diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md index 79152797d3..9c0822272f 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md 
@@ -10,7 +10,94 @@ For more information check: ../az-services/az-servicebus-enum.md {{#endref}} -### Send Messages. Action: `Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action` OR `Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action` +### Microsoft.ServiceBus/namespaces/authorizationrules/listKeys/action OR Microsoft.ServiceBus/namespaces/authorizationrules/regenerateKeys/action + +These permissions allow you to get or regenerate the keys for local authorization rules within a Service Bus namespace. Using this keys is possible to authenticate as the Service Bus namespace, enabling you to send messages to any queue or topic, receive messages from any queue or subscription, or potentially interact with the system in ways that could disrupt operations, impersonate valid users, or inject malicious data into the messaging workflow. + +Note that by default the **`RootManageSharedAccessKey` rule has full control** over the Service Bus namespace and it's used by the `az` cli, however, other rules with other key values may exist. 
+ +```bash +# List keys +az servicebus namespace authorization-rule keys list --resource-group --namespace-name --authorization-rule-name RootManageSharedAccessKey [--authorization-rule-name RootManageSharedAccessKey] + +# Regenerate keys +az servicebus namespace authorization-rule keys renew --key [PrimaryKey|SecondaryKey] --resource-group --namespace-name [--authorization-rule-name RootManageSharedAccessKey] +``` + +### Microsoft.ServiceBus/namespaces/AuthorizationRules/write + +With this permission it's possible to **create a new authorization rule** with all permissions and its own keys with: + +```bash +az servicebus namespace authorization-rule create --authorization-rule-name "myRule" --namespace-name mynamespacespdemo --resource-group Resource_Group_1 --rights Manage Listen Send +``` + +>[!WARNING] +>This command doesn't respond with the keys, so you need to get them with the previous commands (and permissions) in order to escalate privileges. + +Moreover, with that command (and `Microsoft.ServiceBus/namespaces/authorizationRules/read`) if you perform this action through the Azure CLI, it's possible to update an existing authorization rule and give it more permissions (in case it was lacking some) with the following command: + +```bash +az servicebus namespace authorization-rule update \ + --resource-group \ + --namespace-name \ + --name RootManageSharedAccessKey \ + --rights Manage Listen Send +``` + +### Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/ListKeys/action OR Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/regenerateKeys/action + +Specific topics and queues inside a Service Bus namespace can have their own authorization rules, which can be used to control access to the entity. 
By having these permissions, you can **retrieve or regenerate the keys for these local authorization rules**, enabling you to authenticate as the entity and potentially send or receive messages, manage subscriptions, or interact with the system in ways that could disrupt operations, impersonate valid users, or inject malicious data into the messaging workflow. + +```bash +# List keys (topics) +az servicebus topic authorization-rule keys list --resource-group --namespace-name --topic-name --name + +# Regenerate keys (topics) +az servicebus topic authorization-rule keys renew --key [PrimaryKey|SecondaryKey] --resource-group --namespace-name --topic-name --name + +# List keys (queues) +az servicebus queue authorization-rule keys list --resource-group --namespace-name --queue-name --name + +# Regenerate keys (queues) +az servicebus queue authorization-rule keys renew --key [PrimaryKey|SecondaryKey] --resource-group --namespace-name --queue-name --name +``` + +### Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/write + +With this permission it's possible to **create a new authorization rule** with all permissions and its own keys with: + +```bash +# In a topic +az servicebus topic authorization-rule create --resource-group --namespace-name --topic-name --name --rights Manage Listen Send + +# In a queue +az servicebus queue authorization-rule create --resource-group --namespace-name --queue-name --name --rights Manage Listen Send +``` + +>[!WARNING] +>This command doesn't respond with the keys, so you need to get them with the previous commands (and permissions) in order to escalate privileges. 
+ +Moreover, with that command (and `Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/read`) if you perform this action through the Azure CLI, it's possible to update an existing authorization rule and give it more permissions (in case it was lacking some) with the following command: + +```bash +# In a topic +az servicebus topic authorization-rule update --resource-group --namespace-name --topic-name --name --rights Manage Listen Send + +# In a queue +az servicebus queue authorization-rule update --resource-group --namespace-name --queue-name --name --rights Manage Listen Send +``` + +### Microsoft.ServiceBus/namespaces/write (& Microsoft.ServiceBus/namespaces/read if az cli is used) + +With these permissions **an attacker can re-enable "local authentication"** with the following command and therefore all the keys from sahred policies will work. + +```bash +az servicebus namespace update --disable-local-auth false -n --resource-group +``` + + +### Send Messages with keys (Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action OR Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action) You can retrieve the `PrimaryConnectionString`, which acts as a credential for the Service Bus namespace. With this connection string, you can fully authenticate as the Service Bus namespace, enabling you to send messages to any queue or topic and potentially interact with the system in ways that could disrupt operations, impersonate valid users, or inject malicious data into the messaging workflow. 
@@ -83,7 +170,7 @@ print("----------------------------") ``` -### Recieve Messages. Action: `Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action` OR `Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action` +### Recieve with keys (Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action OR Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action) You can retrieve the PrimaryConnectionString, which serves as a credential for the Service Bus namespace. Using this connection string, you can receive messages from any queue or subscription within the namespace, allowing access to potentially sensitive or critical data, enabling data exfiltration, or interfering with message processing and application workflows. @@ -131,17 +218,7 @@ print("Message Receiving Completed") print("----------------------------") ``` -### `Microsoft.ServiceBus/namespaces/authorizationRules/read` & `Microsoft.ServiceBus/namespaces/authorizationRules/write` - -If you have these permissions, you can escalate privileges by reading or creating shared access keys. These keys allow full control over the Service Bus namespace, including managing queues, topics, and sending/receiving messages, potentially bypassing role-based access controls (RBAC). -```bash -az servicebus namespace authorization-rule update \ - --resource-group \ - --namespace-name \ - --name RootManageSharedAccessKey \ - --rights Manage Listen Send -``` ## References diff --git a/src/pentesting-cloud/azure-security/az-services/az-servicebus-enum.md b/src/pentesting-cloud/azure-security/az-services/az-servicebus-enum.md index c6b54864a9..f70dd4beac 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-servicebus-enum.md +++ b/src/pentesting-cloud/azure-security/az-services/az-servicebus-enum.md 
@@ -54,18 +54,6 @@ sku, authrorization rule, {{#tabs }} {{#tab name="az cli" }} ```bash -# Queue Enumeration -az servicebus queue list --resource-group --namespace-name -az servicebus queue show --resource-group --namespace-name --name - -# Topic Enumeration -az servicebus topic list --resource-group --namespace-name -az servicebus topic show --resource-group --namespace-name --name - -# Susbscription Enumeration -az servicebus topic subscription list --resource-group --namespace-name --topic-name -az servicebus topic subscription show --resource-group --namespace-name --topic-name --name - # Namespace Enumeration az servicebus namespace list az servicebus namespace network-rule-set list --resource-group --namespace-name @@ -79,6 +67,23 @@ az servicebus namespace authorization-rule list --resource-group --namespace-name --queue-name az servicebus topic authorization-rule list --resource-group --namespace-name --topic-name az servicebus namespace authorization-rule keys list --resource-group --namespace-name --name + +# Get keys +az servicebus namespace authorization-rule keys list --resource-group --namespace-name [--authorization-rule-name RootManageSharedAccessKey] +az servicebus topic authorization-rule keys list --resource-group --namespace-name --topic-name --name +az servicebus queue authorization-rule keys list --resource-group --namespace-name --queue-name --name + +# Queue Enumeration +az servicebus queue list --resource-group --namespace-name +az servicebus queue show --resource-group --namespace-name --name + +# Topic Enumeration +az servicebus topic list --resource-group --namespace-name +az servicebus topic show --resource-group --namespace-name --name + +# Susbscription Enumeration +az servicebus topic subscription list --resource-group --namespace-name --topic-name +az servicebus topic subscription show --resource-group --namespace-name --topic-name --name ``` {{#endtab }}
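Review bot: In az-servicebus-privesc.md, hunk `@@ -10,7 +10,94 @@`, the "# List keys" command passes `--authorization-rule-name RootManageSharedAccessKey` and then repeats it as the optional `[--authorization-rule-name RootManageSharedAccessKey]`; keep one form, matching the "# Regenerate keys" line below it. The namespace-level `authorization-rule update` example targets `RootManageSharedAccessKey`, which the note earlier in the same hunk says already has full control by default, so it does not illustrate giving a rule rights it lacked; a placeholder rule name would fit the text better. Wording to fix while here: "Using this keys is possible" should be "Using these keys it is possible", "sahred" should be "shared", "with that command (and `.../authorizationRules/read`)" should read "with that permission", and the new headings mix `authorizationrules`, `AuthorizationRules` and `authorizationRules` as well as `listKeys` and `ListKeys`.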
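Review bot: In az-servicebus-privesc.md, hunk `@@ -83,7 +170,7 @@`, the renamed heading still misspells "Recieve" and drops "Messages", so it no longer parallels "### Send Messages with keys (...)" added in the previous hunk. Suggest "### Receive Messages with keys (...)" with the same permission list.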
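Review bot: In az-servicebus-privesc.md, hunk `@@ -131,17 +218,7 @@`, the removed read & write section stated that shared access keys potentially bypass role-based access controls (RBAC), and none of the replacement sections added in the first hunk carry that point over; only the `authorization-rule update` command was moved. Consider adding one sentence on this to the new `Microsoft.ServiceBus/namespaces/AuthorizationRules/write` section so the point is not lost.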
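Review bot: In az-servicebus-enum.md, hunk `@@ -79,6 +67,23 @@`, the first line under the new "# Get keys" comment repeats the namespace `authorization-rule keys list` command that sits directly above it as unchanged context, and the two spell the rule flag differently (`--name` versus `[--authorization-rule-name RootManageSharedAccessKey]`). Drop one of the two lines and use a single flag form. The re-added block also carries over the "# Susbscription Enumeration" typo; since these lines are being moved anyway, fix it to "Subscription".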