Basic Azure China support

Open lowSoA opened this issue 3 years ago • 0 comments

When running ScoutSuite v5.10.2 against an Azure account in Azure China, the execution fails with the following message: msrestazure.azure_exceptions.CloudError: Azure Error: AuthenticationFailed.

The endpoints used should be changed to their respective Azure China endpoints. As an example, the following snippet is from site-packages\azure\mgmt\compute\compute_management_client.py which is used to retrieve virtual machine details. The base_url defaults to the Azure Resource Manager global URI, which should be changed when creating a new object specifying https://management.chinacloudapi.cn as the base_url.

def __init__(
            self, credentials, subscription_id, base_url=None):

    if credentials is None:
        raise ValueError("Parameter 'credentials' must not be None.")
    if subscription_id is None:
        raise ValueError("Parameter 'subscription_id' must not be None.")
    if not base_url:
        base_url = 'https://management.azure.com'
    <SNIPPED>

Following the example, the following change should be made in ScoutSuite\providers\azure\facade\virtualmachines.py:

def get_client(self, subscription_id: str):
    client = ComputeManagementClient(self.credentials.get_credentials('arm'),
                                     subscription_id=subscription_id,
                                     base_url="https://management.chinacloudapi.cn")
    client._client.config.add_user_agent(get_user_agent())
    return client

Currently supported services that need changes:

  • ScoutSuite\providers\azure\facade\aad.py
  • ScoutSuite\providers\azure\facade\appservice.py
  • ScoutSuite\providers\azure\facade\keyvault.py
  • ScoutSuite\providers\azure\facade\network.py
  • ScoutSuite\providers\azure\facade\rbac.py
  • ScoutSuite\providers\azure\facade\securitycenter.py
  • ScoutSuite\providers\azure\facade\sqldatabase.py
  • ScoutSuite\providers\azure\facade\storageaccounts.py
  • ScoutSuite\providers\azure\facade\virtualmachines.py

Other files related to authentication that need changes:

  • ScoutSuite\providers\azure\facade\base.py
  • ScoutSuite\providers\azure\authentication_strategy.py

All fixes have been implemented in https://github.com/nccgroup/ScoutSuite/tree/tmp/basic_azure_china_support as a temporary solution.

Related issue #836.

Related PR #550.

lowSoA, May 31 '21 11:05
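The endpoint switch described in the issue, as an added example that is not part of the original issue or ScoutSuite's code: it selects the ARM base URL from a pinned table per cloud instead of hardcoding one, and refuses to pair a credential with an endpoint from a different cloud. `resolve_endpoints`, `cloud_for_url`, `StubComputeClient`, the `cloud` parameter and the credentials dict with an `authority` key are hypothetical names and shapes; the Active Directory login hosts are well-known values that do not appear in the issue.

```python
from urllib.parse import urlsplit

# Pinned endpoints per cloud. The two resource_manager URLs are the ones quoted
# in the issue; the active_directory hosts are added here as well-known values.
CLOUDS = {
    "public": {"resource_manager": "https://management.azure.com",
               "active_directory": "https://login.microsoftonline.com"},
    "china": {"resource_manager": "https://management.chinacloudapi.cn",
              "active_directory": "https://login.chinacloudapi.cn"},
}


def resolve_endpoints(cloud):
    """Return the pinned endpoint set for a cloud name; reject anything else."""
    key = cloud.strip().lower()
    if key not in CLOUDS:
        raise ValueError(f"unsupported Azure cloud: {cloud!r}")
    return dict(CLOUDS[key])


def cloud_for_url(url):
    """Map a URL to its cloud by exact HTTPS host match, else raise."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing non-HTTPS endpoint: {url!r}")
    for name, endpoints in CLOUDS.items():
        if parts.hostname in {urlsplit(e).hostname for e in endpoints.values()}:
            return name
    raise ValueError(f"not a known Azure cloud host: {url!r}")


class StubComputeClient:
    """Hypothetical stand-in with the constructor shape of the SDK snippet."""
    def __init__(self, credentials, subscription_id, base_url=None):
        if credentials is None:
            raise ValueError("Parameter 'credentials' must not be None.")
        self.subscription_id = subscription_id
        self.base_url = base_url or "https://management.azure.com"


def get_client(credentials, subscription_id, cloud="public"):
    """Build a client whose ARM endpoint matches the cloud that issued the token."""
    endpoints = resolve_endpoints(cloud)
    # Assumption: credentials is a dict carrying the login authority URL.
    if cloud_for_url(credentials["authority"]) != cloud_for_url(endpoints["resource_manager"]):
        raise ValueError("credential authority and ARM endpoint are in different clouds")
    return StubComputeClient(credentials, subscription_id,
                             base_url=endpoints["resource_manager"])
```

Because the host match is exact, a look-alike such as `management.chinacloudapi.cn.example.net` is rejected, so a bearer token is never sent to an endpoint outside the pinned table.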