AWS - Codestar Privesc
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
You can find more information about codestar in:
iam:PassRole
, codestar:CreateProject
With these permissions you can abuse a codestar IAM Role to perform arbitrary actions through a cloudformation template. Check the following page:
codestar:CreateProject
, codestar:AssociateTeamMember
This technique uses codestar:CreateProject
to create a codestar project, and codestar:AssociateTeamMember
to make an IAM user the owner of a new CodeStar project, which will grant them a new policy with a few extra permissions.
If you are already a member of the project you can use the permission codestar:UpdateTeamMember
to update your role to owner instead of codestar:AssociateTeamMember
Potential Impact: Privesc to the codestar policy generated. You can find an example of that policy in:
codestar:CreateProjectFromTemplate
Create a New Project:
Utilize the codestar:CreateProjectFromTemplate
action to initiate the creation of a new project.
Upon successful creation, access is automatically granted for cloudformation:UpdateStack
.
This access specifically targets a stack associated with the CodeStarWorker-<generic project name>-CloudFormation
IAM role.
Update the Target Stack:
With the granted CloudFormation permissions, proceed to update the specified stack.
The stack's name will typically conform to one of two patterns:
awscodestar-<generic project name>-infrastructure
awscodestar-<generic project name>-lambda
The exact name depends on the chosen template (referencing the example exploit script).
Access and Permissions:
Post-update, you obtain the capabilities assigned to the CloudFormation IAM role linked with the stack.
Note: This does not inherently provide full administrator privileges. Additional misconfigured resources within the environment might be required to elevate privileges further.
For more information check the original research: https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/. You can find the exploit in https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar_createprojectfromtemplate_privesc/CodeStarPrivEsc.py
Potential Impact: Privesc to cloudformation IAM role.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)