AWS - Lambda Layers Persistence
A Lambda layer is a .zip archive that can contain additional code or other content. A layer can contain libraries, a custom runtime, data, or configuration files.
It is possible to include up to five layers per function. When you include a layer in a function, its contents are extracted to the /opt directory in the execution environment.
By default, the layers you create are private to your AWS account. You can choose to share a layer with other accounts or to make the layer public. If your functions use a layer that a different account published, your functions can continue to use that layer version after it has been deleted, or after your permission to access the layer has been revoked. However, you cannot create new functions or update functions using a deleted layer version.
Functions deployed as a container image do not use layers. Instead, you package the preferred runtime, libraries, and other dependencies into the container image when you build it.
The load path that Python will use inside the lambda is the following:
Njia ya kupakia ambayo Python itatumia katika lambda ni ifuatayo:
Check how the second and third positions are occupied by the directories where lambda layers uncompress their files: /opt/python/lib/python3.9/site-packages and /opt/python
If an attacker managed to backdoor a lambda layer that is in use, or to add one that executes arbitrary code when a common library is loaded, they would be able to execute malicious code on each lambda invocation.
Therefore, the requisites are:
Check which libraries are loaded by the victim's code
Create a proxy library with lambda layers that will execute custom code and load the original library.
When abusing this technique I found a difficulty: Some libraries are already loaded in python runtime when your code gets executed. I was expecting to find things like os or sys, but even json library was loaded.
In order to abuse this persistence technique, the code needs to load a new library that isn't loaded when the code gets executed.
With a python code like this one it's possible to obtain the list of libraries that are pre-loaded inside the python runtime in lambda:
And this is the list (check that libraries such as os or json are already present):
And this is the list of libraries that lambda includes installed by default: https://gist.github.com/gene1wood/4a052f39490fae00e0c3
In this example let's suppose that the targeted code uses csv. We are going to backdoor the import of the csv library.
To do so, we will create a csv directory with an __init__.py file inside it, in a path that is loaded by lambda: /opt/python/lib/python3.9/site-packages
Then, when the lambda is executed and tries to load csv, our __init__.py file will be loaded and executed.
This file must:
Execute our payload
Load the original csv library
We can do both with:
Then, create a zip with this code in the path python/lib/python3.9/site-packages/__init__.py and add it as a lambda layer.
You can find this code in https://github.com/carlospolop/LambdaLayerBackdoor
The integrated payload will send the IAM creds to a server THE FIRST TIME it is triggered or AFTER a reconfiguration of the lambda container (a code change or a cold lambda), but other techniques such as the following could also be integrated:
AWS - Steal Lambda Requests
Note that it is possible to use lambda layers from external accounts. Moreover, a lambda can keep using a layer from an external account even if it no longer has permission to it. Also note that the maximum number of layers a lambda can have is 5.
Therefore, in order to improve the effectiveness of this technique an attacker could:
Backdoor an existing layer of the user (nothing is external)
Create a layer in their own account, grant the victim's account permission to use it, attach the layer to the victim's Lambda and then remove the permission.
The lambda will still be able to use the layer and the victim won't easily be able to download the layer's code (other than by getting a rev shell inside the lambda)
The victim won't see external layers in use with aws lambda list-layers
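Because aws lambda list-layers only shows layers published in your own account, the defender's check is to walk every function's configuration and inspect the account ID embedded in each attached layer ARN. The following is an added example (not code from the page or from the LambdaLayerBackdoor project); it runs offline on a constructed list shaped like the FunctionConfiguration records returned by aws lambda list-functions, and the account IDs in the sample are placeholders.

```python
import re

# Layer version ARN: arn:<partition>:lambda:<region>:<account>:layer:<name>:<version>
LAYER_ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):lambda:(?P<region>[^:]+):(?P<account>\d{12})"
    r":layer:(?P<name>[^:]+):(?P<version>\d+)$"
)


def parse_layer_arn(arn):
    """Return the components of a layer version ARN, or None if it is not one."""
    m = LAYER_ARN_RE.match(arn)
    return m.groupdict() if m else None


def function_account(function_arn):
    """The account ID is the fifth colon-separated field of any AWS ARN."""
    return function_arn.split(":")[4]


def find_foreign_layers(functions):
    """Flag every layer attached to a function that was published by another account.

    `functions` is a list of FunctionConfiguration dicts (FunctionName, FunctionArn,
    Layers=[{Arn, CodeSize}, ...]) as returned by `aws lambda list-functions`.
    Returns (function name, layer ARN, publishing account) tuples.
    """
    findings = []
    for fn in functions:
        owner = function_account(fn["FunctionArn"])
        for layer in fn.get("Layers", []):
            parsed = parse_layer_arn(layer["Arn"])
            if parsed is None:
                findings.append((fn["FunctionName"], layer["Arn"], "unparseable"))
            elif parsed["account"] != owner:
                findings.append((fn["FunctionName"], layer["Arn"], parsed["account"]))
    return findings


# Constructed sample: one function with an in-account layer and one from a foreign account.
SAMPLE_FUNCTIONS = [
    {"FunctionName": "orders-api",
     "FunctionArn": "arn:aws:lambda:us-east-1:111111111111:function:orders-api",
     "Layers": [
         {"Arn": "arn:aws:lambda:us-east-1:111111111111:layer:common-utils:3", "CodeSize": 2048},
         {"Arn": "arn:aws:lambda:us-east-1:222222222222:layer:common-utils:1", "CodeSize": 1337}]},
    {"FunctionName": "nightly-report",
     "FunctionArn": "arn:aws:lambda:us-east-1:111111111111:function:nightly-report",
     "Layers": []},
]

if __name__ == "__main__":
    for name, arn, acct in find_foreign_layers(SAMPLE_FUNCTIONS):
        print(f"{name}: layer {arn} published by account {acct}")
```

This catches the external-account variant only; a backdoored layer that already lives in your own account needs a baseline comparison of each layer version's Content.CodeSha256 (from aws lambda get-layer-version) against the hash recorded when the layer was legitimately published.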