I'm In Your Cloud... Pwning Your Azure Environement
Conference: Defcon 27
2019-08-01
Summary
The presentation discusses the vulnerabilities and privileges of Azure environment and how attackers can gain access to it. It also explores the differences between on-premise and cloud security.
- Introduction to Azure AD and its architecture
- Compromising Azure AD Sync and vulnerabilities
- Cloud roles and privileges
- Backdooring Azure AD with service accounts
- Azure Resource Manager and its connection to Azure AD
- Integrations and Azure DevOps
- Importance of securing cloud environment
Abstract
After having compromised on-premise for many years, there is now also the cloud! Now your configuration mistakes can be accessed by anyone on the internet, without that fancy next-gen firewall saving you. With this talk I’ll share my current research on Azure privileges, vulnerabilities and what attackers can do once they gain access to your cloud, or how they can abuse your on-premise cloud components. We start with becoming Domain Admin by compromising Azure AD Sync, sync vulnerabilities that allow for Azure admin account takeover and insecure Single Sign On configurations. Up next is cloud roles and privileges, backdooring Azure AD with service accounts, escalating privileges as limited admin and getting past MFA without touching someone's phone. Then we finish with cloud integrations, also known as "how a developer can destroy your whole infrastructure with a single commit": Exploring Azure DevOps, backdooring build pipelines, dumping credentials and compromising Azure Resource Manager through connected services. Besides all the fun we'll also look into how this translates into the questions you should ask yourself before moving things to the cloud and how this differs from on-premise.
Materials:
Tags: