AWS - Route53 Privesc
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
For more information about Route53 check:
AWS - Route53 Enum
route53:CreateHostedZone, route53:ChangeResourceRecordSets, acm-pca:IssueCertificate, acm-pca:GetCertificate
To perform this attack, the target account must already have an AWS Certificate Manager Private Certificate Authority (ACM-PCA) set up, and the EC2 instances in the VPC(s) must already have imported its certificate so that they trust it. With this infrastructure in place, the following attack can be performed to intercept AWS API traffic.
Other permissions recommended but not required for the enumeration part: route53:GetHostedZone, route53:ListHostedZones, acm-pca:ListCertificateAuthorities, ec2:DescribeVpcs
Assume there is an AWS VPC with multiple cloud-native applications talking to each other and to the AWS API. Since communication between microservices is usually TLS encrypted, there must be a private CA that issues valid certificates for those services. If ACM-PCA is used for that and an adversary gains control of both Route53 and the ACM-PCA private CA with the minimum set of permissions described above, they can hijack the applications' calls to the AWS API and take over their IAM permissions.
This is possible because:
AWS SDKs do not have Certificate Pinning
Route53 allows creating a Private Hosted Zone and DNS records for AWS API domain names
Private CA in ACM-PCA cannot be restricted to signing only certificates for specific Common Names
Potential Impact: Indirect privesc by intercepting sensitive information in the traffic.
Find the exploitation steps in the original research: https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/
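A defender-side check for the precondition above, added here as an example that is not part of the original research: it walks the account's hosted zones and flags any private zone whose name shadows an AWS API endpoint, since such a zone is what lets the Route53 half of this attack redirect SDK traffic inside a VPC. The AWS_API_SUFFIXES list and all sample zones/records are constructed assumptions; the live collector uses route53:ListHostedZones and route53:ListResourceRecordSets.

```python
"""Flag Route 53 private hosted zones that shadow AWS API endpoint names.
Sample data is constructed; collect_from_account() shows the boto3 calls
(route53:ListHostedZones, route53:ListResourceRecordSets) used on a real account."""

# Assumption: endpoint apex domains worth watching; extend for the partitions you use.
AWS_API_SUFFIXES = ("amazonaws.com", "amazonaws.com.cn", "api.aws")

def shadows_aws_api(zone_name: str) -> bool:
    """True if the zone is an AWS endpoint apex or any name beneath one."""
    name = zone_name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in AWS_API_SUFFIXES)

def find_shadowing_zones(zones, records_by_zone):
    """zones: ListHostedZones items (Id, Name, Config.PrivateZone); records_by_zone:
    zone Id -> ResourceRecordSets. Returns one finding per private zone shadowing an
    AWS API name, with the address records that would override VPC resolution."""
    findings = []
    for zone in zones:
        if not zone.get("Config", {}).get("PrivateZone"):
            continue  # a public zone cannot override VPC-internal resolution
        if not shadows_aws_api(zone["Name"]):
            continue
        overriding = [r["Name"] for r in records_by_zone.get(zone["Id"], [])
                      if r.get("Type") in ("A", "AAAA", "CNAME")]
        findings.append({"zone_id": zone["Id"], "zone_name": zone["Name"],
                         "records": overriding})
    return findings

# Constructed sample: a benign internal zone, a public zone, and a private zone
# shadowing the STS endpoint with an A record (only the last one is a finding).
SAMPLE_ZONES = [
    {"Id": "/hostedzone/ZEXAMPLEINTERNAL", "Name": "corp.internal.", "Config": {"PrivateZone": True}},
    {"Id": "/hostedzone/ZEXAMPLEPUBLIC", "Name": "example.com.", "Config": {"PrivateZone": False}},
    {"Id": "/hostedzone/ZEXAMPLESHADOW", "Name": "sts.us-east-1.amazonaws.com.", "Config": {"PrivateZone": True}},
]
SAMPLE_RECORDS = {
    "/hostedzone/ZEXAMPLESHADOW": [
        {"Name": "sts.us-east-1.amazonaws.com.", "Type": "NS"},
        {"Name": "sts.us-east-1.amazonaws.com.", "Type": "A", "TTL": 60, "ResourceRecords": [{"Value": "10.0.0.10"}]},
    ],
}

def collect_from_account():
    """Live collector; needs boto3 and the read permissions listed above. Not run by the sample."""
    import boto3  # lazy import so the offline sample has no AWS dependency
    r53 = boto3.client("route53")
    zones = [z for p in r53.get_paginator("list_hosted_zones").paginate() for z in p["HostedZones"]]
    pager = r53.get_paginator("list_resource_record_sets")
    return zones, {z["Id"]: [rs for p in pager.paginate(HostedZoneId=z["Id"]) for rs in p["ResourceRecordSets"]] for z in zones}
```

Run find_shadowing_zones on the output of collect_from_account() and alert on any finding; a zone like the sample STS one, associated with a VPC, is the DNS-side precondition that should never exist in a healthy account.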