Slide 1

Slide 1 text

Understanding AWS attacks using CloudGoat Kavisha Sheth Security Analyst, Appsecco

Slide 2

Slide 2 text

About me: Kavisha Sheth
• Security Analyst at Appsecco
• Breaks web application, API and Cloud security
• Member of a number of security communities including null community, InfoSecGirls, and WiCys India
• Listed as one of the top security researchers of the nation, in a newsletter of NCIIPC RVDP

Slide 3

Slide 3 text

What we will cover today
• Why are we doing this?
• AWS Real World Attacks
• Attacking AWS infra using keys obtained via SSRF
• Enumerating and attacking AWS S3 storage
• Privilege escalation within AWS using IAM policy rollback
• Privilege escalation using lambda functions
• Next steps in learning
• Tools
• References

Slide 4

Slide 4 text

Why are we doing this?
• Enterprises are increasingly running their IT and application infrastructure natively in the cloud
• Our experience with multiple cloud assessments has shown mis-configurations to be a major security concern
• A lot of the default code and deployment practices found on the Internet do not take security into account
• The shared responsibility between the cloud provider and you can be confusing
• If you are aware of what attacks are out there, you can defend yourself better

Slide 5

Slide 5 text

What we are covering today
• Attacking AWS infra using keys obtained via SSRF
• Enumerating and attacking AWS S3 storage
• Privilege escalation within AWS using IAM policy rollback
• Privilege escalation using lambda functions

Slide 6

Slide 6 text

Target Environment
• To understand the attacks in today's talk we will be using CloudGoat as our target environment
• You can set up CloudGoat to practice these attacks by following the instructions from our reference slide

Slide 7

Slide 7 text

Attacking AWS infra using keys obtained via SSRF

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

Scenario Assumptions
• Credentials already found by attacker (through JS source, Github, server-side code disclosure etc.)

Slide 10

Slide 10 text

1. Discovery of AWS IAM keys in client-side source code

Slide 11

Slide 11 text

2. Identify the user using AWS STS

Slide 12

Slide 12 text

3. Enumerate permissions for solus user https://github.com/andresriancho/enumerate-iam

Slide 13

Slide 13 text

4. List Lambda functions. Hard-coded AWS security credentials are present in the environment variables of the Lambda function.

Slide 14

Slide 14 text

5. Identify who the creds belong to

Slide 15

Slide 15 text

6. Permission enumeration for IAM user "wrex" (https://github.com/andresriancho/enumerate-iam): EC2 operations access

Slide 16

Slide 16 text

7. What EC2 instances are running?

Slide 17

Slide 17 text

8. Describe EC2 instance: public IP address of the EC2 instance

Slide 18

Slide 18 text

9. Web application running on port 80

Slide 19

Slide 19 text

10. Added string value to URL parameter

Slide 20

Slide 20 text

Web application vulnerable to SSRF

Slide 21

Slide 21 text

No content

Slide 22

Slide 22 text

11. Steal the IAM role credentials

Slide 23

Slide 23 text

12. Enumerate permissions

Slide 24

Slide 24 text

13. List the buckets and download any data stored in the S3 buckets. The S3 bucket has additional sensitive information!!

Slide 25

Slide 25 text

What was our approach?
• Found credentials with read-only access
• The application hosted on the EC2 instance was vulnerable to SSRF
• A role was attached to the EC2 instance
• Exploited the SSRF to steal the IAM role credentials
• Looked for permissions
• Found S3-related permissions
• Listed the S3 bucket and downloaded data

Slide 26

Slide 26 text

Attacker flow so far!!

Slide 27

Slide 27 text

What's next?
• Is the web application hosted on an EC2 instance?
• Is a role attached to the EC2 instance?

Slide 28

Slide 28 text

Attacker flow so far!! Post exploitation of SSRF

Slide 29

Slide 29 text

Finding SSRF via HTML Injection inside a PDF file on AWS EC2 https://blog.appsecco.com/finding-ssrf-via-html-injection-inside-a-pdf-file-on-aws-ec2-214cc5ec5d90

Slide 30

Slide 30 text

AWS S3 Data breach

Slide 31

Slide 31 text

Scenario Assumptions
• Attacker has discovered a public IP with an HTTP reverse proxy running
• Reverse proxy is misconfigured (does not check the target IP)
• This reverse proxy allows access to any internal IP address, including the instance metadata endpoint

Slide 32

Slide 32 text

1. Crafted cURL command

Slide 33

Slide 33 text

2. Role credentials retrieved

Slide 34

Slide 34 text

3. Configure profile using stolen credentials

Slide 35

Slide 35 text

4. Enumerate permissions
Command: python enumerate-iam.py --access-key ACCESS-ID --secret-key SECRET-KEY --session-token SESSION-TOKEN

Slide 36

Slide 36 text

5. Get access to S3 bucket data

Slide 37

Slide 37 text

Approach https://github.com/RhinoSecurityLabs/cloudgoat/blob/master/scenarios/cloud_breach_s3/README.md

Slide 38

Slide 38 text

Where can you find S3 buckets?
• HTTP responses when uploading a file
• In DNS records
• Google searches for website name and s3 buckets
• Shodan, Certificate Transparency Logs, Censys, numerous bucket finder scripts, GrayHat Warfare bucket search

Slide 39

Slide 39 text

Privilege escalation within AWS using IAM policy rollback

Slide 40

Slide 40 text

Scenario Assumptions
• Credentials already found by attacker (through JS source, Github, server-side code disclosure etc.)

Slide 41

Slide 41 text

Credentials Found

Slide 42

Slide 42 text

1. Identify/verify who the security credentials belong to

Slide 43

Slide 43 text

2. Review and enumerate policy versions

Slide 44

Slide 44 text

3. Enumerate Policy versions

Slide 45

Slide 45 text

4. Policy with admin privileges – version 3

Slide 46

Slide 46 text

5. Make version v3 the default policy version
Command to make v3 the default policy version:
aws iam set-default-policy-version \
    --policy-arn "arn:aws:iam::ACCOUNT-ID:policy/cg-raynor-policy" \
    --version-id v3 --profile PROFILE-NAME
Let's create a new IAM user!

Slide 47

Slide 47 text

Tool to detect this vulnerability automatically • https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py

Slide 48

Slide 48 text

Privilege escalation using lambda functions

Slide 49

Slide 49 text

Scenario Assumptions
• Credentials already found by attacker (through JS source, Github, server-side code disclosure etc.)

Slide 50

Slide 50 text

1. List users and policies

Slide 51

Slide 51 text

2. List Roles

Slide 52

Slide 52 text

3. Verify access control

Slide 53

Slide 53 text

4. Try to assume the lambda manager role

Slide 54

Slide 54 text

5. Attach the administrator policy to the IAM user "Chris"

Slide 55

Slide 55 text

6. Leverage the lambdaManager role to perform a privilege escalation using a Lambda function
• Create Lambda function:
aws lambda create-function --function-name admin_function --runtime python3.6 --role ROLE-ARN --handler code.lambda_handler --zip-file fileb://code.zip --profile lambdaManager
• Invoke Lambda function:
aws lambda invoke --function-name admin_function out.txt --profile lambdaManager

Slide 56

Slide 56 text

7. Chris got full admin access
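Added audit helper (not part of the talk or of CloudGoat) for the two IAM escalation paths covered above: the policy-rollback case, where a non-default policy version grants admin and can be made default with iam:SetDefaultPolicyVersion, and the Lambda case, where one principal holds iam:PassRole plus lambda:CreateFunction and lambda:InvokeFunction. The policy version list and documents are constructed samples in the simplified shape of the IAM API's responses; Deny statements and conditions are assumed absent and are not evaluated.

```python
"""Flag IAM policies exposed to the two escalation paths in this deck:
policy-version rollback (a non-default version granting admin) and the
Lambda path (iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction).
Only Allow statements are evaluated; Deny statements and conditions are ignored."""
from fnmatch import fnmatchcase

LAMBDA_PRIVESC = ("iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction")


def _as_list(value):
    """IAM lets Statement/Action/Resource be a string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def action_allowed(document, action):
    """IAM action names match case-insensitively and support '*' wildcards."""
    for st in _as_list(document.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for pattern in _as_list(st.get("Action", [])):
            if fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def grants_admin(document):
    """True if an Allow statement covers Action '*' on Resource '*'."""
    for st in _as_list(document.get("Statement", [])):
        if (st.get("Effect") == "Allow"
                and "*" in _as_list(st.get("Action", []))
                and "*" in _as_list(st.get("Resource", []))):
            return True
    return False


def rollback_targets(versions):
    """Non-default policy versions that grant admin: the rollback finding."""
    return [v["VersionId"] for v in versions
            if not v["IsDefaultVersion"] and grants_admin(v["Document"])]


def lambda_privesc_possible(document):
    """True if the document allows all three actions of the Lambda path."""
    return all(action_allowed(document, a) for a in LAMBDA_PRIVESC)


# Constructed sample: a policy with a limited default (v1) and an admin v3.
SAMPLE_VERSIONS = [
    {"VersionId": "v1", "IsDefaultVersion": True, "Document": {"Statement": [
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]}},
    {"VersionId": "v3", "IsDefaultVersion": False, "Document": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
]
# Constructed sample of what a lambdaManager-style role might be allowed.
SAMPLE_LAMBDA_MANAGER = {"Statement": [
    {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"}]}
```

Feed it the output of `aws iam list-policy-versions` and `aws iam get-policy-version` for each customer-managed policy; any non-empty `rollback_targets` result is a version to delete or a `iam:SetDefaultPolicyVersion` grant to review.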

Slide 57

Slide 57 text

Approach

Slide 58

Slide 58 text

Some AWS Vulnerability detection tools
• Scout Suite
• Prowler
• Bucket finder
• Enumerate IAM
• iam_user_enum

Slide 59

Slide 59 text

Things to note
• Reconnaissance and OSINT are the key to discovering security issues in cloud services and applications
• To prevent the risk associated with a successful SSRF on AWS, administrators can upgrade EC2 instance metadata endpoints to IMDSv2, which protects EC2 instances against vanilla SSRF attempts
• Make sure that EC2 instances are configured properly
• The most common themes are mis-configuration of services, insecure programming and permissions that should not have been given
• Post-exploitation has no limits with the cloud. You can attack additional services, disrupt logging, make code changes to attack users.
• There are a ton of tools that security folks have written on GitHub and a lot of work is being done in the attack and exploitation areas
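Added check (not from the talk or CloudGoat) for the IMDSv2 point above: it walks an ec2:DescribeInstances response and flags every instance whose metadata service still answers IMDSv1 requests, rating it high when an IAM instance profile is attached, because that is exactly the case where the SSRF chain in the earlier slides yields role credentials. The reservation list, instance ids and profile ARN below are constructed samples; `live_findings` assumes boto3 and a profile with ec2:DescribeInstances.

```python
"""Find EC2 instances exposed to SSRF -> instance-metadata credential theft:
IMDSv1 still allowed (HttpTokens != 'required'), worst when a role is attached."""


def imds_findings(reservations):
    """Return [(instance_id, severity)] for instances that still allow IMDSv1."""
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # metadata service off: nothing for an SSRF to reach
            if opts.get("HttpTokens") == "required":
                continue  # IMDSv2 enforced: a plain GET via SSRF gets no data
            severity = "high" if inst.get("IamInstanceProfile") else "medium"
            findings.append((inst["InstanceId"], severity))
    return findings


def remediation_commands(findings):
    """AWS CLI commands that enforce IMDSv2 (and hop limit 1) per finding."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
        "--http-tokens required --http-endpoint enabled --http-put-response-hop-limit 1"
        for iid, _ in findings
    ]


def live_findings(profile_name=None):
    """Same check against a real account (needs boto3 and ec2:DescribeInstances)."""
    import boto3  # imported here so the offline sample below needs no AWS libraries
    ec2 = boto3.Session(profile_name=profile_name).client("ec2")
    reservations = []
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])
    return imds_findings(reservations)


# Constructed sample in DescribeInstances shape (ids and ARN are made up).
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa111", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-role"}},
    {"InstanceId": "i-0bbb222", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-role"}},
    {"InstanceId": "i-0ccc333", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0ddd444", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]}]
```

Printing `remediation_commands(imds_findings(SAMPLE_RESERVATIONS))` gives the two modify commands for i-0aaa111 and i-0ccc333; run the same over `live_findings()` for a real account.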

Slide 60

Slide 60 text

References
• https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/iam_user_enum
• https://github.com/appsecco/attacking-cloudgoat2
• https://blog.appsecco.com/server-side-request-forgery-ssrf-and-aws-ec2-instances-after-instance-meta-data-service-version-38fc1ba1a28a
• https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed
• https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/scenarios
• https://github.com/toniblyx/prowler
• https://github.com/nccgroup/ScoutSuite
• https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

Slide 61

Slide 61 text

Q&A
Kavisha Sheth, Security Analyst
[email protected]
@sheth_kavisha
https://linkedin.com/in/kavisha-sheth/
https://appsecco.com
https://blog.appsecco.com
@appseccouk
[email protected]

Slide 62

Slide 62 text

No content