
AWS Security

ttffdd
November 13, 2019


Transcript

1. Why?
• AWS has little coverage in the Russian information security community
• The most frequent question is "I knock on the metadata API, but can't understand anything there."
• False confidence that AWS is vulnerable to nothing but public S3 buckets and SSRF to the metadata API
• Curiosity
2. What?
• 30-45 min. of mish-mash
• Level: "introduction and selected aspects"
The talk DOES cover:
• AWS for 5 minutes or so
• AWS for a bughunter
• AWS for an auditor
• Helpful tips and tricks
3. What?
• 30-45 min. of mish-mash
• Level: "introduction and selected aspects"
The talk DOESN'T cover:
• AWS EKS
• Google Compute Engine
• Microsoft Azure
• Anything interesting
4. Simple and intuitive
EC2, you've surely heard about it:
• A ready-made virtual server
• Equipped with a metadata API
• May be furnished with a user data script
• Part of the AWS ecosystem
• Connected to a VPC
5. Two words about VPC
VPC is the key AWS network unit:
• Subnets and IP addressing
• Subnets and gateways
• Security Groups
6. Simple and intuitive
Metadata API:
[ec2-user ~]$ curl http://169.254.169.254/
1.0
2012-01-12
2014-02-25
2014-11-05
2015-10-20
2016-04-19
2016-06-30
2016-09-02
latest
7. Simple and intuitive
User data and the sensitive part of the metadata:
• http://169.254.169.254/latest/user-data
• http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
The second path returns the temporary credentials (AccessKeyId, SecretAccessKey, Token) of the IAM role attached to the instance; requesting .../iam/security-credentials/ without a name lists the role name to use.
8. Fun fact about the metadata API
• Google Cloud: header "Metadata-Flavor: Google" required
• Azure: header "Metadata: true" required
• AWS: no header required
That is what makes a plain GET-only SSRF enough on AWS (IMDSv1). Caveat: IMDSv2, introduced shortly after this talk in November 2019, requires a session token obtained with a PUT request and sent in the X-aws-ec2-metadata-token header, which most SSRF primitives cannot do; IMDSv1 keeps answering header-less requests unless it is disabled on the instance.
9. Dirty fix
https://github.com/stefansundin/ec2-metadata-filter
The program blocks any request with a User-Agent that does not start with one of the following prefixes:
aws-chalice/
aws-cli/
aws-sdk-
Boto3/
Botocore/
Cloud-Init/
10. Dirty fix
https://github.com/stefansundin/ec2-metadata-filter
In addition to whitelisting User-Agent prefixes, the program also allows requests that send the header Metadata-Flavor: Amazon.
It is "dirty" because both signals are attacker-controlled whenever the SSRF primitive lets the attacker set request headers: a forged User-Agent or the bypass header walks straight through.
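The decision rule of the filter, as an added illustration (this is not code from stefansundin/ec2-metadata-filter, which is an HTTP proxy in front of 169.254.169.254; only its allow/deny logic as described on the two slides is modelled here, and the sample requests are constructed):

```python
"""Model of the ec2-metadata-filter allow/deny rule from the slides.

Added illustration, not the tool's own code. It reproduces the two rules
described above (User-Agent prefix whitelist, Metadata-Flavor: Amazon bypass)
so the bypass conditions can be exercised offline.
"""

# Prefixes listed on the slide; str.startswith() accepts the whole tuple.
ALLOWED_UA_PREFIXES = (
    "aws-chalice/", "aws-cli/", "aws-sdk-", "Boto3/", "Botocore/", "Cloud-Init/",
)
BYPASS_HEADER = ("metadata-flavor", "Amazon")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers).

    Header names are lower-cased because HTTP treats them case-insensitively;
    values are kept as sent, since the filter compares the value exactly.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_allowed(headers):
    """The filter's rule: whitelisted User-Agent prefix OR the bypass header."""
    ua = headers.get("user-agent", "")
    if ua.startswith(ALLOWED_UA_PREFIXES):
        return True
    name, value = BYPASS_HEADER
    return headers.get(name) == value


def decide(raw):
    """Return 'allow' or 'block' for a raw request aimed at the metadata API."""
    _method, _path, headers = parse_request(raw)
    return "allow" if is_allowed(headers) else "block"


# Constructed requests (not captured traffic).
PLAIN_CURL = (
    "GET /latest/meta-data/iam/security-credentials/ HTTP/1.1\r\n"
    "Host: 169.254.169.254\r\nUser-Agent: curl/7.64.1\r\nAccept: */*\r\n\r\n"
)
SDK_LIKE = (
    "GET /latest/meta-data/iam/security-credentials/ HTTP/1.1\r\n"
    "Host: 169.254.169.254\r\nUser-Agent: Botocore/1.13.0 Python/3.7.4\r\n\r\n"
)
# An SSRF primitive that lets the attacker add a single header defeats the filter.
SSRF_WITH_HEADER = (
    "GET /latest/user-data HTTP/1.1\r\n"
    "Host: 169.254.169.254\r\nUser-Agent: Mozilla/5.0\r\n"
    "metadata-flavor: Amazon\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in [("plain curl", PLAIN_CURL), ("SDK user-agent", SDK_LIKE),
                      ("SSRF + header", SSRF_WITH_HEADER)]:
        print(f"{name:15s} -> {decide(req)}")
```

The third request is the whole point of calling it a dirty fix: nothing in the rule distinguishes an SDK on the box from an SSRF that can spell "Botocore/" or add one header.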
11. COOOOOL STORY TIME
Context: there is a Python sandbox with code execution. The code in it is executed for data processing, big data, etc. We post Python code in a website form, the code is parsed and run on AWS Lambda.
12. COOOOOL STORY TIME
This is where the sandbox library jumps into action. It has 4 major tasks:
1. Block all TCP connections (UDP is not blocked)
2. Restrict all child processes
3. Forbid read/write to /tmp
4. Forbid reading the handler script, which contains most of the code
13. COOOOOL STORY TIME
The more the merrier:
• /tmp is blocked by a syscall blacklist
• So let's look for something that is not on the blacklist
14. COOOOOL STORY TIME
And we managed to find it:
• read and write are forbidden
• rename is NOT
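A toy model of the failure class behind this story, added here as an illustration: it is not the sandbox library from the talk (which blocked syscalls) and not the steps the speaker took, only a path-denylist sandbox written in plain Python that blocks open() under a directory but forgets rename(), next to the variant that gates rename() too. It runs in a temporary directory, so nothing touches the real /tmp.

```python
"""Toy path-denylist sandbox: why leaving rename() out of the blacklist
defeats a read/write block on a directory.

Added illustration for the Lambda story above; pure Python, not a syscall
filter, and not the library or exploit from the talk.
"""
import os
import tempfile


class PathDenylistSandbox:
    """Denies open() under one prefix; rename() is gated only if asked to."""

    def __init__(self, denied_prefix, gate_rename):
        # Trailing separator so "/x/tmp" does not also deny "/x/tmpfiles".
        self.denied_prefix = os.path.join(os.path.realpath(denied_prefix), "")
        self.gate_rename = gate_rename

    def _check(self, path):
        if os.path.realpath(path).startswith(self.denied_prefix):
            raise PermissionError(f"denied: {path}")

    def open(self, path, mode="r"):
        self._check(path)            # the "read/write forbidden" rule
        return open(path, mode)

    def rename(self, src, dst):
        if self.gate_rename:         # hardened variant: rename is gated too
            self._check(src)
            self._check(dst)
        os.rename(src, dst)          # the original blacklist let this through


def attempt_exfil(gate_rename):
    """Plant a secret in the denied dir, then try to read it via rename()."""
    with tempfile.TemporaryDirectory() as root:
        denied = os.path.join(root, "tmp")
        outside = os.path.join(root, "work")
        os.makedirs(denied)
        os.makedirs(outside)
        secret = os.path.join(denied, "secret.txt")
        with open(secret, "w") as f:   # setup runs outside the sandbox
            f.write("constructed secret")

        sb = PathDenylistSandbox(denied, gate_rename)
        try:
            with sb.open(secret) as f:
                f.read()
            return "direct read allowed"    # would mean the denylist is broken
        except PermissionError:
            pass                            # direct read blocked, as intended

        moved = os.path.join(outside, "secret.txt")
        try:
            sb.rename(secret, moved)        # move it out of the denied prefix
        except PermissionError:
            return "blocked"
        with sb.open(moved) as f:           # now outside the prefix: allowed
            return "read via rename: " + f.read()


if __name__ == "__main__":
    print("blacklist without rename:", attempt_exfil(gate_rename=False))
    print("blacklist with rename:   ", attempt_exfil(gate_rename=True))
```

Gating rename() closes this one hole, but link(), symlink(), openat() with a directory fd and every other path-returning syscall are the next candidates; a denylist of syscalls is always one entry short, which is why seccomp policies are written as allowlists.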
15. Simple and intuitive
Quite often, user data is a script executed when an instance is launched. For example:
#!/bin/bash
yum update -y
amazon-linux-extras install -y lamp-mariadb10.2-php7.2 php7.2
yum install -y httpd mariadb-server
systemctl start httpd
systemctl enable httpd
usermod -a -G apache ec2-user
chown -R ec2-user:apache /var/www
chmod 2775 /var/www
find /var/www -type d -exec chmod 2775 {} \;
find /var/www -type f -exec chmod 0664 {} \;
echo "<?php phpinfo(); ?>" > /var/www/html/phpinfo.php
User data is readable from the instance without any authentication, so any secret embedded in such a script (database passwords, access keys) is exposed to anything that can reach the metadata API.
16. Pretty important
AWS security credentials: access keys consist of two parts:
• an access key ID (for example, AKIAIOSFODNN7EXAMPLE)
• a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY)
Temporary credentials (from STS, instance roles, Cognito) add a third part, the session token, and their key IDs start with ASIA instead of AKIA.
17. Pretty important
The key to what? There are 2 options to find out:
• Ask AWS directly (sts get-caller-identity) and get screwed: the call always succeeds, but it lands in the key owner's CloudTrail
• Brute-force the permissions by trying API calls
18. Pretty important
The key to what? Tooling for the 2 options:
• https://github.com/elitest/RedDolphin/blob/master/checkAWSKey.py
• https://github.com/andresriancho/enumerate-iam
19. AWS 101
ARN default format:
• arn:partition:service:region:account-id:resource-id
• arn:partition:service:region:account-id:resource-type/resource-id
• arn:partition:service:region:account-id:resource-type:resource-id
Example:
• arn:aws:iam::123456789012:user/Development/product_1234/*
20. AWS 101
Users:
• The AWS account root user
• IAM users
• IAM groups
• IAM roles
21. AWS 101
Policies:
• Identity-based policies
• Managed policies
• Inline policies
• Resource-based policies
22. Escalation case
An escalation case from CloudGoat. Here is a simple one: iam_privesc_by_rollback
23. Route Walkthrough - IAM User "Raynor"
1. Starting as the IAM user "Raynor", the attacker has only a few limited, seemingly harmless, privileges available to them.
24. Route Walkthrough - IAM User "Raynor"
2. The attacker analyzes Raynor's privileges and notices the iam:SetDefaultPolicyVersion permission, which gives access to 4 other versions of the policy by setting an old version as the default.
25. Route Walkthrough - IAM User "Raynor"
3. After reviewing the old policy versions, the attacker finds that one version in particular offers a full set of admin rights.
26. Route Walkthrough - IAM User "Raynor"
4. The attacker restores the full-admin policy version, gaining full admin privileges and the ability to carry out any malicious actions they wish.
27. Route Walkthrough - IAM User "Raynor"
5. As a final step, the attacker may choose to revert Raynor's policy version back to the original one, thereby concealing their actions and the true capabilities of the IAM user. (The concealment is only against someone reading the policy; both SetDefaultPolicyVersion calls remain in CloudTrail.)
29. AWS-CLI Walkthrough - IAM User "Raynor"
(profile names are case-sensitive; the original mixed "raynor" and "Raynor", one spelling is used here)
1. aws configure --profile raynor
2. aws iam list-attached-user-policies --user-name raynor --profile raynor
3. aws iam list-policy-versions --policy-arn <generatedARN>/cg-raynor-policy --profile raynor
4. aws iam get-policy-version --policy-arn <generatedARN>/cg-raynor-policy --version-id <versionID> --profile raynor
5. aws iam set-default-policy-version --policy-arn <generatedARN>/cg-raynor-policy --version-id <versionID> --profile raynor
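The auditor's side of steps 2 to 5, as an added example (not CloudGoat code): given the policy versions fetched with get-policy-version, it flags the default version's rollback capability and any non-default version that is full admin, and it picks the SetDefaultPolicyVersion calls out of CloudTrail records. The ARN, version documents and CloudTrail records are constructed to mirror the shape of the real API output; only the policy name cg-raynor-policy comes from the slide.

```python
"""Audit IAM managed-policy versions for a rollback escalation and spot the
rollback in CloudTrail. Added example; inputs are constructed, not CloudGoat's.
"""
import fnmatch

POLICY_ARN = "arn:aws:iam::123456789012:policy/cg-raynor-policy"  # constructed

# One entry per version, with the Document that get-policy-version returns
# (list-policy-versions alone does not include documents).
VERSIONS = [
    {"VersionId": "v1", "IsDefaultVersion": False, "Document": {"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"VersionId": "v2", "IsDefaultVersion": False, "Document": {"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"}]}},
    {"VersionId": "v3", "IsDefaultVersion": True, "Document": {"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["iam:Get*", "iam:List*", "iam:SetDefaultPolicyVersion"],
                       "Resource": "*"}]}},
]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def grants(document, action, resource="*"):
    """True if some Allow statement's Action pattern matches `action`.

    IAM action patterns use '*' and '?' wildcards, case-insensitively; fnmatch
    gives the same semantics. Deny statements and conditions are not modelled,
    which is enough for a "worth a closer look" audit.
    """
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        resources = _as_list(stmt.get("Resource", []))
        if (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
                and any(r == "*" or fnmatch.fnmatchcase(resource, r) for r in resources)):
            return True
    return False


def is_admin(document):
    # Only a bare "*" Action pattern matches the literal action "*".
    return grants(document, "*", "*")


def audit_versions(versions):
    default = next(v for v in versions if v["IsDefaultVersion"])
    return {
        "default": default["VersionId"],
        "default_can_rollback": grants(default["Document"], "iam:SetDefaultPolicyVersion"),
        "admin_versions": [v["VersionId"] for v in versions if is_admin(v["Document"])],
    }


# Constructed CloudTrail records, reduced to the fields the check reads.
EVENTS = [
    {"eventName": "GetPolicyVersion", "userIdentity": {"userName": "raynor"},
     "requestParameters": {"policyArn": POLICY_ARN, "versionId": "v1"}},
    {"eventName": "SetDefaultPolicyVersion", "userIdentity": {"userName": "raynor"},
     "requestParameters": {"policyArn": POLICY_ARN, "versionId": "v1"}},   # step 4
    {"eventName": "SetDefaultPolicyVersion", "userIdentity": {"userName": "raynor"},
     "requestParameters": {"policyArn": POLICY_ARN, "versionId": "v3"}},   # step 5
]


def rollback_events(events, versions):
    """Flag every SetDefaultPolicyVersion call, marking those that select an
    admin version; the later revert to the harmless version is a second hit."""
    admin = set(audit_versions(versions)["admin_versions"])
    out = []
    for e in events:
        if e.get("eventName") != "SetDefaultPolicyVersion":
            continue
        p = e.get("requestParameters", {})
        out.append({"user": e["userIdentity"].get("userName"),
                    "policyArn": p.get("policyArn"),
                    "versionId": p.get("versionId"),
                    "to_admin": p.get("versionId") in admin})
    return out


if __name__ == "__main__":
    print(audit_versions(VERSIONS))
    for hit in rollback_events(EVENTS, VERSIONS):
        print(hit)
```

The audit flags v3 (the default) as able to roll back and v1 as full admin, which is exactly the combination the walkthrough exploits; the cure is to delete stale versions (iam:DeletePolicyVersion) and to keep iam:SetDefaultPolicyVersion and iam:CreatePolicyVersion away from users who should not be able to edit their own policy.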
30. Pretty important
Escalation will be addressed later, but here are a couple of helpful links:
• https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation - 28 (!!!) techniques
• https://github.com/RhinoSecurityLabs/pacu - the Metasploit of the AWS world
31. What do you need for an audit? Scout Suite
Permissions: the following AWS managed policies can be attached to the principal used to run Scout in order to grant the necessary permissions:
• ReadOnlyAccess
• SecurityAudit
The Scout Suite documentation also provides a custom policy for running Scout with minimal privileges.
32. AWS BloodHound
Cartography (Lyft) is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
33. Cognito case
Amazon Cognito allows assigning limited rights to users in your AWS account. The purpose of the service (identity pools):
• Obtain an identity ID (GetId)
• Hand out AWS credentials (GetCredentialsForIdentity)
The service is used by mobile apps and websites. Check whether the identity pool allows unauthenticated identities: the pool ID ships inside the app or JavaScript bundle, and if unauthenticated access is enabled, anyone who has it can obtain temporary credentials for the pool's unauthenticated role.
34. EBS case
Amazon Elastic Block Store (EBS) is a simple-to-use, high-performance block storage service designed to be used in combination with Amazon EC2. The case here is EBS snapshots shared publicly: anyone in the same region can create a volume from such a snapshot, attach it to their own instance and read its contents (see the Ben Morris talk in the resources).
35. RESOURCES
• AWS EC2 Security Strategy Guide: https://asecure.cloud/g/strategy_ec2_security/
• API Keys, Now What? Taking the Pen Test Into the Amazon Cloud, Jim Shaver: https://www.youtube.com/watch?v=vV7xN2JQNOU
• Finding Secrets In Publicly Exposed EBS Volumes, Ben Morris: https://www.youtube.com/watch?v=-LGR63yCTts
• CloudGoat: https://github.com/RhinoSecurityLabs/cloudgoat
• Rhino Security Labs blog: https://rhinosecuritylabs.com/blog/
• Andres Riancho's blog: https://andresriancho.com/blog