Mistaken Identity: Extracting Managed Identity Credentials from Azure Function Apps 

Researchers found that Azure Linux Function Apps stored an encrypted startup context in Azure Storage while the Storage SAS URL and decryption key were available in container environment variables, allowing an attacker with command execution to decrypt the context and extract managed identity certificates. Using the extracted PFX certificates, an attacker could authenticate as the Managed Identity and persist; Microsoft has since encrypted the MSI payload and addressed the issue. #AzureFunctionApps #ManagedIdentity

Keypoints

  • Linux-based Azure Function Apps use an encrypted startup context file hosted in an Azure Storage Account and referenced by a SAS URL.
  • The container environment exposes CONTAINER_ENCRYPTION_KEY and CONTAINER_START_CONTEXT_SAS_URI, which can be read by processes with access to container environment variables.
  • Attackers able to execute commands in the container can download and AES-decrypt the startup context using the env vars to reveal sensitive data, including Function App keys.
  • The decrypted startup context contained an MSISpecializationPayload with Base64-encoded certificates for attached Managed Identities that can be exported as PFX files and used to authenticate as those identities.
  • Using the extracted certificate, researchers authenticated with Connect-AzAccount as the Managed Identity (valid account), enabling persistence and broader access within the tenant.
  • Microsoft responded by encrypting the MSI payload (renamed EncryptedTokenServiceSpecializationPayload) and removing the decryption key from the user container; however, the startup-context decryption technique still exposes Function App keys if container code execution is achieved.

MITRE Techniques

  • [T1552.001] Credentials in Files: Local files – Accessed container environment via proc filesystem to retrieve secrets: ‘…environmental variables (/proc/self/environ)…’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Executed a PowerShell function inside the container to fetch and AES-decrypt the startup context: ‘…anyone with the ability to execute commands in the container…’
  • [T1078] Valid Accounts – Used the exported certificate to authenticate as the Managed Identity via Az PowerShell: ‘…were then able to use the certificate to authenticate to the Az PowerShell module as the Managed Identity.’
  • [T1537] Transfer Data to Cloud Account (or similar exfiltration to cloud storage) – Retrieved the encrypted startup blob from a SAS URL in Azure Storage (CONTAINER_START_CONTEXT_SAS_URI) to obtain sensitive configuration and keys: ‘…takes in the environmental variable for the SAS tokened URL and gathers the encrypted context…’
  • [T1083] File and Directory Discovery – Enumerated filesystem and procfs to locate environment variables and wrote decoded certificates to disk (e.g., C:\temp\micert.pfx): ‘…decoded the Base64 data and wrote it to a file.’

Indicators of Compromise

  • [Environment Variables] container secrets – CONTAINER_START_CONTEXT_SAS_URI, CONTAINER_ENCRYPTION_KEY
  • [Certificate Thumbprints] managed identity certs – BC5C431024BC7F52C8E9F43A7387D6021056630A, B8E752972790B0E6533EFE49382FF5E8412DAD31
  • [Client / Application IDs] managed identity identifiers – b1abdc5c-3e68-476a-9191-428c1300c50c (Service Principal / ApplicationId)
  • [Domains / URLs] identity service endpoints and storage – https://control-centralus.identity.azure.net/subscriptions/[REDACTED]/, and SAS URL referenced by CONTAINER_START_CONTEXT_SAS_URI
  • [Files / Paths] local artifacts and procfs – /proc/self/environ (environment dump), C:\temp\micert.pfx (exported PFX file)
  • [Base64 blobs] embedded certificates – Base64 certificate strings beginning with “MIIK…” found in MSISpecializationPayload

Researchers discovered that Linux-based Azure Function Apps retrieve an encrypted startup context blob from Azure Storage (referenced by CONTAINER_START_CONTEXT_SAS_URI) and use a per-container key (CONTAINER_ENCRYPTION_KEY) available in container environment variables. By accessing /proc/self/environ or otherwise reading the container environment, an attacker with command execution can download the encrypted blob and perform AES-CBC decryption (IV from blob, key from CONTAINER_ENCRYPTION_KEY) to obtain the cleartext startup context and Function App keys.

Within the decrypted context, an MSISpecializationPayload lists attached Managed Identities and includes Base64-encoded certificate blobs. Those blobs can be decoded to PFX files (no password observed), imported into a certificate store, and used to authenticate as the Managed Identity (e.g., via Connect-AzAccount -ServicePrincipal -CertificateThumbprint … -ApplicationId …), granting the attacker the identity’s privileges and persistence within the tenant for the certificate’s validity period.
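As an added posture check (example code, not from the NetSPI post or from Microsoft), the following Python classifies a container environment against the two conditions described above (SAS URI and decryption key both readable) and inspects an already-decrypted startup context for a plaintext MSISpecializationPayload versus the post-fix EncryptedTokenServiceSpecializationPayload. The 'Identities' and 'Certificate' field names and the sample documents are assumptions and constructed data; the post only says the payload lists attached identities with Base64 certificate blobs.

```python
import base64
import os

# Environment variables the post identifies as the two halves of the exposure.
SAS_VAR = "CONTAINER_START_CONTEXT_SAS_URI"
KEY_VAR = "CONTAINER_ENCRYPTION_KEY"


def classify_environment(env):
    """Classify a container environment mapping (e.g. os.environ) by exposure state."""
    has_sas, has_key = SAS_VAR in env, KEY_VAR in env
    if has_sas and has_key:
        return "HIGH: SAS URI and decryption key both readable in the user container"
    if has_sas:
        return "INFO: SAS URI present but decryption key absent (post-fix state)"
    return "OK: no startup-context variables in this environment"


def find_plaintext_identity_certs(context):
    """Return (payload key found, count of Base64 blobs that decode to DER/PFX data).
    'Identities' and 'Certificate' are assumed field names, not documented schema."""
    if "EncryptedTokenServiceSpecializationPayload" in context:
        return "EncryptedTokenServiceSpecializationPayload", 0
    payload = context.get("MSISpecializationPayload")
    if not payload:
        return None, 0
    count = 0
    for identity in payload.get("Identities", []):
        try:
            raw = base64.b64decode(identity.get("Certificate", ""), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        # A PFX is a DER SEQUENCE: bytes 30 82 .. encode to "MII..", matching the
        # "MIIK..." strings the post observed inside MSISpecializationPayload.
        if raw[:2] == b"\x30\x82":
            count += 1
    return "MSISpecializationPayload", count


# Constructed samples (not real startup contexts); the PFX bytes are a dummy DER header.
FAKE_PFX = base64.b64encode(b"\x30\x82\x0a\x10" + bytes(16)).decode()
SAMPLE_PRE_FIX_CONTEXT = {
    "MSISpecializationPayload": {"Identities": [{"ClientId": "PLACEHOLDER", "Certificate": FAKE_PFX}]}
}
SAMPLE_POST_FIX_CONTEXT = {"EncryptedTokenServiceSpecializationPayload": "PLACEHOLDER"}

if __name__ == "__main__":
    print(classify_environment(os.environ))
    print(find_plaintext_identity_certs(SAMPLE_PRE_FIX_CONTEXT))  # ('MSISpecializationPayload', 1)
```

Run inside the Function App container to see which exposure state the environment is in; the payload inspection is meant for contexts an operator already holds in cleartext and performs no download or decryption.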

Mitigations include limiting access to container filesystems and environment information, removing or protecting keys from within the user container, and ensuring startup MSI payloads are not accessible in plaintext; Microsoft mitigated the issue by encrypting the MSI payload (renamed EncryptedTokenServiceSpecializationPayload) and ensuring the decryption key is not present in the user container. Read more: https://www.netspi.com/blog/technical/cloud-penetration-testing/mistaken-identity-azure-function-apps/