AWS - S3 Privesc


S3

s3:PutBucketNotification, s3:PutObject, s3:GetObject

An attacker with those permissions over interesting buckets may be able to hijack resources and escalate privileges.

For example, an attacker with those permissions over the CloudFormation bucket called "cf-templates-nohnwfax6a6i-us-east-1" will be able to hijack the deployment. Access can be granted with the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutBucketNotification",
        "s3:GetBucketNotification",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::cf-templates-*/*",
        "arn:aws:s3:::cf-templates-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}

The hijack is possible because there is a small window of time between the moment the template is uploaded to the bucket and the moment the template is deployed. An attacker can simply create a Lambda function in their own account that is triggered when the bucket notification is sent, and hijack the contents of that bucket.

The Pacu module cfn__resource_injection can be used to automate this attack. For more information check the original research: https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/
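The defender-side counterpart of the notification hijack above is to check where a bucket's notifications actually go. The following script is an added example (not HackTricks code and not part of Pacu): it takes the JSON that `aws s3api get-bucket-notification-configuration` returns and flags every Lambda, SNS or SQS destination whose ARN belongs to an account other than the bucket owner's. The account IDs, configuration entries and function names are constructed sample values.

```python
"""Audit an S3 bucket notification configuration for destinations outside the
bucket owner's account. Added example; not HackTricks or Pacu code.

The input shape is what `aws s3api get-bucket-notification-configuration`
returns. The account IDs and ARNs below are constructed sample values.
"""
import json

# Configuration lists that carry a destination ARN, and the field holding it.
# EventBridgeConfiguration has no ARN and always stays in-account, so it is skipped.
DESTINATION_KEYS = {
    "LambdaFunctionConfigurations": "LambdaFunctionArn",
    "TopicConfigurations": "TopicArn",
    "QueueConfigurations": "QueueArn",
}


def arn_account(arn):
    """Return the account field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError("not an ARN: %r" % arn)
    return parts[4]


def foreign_destinations(config, owner_account):
    """Return (config id, arn, account) for every destination owned by another account."""
    findings = []
    for key, arn_field in DESTINATION_KEYS.items():
        for entry in config.get(key, []):
            arn = entry[arn_field]
            account = arn_account(arn)
            if account != owner_account:
                findings.append((entry.get("Id", ""), arn, account))
    return findings


# Constructed sample: one in-account SNS topic and one Lambda in a different account.
SAMPLE_CONFIG = json.loads("""
{
  "TopicConfigurations": [
    {"Id": "deploy-alerts",
     "TopicArn": "arn:aws:sns:us-east-1:111111111111:cf-deploys",
     "Events": ["s3:ObjectCreated:*"]}
  ],
  "LambdaFunctionConfigurations": [
    {"Id": "unexpected",
     "LambdaFunctionArn": "arn:aws:lambda:us-east-1:999999999999:function:template-handler",
     "Events": ["s3:ObjectCreated:Put"]}
  ]
}
""")

if __name__ == "__main__":
    for cfg_id, arn, account in foreign_destinations(SAMPLE_CONFIG, "111111111111"):
        print("notification %r delivers to %s (account %s is not the bucket owner)"
              % (cfg_id, arn, account))
```

Run it against the real configuration of every `cf-templates-*` bucket (and any other bucket whose contents are consumed automatically); a destination in a foreign account on such a bucket is exactly the artefact the attack leaves behind, and `PutBucketNotification` events in CloudTrail are the matching signal for when it was created.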

s3:PutObject, s3:GetObject

These are the permissions to get and upload objects to S3. Several services inside AWS (and outside it) use S3 storage to store configuration files. An attacker with read access to them may obtain sensitive information from them. An attacker with write access to them could modify the data to abuse some service and try to escalate privileges. These are some examples:

  • If an EC2 instance stores its user data in an S3 bucket, an attacker could modify it to execute arbitrary code inside the EC2 instance.

s3:PutBucketPolicy

An attacker, who needs to be from the same account (otherwise the error "The specified method is not allowed" is triggered), with this permission will be able to grant himself more permissions over the bucket(s), allowing him to read, write, modify, delete and expose buckets.

# Update Bucket policy
aws s3api put-bucket-policy --policy file:///root/policy.json --bucket <bucket-name>

## JSON giving permissions to a user and maintaining some previous root access
{
  "Id": "Policy1568185116930",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123123123123:root"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::somebucketname"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123123123123:user/username"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::somebucketname/*"
    }
  ]
}

## JSON Public policy example
### IF THE S3 BUCKET IS PROTECTED FROM BEING PUBLICLY EXPOSED, THIS WILL THROW AN ACCESS DENIED EVEN IF YOU HAVE ENOUGH PERMISSIONS
{
  "Id": "Policy1568185116930",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1568184932403",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::welcome",
      "Principal": "*"
    },
    {
      "Sid": "Stmt1568185007451",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::welcome/*",
      "Principal": "*"
    }
  ]
}

s3:GetBucketAcl, s3:PutBucketAcl

An attacker could use these permissions to grant himself more access over specific buckets. Note that the attacker doesn't need to be from the same account. Moreover, write access

# Update bucket ACL
aws s3api get-bucket-acl --bucket <bucket-name>
aws s3api put-bucket-acl --bucket <bucket-name> --access-control-policy file://acl.json

## JSON ACL example
## Make sure to modify the Owner's DisplayName and ID according to the bucket ACL you retrieved.
{
  "Owner": {
    "DisplayName": "<DisplayName>",
    "ID": "<ID>"
  },
  "Grants": [
    {
      "Grantee": {
        "Type": "Group",
        "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
      },
      "Permission": "FULL_CONTROL"
    }
  ]
}
## An ACL should give you the permission WRITE_ACP to be able to put a new ACL

s3:GetObjectAcl, s3:PutObjectAcl

An attacker could use these permissions to grant himself more access over specific objects inside buckets.

# Update bucket object ACL
aws s3api get-object-acl --bucket <bucket-name> --key flag
aws s3api put-object-acl --bucket <bucket-name> --key flag --access-control-policy file://objacl.json

## JSON ACL example
## Make sure to modify the Owner's DisplayName and ID according to the Object ACL you retrieved.
{
  "Owner": {
    "DisplayName": "<DisplayName>",
    "ID": "<ID>"
  },
  "Grants": [
    {
      "Grantee": {
        "Type": "Group",
        "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
      },
      "Permission": "FULL_CONTROL"
    }
  ]
}
## An ACL should give you the permission WRITE_ACP to be able to put a new ACL
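The s3:PutBucketPolicy, s3:PutBucketAcl and s3:PutObjectAcl sections above all end in the same artefact: a policy or ACL that grants access to a wildcard principal, to another account, or to the AllUsers/AuthenticatedUsers groups. The script below is an added example (not HackTricks code) that reviews such documents offline: `policy_findings` reports every Allow statement whose principal is `*` or outside the owning account, and `acl_findings` reports every grant to a public group or to a canonical user other than the owner. The document shapes follow the `put-bucket-policy` and `put-bucket-acl` inputs shown on this page; the account IDs, canonical IDs and bucket names are constructed sample values.

```python
"""Flag bucket policies and ACLs that expose a bucket beyond its own account.
Added example, not HackTricks code. The document shapes are those accepted by
`put-bucket-policy` and `put-bucket-acl`; account IDs, canonical IDs and bucket
names below are constructed sample values.
"""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value):
    """Statement, Action and Principal.AWS may each be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def _principal_account(principal):
    """Account ID of an AWS principal given as a bare ID or as an IAM ARN."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def policy_findings(policy, owner_account):
    """One finding per Allow statement whose principal is '*' or belongs to another account."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = ",".join(_as_list(stmt.get("Action", [])))
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("%s: public principal '*' allowed %s" % (sid, actions))
        elif isinstance(principal, dict):
            for who in _as_list(principal.get("AWS", [])):
                if _principal_account(who) != owner_account:
                    findings.append("%s: foreign principal %s allowed %s" % (sid, who, actions))
    return findings


def acl_findings(acl, owner_id):
    """One (grantee, permission) per grant to a public group or a non-owner canonical user."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee, perm = grant["Grantee"], grant["Permission"]
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], perm))
        elif grantee.get("Type") == "CanonicalUser" and grantee.get("ID") != owner_id:
            findings.append(("canonical user " + grantee["ID"], perm))
    return findings


# Constructed samples: a policy confined to one account, a public policy, and an ACL
# that grants FULL_CONTROL to every authenticated AWS user.
ACCOUNT_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "RootList", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123123123123:root"},
   "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::somebucketname"},
  {"Sid": "UserAll", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123123123123:user/username"},
   "Action": "s3:*", "Resource": "arn:aws:s3:::somebucketname/*"}]}
""")
PUBLIC_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "ListAll", "Effect": "Allow", "Principal": "*",
   "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::welcome"},
  {"Sid": "ReadAll", "Effect": "Allow", "Principal": "*",
   "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::welcome/*"}]}
""")
OPEN_ACL = json.loads("""
{"Owner": {"DisplayName": "owner", "ID": "ownercanonicalid0001"},
 "Grants": [
  {"Grantee": {"Type": "CanonicalUser", "ID": "ownercanonicalid0001"},
   "Permission": "FULL_CONTROL"},
  {"Grantee": {"Type": "Group",
               "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
   "Permission": "FULL_CONTROL"}]}
""")

if __name__ == "__main__":
    for name, doc in [("account policy", ACCOUNT_POLICY), ("public policy", PUBLIC_POLICY)]:
        print(name, policy_findings(doc, "123123123123") or "no findings")
    print("acl", acl_findings(OPEN_ACL, "ownercanonicalid0001"))
```

The public policy is the case the page's own comment refers to: with S3 Block Public Access enabled on the bucket or account, `put-bucket-policy` with a `*` principal is rejected, which is why that setting is the primary guard against the s3:PutBucketPolicy path. ACL grants to AuthenticatedUsers are not "public" in the everyday sense but are open to any AWS account, so the script treats them exactly like AllUsers.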

s3:GetObjectAcl, s3:PutObjectVersionAcl

An attacker with these privileges is expected to be able to put an ACL on a specific version of an object.

aws s3api get-object-acl --bucket <bucket-name> --key flag
aws s3api put-object-acl --bucket <bucket-name> --key flag --version-id <value> --access-control-policy file://objacl.json