Upgrade to Pro — share decks privately, control downloads, hide ads and more …

From ‘huh?’ to privilege escalation

Ben Bridts
June 12, 2023
Technology
0
13

From ‘huh?’ to privilege escalation

Security research is not something that’s only done by dedicated teams and companies. Sometimes it will be a developer or platform engineer that makes the jump from “that’s not how I expect it to work” to “that’s not how it’s supposed to work”.

In this talk we’ll walk through the process we took when we found strange behaviour in the AWS console, tried to debug what’s going wrong and ended up finding an API that didn’t check iam:PassRole correctly. We’ll see that in a lot of cases the needs of a person who’s debugging and a security researcher will overlap and that features like CloudTrail and documented APIs are useful resources for everyone.

Presentation given at fwd:cloudsec 2023 (https://fwdcloudsec.org/)

Ben Bridts

June 12, 2023
Tweet

More Decks by Ben Bridts

See All by Ben Bridts
The Hidden Costs of Managed Open Source
benbridts
0
5
re:Invent re:Cap 2023: Evolving your architecture
benbridts
0
39
A closer look at new ways to manage access - EKS Pod Identiy and S3 Access Grant
benbridts
0
5
re:Invent re:Cap - Removing Heavy Lifting
benbridts
0
70
Policy as Code: Putting best practices in your repository
benbridts
0
140
(Don't) try this at work - Lightning Talk
benbridts
0
110
AWS Systems Manager
benbridts
1
95
Do(n’t) try this at work - Technically, you _can_ do this
benbridts
0
150
Mistakes I made when writing Infrastructure as Code, and how to avoid them
benbridts
0
55

Other Decks in Technology

See All in Technology
ネット広告に未来はあるか?「3rd Party Cookie廃止とPrivacy Sandboxの効果検証の裏側」 / third-party-cookie-privacy
cyberagentdevelopers
PRO
1
130
[AWS JAPAN 生成AIハッカソン] Dialog の紹介
yoshimi0227
0
150
「視座」の上げ方が成人発達理論にわかりやすくまとまってた / think_ perspective_hidden_dimensions
shuzon
2
130
オニオンアーキテクチャで実現した 本質課題を解決する インフラ移行の実例
hryushm
14
3k
Amazon FSx for NetApp ONTAPを利用するにあたっての要件整理と設計のポイント
non97
1
160
CAMERA-Suite: 広告文生成のための評価スイート / ai-camera-suite
cyberagentdevelopers
PRO
3
270
事業者間調整の行間を読む 調整の具体事例
sugiim
0
1.3k
【若手エンジニア応援LT会】AWS Security Hubの活用に苦労した話
kazushi_ohata
0
160
Jr. Championsになって、強く連携しながらAWSをもっと使いたい!~AWSに対する期待と行動~
amixedcolor
0
190
物価高なラスベガスでの過ごし方
zakky
0
370
MAMを軸とした動画ハンドリングにおけるAI活用前提の整備と次世代ビジョン / abema-ai-mam
cyberagentdevelopers
PRO
1
110
[JAWS-UG金沢支部×コンテナ支部合同企画]コンテナとは何か
furuton
3
240

Featured

See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.2k
GitHub's CSS Performance
jonrohan
1030
460k
For a Future-Friendly Web
brad_frost
175
9.4k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
How to Think Like a Performance Engineer
csswizardry
19
1.1k
Gamification - CAS2011
davidbonilla
80
5k
Code Reviewing Like a Champion
maltzj
519
39k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Into the Great Unknown - MozCon
thekraken
31
1.5k
Testing 201, or: Great Expectations
jmmastey
38
7k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
What's new in Ruby 2.0
geeforr
342
31k

Transcript

  1. From ‘huh?’ to privilege escalation Finding vulnerabilities from a bug

    in the AWS console Ben Bridts

  2. who are we building for?

  3. Huh?

  4. AWS Well- Architected Reviews AWS Professional Services AWS Architecture Design

    AWS 24/7 Managed Services AWS DevOps Best Practices AWS Migration Expertise & Guidance AWS Public Sector Solutions AWS Workshops & Training AWS Reselling & Cost Optimization

  5. AWS Directory Service AWS Directory Service Simple AD AD Connector

    AWS Managed Microsoft AD Amazon WorkSpaces Amazon WorkDocs Amazon QuickSight Amazon Chime Amazon Connect Amazon Relational Database Service (Amazon RDS) Amazon Elastic Compute Cloud (Amazon EC2) AWS Management Console

  6. AWS Directory Services Console

  7. None
  8. None

  9. Investigation

  10. None

  11. https://docs.aws.amazon.com/directoryservice/latest/admin-guide/UsingWithDS_IAM_ResourcePermissions.html

  12. Lessons CloudTrail is not a given, especially for console-only actions

    CloudTrail is extremly valuable for operations and defense

  13. who are we building for?

  14. Reproducing the issue

  15. None
  16. None

  17. https://botocore.amazonaws.com/v1/documentation/api/latest/reference/loaders.html

  18. None

  19. Takeaways Race conditions will happen Nonpublic can still be usable

    (especially for attackers) client-side is untrusted

  20. who are we building for?

  21. Privilege escalation

  22. Existing Directory User Role ds-group-a User Role ds-group-b Alice Bob

    Group A Group B

  23. Existing Directory User Role ds-group-a User Role ds-group-b Alice Bob

    Group A Group B Permissions Permissions Trust Relationship Trust Relationship

  24. Existing Directory User Role ds-group-a User Role ds-group-b Alice Bob

    Group A Group B Permissions Permissions Trust Relationship Trust Relationship

  25. Existing Directory User Role ds-group-a User Role ds-group-b Alice Bob

    Group A Group B Permissions Permissions https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_role.html [docs]/directoryservice/latest/admin-guide/UsingWithDS_IAM_ResourcePermissions.html

  26. Existing Directory User Role ds-group-a User Role ds-group-b Alice Bob

    Group A Group B Permissions Permissions https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_role.html Group C

  27. Existing Directory User Role ds-group-a Alice Bob Group A Permissions

    Permissions https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_role.html Group C New Directory

  28. Takeaways Nonpublic APIs makes IAM Policies harder to write Make

    ExternalIds as specific as possible Verify the negative too

  29. who are we building for?

  30. Conclusion

  31. we can’t claim shared responsibility without the right tools

  32. there is still low-hanging fruit

  33. who are we building for?

  34. Please make me happy too Add auditing to your products

    Create documented, public APIs Use more specific ExternalIds

  35. https://fwdcloudsec.org/speakers.html#evading-logging-cloud-aws https://fwdcloudsec.org/speakers.html#ground-shifts-underneath-us https://github.com/benbridts/aws-undocumented-api-models https://github.com/Frichetten/aws-api-models https://www.youtube.com/watch?v=R039RTcy6_w Learn more https://cloudar.be/awsblog/cloudsec2023

  36. Thank you! Ben Bridts [email protected] @BenBridts | @WeAreCloudar www.cloudar.be