AWS - Lambda Persistence


Lambda

For more information check:

AWS - Lambda Enum

Lambda Layer Persistence

It is possible to introduce/backdoor a layer to execute arbitrary code whenever the lambda is executed, in a stealthy way:

AWS - Lambda Layers Persistence

Lambda Extension Persistence

Abusing Lambda Layers it is also possible to abuse extensions to persist in the lambda, and also to steal and modify requests.

AWS - Abusing Lambda Extensions

Via resource policies

It is possible to grant access to different lambda actions (such as invoke or update code) to external accounts:

Versions, Aliases & Weights

A Lambda can have different versions (each version with different code).
Then, you can create different aliases pointing at different versions of the lambda and assign a different weight to each.
This way an attacker could create a backdoored version 1 and a version 2 with only the legitimate code, and route only 1% of the requests to version 1 to remain stealthy.

Version Backdoor + API Gateway

  1. Copy the original code of the Lambda
  2. Create a new version backdooring the original code (or just with malicious code). Publish and deploy that version to $LATEST
  3. Call the API gateway related to the lambda to execute the code
  4. Create a new version with the original code. Publish and deploy that version to $LATEST.
  5. This will hide the backdoored code in a previous version
  6. Go to the API Gateway and create a new POST method (or choose any other method) that will execute the backdoored version of the lambda: arn:aws:lambda:us-east-1:<acc_id>:function:<func_name>:1
  7. Note the final :1 of the arn indicating the version of the function (version 1 is going to be the backdoored one in this scenario).
  8. Select the POST method created and in Actions select Deploy API
  9. Now, when you call the function via POST your Backdoor will be executed
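The two techniques above (weighted alias routing and an API Gateway method pinned to a numbered version) leave the same artefact: traffic reaching a version other than the one the function name or primary alias resolves to. The following added example, which is not HackTricks' code, audits for both. It parses JSON in the shape returned by `aws lambda list-aliases` and the integration `uri` returned by `aws apigateway get-integration`; the aliases, ARNs and account id below are constructed for the example.

```python
"""Audit Lambda aliases and API Gateway integrations for traffic routed to a
pinned, non-primary function version.

Added example (not HackTricks' or AWS's code). Sample data is constructed.
"""
import re

# Qualified Lambda ARN: arn:aws:lambda:<region>:<acct>:function:<name>[:<qualifier>]
LAMBDA_ARN_RE = re.compile(
    r"^arn:aws:lambda:(?P<region>[^:]+):(?P<account>\d{12}):function:"
    r"(?P<name>[^:/]+)(?::(?P<qualifier>[^:/]+))?$"
)


def parse_lambda_arn(arn):
    """Return region/account/name/qualifier, or None if this is not a function ARN."""
    match = LAMBDA_ARN_RE.match(arn)
    return match.groupdict() if match else None


def weighted_alias_findings(list_aliases_output):
    """One finding per secondary version an alias routes traffic to.
    A small weight on an older version is exactly the pattern described above."""
    findings = []
    for alias in list_aliases_output.get("Aliases", []):
        routing = alias.get("RoutingConfig") or {}
        for version, weight in routing.get("AdditionalVersionWeights", {}).items():
            findings.append({
                "alias": alias["Name"],
                "primary_version": alias["FunctionVersion"],
                "secondary_version": version,
                "weight": weight,
            })
    return findings


def pinned_integration_finding(integration_uri):
    """Finding when an API Gateway Lambda integration targets a numeric version
    instead of the unqualified function or an alias. URI shape:
    arn:aws:apigateway:<region>:lambda:path/2015-03-31/functions/<lambda arn>/invocations
    """
    match = re.search(r"/functions/(arn:aws:lambda:[^/]+)/invocations$", integration_uri)
    if not match:
        return None
    parts = parse_lambda_arn(match.group(1))
    if parts and parts["qualifier"] and parts["qualifier"].isdigit():
        return {"function": parts["name"], "pinned_version": parts["qualifier"]}
    return None


# Constructed sample: alias "prod" sends 1% of traffic to version 1.
SAMPLE_ALIASES = {
    "Aliases": [
        {
            "AliasArn": "arn:aws:lambda:us-east-1:123456789012:function:orders-api:prod",
            "Name": "prod",
            "FunctionVersion": "2",
            "RoutingConfig": {"AdditionalVersionWeights": {"1": 0.01}},
        },
        {
            "AliasArn": "arn:aws:lambda:us-east-1:123456789012:function:orders-api:staging",
            "Name": "staging",
            "FunctionVersion": "2",
        },
    ]
}

# Constructed sample: a POST method integration pinned to version 1.
SAMPLE_INTEGRATION_URI = (
    "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/"
    "arn:aws:lambda:us-east-1:123456789012:function:orders-api:1/invocations"
)

if __name__ == "__main__":
    for finding in weighted_alias_findings(SAMPLE_ALIASES):
        print("weighted alias:", finding)
    print("pinned integration:", pinned_integration_finding(SAMPLE_INTEGRATION_URI))
```

In a real review, feed it the CLI output for every function and every API Gateway method integration; any hit deserves a diff of the pinned version's code against the version the primary alias serves.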

Cron/Event actuator

The fact that you can make lambda functions run when something happens or when some time passes makes lambda a nice and common way to obtain persistence and avoid detection.
Here are some ideas to make your presence in AWS stealthier by creating lambdas:

  • Every time a new user is created, the lambda generates a new user key and sends it to the attacker.
  • Every time a new role is created, the lambda gives assume-role permissions to the compromised users.
  • Every time new CloudTrail logs are generated, delete/alter them

RCE abusing AWS_LAMBDA_EXEC_WRAPPER + Lambda Layers

Abuse the environment variable AWS_LAMBDA_EXEC_WRAPPER to execute an attacker-controlled wrapper script before the runtime/handler starts. Deliver the wrapper via a Lambda Layer at /opt/bin/htwrap, set AWS_LAMBDA_EXEC_WRAPPER=/opt/bin/htwrap, and then invoke the function. The wrapper runs inside the function runtime process, inherits the function execution role, and finally execs the real runtime so the original handler still executes normally.

AWS - Lambda Exec Wrapper Persistence

AWS - Lambda Function URL Public Exposure

Abuse Lambda asynchronous destinations together with the Recursion configuration to make a function re-invoke itself continuously without any external scheduler (no EventBridge, cron, etc.). By default, Lambda detects and stops recursive loops, but setting the recursion config to Allow re-enables them. Destinations provide service-side fan-out for async invokes, so a single seed invocation creates a long-lived heartbeat/backdoor channel that needs no extra code and is hard to notice. Optionally, throttle it with reserved concurrency to keep the noise low.

AWS - Lambda Async Self Loop Persistence

AWS - Lambda Alias-Scoped Resource Policy Backdoor

Create a hidden Lambda version containing the attacker's logic and attach a resource-based policy to that specific version (or alias) using the --qualifier parameter of lambda add-permission. Grant only lambda:InvokeFunction on arn:aws:lambda:REGION:ACCT:function:FN:VERSION to the attacker principal. Normal invocations via the function name or the primary alias remain unchanged, while the attacker can directly invoke the backdoored version ARN.

This is stealthier than exposing a Function URL and does not change the primary traffic alias.
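The exec-wrapper, async self-loop and alias-scoped policy techniques above each leave a configuration artefact on the function itself rather than in its code: an AWS_LAMBDA_EXEC_WRAPPER variable pointing into a layer, a recursion config set to Allow, and a resource policy statement whose Resource carries a version or alias qualifier and whose principal is outside the account. The following added example (not HackTricks' code) audits all three from the JSON documents returned by `aws lambda get-function-configuration`, `aws lambda get-policy` and `aws lambda get-function-recursion-config`; the account id, ARNs, policy and wrapper path are constructed sample values.

```python
"""Audit one Lambda function's configuration for three persistence hooks:
an exec wrapper shipped in a layer, an invoke grant scoped to a specific
version/alias for an outside principal, and recursion set to Allow.

Added example (not HackTricks' code). All sample values are constructed.
"""
import json

OWN_ACCOUNT = "123456789012"  # constructed account id; pass the real one in practice


def exec_wrapper_finding(function_config):
    """Report AWS_LAMBDA_EXEC_WRAPPER; a path under /opt means it comes from a layer."""
    env = (function_config.get("Environment") or {}).get("Variables", {})
    wrapper = env.get("AWS_LAMBDA_EXEC_WRAPPER")
    if not wrapper:
        return None
    return {
        "wrapper": wrapper,
        "from_layer": wrapper.startswith("/opt/"),
        "layers": [layer["Arn"] for layer in function_config.get("Layers", [])],
    }


def _qualifier(resource_arn):
    """Version or alias after ':function:<name>', e.g. '3' or 'prod', else None."""
    tail = resource_arn.split(":function:", 1)[1].split(":")
    return tail[1] if len(tail) > 1 else None


def _principal_accounts(principal):
    """Account ids behind an IAM principal element; '*' counts as external.
    Service principals carry no account and are ignored here."""
    if principal == "*":
        return {"*"}
    aws = principal.get("AWS", [])
    arns = [aws] if isinstance(aws, str) else aws
    return {arn.split(":")[4] if arn.startswith("arn:") else arn for arn in arns}


def external_qualified_invoke_findings(get_policy_output, own_account=OWN_ACCOUNT):
    """Allow statements granting InvokeFunction on a qualified ARN to a foreign account."""
    policy = json.loads(get_policy_output["Policy"])
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt.get("Effect") != "Allow" or "lambda:InvokeFunction" not in actions:
            continue
        qualifier = _qualifier(stmt["Resource"])
        foreign = _principal_accounts(stmt.get("Principal", {})) - {own_account}
        if qualifier and foreign:
            findings.append({"sid": stmt.get("Sid"), "qualifier": qualifier,
                             "principals": sorted(foreign)})
    return findings


def recursion_allowed(recursion_config):
    """True when the function may invoke itself through destinations/loops."""
    return recursion_config.get("RecursiveLoop") == "Allow"


# Constructed samples shaped like the three CLI outputs.
SAMPLE_FUNCTION_CONFIG = {
    "FunctionName": "orders-api",
    "Environment": {"Variables": {"AWS_LAMBDA_EXEC_WRAPPER": "/opt/bin/htwrap"}},
    "Layers": [{"Arn": "arn:aws:lambda:us-east-1:123456789012:layer:helper:4"}],
}
SAMPLE_POLICY = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "apigw", "Effect": "Allow",
             "Principal": {"Service": "apigateway.amazonaws.com"},
             "Action": "lambda:InvokeFunction",
             "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders-api"},
            {"Sid": "v3-external", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
             "Action": "lambda:InvokeFunction",
             "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders-api:3"},
        ],
    }),
    "RevisionId": "constructed-revision-id",
}
SAMPLE_RECURSION = {"RecursiveLoop": "Allow"}

if __name__ == "__main__":
    print("exec wrapper:", exec_wrapper_finding(SAMPLE_FUNCTION_CONFIG))
    print("qualified external invoke:", external_qualified_invoke_findings(SAMPLE_POLICY))
    print("recursion allowed:", recursion_allowed(SAMPLE_RECURSION))
```

A qualified grant to a foreign account is the finding to act on first: the version it names is the one to read, because normal traffic through the primary alias never touches it.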

AWS - Lambda Alias Version Policy Backdoor

Freezing AWS Lambda Runtimes

An attacker with the lambda:InvokeFunction, logs:FilterLogEvents, lambda:PutRuntimeManagementConfig and lambda:GetRuntimeManagementConfig permissions can modify a function's runtime management configuration. This attack is especially effective when the goal is to keep a Lambda function on a vulnerable runtime version, or to preserve compatibility with malicious layers that may be incompatible with newer runtimes.

The attacker modifies the runtime management configuration to pin the runtime version:

```bash
# Invoke the function to generate runtime logs
aws lambda invoke \
--function-name $TARGET_FN \
--payload '{}' \
--region us-east-1 /tmp/ping.json

sleep 5

# Freeze automatic runtime updates on function update
aws lambda put-runtime-management-config \
--function-name $TARGET_FN \
--update-runtime-on FunctionUpdate \
--region us-east-1
```

Verify the applied configuration:

```bash
aws lambda get-runtime-management-config \
--function-name $TARGET_FN \
--region us-east-1
```

Optional: pin to a specific runtime version

```bash
# Extract Runtime Version ARN from INIT_START logs
RUNTIME_ARN=$(aws logs filter-log-events \
--log-group-name /aws/lambda/$TARGET_FN \
--filter-pattern "INIT_START" \
--query 'events[0].message' \
--output text | grep -o 'Runtime Version ARN: [^,]*' | cut -d' ' -f4)
```

Pin to the specific runtime version:

```bash
aws lambda put-runtime-management-config \
--function-name $TARGET_FN \
--update-runtime-on Manual \
--runtime-version-arn $RUNTIME_ARN \
--region us-east-1
```
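The defensive counterpart of the sequence above is to inventory every function whose UpdateRuntimeOn is not Auto and, for Manual pins, compare the pinned ARN with the runtime the function actually initialised with. The following added example (not HackTricks' or AWS's code) does that from the JSON returned by `aws lambda get-runtime-management-config` and the `events` list returned by `aws logs filter-log-events`. The INIT_START messages, timestamps and runtime ARNs below are constructed; the real `Runtime Version ARN` values are opaque hashes, so the `EXAMPLE...` suffixes are placeholders.

```python
"""Assess a function's runtime management configuration and recover the
runtime it actually initialised with from INIT_START log lines.

Added example (not HackTricks' or AWS's code). Log lines and ARNs are constructed.
"""
import re

RUNTIME_ARN_RE = re.compile(r"Runtime Version ARN: (\S+)")


def extract_runtime_arn(message):
    """Pull the runtime version ARN out of one INIT_START message."""
    match = RUNTIME_ARN_RE.search(message)
    return match.group(1).rstrip(",") if match else None


def latest_runtime_arn(events):
    """filter-log-events returns events oldest first, so events[0] can be a
    stale init from weeks ago; use the most recent INIT_START instead."""
    inits = [e for e in events if e["message"].startswith("INIT_START")]
    if not inits:
        return None
    return extract_runtime_arn(max(inits, key=lambda e: e["timestamp"])["message"])


def assess_runtime_config(config, observed_arn=None):
    """Classify UpdateRuntimeOn: Auto is the default; FunctionUpdate freezes the
    runtime until the next code/config update; Manual pins a specific ARN."""
    mode = config.get("UpdateRuntimeOn", "Auto")
    if mode == "Auto":
        return {"status": "ok", "mode": mode}
    if mode == "FunctionUpdate":
        return {"status": "frozen", "mode": mode}
    pinned = config.get("RuntimeVersionArn")
    return {
        "status": "pinned",
        "mode": mode,
        "pinned_arn": pinned,
        # False here means the next cold start will move the function to the
        # pinned (older) build rather than the one it is running today.
        "matches_observed": observed_arn is not None and pinned == observed_arn,
    }


# Constructed log events: an older init on one runtime build, a newer one on another.
SAMPLE_EVENTS = [
    {"timestamp": 1714557600000,
     "message": "INIT_START Runtime Version: python:3.12.v20\tRuntime Version ARN: "
                "arn:aws:lambda:us-east-1::runtime:EXAMPLEOLDBUILD\n"},
    {"timestamp": 1714557605000,
     "message": "START RequestId: 00000000-0000-0000-0000-000000000000 Version: $LATEST\n"},
    {"timestamp": 1714644000000,
     "message": "INIT_START Runtime Version: python:3.12.v30\tRuntime Version ARN: "
                "arn:aws:lambda:us-east-1::runtime:EXAMPLENEWBUILD\n"},
]
# Constructed config: the function has been pinned to the older build.
SAMPLE_CONFIG = {
    "UpdateRuntimeOn": "Manual",
    "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:orders-api",
    "RuntimeVersionArn": "arn:aws:lambda:us-east-1::runtime:EXAMPLEOLDBUILD",
}

if __name__ == "__main__":
    observed = latest_runtime_arn(SAMPLE_EVENTS)
    print("observed runtime:", observed)
    print("assessment:", assess_runtime_config(SAMPLE_CONFIG, observed))
```

Any function reporting `frozen` or `pinned` without a change ticket behind it is worth a closer look, and a `pinned` result whose ARN does not match the current init is the clearest signal that someone intends to roll the runtime backwards.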
