
AWS - Lambda Post Exploitation

{{#include ../../../../banners/hacktricks-training.md}}

Lambda

For more information, see:

{{#ref}} ../../aws-services/aws-lambda-enum.md {{#endref}}

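Exfiltrate Lambda Credentials

Lambda uses environment variables to inject credentials at runtime. If you can get access to them (by reading /proc/self/environ or by using the vulnerable function itself), you can use those credentials yourself. They are stored in the default variable names AWS_SESSION_TOKEN, AWS_SECRET_ACCESS_KEY, and AWS_ACCESS_KEY_ID.

By default, these credentials can write to a CloudWatch log group (whose name is stored in AWS_LAMBDA_LOG_GROUP_NAME) and create arbitrary log groups, but Lambda functions are frequently assigned more permissions depending on their intended use.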

lambda:Delete*

An attacker granted lambda:Delete* can delete Lambda functions, versions/aliases, layers, event source mappings, and other associated configuration.

aws lambda delete-function \
--function-name <LAMBDA_NAME>

Steal Others Lambda URL Requests

If an attacker somehow manages to get RCE inside a Lambda, they will be able to steal other users' HTTP requests to that Lambda. If the requests contain sensitive information (cookies, credentials...), the attacker will be able to steal it.

{{#ref}} aws-warm-lambda-persistence.md {{#endref}}

Steal Others Lambda URL Requests & Extensions Requests

By abusing Lambda Layers it is also possible to abuse extensions to persist in the Lambda, and also to steal and modify requests.

{{#ref}} ../../aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md {{#endref}}

AWS Lambda VPC Egress Bypass

Force a Lambda function out of a restricted VPC by updating its configuration with an empty VpcConfig (SubnetIds=[], SecurityGroupIds=[]). The function will then run in the Lambda-managed networking plane, regaining outbound internet access and bypassing egress controls enforced by private VPC subnets without NAT.

{{#ref}} aws-lambda-vpc-egress-bypass.md {{#endref}}

AWS Lambda Runtime Pinning/Rollback Abuse

Abuse lambda:PutRuntimeManagementConfig to pin a function to a specific runtime version (Manual) or freeze updates (FunctionUpdate). This preserves compatibility with malicious layers/wrappers and can keep the function on an outdated, vulnerable runtime to aid exploitation and long-term persistence.

{{#ref}} aws-lambda-runtime-pinning-abuse.md {{#endref}}

AWS Lambda Log Siphon via LoggingConfig.LogGroup Redirection

Abuse lambda:UpdateFunctionConfiguration advanced logging controls to redirect a function's logs to an attacker-chosen CloudWatch Logs log group. This works without changing code or the execution role (most Lambda roles already include logs:CreateLogGroup/CreateLogStream/PutLogEvents via AWSLambdaBasicExecutionRole). If the function prints secrets/request bodies or crashes with stack traces, you can collect them from the new log group.

{{#ref}} aws-lambda-loggingconfig-redirection.md {{#endref}}

AWS - Lambda Function URL Public Exposure

Turn a private Lambda Function URL into a public unauthenticated endpoint by switching the Function URL AuthType to NONE and attaching a resource-based policy that grants lambda:InvokeFunctionUrl to everyone. This enables anonymous invocation of internal functions and can expose sensitive backend operations.

{{#ref}} aws-lambda-function-url-public-exposure.md {{#endref}}

AWS Lambda Event Source Mapping Target Hijack

Abuse UpdateEventSourceMapping to change the target Lambda function of an existing Event Source Mapping (ESM) so that records from DynamoDB Streams, Kinesis, or SQS are delivered to an attacker-controlled function. This silently diverts live data without touching producers or the original function code.

{{#ref}} aws-lambda-event-source-mapping-hijack.md {{#endref}}

AWS Lambda EFS Mount Injection data exfiltration

Abuse lambda:UpdateFunctionConfiguration to attach an existing EFS Access Point to a Lambda, then deploy trivial code that lists/reads files from the mounted path to exfiltrate shared secrets/config that the function previously couldn't access.

{{#ref}} aws-lambda-efs-mount-injection.md {{#endref}}
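
A defender-side drift check for several of the configuration changes described above (empty VpcConfig, runtime update mode, LoggingConfig.LogGroup, Function URL AuthType, newly attached EFS access point), added here as an example and not part of the original page. The field names follow the Lambda API responses; the merged per-function snapshot layout, the finding names and all sample values are assumptions of this example.

```python
# Added example. Keys follow the Lambda API responses (GetFunctionConfiguration,
# GetRuntimeManagementConfig, GetFunctionUrlConfig); merging them into one dict
# per function is an assumption of this sketch.
def config_drift(baseline, current):
    """Compare two snapshots of one function; return (finding, detail) pairs."""
    findings = []
    # VPC egress bypass: subnets were set before and are empty now.
    had_vpc = bool(baseline.get("VpcConfig", {}).get("SubnetIds"))
    if had_vpc and not current.get("VpcConfig", {}).get("SubnetIds"):
        findings.append(("vpc_detached", "SubnetIds is now empty"))
    # Runtime pinning: update mode changed to Manual or FunctionUpdate.
    mode = current.get("UpdateRuntimeOn", "Auto")
    if mode in ("Manual", "FunctionUpdate") and mode != baseline.get("UpdateRuntimeOn", "Auto"):
        findings.append(("runtime_updates_restricted", mode))
    # Log redirection: LoggingConfig.LogGroup differs from the baseline.
    old_lg = baseline.get("LoggingConfig", {}).get("LogGroup")
    new_lg = current.get("LoggingConfig", {}).get("LogGroup")
    if old_lg != new_lg:
        findings.append(("log_group_changed", f"{old_lg} -> {new_lg}"))
    # Function URL exposure: AuthType switched to NONE.
    if current.get("AuthType") == "NONE" and baseline.get("AuthType") != "NONE":
        findings.append(("function_url_unauthenticated", "AuthType=NONE"))
    # EFS mount injection: access point ARNs that the baseline did not have.
    known = {fs["Arn"] for fs in baseline.get("FileSystemConfigs", [])}
    for fs in current.get("FileSystemConfigs", []):
        if fs["Arn"] not in known:
            findings.append(("efs_mount_added", f"{fs['Arn']} at {fs['LocalMountPath']}"))
    return findings

# Constructed snapshots (placeholder account ID, ARNs and names).
BASELINE = {
    "VpcConfig": {"SubnetIds": ["subnet-0aaa"], "SecurityGroupIds": ["sg-0bbb"]},
    "UpdateRuntimeOn": "Auto",
    "LoggingConfig": {"LogFormat": "Text", "LogGroup": "/aws/lambda/orders-api"},
    "AuthType": "AWS_IAM",
    "FileSystemConfigs": [],
}
CURRENT = {
    "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": []},
    "UpdateRuntimeOn": "Manual",
    "LoggingConfig": {"LogFormat": "Text", "LogGroup": "/aws/lambda/other-group"},
    "AuthType": "NONE",
    "FileSystemConfigs": [{"Arn": "arn:aws:elasticfilesystem:us-east-1:111111111111:access-point/fsap-EXAMPLE",
                           "LocalMountPath": "/mnt/shared"}],
}

if __name__ == "__main__":
    for name, detail in config_drift(BASELINE, CURRENT):
        print(f"{name}: {detail}")
```

Snapshots taken on a schedule and compared this way surface these changes even when the function code and execution role are untouched.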
