AWS - Route53 Privesc

Reading time: 3 minutes

For more information about Route53 check:

AWS - Route53 Enum

route53:CreateHostedZone, route53:ChangeResourceRecordSets, acm-pca:IssueCertificate, acm-pca:GetCertificate

Other permissions recommend but not required for the enumeration part: route53:GetHostedZone, route53:ListHostedZones, acm-pca:ListCertificateAuthorities, ec2:DescribeVpcs

Assuming there is an AWS VPC with multiple cloud-native applications talking to each other and to AWS API. Since the communication between the microservices is often TLS encrypted there must be a private CA to issue the valid certificates for those services. If ACM-PCA is used for that and the adversary manages to get access to control both route53 and acm-pca private CA with the minimum set of permissions described above, it can hijack the application calls to AWS API taking over their IAM permissions.

This is possible because:

• AWS SDKs не підтримують Certificate Pinning
• Route53 дозволяє створювати Private Hosted Zone і DNS-записи для доменних імен AWS API
• Private CA в ACM-PCA не можна обмежити лише підписуванням сертифікатів для певних Common Names

Potential Impact: Опосередкований privesc шляхом перехоплення конфіденційної інформації в трафіку.

Exploitation

Find the exploitation steps in the original research: https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/