Cloud computing may not be as secure as you would like to believe…Vulnerabilities in Azure Part 1

What is “Cloud Computing” you may ask… That is simple, it is using other people’s hardware!

You are renting space on their servers, using their internet connection, using their switches. There is nothing amazing about “The Cloud”, other than that you do not own the equipment and you cannot control the physical servers, switches, etc. Your “Cloud” is only as secure as the company you are hosting your servers/software/services with.

I forewarn you, this post is long. The first part of this article is about a white paper that I wrote about Azure possibly being susceptible to MITM/DOS attacks. The second part will show you how insecure Azure is… in the fact that you can see Virtual Machine names, IP addresses and more, using common, easily obtained software… (SEE Part 2!)

Utilizing two free software programs, I was able to get information that anyone with time and inclination could use to do other attacks, not just the MITM / DOS attacks listed below.

How it all started…

Microsoft was giving away a free 30-day trial of Windows Azure. I decided I would check Azure for vulnerabilities, so I ran a few tests before my trial was up, and this is what I found.

The following white paper I sent to Microsoft at the end of June 2013. After almost two months, Microsoft emailed me back on 8-21-13 and stated “The team came back to me and confirmed that they have DHCP guards in place for v6 and v4 and confirmed that their IPv4 filtering prevents MiTM attacks started from arp spoofing.”

So Windows Azure is NOT vulnerable to Man in the Middle attacks nor Denial of Service Attacks… WELL, there is another problem, which you will see in Part 2.

___________________________________________The Paper _______________________________________________

Concept by: Daniel Stinson    Date: 6-27-2013

Windows Azure may be susceptible to Man in the Middle attacks as well as IPv4/ IPv6 Denial of Service attacks from a Virtual Machine residing inside of Azure.

Please note that these attacks were not tested against any machines in Azure; I am showing that, from within a virtual machine residing on Azure, they may be possible. No exploits have been run, so this is merely a concept paper. This paper is to show that it may be possible; the attack is untested.

I created a clean Microsoft Server 2008R2 virtual machine using a 30-day Windows Azure trial. I installed free software called Evil Foca on this virtual machine, to check whether the program was able to see other servers in proximity to the new virtual machine.

I ran the software to see if there were any “Neighbors”, and I was amazed at how many connections were discovered. The program showed other servers and routers (with IP & MAC addresses) that were located near the virtual machine.

I DID NOT run the exploits, however I am certain that MITM (Man in the Middle) and IPv4 & IPv6 DoS (Denial of Service) attacks could be run against these other connections in Azure.


The below image shows active connections close to the virtual machine that were discovered. (full list is presented on the last page)


As you can see in the above screenshot, other connections were discovered. If you add targets in any of the attacks, you are given the option to select your target from the list.

 Types of attacks that could be run against target connections:




-Neighbor Advertisement Spoofing

The attacker sends fake ICMPv6 Neighbor Advertisement packets to the victims so that their traffic is routed through the attacker's IP address.


-The computer acts as a rogue DHCPv6 server, configuring the IP address and DNS server of its clients.

The attacker sends fake ARP packets to the victims so that their traffic is routed through the attacker's IP address.


-DHCP ACK Injection

The computer acts as a rogue DHCP server, configuring the clients to use the attacker's IP address as their gateway.


DoS IPv6


It consumes 100% of the CPU by creating network adapters through the SLAAC protocol until the computer is completely frozen.


DoS IPv4

-Invalid MAC Spoofing

It assigns an invalid MAC address to an IP address, poisoning the target's ARP cache, so the target will lose its connection with any arbitrary computer.
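The ARP spoofing and invalid MAC spoofing descriptions above both rely on a forged IP-to-MAC binding, which is what a defender can watch for. The following Python detector is an added example, not part of the original paper or of Evil Foca; its function names, alert labels and sample traffic are constructed for illustration.

```python
from collections import defaultdict

def normalize(mac):
    """Return a MAC as lowercase colon-separated hex, or None if malformed."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_invalid_sender(mac):
    """A host's own address can never be all zeros, broadcast or multicast."""
    if mac is None or mac in ("00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"):
        return True
    return bool(int(mac[:2], 16) & 0x01)  # group bit set in the first octet

def analyze(replies, static_bindings=None):
    """Scan (timestamp, ip, mac) ARP replies; static_bindings pins known hosts."""
    bindings = {ip: normalize(m) for ip, m in (static_bindings or {}).items()}
    claimed = defaultdict(set)  # mac -> IPs it has answered for
    alerts = []
    for ts, ip, raw_mac in replies:
        mac = normalize(raw_mac)
        if is_invalid_sender(mac):
            alerts.append((ts, "invalid-mac", ip, raw_mac))
            continue  # never learn an unusable binding
        known = bindings.get(ip)
        if known is not None and known != mac:
            alerts.append((ts, "binding-changed", ip, mac))
            continue  # keep the earlier binding until an operator confirms
        bindings[ip] = mac
        claimed[mac].add(ip)
        if len(claimed[mac]) == 2:  # alert once, when the second IP appears
            alerts.append((ts, "mac-claims-multiple-ips", ip, mac))
    return alerts

# Constructed sample traffic: documentation addresses and made-up MACs.
SAMPLE = [
    (1, "192.0.2.1", "02:00:00:00:00:01"),   # gateway, matches the pinned entry
    (2, "192.0.2.10", "02:00:00:00:00:0a"),
    (3, "192.0.2.1", "02:00:00:00:00:66"),   # gateway IP claimed by another MAC
    (4, "192.0.2.10", "00:00:00:00:00:00"),  # unusable MAC bound to a live IP
    (5, "192.0.2.20", "02:00:00:00:00:0a"),  # one MAC answering for a second IP
]
STATIC = {"192.0.2.1": "02:00:00:00:00:01"}  # hypothetical pinned gateway

if __name__ == "__main__":
    for alert in analyze(SAMPLE, STATIC):
        print(alert)
```

A MAC that answers for several IPs can be legitimate (routers, proxy ARP), so that alert is an indicator to correlate with the other two rather than proof of spoofing.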


DNS hijacking or DNS redirection

This is the practice of redirecting the resolution of Domain Name System (DNS) names to other DNS servers.

Used in conjunction with MITM attack.


Connections discovered in Windows Azure from a freshly made clean Virtual Machine:

(MAC and IP Address)



Now I did not run these exploits, as I did not want to disrupt any Microsoft services, nor did I want a visit from any law enforcement agencies.

Was Windows Azure susceptible to these attacks? I’ll never know for certain, as the ticket was open for almost 2 months… That was plenty of time to fix the issue.

Was I paid a “bounty” by Microsoft? Nope.

Would I let Microsoft know about another vulnerability if I found one? Probably not…

Would I put my company’s data in Windows Azure? Probably not…

Would I use Azure for testing and penetration testing? YES, Yes I would…

See Part 2 for more about Windows Azure and “Cloud” computing…

  1. Phil Owens says:

    I tried your method, with similar results, great writeup!

