’s a lesser-known sibling project called KuduLite. The Kudu instance is hosted on the manager node, while the application\r\nitself is hosted on the application node. We will focus on the KuduLite variant.\r\nThe KuduLite instance offers the user diagnostic information about the system, including Docker logs, settings,\r\nand other environment information. If the user chooses to host the app’s git with Azure, it is managed by this\r\nKudu service.\r\nAnother useful feature is a web interface that runs interactive bash on the Kudu instance and an additional web\r\ninterface to SSH into the application node (a separate Azure project named webssh).\r\nThe application inside the app node runs as root and we can SSH into it as root. When accessing the Kudu\r\ninstance, however, we are given a low-privileged user:\r\nhttps://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/\r\nPage 3 of 7\n\nThis user is only meant to interact with /home and is unable to write to files in other directories. Interestingly,\r\nClamAV is installed in this instance.\r\nTo recap, this figure describes the Linux App Services environment:\r\nhttps://lh4.googleusercontent.com/ZzT_Hhskx4Q44VO5ypRVWPioICkyD4EacWCf54DYNokP4CwmYBcTtoDlR\r\nVulnerability 1: KuduLite Takeover/EoP\r\nWhile investigating how webssh connects the web interface to the application node’s SSH service, we noticed it\r\nuses hardcoded credentials “root:Docker!” to access the application node:\r\nwebssh credentials\r\nThis poses no danger since the application node’s SSH port is not accessible from the internet.\r\nWe observed earlier the KuduLite instance also ran SSH, so we used the same credentials on the KuduLite\r\ninstance and were able to log in as root:\r\nhttps://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/\r\nPage 4 of 7\n\nAs a reminder, the developers of the App Service KuduLite made sure admins were only able to log into it as a\r\nlow privileged user, therefore we knew this was unintended.\r\nSince we now controlled the KuduLite box, we had complete control over the SCM web server. We could listen to\r\na user’s HTTP requests to the SCM web page, add our own pages, and inject malicious Javascript into the user’s\r\nweb page.\r\nInitially, we attempted to steal the SCM user’s cookies from their requests to the server, however, we quickly\r\nfound out there is an nginx intermediate that strips the cookies from the request before they arrive to KuduLite.\r\nFurthermore, the cookies had an HttpOnly attribute, which meant we weren’t able to steal them with Javascript on\r\nthe client’s browser. These mitigations by Microsoft were very effective in limiting this vulnerability’s potential\r\ndamage.\r\nDespite the mitigations, an attacker could still inflict damage with this vulnerability and we presented such a\r\nscenario in the video in the Main Findings section, where an attacker uses the vulnerability to implant a phishing\r\npage in what is supposed to be the SCM web page.\r\nThe user may also choose to let App Services manage the git server, in which this will be handled by KuduLite.\r\nThe attacker could then add malicious code to the repository to achieve persistence and spread to other instances\r\nusing the same git server.\r\nVulnerability 2: Lack of Access Checks in KuduLite Allow Local File Inclusion or\r\nRemote Code Execution (LFI/RCE) to Attacker with SSRF\r\nhttps://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/\r\nPage 5 of 7\n\nThe second vulnerability resides in the KuduLite API, which is very similar to Kudu’s API. The application node\r\nis able to send requests to the KuduLite API without requiring any access validation. This is especially\r\nproblematic when considering a web app with an SSRF vulnerability.\r\nAn attacker who manages to forge a GET request may access the application node’s file system via the KuduLite\r\nVFS API:\r\nThis would enable an attacker to easily steal source code and other assets on the application node.\r\nAn attacker who manages to forge a POST request may achieve remote code execution on the application node via\r\nthe command API:\r\nBy contrast, in Windows (where Kudu is used), packets sent from the application node to the manager node are\r\ndropped.\r\nhttps://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/\r\nPage 6 of 7\n\nFinally, these two vulnerabilities can be chained together, since once an attacker achieves code execution with the\r\nsecond vulnerability—provided they have an SSRF vulnerability—they can exploit the first one.\r\nConclusion\r\nThe cloud enables developers to build and deploy their applications at great speed and flexibility, however, often\r\nthe infrastructure is susceptible to vulnerabilities out of their control. In the case of App Services, applications are\r\nco-hosted with an additional administration container and as we’ve seen in this post, additional components can\r\nbring additional threats.\r\nWe reached out to Microsoft with our findings as part of the responsive disclosure process and the vulnerabilities\r\nwere quickly acknowledged and fixed.\r\nAs a general best practice, runtime cloud security is an important last line of defense since it detects malicious\r\ncode injections and other in-memory threats that take place after a vulnerability has been exploited by the attacker.\r\nSource: https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/\r\nhttps://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/"
	],
	"report_names": [
		"kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure"
	],
	"threat_actors": [],
	"ts_created_at": 1775439059,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9bd6c29953f2f07af34a3b65a849e114cc401c1e.pdf",
		"text": "https://archive.orkl.eu/9bd6c29953f2f07af34a3b65a849e114cc401c1e.txt",
		"img": "https://archive.orkl.eu/9bd6c29953f2f07af34a3b65a849e114cc401c1e.jpg"
	}
}