Upgrade to Pro — share decks privately, control downloads, hide ads and more …

From ‘huh?’ to privilege escalation

Ben Bridts
June 12, 2023
Technology
0
12

From ‘huh?’ to privilege escalation

Security research is not something that’s only done by dedicated teams and companies. Sometimes it will be a developer or platform engineer that makes the jump from “that’s not how I expect it to work” to “that’s not how it’s supposed to work”.

In this talk we’ll walk through the process we took when we found strange behaviour in the AWS console, tried to debug what’s going wrong and ended up finding an API that didn’t check iam:PassRole correctly. We’ll see that in a lot of cases the needs of a person who’s debugging and a security researcher will overlap and that features like CloudTrail and documented APIs are useful resources for everyone.

Presentation given at fwd:cloudsec 2023 (https://fwdcloudsec.org/)

Ben Bridts

June 12, 2023
Tweet

More Decks by Ben Bridts

See All by Ben Bridts
re:Invent re:Cap 2023: Evolving your architecture
benbridts
0
31
A closer look at new ways to manage access - EKS Pod Identiy and S3 Access Grant
benbridts
0
3
re:Invent re:Cap - Removing Heavy Lifting
benbridts
0
64
Policy as Code: Putting best practices in your repository
benbridts
0
140
(Don't) try this at work - Lightning Talk
benbridts
0
91
AWS Systems Manager
benbridts
1
88
Do(n’t) try this at work - Technically, you _can_ do this
benbridts
0
140
Mistakes I made when writing Infrastructure as Code, and how to avoid them
benbridts
0
55
~$ aws help # things you might not know about the AWS CLI
benbridts
1
180

Other Decks in Technology

See All in Technology
リテール金融(キャッシュレス・ネット銀行・ネット証券)の競争環境と経済圏
8maki
0
1.5k
One engineer company with Ruby on Rails
rstankov
2
400
Google Cloud Next '24でブログを10本書いた方法と勉強会を沸かせた方法
yasumuusan
0
320
今日からできる!簡単 .NET 高速化 Tips -2024 edition-
xin9le
7
3.4k
require(ESM)とECMAScript仕様
uhyo
4
940
Python と Snowflake はズッ友だょ!~ Snowflake の Python 関連機能をふりかえる ~
__allllllllez__
2
140
Azure犬駆動開発の記録/GlobalAzureFukuoka2024_20240420
nina01
1
230
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
4
17k
2024春 注目のWeb系 OSS & SaaS 3選
makies
0
170
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
2.1k
Azure Container Apps + Bicep 〜 こんな感じで運用しています
kaz29
3
610
R3のコードから見る実践LINQ実装最適化・コンカレントプログラミング実例
neuecc
3
1.4k

Featured

See All Featured
Building an army of robots
kneath
300
41k
Clear Off the Table
cherdarchuk
85
310k
A Philosophy of Restraint
colly
197
16k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Facilitating Awesome Meetings
lara
43
5.6k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
22
1.6k
Building a Scalable Design System with Sketch
lauravandoore
457
32k
A Tale of Four Properties
chriscoyier
152
22k
Art, The Web, and Tiny UX
lynnandtonic
290
19k
Building Applications with DynamoDB
mza
88
5.6k
Build The Right Thing And Hit Your Dates
maggiecrowley
25
2k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3.1k

Transcript

  1. From ‘huh?’ to privilege escalation Finding vulnerabilities from a bug

    in the AWS console Ben Bridts

  2. who are we building for?

  3. Huh?

  4. AWS Well- Architected Reviews AWS Professional Services AWS Architecture Design

    AWS 24/7 Managed Services AWS DevOps Best Practices AWS Migration Expertise & Guidance AWS Public Sector Solutions AWS Workshops & Training AWS Reselling & Cost Optimization

  5. AWS Directory Service AWS Directory Service Simple AD AD Connector

    AWS Managed Microsoft AD Amazon WorkSpaces Amazon WorkDocs Amazon QuickSight Amazon Chime Amazon Connect Amazon Relational Database Service (Amazon RDS) Amazon Elastic Compute Cloud (Amazon EC2) AWS Management Console

  6. AWS Directory Services Console

  7. None
  8. None

  9. Investigation

  10. None

  11. https://docs.aws.amazon.com/directoryservice/latest/admin-guide/UsingWithDS_IAM_ResourcePermissions.html

  12. Lessons CloudTrail is not a given, especially for console-only actions

    CloudTrail is extremly valuable for operations and defense

  13. who are we building for?

  14. Reproducing the issue

  15. None
  16. None

  17. https://botocore.amazonaws.com/v1/documentation/api/latest/reference/loaders.html

  18. None

  19. Takeaways Race conditions will happen Nonpublic can still be usable

    (especially for attackers) client-side is untrusted

  20. who are we building for?

  21. Privilege escalation

  22. Existing Directory User Role ds-group-a User Role ds-group-b Alice Bob

    Group A Group B

  23. Existing Directory User Role ds-group-a User Role ds-group-b Alice Bob

    Group A Group B Permissions Permissions Trust Relationship Trust Relationship

  24. Existing Directory User Role ds-group-a User Role ds-group-b Alice Bob

    Group A Group B Permissions Permissions Trust Relationship Trust Relationship

  25. Existing Directory User Role ds-group-a User Role ds-group-b Alice Bob

    Group A Group B Permissions Permissions https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_role.html [docs]/directoryservice/latest/admin-guide/UsingWithDS_IAM_ResourcePermissions.html

  26. Existing Directory User Role ds-group-a User Role ds-group-b Alice Bob

    Group A Group B Permissions Permissions https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_role.html Group C

  27. Existing Directory User Role ds-group-a Alice Bob Group A Permissions

    Permissions https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_role.html Group C New Directory

  28. Takeaways Nonpublic APIs makes IAM Policies harder to write Make

    ExternalIds as specific as possible Verify the negative too

  29. who are we building for?

  30. Conclusion

  31. we can’t claim shared responsibility without the right tools

  32. there is still low-hanging fruit

  33. who are we building for?

  34. Please make me happy too Add auditing to your products

    Create documented, public APIs Use more specific ExternalIds

  35. https://fwdcloudsec.org/speakers.html#evading-logging-cloud-aws https://fwdcloudsec.org/speakers.html#ground-shifts-underneath-us https://github.com/benbridts/aws-undocumented-api-models https://github.com/Frichetten/aws-api-models https://www.youtube.com/watch?v=R039RTcy6_w Learn more https://cloudar.be/awsblog/cloudsec2023

  36. Thank you! Ben Bridts [email protected] @BenBridts | @WeAreCloudar www.cloudar.be