Upgrade to Pro — share decks privately, control downloads, hide ads and more …

From ‘huh?’ to privilege escalation

Ben Bridts
June 12, 2023
Technology
0
14

From ‘huh?’ to privilege escalation

Security research is not something that’s only done by dedicated teams and companies. Sometimes it will be a developer or platform engineer that makes the jump from “that’s not how I expect it to work” to “that’s not how it’s supposed to work”.

In this talk we’ll walk through the process we took when we found strange behaviour in the AWS console, tried to debug what’s going wrong and ended up finding an API that didn’t check iam:PassRole correctly. We’ll see that in a lot of cases the needs of a person who’s debugging and a security researcher will overlap and that features like CloudTrail and documented APIs are useful resources for everyone.

Presentation given at fwd:cloudsec 2023 (https://fwdcloudsec.org/)

Ben Bridts

June 12, 2023
Tweet

More Decks by Ben Bridts

See All by Ben Bridts
The Hidden Costs of Managed Open Source
benbridts
0
5
re:Invent re:Cap 2023: Evolving your architecture
benbridts
0
39
A closer look at new ways to manage access - EKS Pod Identiy and S3 Access Grant
benbridts
0
5
re:Invent re:Cap - Removing Heavy Lifting
benbridts
0
73
Policy as Code: Putting best practices in your repository
benbridts
0
140
(Don't) try this at work - Lightning Talk
benbridts
0
110
AWS Systems Manager
benbridts
1
98
Do(n’t) try this at work - Technically, you _can_ do this
benbridts
0
160
Mistakes I made when writing Infrastructure as Code, and how to avoid them
benbridts
0
55

Other Decks in Technology

See All in Technology
心が動くエンジニアリング ── 私が夢中になる理由
16bitidol
0
100
生成AIが変えるデータ分析の全体像
ishikawa_satoru
0
170
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
600
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
37
12k
Lambdaと地方とコミュニティ
miu_crescent
2
370
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.7k
飲食店データの分析事例とそれを支えるデータ基盤
kimujun
0
150
マルチプロダクトな開発組織で 「開発生産性」に向き合うために試みたこと / Improving Multi-Product Dev Productivity
sugamasao
1
310
EventHub Startup CTO of the year 2024 ピッチ資料
eventhub
0
120
組織成長を加速させるオンボーディングの取り組み
sudoakiy
2
210
サイバーセキュリティと認知バイアス:対策の隙を埋める心理学的アプローチ
shumei_ito
0
390
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
28
13k

Featured

See All Featured
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Site-Speed That Sticks
csswizardry
0
28
The Invisible Side of Design
smashingmag
298
50k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
The Language of Interfaces
destraynor
154
24k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
RailsConf 2023
tenderlove
29
900
Building a Scalable Design System with Sketch
lauravandoore
459
33k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k

Transcript

  1. From ‘huh?’ to privilege escalation Finding vulnerabilities from a bug

    in the AWS console Ben Bridts

  2. who are we building for?

  3. Huh?

  4. AWS Well- Architected Reviews AWS Professional Services AWS Architecture Design

    AWS 24/7 Managed Services AWS DevOps Best Practices AWS Migration Expertise & Guidance AWS Public Sector Solutions AWS Workshops & Training AWS Reselling & Cost Optimization

  5. AWS Directory Service AWS Directory Service Simple AD AD Connector

    AWS Managed Microsoft AD Amazon WorkSpaces Amazon WorkDocs Amazon QuickSight Amazon Chime Amazon Connect Amazon Relational Database Service (Amazon RDS) Amazon Elastic Compute Cloud (Amazon EC2) AWS Management Console

  6. AWS Directory Services Console

  7. None
  8. None

  9. Investigation

  10. None

  11. https://docs.aws.amazon.com/directoryservice/latest/admin-guide/UsingWithDS_IAM_ResourcePermissions.html

  12. Lessons CloudTrail is not a given, especially for console-only actions

    CloudTrail is extremly valuable for operations and defense

  13. who are we building for?

  14. Reproducing the issue

  15. None
  16. None

  17. https://botocore.amazonaws.com/v1/documentation/api/latest/reference/loaders.html

  18. None

  19. Takeaways Race conditions will happen Nonpublic can still be usable

    (especially for attackers) client-side is untrusted

  20. who are we building for?

  21. Privilege escalation

  22. Existing Directory User Role ds-group-a User Role ds-group-b Alice Bob

    Group A Group B

  23. Existing Directory User Role ds-group-a User Role ds-group-b Alice Bob

    Group A Group B Permissions Permissions Trust Relationship Trust Relationship

  24. Existing Directory User Role ds-group-a User Role ds-group-b Alice Bob

    Group A Group B Permissions Permissions Trust Relationship Trust Relationship

  25. Existing Directory User Role ds-group-a User Role ds-group-b Alice Bob

    Group A Group B Permissions Permissions https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_role.html [docs]/directoryservice/latest/admin-guide/UsingWithDS_IAM_ResourcePermissions.html

  26. Existing Directory User Role ds-group-a User Role ds-group-b Alice Bob

    Group A Group B Permissions Permissions https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_role.html Group C

  27. Existing Directory User Role ds-group-a Alice Bob Group A Permissions

    Permissions https://docs.aws.amazon.com/directoryservice/latest/admin-guide/create_role.html Group C New Directory

  28. Takeaways Nonpublic APIs makes IAM Policies harder to write Make

    ExternalIds as specific as possible Verify the negative too

  29. who are we building for?

  30. Conclusion

  31. we can’t claim shared responsibility without the right tools

  32. there is still low-hanging fruit

  33. who are we building for?

  34. Please make me happy too Add auditing to your products

    Create documented, public APIs Use more specific ExternalIds

  35. https://fwdcloudsec.org/speakers.html#evading-logging-cloud-aws https://fwdcloudsec.org/speakers.html#ground-shifts-underneath-us https://github.com/benbridts/aws-undocumented-api-models https://github.com/Frichetten/aws-api-models https://www.youtube.com/watch?v=R039RTcy6_w Learn more https://cloudar.be/awsblog/cloudsec2023

  36. Thank you! Ben Bridts [email protected] @BenBridts | @WeAreCloudar www.cloudar.be