AWS - Codestar Privesc

Codestar

You can find more information about codestar in:

iam:PassRole, codestar:CreateProject

With these permissions you can abuse a codestar IAM Role to perform arbitrary actions through a cloudformation template. Check the following page:

codestar:CreateProject, codestar:AssociateTeamMember

This technique uses codestar:CreateProject to create a codestar project, and codestar:AssociateTeamMember to make an IAM user the owner of a new CodeStar project, which will grant them a new policy with a few extra permissions.

If you are already a member of the project you can use the permission codestar:UpdateTeamMember to update your role to owner instead of codestar:AssociateTeamMember

Potential Impact: Privesc to the codestar policy generated. You can find an example of that policy in:

codestar:CreateProjectFromTemplate

1. Create a New Project:

   • Utilize the codestar:CreateProjectFromTemplate action to initiate the creation of a new project.

     • Upon successful creation, access is automatically granted for cloudformation:UpdateStack.

     • This access specifically targets a stack associated with the CodeStarWorker-<generic project name>-CloudFormation IAM role.

2. Update the Target Stack:

   • With the granted CloudFormation permissions, proceed to update the specified stack.

     • The stack's name will typically conform to one of two patterns:

       • awscodestar-<generic project name>-infrastructure

       • awscodestar-<generic project name>-lambda

       • The exact name depends on the chosen template (referencing the example exploit script).

3. Access and Permissions:

   • Post-update, you obtain the capabilities assigned to the CloudFormation IAM role linked with the stack.

   • Note: This does not inherently provide full administrator privileges. Additional misconfigured resources within the environment might be required to elevate privileges further.

Potential Impact: Privesc to cloudformation IAM role.