AWS - Codepipeline Privesc

Reading time: 2 minutes

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

codepipeline

For more info about codepipeline check:

AWS - DataPipeline, CodePipeline & CodeCommit Enum

iam:PassRole, codepipeline:CreatePipeline, codebuild:CreateProject, codepipeline:StartPipelineExecution

When creating a code pipeline you can indicate a codepipeline IAM Role to run, therefore you could compromise them.

Apart from the previous permissions you would need access to the place where the code is stored (S3, ECR, github, bitbucket...)

I tested this doing the process in the web page, the permissions indicated previously are the not List/Get ones needed to create a codepipeline, but for creating it in the web you will also need: codebuild:ListCuratedEnvironmentImages, codebuild:ListProjects, codebuild:ListRepositories, codecommit:ListRepositories, events:PutTargets, codepipeline:ListPipelines, events:PutRule, codepipeline:ListActionTypes, cloudtrail:<several>

During the creation of the build project you can indicate a command to run (rev shell?) and to run the build phase as privileged user, that's the configuration the attacker needs to compromise:

?codebuild:UpdateProject, codepipeline:UpdatePipeline, codepipeline:StartPipelineExecution

It might be possible to modify the role used and the command executed on a codepipeline with the previous permissions.

codepipeline:pollforjobs

AWS mentions:

When this API is called, CodePipeline returns temporary credentials for the S3 bucket used to store artifacts for the pipeline, if the action requires access to that S3 bucket for input or output artifacts. This API also returns any secret values defined for the action.

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks