Azure Cloud Shell is an interactive, authenticated, browser-accessible shell for managing Azure resources. This post describes how I took over an Azure Cloud Shell trusted domain and leveraged it to inject and execute commands in other users’ terminals. Using the executed code, I accessed the Metadata service attached to the terminal and obtained the user’s access token. This access token gives an attacker the victim user’s Azure permissions and lets them perform operations on the victim’s behalf.
The vulnerability was reported to Microsoft, which subsequently fixed the issue.
- Aug 24, 2022: MSRC confirmed the issue and opened an investigation. MSRC awarded a $10,000 bounty.
- Aug 29, 2022: Microsoft deployed the fix.