gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-13 13:26:31 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
123b37d1f3e1e7d688d8e0ea1d37397a53c1bb2b
hacktricks-cloud/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-lambda-runtime-pinning-abuse.md
HackTricks News Bot 123b37d1f3 Add content from: Skimming Credentials with Azure's Front Door WAF 
- Remove searchindex.js (auto-generated file)
2025-10-09 18:29:08 +00:00

1.1 KiB
Raw Blame History

AWS Lambda Runtime Pinning/Rollback Abuse via PutRuntimeManagementConfig

{{#include ../../../../banners/hacktricks-training.md}}

Abuse lambda:PutRuntimeManagementConfig to pin a function to a specific runtime version (Manual) or freeze updates (FunctionUpdate). This preserves compatibility with malicious layers/wrappers and can keep the function on an outdated, vulnerable runtime to aid exploitation and long-term persistence.

Requirements: lambda:InvokeFunction, logs:FilterLogEvents, lambda:PutRuntimeManagementConfig, lambda:GetRuntimeManagementConfig.

Example (us-east-1):

  • Invoke: aws lambda invoke --function-name /tmp/ping.json --payload {} --region us-east-1 > /dev/null; sleep 5
  • Freeze updates: aws lambda put-runtime-management-config --function-name --update-runtime-on FunctionUpdate --region us-east-1
  • Verify: aws lambda get-runtime-management-config --function-name --region us-east-1

Optionally pin to a specific runtime version by extracting the Runtime Version ARN from INIT_START logs and using --update-runtime-on Manual --runtime-version-arn <arn>.

{{#include ../../../../banners/hacktricks-training.md}}

Reference in New Issue View Git Blame Copy Permalink