Merge pull request #112 from JaimePolop/patch-13
Create az-queue-privesc.md
Showing 1 changed file with 118 additions and 0 deletions.
pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md
@@ -0,0 +1,118 @@ | ||
# Az - Queue Privesc | ||
|
||
{% hint style="success" %} | ||
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="line">\ | ||
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte) | ||
|
||
<details> | ||
|
||
<summary>Support HackTricks</summary> | ||
|
||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! | ||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** | ||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. | ||
|
||
</details> | ||
{% endhint %} | ||
|
||
## Queue | ||
|
||
For more information check: | ||
|
||
{% content-ref url="../az-services/az-queue-enum.md" %} | ||
[az-queue-enum.md](../az-services/az-queue-enum.md) | ||
{% endcontent-ref %} | ||
|
||
### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/read` | ||
|
||
An attacker with this permission can peek messages from an Azure Storage Queue. This allows the attacker to view the content of messages without marking them as processed or altering their state. This could lead to unauthorized access to sensitive information, enabling data exfiltration or gathering intelligence for further attacks. | ||
|
||
{% code overflow="wrap" %} | ||
```bash | ||
az storage message peek --queue-name <queue_name> --account-name <storage_account> | ||
``` | ||
{% endcode %} | ||
|
||
**Potential Impact**: Unauthorized access to the queue, message exposure, or queue manipulation by unauthorized users or services. | ||
|
||
### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action` | ||
|
||
With this permission, an attacker can retrieve and process messages from an Azure Storage Queue. This means they can read the message content and mark it as processed, effectively hiding it from legitimate systems. This could lead to sensitive data being exposed, disruptions in how messages are handled, or even stopping important workflows by making messages unavailable to their intended users. | ||
|
||
{% code overflow="wrap" %} | ||
```bash | ||
az storage message get --queue-name <queue_name> --account-name <storage_account> | ||
``` | ||
{% endcode %} | ||
|
||
### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action` | ||
|
||
With this permission, an attacker can add new messages to an Azure Storage Queue. This allows them to inject malicious or unauthorized data into the queue, potentially triggering unintended actions or disrupting downstream services that process the messages. | ||
|
||
{% code overflow="wrap" %} | ||
```bash | ||
az storage message put --queue-name <queue-name> --content "Injected malicious message" --account-name <storage-account> | ||
``` | ||
{% endcode %} | ||
|
||
### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/write` | ||
|
||
This permission allows an attacker to add new messages or update existing ones in an Azure Storage Queue. By using this, they could insert harmful content or alter existing messages, potentially misleading applications or causing undesired behaviors in systems that rely on the queue. | ||
|
||
{% code overflow="wrap" %} | ||
```bash | ||
az storage message put --queue-name <queue-name> --content "Injected malicious message" --account-name <storage-account> | ||
|
||
#Update the message | ||
az storage message update --queue-name <queue-name> \ | ||
--id <message-id> \ | ||
--pop-receipt <pop-receipt> \ | ||
--content "Updated message content" \ | ||
--visibility-timeout <timeout-in-seconds> \ | ||
--account-name <storage-account> | ||
``` | ||
{% endcode %} | ||
|
||
### Action: `Microsoft.Storage/storageAccounts/queueServices/queues/write` | ||
|
||
This permission allows an attacker to create or modify queues and their properties within the storage account. It can be used to create unauthorized queues, modify metadata, or change access control lists (ACLs) to grant or restrict access. This capability could disrupt workflows, inject malicious data, exfiltrate sensitive information, or manipulate queue settings to enable further attacks. | ||
|
||
{% code overflow="wrap" %} | ||
```bash | ||
az storage queue create --name <new-queue-name> --account-name <storage-account> | ||
|
||
az storage queue metadata update --name <queue-name> --metadata key1=value1 key2=value2 --account-name <storage-account> | ||
|
||
az storage queue policy set --name <queue-name> --permissions rwd --expiry 2024-12-31T23:59:59Z --account-name <storage-account> | ||
``` | ||
{% endcode %} | ||
|
||
### Actions: `Microsoft.Storage/storageAccounts/queueServices/queues/setAcl/action` | ||
|
||
With this permission, an attacker can modify the access control list (ACL) of an Azure Storage Queue, that can be used with shared access signatures. This allows them to grant or revoke permissions for other users or services, potentially enabling unauthorized access or blocking legitimate access to the queue. Such actions could disrupt workflows, lead to unauthorized data exposure, or allow malicious actors to misuse the queue. | ||
|
||
{% code overflow="wrap" %} | ||
```bash | ||
az storage queue policy create \ | ||
--queue-name <QUEUE_NAME> \ | ||
--account-name <STORAGE_ACCOUNT_NAME> \ | ||
--account-key <STORAGE_ACCOUNT_KEY> \ | ||
--name <POLICY_NAME> \ | ||
--permission <PERMISSIONS> \ | ||
--start <START_TIME> \ | ||
--expiry <EXPIRY_TIME> | ||
``` | ||
{% endcode %} | ||
|
||
## References | ||
|
||
* https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues | ||
* https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api | ||
* https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes | ||
|
||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! | ||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** | ||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. | ||
|
||
</details> | ||
{% endhint %} |
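Review bot: every `az storage` data-plane command in this hunk authenticates with nothing but `--account-name`, so the CLI falls back to fetching the account key through the management-plane `listKeys` action, which is not the permission each section claims to demonstrate; add `--auth-mode login` to the `az storage message peek`, `get`, `put` and `update` lines and to the `az storage queue create` / `metadata update` lines so that each command actually runs under the listed DataAction, and drop `--account-key <STORAGE_ACCOUNT_KEY>` from the `setAcl/action` example, because a principal that already holds the account key does not need that action at all. Three smaller points. First, `az storage queue policy set --name <queue-name> --permissions rwd ...` in the `queues/write` block is not a subcommand: the `az storage queue policy` group offers `create`, `update`, `show`, `list` and `delete`, `--name` there is the policy name and the queue is passed as `--queue-name` (as the later block does correctly), and since stored access policies are what the page's own `setAcl/action` section covers, that line and the sentence about changing "access control lists (ACLs)" belong in that section rather than under `queues/write`. Second, `az storage message update` requires `--id`, `--pop-receipt` and `--visibility-timeout`, and a pop receipt is only returned by `az storage message get` (that is, `messages/process/action`), never by `peek`; so `messages/write` alone lets an attacker add messages but not rewrite existing ones, and the `messages/write` text should say that updating needs `process/action` as well. Third, the closing footer (the three `*` bullets followed by `</details>` and `{% endhint %}`) has no matching `{% hint style="success" %}`, `<details>` and `<summary>` opening lines, so GitBook will not render it; either paste the full footer block used at the top of the file or remove those lines.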