Find and list Unsecured Azure Storage Blobs

Unsecured cloud storage are often the cause of breaches. It regularly makes the headlines when an Amazon S3 bucket is found with public access and contains tens of thousands or even  millions of records including PII (Personally Identifiable Information) such as addresses, phone numbers and email addresses. The same problem can beset Azure, or I guess, any cloud platform, and while defaults have improved it is still a common misconfiguration that can lead to a breach.  Recently I found myself needing to examine some Azure storage to check for misconfigured public access on some Azure storage accounts. A colleague suggested a script he'd come across Invoke-EnumerateAzureBlobs (thanks Stephen). The PowerShell script can be used to find storage accounts and then enumerate files within that storage account if the permissions allow it. The original article can be found here and the github repo here. I would recommend reading the original post. 

On this occasion I used the this tool and then use Burp Suite Pro to take it a little further. 

I started by using Invoke-EnumerateAzureBlobs to look for the target base name. 

As can be seen from the output above the storage account is found. The -Permutations option allows you to specify a file that contains a list of prefix/suffix that can be used to try to enumerate storage accounts by adding to the Base word then using DNS brute forcing. 
If you supply an Azure Search API key it will use it to search for storage accounts and containers that have been indexed. 
The -Folders option is used to give a list of container names to try with the storage accounts that are found.  As can be seen in the listing above on lines 19-22 a storage account is found and a container called container1. There are two files within the container but for some reason the names don't appear in the output. It's easy to correct this by pasting the URL shown at line at 22 into a browser or by using curl. 

Using an xmllint and an XPath query I get the file names in the storage account. This only works because the storage account has Container public access configured.

In the next example I changed the public access level to Blob. This does not allow Listing of the resources in the container but if you can guess the names of the files inside you can still access them unrestricted.

If I try to list the container now I get an error.


If I know the name of the resource I can still access it.


Using Burp Suite Pro send a request to Intruder and use and configure the payload positions as shown.
Creating a list of both filenames and file extensions for use in the payload positions. Here the filename will be replaced by each name in the list.
Next a list of file extensions for payload position 2.

Because this is Burp Intruder in cluster bomb mode each request for a payload in position 1 is undertaken with all of the payloads in position 2 in turn. The affect is that every filename is tried with every possible file extension. If we had not known the container name from the first example we could extend this technique to try a list of containers as well. 
Each time a status code 200 shows a file was found. If you are using Blob storage on Azure always ensure that the public access permissions are set appropriately and keep monitoring your own storage accounts for changes in public access. 
$accountName = "test1012"
$rgName = "test-store"
$storageAccount = Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName
$ctx = $storageAccount.Context
Get-AzStorageContainer -Context $ctx | Select-Object Name, PublicAccess -OutVariable strgAccResult
Name PublicAccess ------- --------------- container1 Blob PS /Users/andrewratcliffe/PowerShell Scripts>


I have heard it said recently there are few uses for the cluster bomb mode of Intruder but I have often found it be useful. 

Comments

Post a Comment

Popular posts from this blog

Squid Proxy with SOF-ELK Part 1

Image
In this post I wanted show how a Squid Proxy could be used with OpenDNS to provide a simple but effective security for home  or small business. This blog post was inspired by the SANS course SEC530 Security Architecture & Engineering  which leads to the GIAC Defensible Security Architecture (GDSA) certification. This is a great course for anyone looking to develop and improve their 'full stack' defensive posture.  Monitoring is by courtesy of SOF-ELK , one of the many tools by those nice people at SANS .  SOF-ELK is used in a few SANS course including FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response ,  and SEC555 SIEM with Tactical Analytics . OpenDNS Enterprise is now Cisco Umbrella , however, the OpenDNS Home service is available for free and small businesses can use the Prosumer services for a modest fee. The fist step is to install a CentOS 7 minimal and then apply the latest updates. In order to use the OpenDNS Home service I inst
Read more

Netflow analysis with SiLK - Part 1 Installation

Image
About netsa SiLK SiLK provides a way to capture netflow and interrogate flow data. It can be used for a variety of purposes including situational awareness, forensics and anomaly detection. Installing SiLK Prerequisites Before installing SiLK examine the perquisites for the build. I’m using CentOS 6.3 minimal install with a virtual machine disk of 100GB in total with a separate partition for /data of about 60GB. The virtual machine will be allocated 4GB of RAM and 2 virtual processors. Configure the network settings for your lab environment. In order to use YUM for installing software the the lab system will require access to the Internet. Download the following source code files from the netsa CERT project home page libfixbuf-1.2.0.tar.gz netsa-python-1.3.tar.gz silk-2.5.0.tar.gz yaf-2.3.2.tar.gz Copy the required packages to the /usr/local/src directory. If you are using scp to copy over the packages dont’ forget ‘yum install openssh-clients’ first on the serv
Read more

CI/CD Pipeline Security & Shifting Left

Image
Recently I have been doing far more AppSec work in Agile, Lean environment. I also took the SANS SEC 540 course Cloud Security and DevSecOps Automation  which has lots of really great exercises but I like to try to create some of my own examples.  In this one I wanted to create a CI/CD (Continuous Integration/Delivery) pipeline that integrates Static Analysis Software Testing (SAST) and Software Composition Analysis (SCA) and finally some Postman testing of API endpoints that include negative test (more on this later). To start with I needed some example code so I found an example and adapted it to my own needs. The code along with the other supporting files like the Jenkinsfile can found on my GitHub under Planetary-API . Please note, I don't claim to be the best coder in the world :-) I chose an API partly for simplicity of the examples and partly because there are things I wanted to explore further later in terms of bearer authentication and the use of JWTs (for another project
Read more