From listKeys to Glory: Abusing Azure Storage Account Keys

We discussed this vulnerability during Episode 205 on 24 April 2023

Orca Security presents a privilege escalation method in Azure environments. It's nothing too crazy, but at least worth taking note of. The first concept to understand is Azure Storage Account keys: when you first create a storage account, by default Azure generates a couple of 512-bit storage account access keys that can be used to access the account. While that is the default behavior, the security best practice is to disable shared key access and use Azure AD authorization instead.

So, what's the danger? Well, besides the fact that it is simply a key that gives complete access, it's rather easy to mistakenly allow access to reading these keys. They point out that the Storage Account Contributor role exists and has access to listKeys but no access to any data actions, so you might believe it's a sort of "read-only" access. It is not: listKeys can list the storage account access keys, so an attacker could use such a key to perform any data actions they want.

From there it's a matter of finding a useful target. They point out that Azure Functions will create a dedicated storage account to store their source code, so with the listKeys permission one could modify the source code of a Function, gaining code execution with the Function's privileges.

It does have a few dependencies, but nothing that seems terribly unlikely if you find yourself in such a position. This is a vulnerable design and not something Microsoft intends to patch.
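A defender-side audit for the two conditions described above (roles that grant listKeys, and storage accounts that still accept shared keys), as an added example that is not from Orca's write-up. It assumes role definitions and storage accounts were exported to JSON with `permissions`/`actions`/`notActions` and `allowSharedKeyAccess` fields; the sample data, account names and the custom role are constructed.

```python
import re

LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"

def _matches(pattern, action):
    # Azure RBAC action patterns: '*' matches any run of characters, case-insensitive.
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def grants_list_keys(role):
    """True if a permission block allows listKeys and does not exclude it via notActions."""
    for perm in role.get("permissions", []):
        allowed = any(_matches(p, LIST_KEYS) for p in perm.get("actions", []))
        denied = any(_matches(p, LIST_KEYS) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False

def audit(roles, accounts):
    """Return (roles able to read account keys, accounts still accepting shared keys)."""
    risky_roles = [r["roleName"] for r in roles if grants_list_keys(r)]
    # An unset (None) allowSharedKeyAccess means shared key auth is still enabled.
    key_accounts = [a["name"] for a in accounts
                    if a.get("allowSharedKeyAccess") is not False]
    return risky_roles, key_accounts

# Constructed sample data (trimmed; assumed export shape, not real tenant output).
SAMPLE_ROLES = [
    {"roleName": "Storage Account Contributor",
     "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/*"],
                      "notActions": [], "dataActions": []}]},
    {"roleName": "Reader",
     "permissions": [{"actions": ["*/read"], "notActions": [], "dataActions": []}]},
    {"roleName": "Custom Storage Operator (hypothetical)",
     "permissions": [{"actions": ["Microsoft.Storage/*"],
                      "notActions": [LIST_KEYS], "dataActions": []}]},
]
SAMPLE_ACCOUNTS = [
    {"name": "funcappstorage01", "allowSharedKeyAccess": None},
    {"name": "datalake02", "allowSharedKeyAccess": False},
]

if __name__ == "__main__":
    roles, accounts = audit(SAMPLE_ROLES, SAMPLE_ACCOUNTS)
    print("Roles that can list storage account keys:", roles)
    print("Accounts with shared key access enabled:", accounts)
```

A role with an empty `dataActions` list still shows up here when a wildcard in `actions` covers listKeys, which is the "looks read-only" trap the post describes.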