Links

AWS - Route53 Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
For more information about Route53 check:

route53:CreateHostedZone, route53:ChangeResourceRecordSets, acm-pca:IssueCertificate, acm-pca:GetCertificate

To perform this attack the target account must already have an AWS Certificate Manager Private Certificate Authority (AWS-PCA) setup in the account, and EC2 instances in the VPC(s) must have already imported the certificates to trust it. With this infrastructure in place, the following attack can be performed to intercept AWS API traffic.
Other permissions recommend but not required for the enumeration part: route53:GetHostedZone, route53:ListHostedZones, acm-pca:ListCertificateAuthorities, ec2:DescribeVpcs
Assuming there is an AWS VPC with multiple cloud-native applications talking to each other and to AWS API. Since the communication between the microservices is often TLS encrypted there must be a private CA to issue the valid certificates for those services. If ACM-PCA is used for that and the adversary manages to get access to control both route53 and acm-pca private CA with the minimum set of permissions described above, it can hijack the application calls to AWS API taking over their IAM permissions.
This is possible because:
  • AWS SDKs do not have Certificate Pinning
  • Route53 allows creating Private Hosted Zone and DNS records for AWS APIs domain names
  • Private CA in ACM-PCA cannot be restricted to signing only certificates for specific Common Names
Potential Impact: Indirect privesc by intercepting sensitive information in the traffic.

Exploitation

Find the exploitation steps in the original research: https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks: