From June to August, part of the McAfee Advanced Threat Research (ATR) team participated in the Microsoft Azure Sphere Security Research Challenge. Our research resulted in reports on several vulnerabilities that Microsoft classified as important or critical to the platform. So far they have earned more than $160,000 in awards, which we have donated to the ACLU ($100,000), St. Jude Children’s Research Hospital ($50,000) and PDX Hackerspace (about $20,000). With these contributions we hope both to support and give back to our local hacker community, which has provided much-needed help during the COVID crisis, and more broadly to recognise the importance of protecting civil liberties and the welfare of those most in need.
This blog post is a high level overview of the program, the reasons why we decided to participate and a short description of our results. A detailed technical overview of our results can be found here.
In addition, Microsoft has published two blogs that summarize the entire Azure-Sphere Bounty program, including McAfee’s efforts and results. You can find them here:
MSRC Blog
Azure Sphere Core Team Blog
What is the Azure Sphere Security Research Challenge?
At the end of May, Microsoft launched a new program for its Azure Sphere platform. Azure Sphere is a hardened IoT device platform with a secure connection to the cloud; it has been developed over recent years and became generally available in early 2020. Microsoft designed and built it from the ground up so that every aspect of its security model is as robust as possible. To put that claim to the test, Microsoft invited a number of selected partners and hackers to do their best to defeat its security measures.
The Azure Sphere team designed several scenarios that exercise the platform’s security model and that qualify for increased payouts compared with the regular Azure Bug Bounty program. These scenarios range from bypassing specific security measures to executing code in the secure hardware core of the device.
Specific research scenarios of the Azure Sphere Security Research Challenge.
Why was ATR included in the program?
There are several reasons why we were interested in participating in this program. First, the Azure Sphere platform is an exciting new research target for security researchers, developed from scratch with security in mind. It shows what the IoT space may look like in the coming years, as legacy platforms are phased out. By staying at the forefront of what is being done in the IoT space, we ensure that our research remains relevant and that we are ready to take on new challenges in the future. Second, by finding critical bugs in this new platform, we help make it safer and do our part to make the Internet of Things more resilient to cyber threats. Finally, since this is a bug bounty program, we decided from the outset to donate all the awards to good causes, using our expertise to contribute to the well-being of our local communities and to support issues that go beyond the technology sector.
Results
As a result of our research, we reported many bugs to Microsoft that were classified as important or critical:
- Important – Security Feature Bypass ($3,300): By including a symbolic link in an application package, it is possible to point to files outside the mount point of the application package.
- Critical – RCE ($48,000): Including a symbolic link in an application package allows direct interaction with part of the flash memory, which ultimately leads to the modification of critical system files and their subsequent exploitation.
- Important – EoP ($11,000): Multiple bugs in the way uid_map files are handled allow elevation to the privileges of system users.
- Important – EoP ($11,000): A user with system privileges can trick the application manager into unmounting azcore and mounting an unauthorized binary in its place. When a core dump of the current process is executed, the unauthorized binary runs with full root capabilities and privileges because of privilege mishandling in the LSM.
- Critical – EoP ($48,000): Additional issues in how azcore drops its privileges lead to a complete bypass of Azure Sphere’s capability restrictions.
- Critical – EoP ($48,000): Due to weak certificate management, a device can be re-claimed against the Azure Sphere Pre-Prod server to obtain a valid capability file that also works in the Prod environment. This capability file can be used to re-enable application development mode on a finalized device (one already claimed by a third party). Physical access to the device is required to apply the capability file.
Conclusion
This challenge was an excellent opportunity to look at a new platform on which little research has been done so far, while staying in the familiar territory of ARM devices running a hardened Linux operating system.
Thanks to the bugs we found, we were able to build a full chain from a locked device to access with root privileges. However, the Azure Sphere platform has many more security features, such as remote attestation and a hardware security core, that still stand.
Finally, we would like to thank Microsoft for the opportunity to participate in this exciting program and for the rewards.