HackTricks CloudAWS - Route53 Privesc
Tip
Apprenez & pratiquez AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Apprenez & pratiquez GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
Apprenez & pratiquez Az Hacking:HackTricks Training Azure Red Team Expert (AzRTE)
Soutenez HackTricks
- Consultez les subscription plans!
- Rejoignez le 💬 Discord group ou le telegram group ou suivez-nous sur Twitter 🐦 @hacktricks_live.
- Partagez des hacking tricks en soumettant des PRs aux HackTricks et HackTricks Cloud github repos.
For more information about Route53 check:
route53:CreateHostedZone, route53:ChangeResourceRecordSets, acm-pca:IssueCertificate, acm-pca:GetCertificate
Note
Pour réaliser cette attaque, le compte cible doit déjà avoir un AWS Certificate Manager Private Certificate Authority (AWS-PCA) configuré dans le compte, et les instances EC2 dans le(s) VPC(s) doivent déjà avoir importé les certificats pour lui faire confiance. Avec cette infrastructure en place, l’attaque suivante peut être effectuée pour intercepter le trafic des API AWS.
Other permissions recommend but not required for the enumeration part: route53:GetHostedZone, route53:ListHostedZones, acm-pca:ListCertificateAuthorities, ec2:DescribeVpcs
Assuming there is an AWS VPC with multiple cloud-native applications talking to each other and to AWS API. Since the communication between the microservices is often TLS encrypted there must be a private CA to issue the valid certificates for those services. If ACM-PCA is used for that and the adversary manages to get access to control both route53 and acm-pca private CA with the minimum set of permissions described above, it can hijack the application calls to AWS API taking over their IAM permissions.
This is possible because:
- AWS SDKs do not have Certificate Pinning
- Route53 allows creating Private Hosted Zone and DNS records for AWS APIs domain names
- Private CA in ACM-PCA cannot be restricted to signing only certificates for specific Common Names
Potential Impact: Indirect privesc by intercepting sensitive information in the traffic.
Exploitation
Find the exploitation steps in the original research: https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/
Tip
Apprenez & pratiquez AWS Hacking:
Apprenez & pratiquez GCP Hacking:
Apprenez & pratiquez Az Hacking:Soutenez HackTricks
- Consultez les subscription plans!
- Rejoignez le 💬 Discord group ou le telegram group ou suivez-nous sur Twitter 🐦 @hacktricks_live.
- Partagez des hacking tricks en soumettant des PRs aux HackTricks et HackTricks Cloud github repos.