high

Azure Function Apps privilege escalation

Published Thu, Mar 23rd, 2023

Platforms

azure

Summary

Undocumented APIs used by the Azure Function Apps Portal could have allowed an attacker who already held the Reader role on a Function App to escalate their privileges and gain write permissions via arbitrary file reads on Function App containers. For Windows containers, this would only have let an attacker extract ASP.NET encryption keys (the impact of which remains unclear), but for Linux containers it would have allowed an attacker to read environment variables containing information that ultimately granted access to Function master keys. This in turn would have allowed overwriting Function App code and gaining remote code execution within the container.

Affected Services

Azure Function Apps

Remediation

None required.

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/mer-b

Entry Status

Finalized

Disclosure Date

Tue, Aug 2nd, 2022

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Karl Fosaaen, NetSPI