Understanding AWS attacks using CloudGoat Kavisha Sheth Security Analyst, Appsecco

Kavisha Sheth • Security Analyst at Appsecco • Breaks web application, API and Cloud security • Member of a number of security communities including null community, InfoSecGirls, and WiCys India • Listed as one of the top security researchers of the nation, in a newsletter of NCIIPC RVDP About me

• Why are we doing this? • AWS Real World Attacks • Attacking AWS infra using keys obtained via SSRF • Enumerating and attacking AWS S3 storage • Privilege escalation within AWS using IAM policy rollback • Privilege escalation using lambda functions • Next steps in learning • Tools • References What we will cover today

• Enterprises are increasingly running their IT and application infrastructure natively in the cloud • Our experience with multiple cloud assessments has shown mis-configurations to be a major security concern • Lot of default code and deployment practices on the Internet do not take security into account • Shared responsibility between cloud provider and you can be confusing • If you are aware of what attacks are out there, you can defend yourself better Why are we doing this?

What we are covering today Attacking AWS infra using keys obtained via SSRF Enumerating and attacking AWS S3 storage Privilege escalation within AWS using IAM policy rollback Privilege escalation using lambda functions

• To understand the attacks in today's talk we will be using CloudGoat as our target environment • You can setup CloudGoat to practice these attacks by following instructions from our reference slide Target Environment

Attacking AWS infra using keys obtained via SSRF

No content

• Credentials already found by attacker (through JS source, Github, server-side code disclosure etc.) Scenario Assumptions

1. Discovery of AWS IAM keys in client-side source code

2. Identify the user using AWS STS

3. Enumerate permissions for solus user https://github.com/andresriancho/enumerate-iam

4. List Lamba functions Hard-coded AWS security credentials in the environment variables of the lambda function

5. Identify who the creds belong to

6. Permission enumeration for IAM user "wrex" https://github.com/andresriancho/enumerate-iam EC2 operations access

7. What EC2 instances are running?

8. Describe EC2 instance Public IP address of the EC2 instance

9. Web application running on port 80

10. Added string value to URL parameter

Web application vulnerable to SSRF

No content

11. Steal the IAM role credentials

12. Enumerate permissions

13.List the buckets and download any data stored on the s3 buckets. S3 Bucket has additional sensitive information!!

What was our approach? • Found credentials with read only access • Application which is hosted on EC2 instance was vulnerable to SSRF • Role was attached to EC2 instance • Exploit to steal the IAM role credentials • Look for permissions • Found S3 related permission • List S3 bucket and downloaded data

Attacker flow so far!!

What's next? • Is web application hosted on EC2 instance? • Is role attached to EC2 instance?

Attacker flow so far!! Post exploitation of SSRF

Finding SSRF via HTML Injection inside a PDF file on AWS EC2 https://blog.appsecco.com/finding-ssrf-via-html-injection-inside-a-pdf-file-on-aws-ec2-214cc5ec5d90

AWS S3 Data breach

• Attacker has discovered a public IP with a HTTP reverse proxy running • Reverse proxy is misconfigured (does not check target IP) • This reverse proxy allows access to any internal IP addresses including the instance metadata endpoint Scenario Assumptions

1. Crafted cURL command

2. Role credentials retrieved

3.Configure profile using stolen credentials

4. Enumerate permissions Command: python enumerate-iam.py --access-key ACCESS-ID --secret-key SECRET-KEY --session- token SESSION-TOKEN

5.Get access to S3 bucket data

Approach https://github.com/RhinoSecurityLabs/cloudgoat/blob/master/scenarios/cloud_breach_s3/README.md

Where can you find S3 buckets ? • HTTP responses when uploading a file • In DNS records • Google searches for website name and s3 buckets • Shodan, Certificate Transparency Logs, Censys, numerous bucket finder scripts, GrayHat Warfare bucket search

Privilege escalation within AWS using IAM policy rollback

• Credentials already found by attacker (through JS source, Github, server-side code disclosure etc.) Scenario Assumptions

Credentials Found

1. Entity/verify who the security credentials belong to

2. Review and enumerate policy versions

3. Enumerate Policy versions

4. Policy with admin privileges – version 3

5. Make V3 version as the default policy version Command to make V5 default policy version aws iam set-default-policy-version \ --policy-arn "arn:aws:iam::ACCOUNT-ID:policy/cg-raynor-policy" \ - -version-id v3 --profile Let's create a new IAM user!

Tool to detect this vulnerability automatically • https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py

Privilege escalation using lambda functions

• Credentials already found by attacker (through JS source, Github, server-side code disclosure etc.) Scenario Assumptions

1.List users and policies

2. List Roles

3.Verifying Access control

4.Try to assume lambda manager role

5. Attach the administrator policy to the IAM user "Chris"

• Create lambda function: aws lambda create-function --function-name admin_function --runtime python3.6 --role --handler code.lambda_handler -- zip-file fileb://code.zip --profile lambdaManager • Invoke lambda function: aws lambda invoke --function-name admin_function out.txt -- profile lambdaManager 6.Leverage the lambdaManager role to perform a privilege escalation using a Lambda function

7. Chris got full admin access

Approach

Some AWS Vulnerability detection tools Scout Suite Scout Suite Prowler Prowler Bucket finder Bucket finder Enumerate IAM Enumerate IAM iam_user_enum iam_user_enum

• Reconnaissance and OSINT are the key to discover the security issues in cloud services and applications • To prevent the risk associated with a successful SSRF on AWS, administrators can upgrade EC2 instance metadata endpoints to IMDSv2 which can protect EC2 instances against vanilla SSRF attempts • Make sure that EC2 instances are configured properly • The most common themes are mis-configuration of services, insecure programming and permissions that should not have been given • Post exploitation has no limits with the cloud. You can attack additional services, disrupt logging, make code changes to attack users. • There are a ton of tools that security folks have written on GitHub and a lot of work is being done in the attack and exploitation areas Things to note

• https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest- tools/iam_user_enum • https://github.com/appsecco/attacking-cloudgoat2 • https://blog.appsecco.com/server-side-request-forgery-ssrf-and-aws-ec2-instances-after- instance-meta-data-service-version-38fc1ba1a28a • https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities- 7630fa57c7ed • https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/scenarios • https://github.com/toniblyx/prowler • https://github.com/nccgroup/ScoutSuite • https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html References

Q&A Kavisha Sheth Security Analyst kavisha@appsecco.com @sheth_kavisha https://linkedin.com/in/kavisha-sheth/ https://appsecco.com https://blog.appsecco.com @appseccouk contact@appsecco.com

No content