
From ‘huh?’ to privilege escalation

Security research is not something that’s only done by dedicated teams and companies. Sometimes it will be a developer or platform engineer that makes the jump from “that’s not how I expect it to work” to “that’s not how it’s supposed to work”.

In this talk we’ll walk through the process we took when we found strange behaviour in the AWS console, tried to debug what’s going wrong and ended up finding an API that didn’t check iam:PassRole correctly. We’ll see that in a lot of cases the needs of a person who’s debugging and a security researcher will overlap and that features like CloudTrail and documented APIs are useful resources for everyone.

Presentation given at fwd:cloudsec 2023 (https://fwdcloudsec.org/)

Ben Bridts

June 12, 2023

Transcript

  1. AWS Well-Architected Reviews
     - AWS Professional Services
     - AWS Architecture Design
     - AWS 24/7 Managed Services
     - AWS DevOps Best Practices
     - AWS Migration Expertise & Guidance
     - AWS Public Sector Solutions
     - AWS Workshops & Training
     - AWS Reselling & Cost Optimization
  2. AWS Directory Service
     - AWS Directory Service: Simple AD, AD Connector, AWS Managed Microsoft AD
     - Services that use it: Amazon WorkSpaces, Amazon WorkDocs, Amazon QuickSight, Amazon Chime, Amazon Connect, Amazon Relational Database Service (Amazon RDS), Amazon Elastic Compute Cloud (Amazon EC2), AWS Management Console
  3. Lessons
     - CloudTrail is not a given, especially for console-only actions
     - CloudTrail is extremely valuable for operations and defense
  4. Takeaways
     - Race conditions will happen
     - Nonpublic can still be usable (especially for attackers)
     - Client-side is untrusted
  5. [Diagram: Existing Directory with users Alice and Bob, groups Group A and Group B, and the user roles ds-group-a and ds-group-b, each with Permissions and a Trust Relationship]
  6. [Same diagram as slide 5]
  7. [Same diagram, with documentation references]
     https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_role.html
     [docs]/directoryservice/latest/admin-guide/UsingWithDS_IAM_ResourcePermissions.html
  8. [Same diagram, with Group C added]
     https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_role.html
  9. [Diagram: Existing Directory with Alice, Bob, Group A and the role ds-group-a with its Permissions; Group C in a New Directory]
     https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_role.html
  10. Takeaways
      - Nonpublic APIs make IAM policies harder to write
      - Make ExternalIds as specific as possible
      - Verify the negative too
  11. Please make me happy too
      - Add auditing to your products
      - Create documented, public APIs
      - Use more specific ExternalIds