突破 Azure 服务中的托管身份壁垒.pdf

1、#BHASIA BlackHatEventsBreaking Managed Iden-ty Breaking Managed Iden-ty Barriers in Azure ServicesBarriers in Azure ServicesDavid Fiser,Nitesh Surana#BHASIA BlackHatEvents From Sikkim,India Senior Threat Researcher(Cloud)Presented at Black Hat USA,HITB,HackInParis.VulnerabiliBes in cloud services vi

2、a Zero Day IniBaBve X:_niteshsurana|Web:#BHASIA BlackHatEvents#BHASIA BlackHatEventsThe ArtAzure FunctionsAzure Machine LearningManaged Identities#BHASIA BlackHatEventsThe Ar(sts#BHASIA BlackHatEventsEPISODE I:Azure Functions#BHASIA BlackHatEventsAzure Func(ons Serverless plaNorm User code inside CS

3、P#BHASIA BlackHatEventsAzure Functions Running user codeAny user code!?import azure.functions as funcimport osdef main(req:func.HttpRequest)-func.HttpResponse:val=req.params.get(msg)return check_output(echo 0.format(val),shell=True)#BHASIA BlackHatEventsAzure Functions AuthenBcaBon Triggers#BHASIA B

4、lackHatEventsResearch Simulation of compromise Analysis of environment Configuration changes#BHASIA BlackHatEventsAuthentication Tokens Client certificate Custom logic#BHASIA BlackHatEventsTriggers HTTP(s)request Events#BHASIA BlackHatEventsTimeouts4.5 m5 m#BHASIA BlackHatEventsEnvironment analysis

5、whoami mount,capsh env#BHASIA BlackHatEventsEnvironment variables Popular pracBce in DevOps OWen stores secrets References as a!VAULT!#BHASIA BlackHatEventsEnvironment variables Fundamentalsunless a new table passed as arguments#BHASIA BlackHatEvents#BHASIA BlackHatEventsIs this some debugger magic?

6、Environment variableshttps:/ BlackHatEventsAzureWebJobsStorageCONTAINER_ENCRYPTION_KEYCONTAINER_START_CONTEXT_SAS_URI#BHASIA BlackHatEventsAzureWebJobsStorageAzure FunctionStorage Accountsource code#BHASIA BlackHatEvents encryptedContext:Lk8nHZ/2m+6TGuK0pfhtNA=./cYdq+AnpWjICTECMSDgT5SsgFPGm6ouZFtlY7