AWS - Codepipeline Privesc


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

codepipeline

For more info about codepipeline check:

AWS - DataPipeline, CodePipeline & CodeCommit Enum

iam:PassRole, codepipeline:CreatePipeline, codebuild:CreateProject, codepipeline:StartPipelineExecution

When creating a CodePipeline you can specify the IAM role the pipeline runs as, so any role that the caller is allowed to pass can be compromised through the pipeline.

Apart from the previous permissions you would also need access to the place where the code is stored (S3, ECR, GitHub, Bitbucket...).

I tested this doing the process in the web page; the permissions indicated previously are the non-List/Get ones needed to create a codepipeline, but for creating it in the web console you will also need: codebuild:ListCuratedEnvironmentImages, codebuild:ListProjects, codebuild:ListRepositories, codecommit:ListRepositories, events:PutTargets, codepipeline:ListPipelines, events:PutRule, codepipeline:ListActionTypes, cloudtrail:<several>

During the creation of the build project you can indicate a command to run (rev shell?) and choose to run the build phase as a privileged user; that is the configuration an attacker needs in order to compromise the role:

?codebuild:UpdateProject, codepipeline:UpdatePipeline, codepipeline:StartPipelineExecution

It might be possible to modify the role used and the command executed on a codepipeline with the previous permissions.

codepipeline:PollForJobs

AWS mentions:

When this API is called, CodePipeline returns temporary credentials for the S3 bucket used to store artifacts for the pipeline, if the action requires access to that S3 bucket for input or output artifacts. This API also returns any secret values defined for the action.
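As a defender-side check for the three permission sets described above (create pipeline + build project, update pipeline + build project, and PollForJobs), the following added example, which is not part of HackTricks, audits an IAM policy document for any set that is fully granted, expanding `*` and `?` wildcards the way IAM does. The sample policy is constructed for the example.

```python
"""Flag IAM policy documents that grant the CodePipeline/CodeBuild
permission sets listed on this page as privilege-escalation paths."""
import fnmatch
import json

# Permission combinations from this page; every action in a set must be allowed.
PRIVESC_SETS = {
    "create pipeline + build project": {
        "iam:PassRole", "codepipeline:CreatePipeline",
        "codebuild:CreateProject", "codepipeline:StartPipelineExecution",
    },
    "update pipeline + build project": {
        "codebuild:UpdateProject", "codepipeline:UpdatePipeline",
        "codepipeline:StartPipelineExecution",
    },
    "poll for jobs": {"codepipeline:PollForJobs"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Collect Allow actions, keeping wildcards as written.
    Deny statements, Resource and Condition are ignored, so this over-reports."""
    actions = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def grants(action, allowed):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in allowed)


def find_privesc_paths(policy):
    allowed = allowed_actions(policy)
    return [name for name, needed in PRIVESC_SETS.items()
            if all(grants(a, allowed) for a in needed)]


# Constructed sample: a "CI helper" policy whose codepipeline:* plus PassRole is enough.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["codepipeline:*", "codebuild:CreateProject"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
  ]}""")

if __name__ == "__main__":
    print(find_privesc_paths(SAMPLE_POLICY))
```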
