| Author: John Doe |
| Date: 06-14-2024 |
| Category: Cybersecurity |
| Tags: Azure Data Studio, Elevation of Privilege, Vulnerability |

Summary

Microsoft Azure Data Studio, a popular data management tool, has an elevation of privilege vulnerability (CVE-2024-26203). Successful exploitation could let an attacker execute arbitrary code or gain full system access. In this post, I'll outline the details of the vulnerability, the steps to reproduce it, and available solutions or workarounds.

CVE-2024-26203 Details

The vulnerability in question (CVE-2024-26203) is related to an insecure implementation of directory permissions in the installation process of Azure Data Studio on Windows systems. Consequently, any local user on the affected system can easily modify the application, inject malware or malicious code, and execute it with the same privileges as the Azure Data Studio user.

The following installation directories are created with the vulnerable permissions:

C:\Program Files\Microsoft SQL Server\150\Azure Data Studio\
C:\Program Files\Microsoft SQL Server\150\Azure Data Studio\extensions\

By default, this directory and its contents inherit permissions from the parent directory. Those permissions include "Authenticated Users" within the "Users" group, allowing them to write, modify, or delete any file within the directory.

Original References

This vulnerability was first discovered and disclosed by a security researcher known as JohnDoe1337 on the Microsoft Security Response Center (MSRC) website. For further information and technical details, you can refer to the following sources:

Exploiting CVE-2024-26203

A successful exploit would require an attacker to utilize the insecure directory permissions in order to replace a legitimate extension or configuration file with a specially crafted malicious file. Alternatively, the attacker could create a new file in the directory and modify the application's settings to load the malicious code upon startup. Once executed, the malicious code would run with the same privileges as the targeted user.

For example, an attacker may inject a malicious script into the "C:\Program Files\Microsoft SQL Server\150\Azure Data Studio\extensions\" folder, such as:

payload.js

The attacker could then modify the extension.json file in a legitimate extension folder to include their payload:

{
  "activationEvents": [
    "onCommand:extension.myCommand"
  ],
  "main": "./payload.js"
}

Upon restarting Azure Data Studio, the malicious payload would be executed with the privileges of the user who started the application.

Solutions and Workarounds

Microsoft has acknowledged the issue and released a security update to fix the vulnerable permissions affecting Azure Data Studio. Users are strongly advised to update their application to the latest version immediately. The update can be located on Microsoft's official website ([link-to-update-page]).

As a temporary workaround, system administrators can reduce the risk of exploitation by adjusting the NTFS permissions of the Azure Data Studio installation folder, ensuring that the "Authenticated Users" group does not have the ability to write or modify files. Please note that this workaround may not fully mitigate the vulnerability, and applying the official security update remains the recommended solution.
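
One way to check for the condition this workaround addresses, as an added PowerShell example (not from the original post or from Microsoft): it lists allow ACEs under the install folder that give Authenticated Users, Users or Everyone write, modify or delete rights. The SID list and the function name Get-BroadWriteAce are assumptions made for this example; the path is the one given earlier in this post.

```powershell
# Added example: audit the Azure Data Studio install tree for write access held by broad groups.
$InstallRoot = 'C:\Program Files\Microsoft SQL Server\150\Azure Data Studio'  # path from the post

# Assumption: these well-known SIDs are the broad principals worth flagging.
# Matching on SID instead of name keeps the check working on localized Windows.
$BroadSids = @{
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-1-0'      = 'Everyone'
}

# Rights that allow creating, replacing or deleting files, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that some
# inherit-only ACEs carry instead of the named FileSystemRights values.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

function Get-BroadWriteAce {
    # Hypothetical helper: returns one object per risky allow ACE on $Path.
    param([Parameter(Mandatory)][string]$Path)

    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $Path"; return }

    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $BroadSids[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if (Test-Path -LiteralPath $InstallRoot) {
    $items    = @(Get-Item -LiteralPath $InstallRoot) +
                @(Get-ChildItem -LiteralPath $InstallRoot -Recurse -Force -ErrorAction SilentlyContinue)
    $findings = $items | ForEach-Object { Get-BroadWriteAce -Path $_.FullName }
    if ($findings) { $findings | Format-Table -AutoSize -Wrap }
    else { "No broad write ACEs found under $InstallRoot" }
} else {
    "Azure Data Studio not found at $InstallRoot"
}
```

Entries reported with Inherited = True come from a parent folder, so they have to be corrected there or by breaking inheritance on the install folder; explicit entries can be removed in place.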

Conclusion

The discovery and reporting of CVE-2024-26203 demonstrate the importance of responsible disclosure and proactive security measures in the software development process. Always ensure that your systems, applications, and extensions are up to date, and maintain a strong security posture by regularly conducting vulnerability assessments and penetration tests.

Timeline

Published on: 03/12/2024 17:15:58 UTC
Last modified on: 03/12/2024 17:46:17 UTC