azure-custom-owner-role-unrestricted: Azure Custom Owner Role Available

日期: 2025-08-01 | 影响软件: Azure Custom Owner Role | POC: 已公开

漏洞描述

Ensure that there are no custom subscription owner roles available in your Azure account in order to adhere to cloud security best practices and implement the principle of least privilege - the practice of providing every user the minimal amount of access required to perform its tasks.

PoC代码[已公开]

id: azure-custom-owner-role-unrestricted
info:
  name: Azure Custom Owner Role Available
  author: princechaddha
  severity: medium
  description: |
    Ensure that there are no custom subscription owner roles available in your Azure account in order to adhere to cloud security best practices and implement the principle of least privilege - the practice of providing every user the minimal amount of access required to perform its tasks.
  impact: |
    Having custom owner roles can provide excessive permissions that exceed the requirements of the users, potentially leading to security vulnerabilities.
  remediation: |
    Remove any custom owner roles or modify their permissions to align with the principle of least privilege, ensuring users have only the necessary access rights to perform their duties.
  reference:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
  tags: cloud,devops,azure,microsoft,role-management,azure-cloud-config

flow: |
  code(1);
  for (let RoleData of iterate(template.roleList)) {
    set("roleName", RoleData);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az role definition list --custom-role-only true --query '[].{roleName:roleName}' --output json

    extractors:
      - type: json
        name: roleList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az role definition list --name "$roleName" --output json --query '[?(assignableScopes == `/` || assignableScopes == `/subscriptions/` && actions == `*`)].roleName'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'roleName'

    extractors:
      - type: dsl
        dsl:
          - 'roleName + " is a custom owner role with excessive permissions"'
# digest: 4b0a00483046022100883f4fde301ddae0afd388468a91c59ae8e08040397301bb796c36aa83a81fb2022100c53059b69e1e2e9ff9c9a3b76a8ea69ba5ccec02fdcea8f3a2908a56f05718d6:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./cloud/azure/accesscontrol/azure-custom-owner-role-unrestricted.yaml