medium

Logic Apps privilege escalation to root

Published Wed, Mar 9th, 2022
Platforms

Summary

Azure Logic Apps use API Connections to authenticate actions to services. Having Contributor access to an Azure Resource Manager (ARM) API Connection would allow someone to create arbitrary role assignments as the connected user. This was supposed to be limited to actions at the Resource Group level, but an attacker could escape to the Subscription or Root level with a path traversal payload. The root cause of this behavior was that such a payload would meet the Swagger API definition, and it would be resolved by the server, resulting in a request to an unintended scope.

Affected Services

Azure Logic Apps

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Entry Status
Finalized
Disclosure Date
Tue, Mar 1st, 2022
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
6.21
(PI:1.5/A3:1.05/A4:1.05/A5:1.05/A6:8/A7:1.1/A8:0.9)
Discovered by
Josh Magri, NetSPI