Amazon Cognito (Mis)Configurations

Transcript

1. Amazon Cognito (Mis)Configurations Kavisha sheth @sheth_kavisha

2. • Security Analyst at Appsecco. • Listed as a security

   researcher of the nation by NCIIPC RVDP. • Infosec speaker, who has spoken at national and international conferences - @OWASP, @HackinParis, @Cocon2021, @Defcon(Cloud village) and many more conferences/Security events • Lifelong learner and believe in sharing knowledge

3. Agenda • Amazon cognito working • What are the possible

   attack vectors • Exploitation • What are the root causes • What can be done

4. Amazon cognito working https://aws.amazon.com/blogs/mobile/building-fine-grained-authorization-using-amazon-cognito-user-pools-groups/

5. What are the possible attack vectors? • Hardcoded Identity Pool

   ID. • Identity Pool ID present in HTTP response. • Liberal AWS permissions has been assigned. • Misconfigured AWS Cognito Attributes. • AWS cognito misconfigured to allow sign up of new user.

6. The disclosure of App Client ID, User Pool ID, Identity

   Pool ID, and Region information is not a misconfiguration since these are not confidential values

7. Hardcoded Identity PoolID is value is disclosed in HTTP response

   Is security concern or not?

8. Try to request for identityID as an unauthenticate d identities

   Verify if throws error or not

9. No error , what’s next? Using the IdentityPoolID generate our

   IdentityID From the IdentityID, generate temporary AWS Access Key, Secret Key and Session Token API call to fetch temporary credentials AWSCognitoIdentityService.Get CredentialsIdentity Use botto script Run Python script python get_creds.py "<region_id>" "<identity_pool_id>"

10. Got Temporary credentials, what's next ?? Check if token are

    working fine aws sts get-caller-identity Emumeration permissions (You can use enumerate-iam tool) Verify if you get any sensitive information or if you get any interesting permission

11. Error ! Access to unauthenticated identities was disabled. "NotAuthorizedException" Why

    What can be done Try to identify that the application exposed some functionalities unintentionally due to AWS Cognito misconfiguration Run Python script python get_creds.py "<region_id>" "<identity_pool_id>"

12. ClientID is value disclosed Is security concern or not?

13. From knowing only ClientID to performing self-registration

14. From knowing ClientID to performing self-register • AWS CLI command

    aws with the cognito-idp option which allows creating or modifying an application's user pool data • Verify and check mail that the account verification code sent to his e-mail address in order to activate his self-registered account • After getting code at mentioned email id, run following command aws cognito-idp confirm-sign-up --client-id < knownClientid value> --username <emailid of attacker> --password <password> aws cognito-idp confirm-sign-up --client-id <knownClientid value> --username <emailid of attacker> --confirmation-code <code> Using CLI

15. • Check weather self-registration was successful or not. • If

    self -registration is successful, try to attempt to log in to Victim’s website with the newly registered account. • If able to register with newly created account

16. Try to look for AWSCognitoIdentityService.ConfirmSignUp keyword and observe that POST

    request is being made Try to alter email and password value in request and see if you are able to perform action successfully. Using Burpsuite

17. Approach Check if the confirmation email was sent to the

    attacker specified email along with the confirmation code. Check if the user account can be confirmed from the token/code received on the registered email. Check if Application validated a newly created user and allowed to signup.

18. What went wrong? Allowing users to signup themselves Client id

    value is disclosed

19. What can be done? Only allow administrators to create users

20. • Try to run cognito-idp following command: • Observed that

    it’s throws Unauthorized error and that’s confirm that user is not allowed register himself. • self-registration workflow is no longer accessible by anonymous users! aws cognito-idp confirm-sign-up --client-id < Clientid value> --username <emailID of attacker> --password <password> Why ClientID is not really issue?

21. How with help of misconfigured attribute attacker can allow to

    perform privilege escalation?

22. IdToken contains claims about the identity of the authenticated user

    such as name, email, and phone_number. AccessToken contains scopes and groups information and it’s used to grant access to authorized resources.

23. Exploitation scenario • List User Attributes by using command using

    the AWS command-line interface: • Look for custom user attribute. • Custom user attribute is created by an application developer when the built-in standard user attributes are not sufficient or applicable. e.g. adding a boolean isAdmin flag, role to your User object. aws cognito-idp get-user --access-token $token

24. Custom user attribute Gets the user attributes & metadata for

    a user in a Cognito user pool Command returns an array of name-value pairs that represent user attributes List user attributes

25. Try to update user attribute value • Run following command

    to update user custom attribute: aws cognito-idp update-user-attributes --access-token <token> --user-attributes Name="custom:isAdmin",Value="true" Verify if command returns a successful update of user's custom:isAdmin attribute, updating it to true !!! If attempt to update the custom:isAdmin attribute would fail with the following error: NotAuthorizedException, Then confirm that attribute is set to read only access.

26. Try to re-attempt login Check if you are able to

    update user attribute value successfully. Verify if user is able to perform actions as an admin Check if custom user attributes are present List user attributes Approach

27. What was causing the issue ? Custom user attribute is

    writeable

28. What can be done ? Update by unchecking custom:isAdmin attribute’s

    write check box and verify that attribute has to read-only access. aws cognito-idp update-user-attributes --access-token <token> --user-attributes Name="custom:isAdmin",Value="true" Observed that it’s not allowing to update value of user attribute and throws error "NotAuthorizedExc eption"

29. Approach List user attributes See if custom user attribute is

    present Try to update custom user attribute value

30. Q/A @sheth_kavisha

31. References • https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html • https://andresriancho.com/wp-content/uploads/2019/06/whitepaper-internet-scale-analysis-of- aws-cognito-security.pdf • https://curlsandbun.medium.com/compromising-s3-buckets-through-misconfigured-aws-cogni to-e23f08b2f475 •

    https://github.com/andresriancho/enumerate-iam • https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

32. Get in Touch at • Twitter - @sheth_kavisha https://twitter.com/sheth_kavisha •

    LinkedIn - Kavisha-sheth https://in.linkedin.com/in/kavisha-sheth

33. Kavisha sheth