Cloud computing may not be as secure as you would like to believe…Vulnerabilities in Azure Part 2

As promised this is Part 2… Otherwise known as “How to Hack Windows Azure”…

The information in this post was obtained through public sources, no computers were compromised nor hacked into to obtain this information. You too can obtain everything listed in this article in a matter of minutes using free software.

In this post I will show you how UNSECURE Windows Azure really is…

Using a freshly made Server 2008R2 server residing in Windows Azure, you can find everything you need to start gathering information!

I will give you a little background… When you spin up your fresh newly created Virtual Machine in Windows Azure, you are given the option to “Choose your Region”. These regions are where the server farms that comprise Windows Azure are located. You are given the options of : North Europe, West Europe, East US, West US, Southeast Asia and East Asia.

azurevm

What you need to realize is the following:

A. Whatever you name your new Virtual Machine becomes your VMs computer name. This also becomes “YourVMname.cloudapp.net”. I will show you why this is significant later…

B. The region that you select for your VM, those regions break down as follows:

North Europe = europenorth.internal.cloudapp.net
West Europe = europewest.internal.cloudapp.net
East US = useast.internal.cloudapp.net
West US = uswest.internal.cloudapp.net
Southeast Asia = asiasoutheast.internal.cloudapp.net
East Asia = asiaeast.internal.cloudapp.net

Internal.cloudapp.net = 70.37.50.25

azuredns

This isn’t too complicated to figure this out. If you are already inside of Windows Azure, then you would be able to use this information to gather more information about servers, connections and virtual machines that reside on these servers. (I showed you this in Part 1)

Now here comes what you have been waiting for…

Using a computer that was NOT connected to Windows Azure, I was able to run the program Foca 3.2 to gather information about Windows Azure.

foca32

FOCA Free 3.2 is a tool for performing fingerprinting processes and information gathering in web audit work. Free version performs search servers, domains, URLs and documents published, and the discovery of software versions on servers and clients. FOCA became famous for metadata extraction on public documents, but today is much more than that.

I used the domain name “cloudapp.net” for this Foca 3.2 search.

After an hour I had discovered IP Address’, Virtual Machine Names, and even vulnerabilities listed on virtual machines with very little effort.

What does this mean to a “hacker”? Well it gives the “hacker” a lot of information to exploit…

In an hour I found 444 Servers in Windows Azure with IP address, websites hosted in Windows Azure, virtual machine names, as well as vulnerabilities of some of those hosted servers in Windows Azure.

I will let the following screenshots speak for themselves…

foca1 foca2 foca3 foca4 foca5 foca6 foca7 foca8 foca9 foca10 foca11 foca12 foca13 foca14 foca15 foca16 foca17 foca18 foca19 foca20 foca21 foca22 foca23 foca24

cloudapp1 cloudapp2 cloudapp3 cloudapp4 cloudapp5 cloudapp6 cloudapp7 cloudapp8 cloudapp9 cloudapp10 cloudapp11 cloudapp12 cloudapp13 cloudapp14 cloudapp15 cloudapp16 cloudapp17 cloudapp18 cloudapp19 cloudapp20 cloudapp21 cloudapp22 cloudapp23 cloudapp24 cloudapp25 cloudapp26 cloudapp27 cloudapp28 cloudapp29 cloudapp30 cloudapp31 cloudapp32 cloudapp33 relateddomains4 relateddomains3 relateddomains2 relateddomains1roles1 roles2 roles3 roles4 roles5 roles6 roles7 vuln1 vuln2 vuln3 vuln4

As you can see in this article…Windows Azure is not safe from “hackers”… With one free program, and a little time, you can easily find targets to exploit.

In Part 1, I communicated with Microsoft for two months. Microsoft told me via email that my discovery was legitimate, then after two months (plenty of time to fix the issue) Microsoft stated that they have measures that prevent the MITM and DOS attacks. The tool shown in this article FOCA 3.2 on the other hand can not be patched by Microsoft.

This article is designed to show you how “UNSECURE” that Windows Azure actually is. Like I said in Post 1, I would not host my virtual machines in Windows Azure, except for “penetration testing or development”.

Imagine what would happen if someone had the “time & inclination” what they could actually exploit? Scary isn’t it!

Comments
  1. Charles says:

    Does Amazon EC2 have this same issue, or it strictly with Azure? – Just wondering how this is different that having a machine exposed to the internet. Obviously a machine that is accessible from the internet is vulnerable, regardless of the cloud service that is used.

  2. cloudguy says:

    Great article!

  3. Tyesha Bognuda says:

    I have learned so much from your blog, keep up the good work!

  4. manoj says:

    I tried it yesterday…. dint find any servers…but found some unallocated servers… did Microsoft come up with a patch…

    • XxSpOoKeYxX says:

      I believed they patched the IPv6 DDOS capabilities, after my white paper, but do not know. I no longer have an Azure account to play with. MS jerked me around after I sent them the whitepaper.

  5. manoj says:

    oh … ok thanks … 🙂

  6. Candra says:

    Thanks for your marvelous posting! I actually enjoyed reading it, you
    can be a great author. I will remember to bookmark your blog and will
    come back from now on. I want to encourage yourself to continue your great job, have a nice holiday weekend!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s