Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
For more info about Cognito check:
As Cognito can grant IAM role credentials to both authenticated an unauthenticated users, if you locate the Identity Pool ID of an application (should be hardcoded on it) you can obtain new credentials and therefore privesc (inside an AWS account where you probably didn't even have any credential previously).
For more information check this page.
Potential Impact: Direct privesc to the services role attached to unauth users (and probably to the one attached to auth users).
cognito-identity:SetIdentityPoolRoles, iam:PassRoleWith this permission you can grant any cognito role to the authenticated/unauthenticated users of the cognito app.
If the cognito app doesn't have unauthenticated users enabled you might need also the permission cognito-identity:UpdateIdentityPool to enable it.
Potential Impact: Direct privesc to any cognito role.
cognito-identity:update-identity-poolAn attacker with this permission could set for example a Cognito User Pool under his control or any other identity provider where he can login as a way to access this Cognito Identity Pool. Then, just login on that user provider will allow him to access the configured authenticated role in the Identity Pool.
It's also possible to abuse this permission to allow basic auth:
Potential Impact: Compromise the configured authenticated IAM role inside the identity pool.
cognito-idp:AdminAddUserToGroupThis permission allows to add a Cognito user to a Cognito group, therefore an attacker could abuse this permission to add an user under his control to other groups with better privileges or different IAM roles:
Potential Impact: Privesc to other Cognito groups and IAM roles attached to User Pool Groups.
cognito-idp:CreateGroup | cognito-idp:UpdateGroup), iam:PassRoleAn attacker with these permissions could create/update groups with every IAM role that can be used by a compromised Cognito Identity Provider and make a compromised user part of the group, accessing all those roles:
Potential Impact: Privesc to other Cognito IAM roles.
cognito-idp:AdminConfirmSignUpThis permission allows to verify a signup. By default anyone can sign in Cognito applications, if that is left, a user could create an account with any data and verify it with this permission.
Potential Impact: Indirect privesc to the identity pool IAM role for authenticated users if you can register a new user. Indirect privesc to other app functionalities being able to confirm any account.
cognito-idp:AdminCreateUserThis permission would allow an attacker to create a new user inside the user pool. The new user is created as enabled, but will need to change its password.
Potential Impact: Direct privesc to the identity pool IAM role for authenticated users. Indirect privesc to other app functionalities being able to create any user
cognito-idp:AdminEnableUserThis permissions can help in. a very edge-case scenario where an attacker found the credentials of a disabled user and he needs to enable it again.
Potential Impact: Indirect privesc to the identity pool IAM role for authenticated users and permissions of the user if the attacker had credentials for a disabled user.
cognito-idp:AdminInitiateAuth, cognito-idp:AdminRespondToAuthChallengeThis permission allows to login with the method ADMIN_USER_PASSWORD_AUTH. For more information follow the link.
cognito-idp:AdminSetUserPasswordThis permission would allow an attacker to change the password of any user, making him able to impersonate any user (that doesn't have MFA enabled).
Potential Impact: Direct privesc to potentially any user, so access to all the groups each user is member of and access to the Identity Pool authenticated IAM role.
cognito-idp:AdminSetUserSettings | cognito-idp:SetUserMFAPreference | cognito-idp:SetUserPoolMfaConfig | cognito-idp:UpdateUserPoolAdminSetUserSettings: An attacker could potentially abuse this permission to set a mobile phone under his control as SMS MFA of a user.
SetUserMFAPreference: Similar to the previous one this permission can be used to set MFA preferences of a user to bypass the MFA protection.
SetUserPoolMfaConfig: Similar to the previous one this permission can be used to set MFA preferences of a user pool to bypass the MFA protection.
UpdateUserPool: It's also possible to update the user pool to change the MFA policy. Check cli here.
Potential Impact: Indirect privesc to potentially any user the attacker knows the credentials of, this could allow to bypass the MFA protection.
cognito-idp:AdminUpdateUserAttributesAn attacker with this permission could change the email or phone number or any other attribute of a user under his control to try to obtain more privileges in an underlaying application. This allows to change an email or phone number and set it as verified.
Potential Impact: Potential indirect privesc in the underlying application using Cognito User Pool that gives privileges based on user attributes.
cognito-idp:CreateUserPoolClient | cognito-idp:UpdateUserPoolClientAn attacker with this permission could create a new User Pool Client less restricted than already existing pool clients. For example, the new client could allow any kind of method to authenticate, don't have any secret, have token revocation disabled, allow tokens to be valid for a longer period...
The same can be be don if instead of creating a new client, an existing one is modified.
In the command line (or the update one) you can see all the options, check it!.
Potential Impact: Potential indirect privesc to the Identity Pool authorized user used by the User Pool by creating a new client that relax the security measures and makes possible to an attacker to login with a user he was able to create.
cognito-idp:CreateUserImportJob | cognito-idp:StartUserImportJobAn attacker could abuse this permission to create users y uploading a csv with new users.
(In the case where you create a new import job you might also need the iam passrole permission, I haven't tested it yet).
Potential Impact: Direct privesc to the identity pool IAM role for authenticated users. Indirect privesc to other app functionalities being able to create any user.
cognito-idp:CreateIdentityProvider | cognito-idp:UpdateIdentityProviderAn attacker could create a new identity provider to then be able to login through this provider.
Potential Impact: Direct privesc to the identity pool IAM role for authenticated users. Indirect privesc to other app functionalities being able to create any user.
This is a very common permission by default in roles of Cognito Identity Pools. Even if a wildcard in a permissions always looks bad (specially coming from AWS), the given permissions aren't super useful from an attackers perspective.
This permission allows to read use information of Identity Pools and Identity IDs inside Identity Pools (which isn't sensitive info). Identity IDs might have Datasets assigned to them, which are information of the sessions (AWS define it like a saved game). It might be possible that this contain some kind of sensitive information (but the probability is pretty low). You can find in the enumeration page how to access this information.
An attacker could also use these permissions to enroll himself to a Cognito stream that publish changes on these datases or a lambda that triggers on cognito events. I haven't seen this being used, and I wouldn't expect sensitive information here, but it isn't impossible.
Pacu, the AWS exploitation framework, now includes the "cognito__enum" and "cognito__attack" modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc.
For a description of the modules' functions see part 2 of the blog post. For installation instructions see the main Pacu page.
Sample cognito__attack usage to attempt user creation and all privesc vectors against a given identity pool and user pool client:
Sample cognito__enum usage to gather all user pools, user pool clients, identity pools, users, etc. visible in the current AWS account:
Cognito Scanner is a CLI tool in python that implements different attacks on Cognito including a privesc escalation.
For more information check https://github.com/padok-team/cognito-scanner
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
