DOING AWS
ZOO AUDIT
Denis Rybin@_ttffdd_
Why?
• AWS has little coverage in the Russian infosec community
• The most frequent question is: "I poke the metadata API but can't make sense of anything there."
• False confidence that AWS is vulnerable to nothing but public S3 buckets and SSRF to the metadata API
• Curiosity
What?
• 30-45 minutes of mish-mash
• Level: "introduction and selected aspects"
The talk DOES cover:
• AWS in 5 minutes or so
• AWS for a bug hunter
• AWS for an auditor
• Helpful tips and tricks
The talk DOESN'T cover:
• AWS EKS
• Google Compute Engine
• Microsoft Azure
• Anything interesting
WHAT IS AWS? A bunch of services
Simple and intuitive
EC2, you've surely heard about it:
• A ready-made virtual server
• Equipped with the instance metadata API (link-local address 169.254.169.254)
• May be furnished with a user data script
• Part of the AWS ecosystem
• Connected to a VPC
Two words about VPC
VPC is the key AWS network unit:
• Subnets and IP ranges
• Subnets and gateways
• Security Groups
Metadata API:
[ec2-user ~]$ curl http://169.254.169.254/
1.0
2012-01-12
2014-02-25
2014-11-05
2015-10-20
2016-04-19
2016-06-30
2016-09-02
latest
The sensitive part of user data and metadata:
• http://169.254.169.254/latest/user-data
• http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
Requesting http://169.254.169.254/latest/meta-data/iam/security-credentials/ without a role name lists the attached role; the entry under it returns AccessKeyId, SecretAccessKey and Token for that role. Both endpoints are readable by any process on the instance, so user data must never carry secrets.
Fun fact about the metadata API
Google Cloud
• Header "Metadata-Flavor: Google" required
Azure
• Header "Metadata: true" required
AWS
• No header required (IMDSv1)
Since November 2019 AWS also offers IMDSv2: the client first sends a PUT to http://169.254.169.254/latest/api/token with an X-aws-ec2-metadata-token-ttl-seconds header, then presents the returned token in X-aws-ec2-metadata-token on every GET. A GET-only SSRF can neither issue the PUT nor add the header, so setting the instance's metadata options to HttpTokens=required (and keeping the hop limit at 1) closes the classic SSRF-to-credentials path. IMDSv1 stays enabled by default until you turn it off.
Dirty fix
https://github.com/stefansundin/ec2-metadata-filter
The program blocks any request with a User-Agent that does not start with one of the following prefixes:
aws-chalice/
aws-cli/
aws-sdk-
Boto3/
Botocore/
Cloud-Init/
In addition to whitelisting User-Agent prefixes, the program also allows requests that send the header Metadata-Flavor: Amazon.
Like GCE, the program blocks requests containing an X-Forwarded-For header.
Why "dirty": the User-Agent is chosen by the client, so an SSRF that lets the attacker set request headers walks straight through the whitelist. The filter only stops the common case of an SSRF that issues a plain GET with fixed headers.
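To make the three rules concrete, here is an added Python re-implementation of the allow/deny logic described above; it is not the filter's own code. It assumes the filter sits between instance processes and 169.254.169.254 and receives the request headers as a dict, and the sample requests at the bottom are constructed for illustration.

```python
# Added example (not the filter's own code): the allow/deny rule described for
# stefansundin/ec2-metadata-filter, applied to constructed sample requests.
# Header names are compared case-insensitively, as HTTP requires.

ALLOWED_UA_PREFIXES = (
    "aws-chalice/", "aws-cli/", "aws-sdk-", "Boto3/", "Botocore/", "Cloud-Init/",
)


def _header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def allow_metadata_request(headers):
    """Decide whether a request to 169.254.169.254 may pass the filter.

    headers: dict of request header name -> value.
    Returns True to forward the request to IMDS, False to drop it.
    """
    # Rule 3: a forwarded request is by definition not the SDK on this box
    # talking to IMDS; drop it regardless of the other headers (as GCE does).
    if _header(headers, "X-Forwarded-For") is not None:
        return False
    # Rule 2: explicit opt-in header, the AWS analogue of Metadata-Flavor: Google.
    if _header(headers, "Metadata-Flavor") == "Amazon":
        return True
    # Rule 1: whitelist of User-Agent prefixes used by official AWS tooling.
    user_agent = _header(headers, "User-Agent") or ""
    return user_agent.startswith(ALLOWED_UA_PREFIXES)


# Constructed sample requests, as a proxy in front of IMDS might see them.
SAMPLE_REQUESTS = {
    # boto3 on the instance fetching role credentials: legitimate.
    "boto3": {"User-Agent": "Boto3/1.9.0 Python/3.7 Linux/4.14 Botocore/1.12.0"},
    # curl from a shell, or a typical SSRF through an HTTP client library.
    "curl": {"User-Agent": "curl/7.61.1", "Accept": "*/*"},
    # SSRF via a web app that appends X-Forwarded-For: blocked despite a "good" UA.
    "proxied_ssrf": {"user-agent": "aws-cli/1.16.0", "x-forwarded-for": "203.0.113.7"},
    # Explicit opt-in header, no SDK User-Agent at all.
    "flavor_header": {"Metadata-Flavor": "Amazon"},
    # An attacker who controls the User-Agent of the SSRF request walks straight in.
    "spoofed_ua": {"User-Agent": "aws-sdk-java/1.11.0"},
}


def evaluate_samples():
    """Map each sample name to the filter's verdict (True = allowed)."""
    return {name: allow_metadata_request(hdrs) for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:>14}: {'allow' if verdict else 'deny'}")
```

The "spoofed_ua" sample is the whole story: any SSRF primitive that lets the attacker choose the User-Agent (header injection, a client that mirrors user-supplied headers, gopher-style raw sockets) is indistinguishable from the SDK. Treat the filter as a speed bump and fix the root with IMDSv2 tokens.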
COOOOOL STORY TIME
A story by @ninjazeroone about FunctionShield (AWS Lambda)
Context: there is a Python sandbox with code execution. The code in it is executed for data processing, big data, etc.
We post Python code in a website form → the code is parsed and run on AWS Lambda.
This is where the library jumps into action. It serves 4 major tasks:
1. Block all TCP connections (UDP isn't blocked)
2. Restrict all child processes
3. Forbid read/write to /tmp
4. Forbid reading the handler script, which contains the bulk of the code
Everything was forbidden for us except reading and writing in /tmp.
The more the merrier:
• The mechanism that blocks tmp is a syscall blacklist
• So let's look for something outside the blacklist
And we managed to find it:
• read and write are forbidden
• rename is NOT
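The weakness class behind "rename is NOT": a blacklist that intercepts the open/read/write path forgets that a file can be moved somewhere the policy allows. The following added Python model is not FunctionShield's code and does not reproduce the exact steps of the story; it assumes a hook on open() standing in for a syscall blacklist, a constructed "task" directory holding a handler.py that may not be opened, and a constructed "tmp" directory that may be read and written.

```python
# Added example (not FunctionShield's code): a toy path blacklist that hooks open()
# but not os.rename(), showing why "read and write are forbidden, rename is not"
# is enough. Directories and the "secret" in handler.py are constructed.
import builtins
import os
import tempfile

_real_open = builtins.open


class SandboxViolation(PermissionError):
    """Raised when guarded code opens a blacklisted path."""


def install_open_blacklist(denied_paths):
    """Replace builtins.open with a version that refuses the given paths."""
    denied = {os.path.realpath(p) for p in denied_paths}

    def guarded_open(file, mode="r", *args, **kwargs):
        if isinstance(file, (str, os.PathLike)) and os.path.realpath(file) in denied:
            raise SandboxViolation(f"open() on {os.fspath(file)} is blacklisted")
        return _real_open(file, mode, *args, **kwargs)

    builtins.open = guarded_open


def uninstall_open_blacklist():
    builtins.open = _real_open


def demo():
    """Plant a handler the sandbox must protect, then move it out from under the hook.

    Returns (result_of_direct_read, contents_obtained_via_rename).
    """
    root = tempfile.mkdtemp(prefix="lambda-model-")
    task_dir = os.path.join(root, "task")   # stands in for /var/task
    tmp_dir = os.path.join(root, "tmp")     # stands in for /tmp (allowed)
    os.makedirs(task_dir)
    os.makedirs(tmp_dir)
    handler = os.path.join(task_dir, "handler.py")
    with open(handler, "w") as fh:          # real open(): the hook is not installed yet
        fh.write("API_TOKEN = 'constructed-secret'\n")

    install_open_blacklist([handler])
    try:
        try:
            open(handler).read()
            direct = "readable"
        except SandboxViolation:
            direct = "blocked"              # the blacklist does its job for open()

        # rename() is not on the blacklist: the same inode now sits at an allowed path.
        moved = os.path.join(tmp_dir, "handler.py")
        os.rename(handler, moved)
        with open(moved) as fh:
            leaked = fh.read()
    finally:
        uninstall_open_blacklist()
    return direct, leaked


if __name__ == "__main__":
    print(demo())
```

The design lesson is that a syscall-level blacklist cannot protect a particular file at all: seccomp-bpf cannot dereference pointer arguments such as a pathname, so it can only allow or deny whole syscalls, and the list of syscalls that end up touching a file (rename, link, mmap, openat2, io_uring, ...) is longer than anyone remembers. Protect the handler with kernel access control instead (ownership and mode bits, a separate user, a read-only mount) and, if you filter syscalls, use an allowlist.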
WIN-WIN-WIN
Back to AWS…
Quite often, user data is a script executed at instance launch (cloud-init runs it once, as root, on first boot).
For example:
#!/bin/bash
yum update -y
amazon-linux-extras install -y lamp-mariadb10.2-php7.2 php7.2
yum install -y httpd mariadb-server
systemctl start httpd
systemctl enable httpd
usermod -a -G apache ec2-user
chown -R ec2-user:apache /var/www
chmod 2775 /var/www
find /var/www -type d -exec chmod 2775 {} \;
find /var/www -type f -exec chmod 0664 {} \;
echo "<?php phpinfo(); ?>" > /var/www/html/phpinfo.php
Pretty important: AWS security credentials
Access keys consist of two parts:
• an access key ID (for example, AKIAIOSFODNN7EXAMPLE)
• a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY)
The ID prefix already tells you something: AKIA is a long-term IAM user key, ASIA a temporary STS credential that only works together with its session token.
The key to what?
There are 2 options to find out:
• Ask AWS directly and get burned: sts:GetCallerIdentity answers for any valid key and needs no permissions, but the call is recorded in the victim's CloudTrail
• Brute force: try API calls one by one and see which succeed; slow, and every AccessDenied also lands in CloudTrail
Tools:
• https://github.com/elitest/RedDolphin/blob/master/checkAWSKey.py for those who prefer asking
• https://github.com/andresriancho/enumerate-iam for brute force; time-consuming
AWS101
ARN default format:
• arn:partition:service:region:account-id:resource-id
• arn:partition:service:region:account-id:resource-type/resource-id
• arn:partition:service:region:account-id:resource-type:resource-id
Example:
• arn:aws:iam::123456789012:user/Development/product_1234/*
IAM is a global service, so its region field is empty; the trailing * is the wildcard accepted in a policy's Resource element.
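As an added example (not from the talk), here is a parser for the three ARN layouts above together with a matcher for the `*` and `?` wildcards IAM accepts in a Resource element, which is what you need when checking whether a policy actually covers a given resource. The sample ARNs are constructed.

```python
# Added example (not from the talk): parse the three documented ARN layouts and
# match ARNs against IAM-style wildcard patterns. Sample ARNs are constructed.
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str          # empty for global services such as IAM
    account_id: str      # empty for some resources, e.g. S3 buckets
    resource: str        # the raw trailing part, always kept
    resource_type: Optional[str]
    resource_id: str


def parse_arn(arn: str) -> Arn:
    """Split 'arn:partition:service:region:account-id:resource' into its fields.

    The resource part may be 'id', 'type/id' or 'type:id'. Only the first '/' or ':'
    separates type from id, because ids themselves contain these characters
    (IAM paths, Lambda versions). For services whose resource carries no type
    (an S3 key like 'bucket/key') the split is purely syntactic; use .resource.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account_id, resource = parts
    if not partition or not service or not resource:
        raise ValueError(f"ARN is missing a required field: {arn!r}")
    sep = next((i for i, ch in enumerate(resource) if ch in "/:"), -1)
    if sep == -1:
        rtype, rid = None, resource
    else:
        rtype, rid = resource[:sep], resource[sep + 1:]
    return Arn(partition, service, region, account_id, resource, rtype, rid)


def arn_matches(pattern: str, arn: str) -> bool:
    """True if an IAM-style Resource pattern covers the given ARN.

    '*' matches any run of characters (including '/' and ':'), '?' exactly one;
    everything else is literal, as in IAM policy evaluation.
    """
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, arn) is not None


SAMPLE_ARNS = [  # constructed
    "arn:aws:iam::123456789012:user/Development/product_1234/*",
    "arn:aws:iam::123456789012:user/Development/product_1234/alice",
    "arn:aws:s3:::my-bucket/secret.txt",
    "arn:aws:lambda:eu-west-1:123456789012:function:ingest:7",
]

if __name__ == "__main__":
    for sample in SAMPLE_ARNS:
        print(parse_arn(sample))
    print(arn_matches(SAMPLE_ARNS[0], SAMPLE_ARNS[1]))
```

Note that `*` in IAM matches across `/` and `:`, so `user/Development/*` also covers users nested deeper in the path; a glob library that stops at `/` would give the wrong answer here.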
Try guessing what the config does? Get the prize! (The policy shown on this slide is an image and is not reproduced here.)
Dungeons and dragons: principals and policies
Principals:
• The AWS account root user
• IAM users
• IAM groups
• IAM roles
Policies:
• Identity-based policies, attached to users, groups or roles: managed policies (AWS-managed or customer-managed, standalone and versioned) and inline policies (embedded in a single principal)
• Resource-based policies, attached to the resource itself (an S3 bucket policy, a Lambda function policy)
Escalation case from CloudGoat
Here is a simple case: iam_privesc_by_rollback
Route Walkthrough - IAM User "Raynor"
1. Starting as the IAM user "Raynor," the attacker has only a few limited, seemingly harmless, privileges available to them.
2. The attacker analyzes Raynor's privileges and notices the SetDefaultPolicyVersion permission, allowing access to 4 other versions of the policy via setting an old version as the default.
3. After reviewing the old policy versions, the attacker finds that one version in particular offers a full set of admin rights.
4. The attacker restores the full-admin policy version, gaining full admin privileges and the ability to carry out any malicious actions they wish.
5. As a final step, the attacker may choose to revert Raynor's policy version back to the original one, thereby concealing their actions and the true capabilities of the IAM user.
AWS CLI Walkthrough - IAM User "Raynor"
1. aws configure --profile raynor
2. aws iam list-attached-user-policies --user-name raynor --profile raynor
3. aws iam list-policy-versions --policy-arn <generatedARN>/cg-raynor-policy --profile raynor
4. aws iam get-policy-version --policy-arn <generatedARN>/cg-raynor-policy --version-id <versionID> --profile raynor
5. aws iam set-default-policy-version --policy-arn <generatedARN>/cg-raynor-policy --version-id <versionID> --profile raynor
Profile names are case-sensitive, so use the same name in every step. Step 5 is recorded in CloudTrail as an iam:SetDefaultPolicyVersion event, which is the thing to alert on; a managed policy keeps at most 5 versions, so the defence is simply to delete stale versions and not to hand iam:SetDefaultPolicyVersion (or iam:CreatePolicyVersion) to non-admins.
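An auditor wants the reverse of steps 3 to 5: for every customer-managed policy, does a non-default version grant admin, and does the default version let the holder roll back to it? The added Python checker below is not CloudGoat's code; it works offline on a list of dicts shaped like the PolicyVersion object that `aws iam get-policy-version` returns (the CLI hands you the Document already decoded; the raw API returns it URL-encoded). The sample versions are constructed to mirror the Raynor scenario.

```python
# Added example (not CloudGoat's code): offline checker for the
# iam_privesc_by_rollback pattern over constructed policy versions.
import fnmatch


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _allow_statements(document):
    statements = document.get("Statement", [])
    if isinstance(statements, dict):          # a single statement object is valid too
        statements = [statements]
    return [s for s in statements if s.get("Effect") == "Allow"]


def grants_full_admin(document):
    """True if some Allow statement grants every action on every resource."""
    for s in _allow_statements(document):
        if "*" in _as_list(s.get("Action")) and "*" in _as_list(s.get("Resource")):
            return True
    return False


def allows_action(document, action):
    """True if an Allow statement covers the action, honouring IAM's case-insensitive
    wildcards ('*', 'iam:*', 'iam:Set*'). Resource and Condition are ignored here."""
    for s in _allow_statements(document):
        for granted in _as_list(s.get("Action")):
            if fnmatch.fnmatchcase(action.lower(), granted.lower()):
                return True
    return False


def audit_policy_versions(versions):
    """Report old versions that grant admin and whether the default lets you roll back.

    versions: list of dicts with keys VersionId, IsDefaultVersion, Document.
    """
    default = next((v for v in versions if v.get("IsDefaultVersion")), None)
    admin_versions = [
        v["VersionId"] for v in versions
        if not v.get("IsDefaultVersion") and grants_full_admin(v["Document"])
    ]
    can_roll_back = default is not None and allows_action(
        default["Document"], "iam:SetDefaultPolicyVersion"
    )
    return {
        "default_version": default["VersionId"] if default else None,
        "admin_versions": admin_versions,
        "can_roll_back": can_roll_back,
        "privesc": can_roll_back and bool(admin_versions),
    }


# Constructed versions mimicking the Raynor scenario: the default (v1) looks
# harmless but includes SetDefaultPolicyVersion; v2 is a forgotten admin version.
SAMPLE_VERSIONS = [
    {"VersionId": "v1", "IsDefaultVersion": True, "Document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["iam:Get*", "iam:List*", "iam:SetDefaultPolicyVersion"],
                       "Resource": "*"}]}},
    {"VersionId": "v2", "IsDefaultVersion": False, "Document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"VersionId": "v3", "IsDefaultVersion": False, "Document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:ListBucket",
                       "Resource": "arn:aws:s3:::example-bucket"}]}},
]

if __name__ == "__main__":
    print(audit_policy_versions(SAMPLE_VERSIONS))
```

The check is deliberately conservative: `grants_full_admin` only flags the literal `*`/`*` pair, so an old version with `iam:*` on `*` (just as dangerous) would need the same `allows_action` treatment. Feed it the output of `list-policy-versions` plus one `get-policy-version` per version, and fix findings with `aws iam delete-policy-version`.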
Pretty important: escalation will be addressed later, but here is a couple of helpful links!
• https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation - 28 (!!!) techniques
• https://github.com/RhinoSecurityLabs/pacu - the Metasploit of the AWS world
Best first step: ScoutSuite
What do you need for an audit?
Permissions
The following AWS managed policies can be attached to the principal used to run Scout in order to grant the necessary permissions:
• ReadOnlyAccess
• SecurityAudit
You will also find a custom policy to run Scout with minimal privileges in the ScoutSuite documentation.
AWS Bloodhound: Lyft's Cartography
Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
OK, LAST PART: TWO GREAT CASES
Cognito case
The service allows assigning limited rights to users of your AWS account: a Cognito identity pool hands out temporary AWS credentials to app users, optionally to unauthenticated guests as well.
The purpose of the service:
• Obtain an identity ID
• Pass AWS credentials
The service is used by mobile apps and websites
Q: Could the obtained rights be unsafe?
A: Sure :)
The identity pool ID ships inside the app, so anyone who extracts it can exercise whatever the IAM role attached to the pool (authenticated or unauthenticated) permits. Audit that role, not the app.
Original research: Internet-Scale Analysis of AWS Cognito Security
EBS case
Amazon Elastic Block Store (EBS) is a simple-to-use, high-performance cloud storage service designed to be used in combination with Amazon Elastic Compute Cloud (EC2).
It can be:
• Public/private (strictly, it is EBS snapshots that can be shared publicly; anyone can then create a volume from such a snapshot in their own account and mount it)
• Encrypted/non-encrypted
Q: Can public non-encrypted disks contain secrets?
A: Sure they can :)
Check your own account with: aws ec2 describe-snapshots --owner-ids self --restorable-by-user-ids all
Original research: Finding Secrets In Publicly Exposed EBS Volumes - Ben Morris
S3: don't want to (oh, come on):
• http://flaws.cloud/
• https://github.com/EdOverflow/can-i-take-over-xyz
• Hundreds of bug bounty cases, thousands of articles on the same topic
For defense: asecure.cloud
RESOURCES
• AWS EC2 Security Strategy Guide
https://asecure.cloud/g/strategy_ec2_security/
• API Keys, Now What? Taking the Pen Test Into the Amazon Cloud - Jim Shaver
https://www.youtube.com/watch?v=vV7xN2JQNOU
• Finding Secrets In Publicly Exposed EBS Volumes - Ben Morris
https://www.youtube.com/watch?v=-LGR63yCTts
• CloudGoat
https://github.com/RhinoSecurityLabs/cloudgoat
• Rhino Security Labs blog
https://rhinosecuritylabs.com/blog/
• Andres Riancho's blog
https://andresriancho.com/blog
A channel where I plan to post interesting things about the security of AWS, other clouds and maybe k8s:
https://t.me/cloud_sec
THANKS FOR ATTENTION
@_TTFFDD_