Microsoft Azure Bug Leaks Linux Source Code Repository

Azure App Service vulnerability exposed hundreds of source code repositories


Wiz.io, a cloud security vendor, discovered a four-year-old bug in the Microsoft Azure App Service that exposed the source code of customer applications written in PHP, Python, Ruby, or Node that were deployed using “Local Git”.

The vulnerability, dubbed “NotLegit”, has existed since September 2017 and has probably been exploited in the wild. The issue resides in the Azure App Service: when users deploy with the “Local Git” method, the .git folder is created in the content root, which puts their data and source code at risk of information disclosure.

This behavior of Azure App Service via Local Git was known to Microsoft, and the company added a “web.config” file to the .git folder within the public directory to restrict public access. However, only Microsoft's IIS web server honors “web.config” files.

What is Local Git?

Azure supports multiple methods to deploy source code and artifacts to the Azure App Service, one of which is “Local Git”. With “Local Git”, a Git repository is initialized inside the Azure App Service container, which lets developers push their code straight to the server.

What is the NotLegit Bug?

As mentioned above, applications that use C# or ASP.NET are deployed on the IIS server, where Microsoft adds a “web.config” file to the .git folder within the public directory to restrict public access. But applications developed in PHP, Ruby, Python, or Node and deployed via the Local Git method run on different web servers (Apache, Nginx, Flask, etc.), and these web servers do not handle “web.config” files, leaving the .git folder completely exposed.

Who's affected by the NotLegit Bug?

According to Microsoft all PHP, Node, Ruby, and Python applications deployed via this method were impacted. 

  • All PHP, Node, Ruby, and Python applications that were deployed using “Local Git” on a clean default application in Azure App Service since 2013
  • All PHP, Node, Ruby, and Python applications that were deployed in Azure App Service from 2013 onward using any Git source, after a file was created or modified in the application container. 
  • App Service Linux customers who deployed applications using Local Git after files were created or modified in the content root directory are impacted. 
  • PHP, Node, Python, Ruby, and Java applications coded to serve static content:
    • PHP: The images used for PHP runtime were configured to serve all static content in the content root folder. After this issue was brought to our attention, we updated all PHP images to disallow serving the .git folder as static content as a defense-in-depth measure. 
    • Node, Python, Java, and Ruby: For these languages since the application code controls whether it serves static content, we recommend customers review the code to make sure that only the relevant code is served out.

Not all users of Local Git were impacted. Users who deployed code to App Service Linux via Local Git after files were already created in the application were the only impacted customers.
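The point about Node, Python, Java, and Ruby above is the crux for the non-IIS runtimes: the application's own static-file handler decides whether `.git` is reachable. The following added example (not code from Microsoft, Wiz, or Azure) contrasts a naive resolver that serves anything under the content root with one that refuses dot-segments and path traversal, using a constructed temporary content root whose `.git/config` holds a placeholder credential.

```python
"""Why a deployed .git folder becomes reachable, and how the app's own static
handler can refuse it. Added example, not Microsoft's, Wiz's or Azure's code."""
import tempfile
from pathlib import Path
from typing import Optional


def naive_static_path(content_root: str, url_path: str) -> Optional[Path]:
    """Vulnerable pattern: joins the request path onto the content root and
    serves whatever exists there, so /.git/config maps straight to the repo
    metadata that a Local Git deployment leaves in the content root."""
    candidate = Path(content_root) / url_path.lstrip("/")
    return candidate if candidate.is_file() else None


def hardened_static_path(content_root: str, url_path: str) -> Optional[Path]:
    """Defense in depth: refuse any path segment starting with a dot
    (.git, .env, .htaccess) and keep the resolved path inside the root."""
    root = Path(content_root).resolve()
    segments = [s for s in url_path.split("/") if s]
    if any(s.startswith(".") for s in segments):
        return None
    candidate = root.joinpath(*segments).resolve()
    # Traversal (../) must not escape the content root.
    if root != candidate and root not in candidate.parents:
        return None
    return candidate if candidate.is_file() else None


def build_content_root() -> str:
    """Constructed sample app: an index page plus the .git metadata a Local Git
    push leaves behind, including a config with an embedded credential."""
    root = tempfile.mkdtemp(prefix="notlegit-demo-")
    Path(root, "index.html").write_text("<h1>hello</h1>\n")
    git = Path(root, ".git")
    git.mkdir()
    (git / "HEAD").write_text("ref: refs/heads/master\n")
    # Constructed placeholder, standing in for the tokens found in exposed configs.
    (git / "config").write_text(
        '[remote "origin"]\n\turl = https://user:PLACEHOLDER_TOKEN@example.invalid/app.git\n'
    )
    return root


if __name__ == "__main__":
    root = build_content_root()
    for path in ("/index.html", "/.git/config", "/.git/HEAD"):
        print(f"{path:14} naive={bool(naive_static_path(root, path))} "
              f"hardened={bool(hardened_static_path(root, path))}")
```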

Exploited in the Wild

Malicious attackers continuously scan the internet for exposed Git folders, and the exposed source code in this case contained a .git configuration file that itself held passwords and access tokens for other customer systems.
Because this exploitation method is extremely easy and common, Wiz noted that the flaw is actively being exploited. All affected users are advised to review their application's source code and evaluate the potential risk:

  • Users who deployed code via FTP, Web Deploy, or Bash/SSH, which resulted in files being initialized in the web app before any Git deployment
  • Users who enabled Local Git on the web app
  • Users who subsequently ran a Git clone/push sequence to publish updates