Understanding AWS cloud attacks using CloudGoat

Transcript

1. Understanding AWS attacks using CloudGoat Kavisha Sheth Security Analyst, Appsecco

2. Kavisha Sheth • Security Analyst at Appsecco • Breaks web

   application, API and Cloud security • Member of a number of security communities including null community, InfoSecGirls, and WiCys India • Listed as one of the top security researchers of the nation, in a newsletter of NCIIPC RVDP About me

3. • Why are we doing this? • AWS Real World

   Attacks • Attacking AWS infra using keys obtained via SSRF • Enumerating and attacking AWS S3 storage • Privilege escalation within AWS using IAM policy rollback • Privilege escalation using lambda functions • Next steps in learning • Tools • References What we will cover today

4. • Enterprises are increasingly running their IT and application infrastructure

   natively in the cloud • Our experience with multiple cloud assessments has shown mis-configurations to be a major security concern • Lot of default code and deployment practices on the Internet do not take security into account • Shared responsibility between cloud provider and you can be confusing • If you are aware of what attacks are out there, you can defend yourself better Why are we doing this?

5. What we are covering today Attacking AWS infra using keys

   obtained via SSRF Enumerating and attacking AWS S3 storage Privilege escalation within AWS using IAM policy rollback Privilege escalation using lambda functions

6. • To understand the attacks in today's talk we will

   be using CloudGoat as our target environment • You can setup CloudGoat to practice these attacks by following instructions from our reference slide Target Environment

7. Attacking AWS infra using keys obtained via SSRF

8. None

9. • Credentials already found by attacker (through JS source, Github,

   server-side code disclosure etc.) Scenario Assumptions

10. 1. Discovery of AWS IAM keys in client-side source code

11. 2. Identify the user using AWS STS

12. 3. Enumerate permissions for solus user https://github.com/andresriancho/enumerate-iam

13. 4. List Lamba functions Hard-coded AWS security credentials in the

    environment variables of the lambda function

14. 5. Identify who the creds belong to

15. 6. Permission enumeration for IAM user "wrex" https://github.com/andresriancho/enumerate-iam EC2 operations

    access

16. 7. What EC2 instances are running?

17. 8. Describe EC2 instance Public IP address of the EC2

    instance

18. 9. Web application running on port 80

19. 10. Added string value to URL parameter

20. Web application vulnerable to SSRF

21. None

22. 11. Steal the IAM role credentials

23. 12. Enumerate permissions

24. 13.List the buckets and download any data stored on the

    s3 buckets. S3 Bucket has additional sensitive information!!

25. What was our approach? • Found credentials with read only

    access • Application which is hosted on EC2 instance was vulnerable to SSRF • Role was attached to EC2 instance • Exploit to steal the IAM role credentials • Look for permissions • Found S3 related permission • List S3 bucket and downloaded data

26. Attacker flow so far!!

27. What's next? • Is web application hosted on EC2 instance?

    • Is role attached to EC2 instance?

28. Attacker flow so far!! Post exploitation of SSRF

29. Finding SSRF via HTML Injection inside a PDF file on

    AWS EC2 https://blog.appsecco.com/finding-ssrf-via-html-injection-inside-a-pdf-file-on-aws-ec2-214cc5ec5d90

30. AWS S3 Data breach

31. • Attacker has discovered a public IP with a HTTP

    reverse proxy running • Reverse proxy is misconfigured (does not check target IP) • This reverse proxy allows access to any internal IP addresses including the instance metadata endpoint Scenario Assumptions

32. 1. Crafted cURL command

33. 2. Role credentials retrieved

34. 3.Configure profile using stolen credentials

35. 4. Enumerate permissions Command: python enumerate-iam.py --access-key ACCESS-ID --secret-key SECRET-KEY

    --session- token SESSION-TOKEN

36. 5.Get access to S3 bucket data

37. Approach https://github.com/RhinoSecurityLabs/cloudgoat/blob/master/scenarios/cloud_breach_s3/README.md

38. Where can you find S3 buckets ? • HTTP responses

    when uploading a file • In DNS records • Google searches for website name and s3 buckets • Shodan, Certificate Transparency Logs, Censys, numerous bucket finder scripts, GrayHat Warfare bucket search

39. Privilege escalation within AWS using IAM policy rollback

40. • Credentials already found by attacker (through JS source, Github,

    server-side code disclosure etc.) Scenario Assumptions

41. Credentials Found

42. 1. Entity/verify who the security credentials belong to

43. 2. Review and enumerate policy versions

44. 3. Enumerate Policy versions

45. 4. Policy with admin privileges – version 3

46. 5. Make V3 version as the default policy version Command

    to make V5 default policy version aws iam set-default-policy-version \ --policy-arn "arn:aws:iam::ACCOUNT-ID:policy/cg-raynor-policy" \ - -version-id v3 --profile <PROFILE-NAME> Let's create a new IAM user!

47. Tool to detect this vulnerability automatically • https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py

48. Privilege escalation using lambda functions

49. • Credentials already found by attacker (through JS source, Github,

    server-side code disclosure etc.) Scenario Assumptions

50. 1.List users and policies

51. 2. List Roles

52. 3.Verifying Access control

53. 4.Try to assume lambda manager role

54. 5. Attach the administrator policy to the IAM user "Chris"

55. • Create lambda function: aws lambda create-function --function-name admin_function --runtime

    python3.6 --role <cg-debug-role arn> --handler code.lambda_handler -- zip-file fileb://code.zip --profile lambdaManager • Invoke lambda function: aws lambda invoke --function-name admin_function out.txt -- profile lambdaManager 6.Leverage the lambdaManager role to perform a privilege escalation using a Lambda function

56. 7. Chris got full admin access

57. Approach

58. Some AWS Vulnerability detection tools Scout Suite Scout Suite Prowler

    Prowler Bucket finder Bucket finder Enumerate IAM Enumerate IAM iam_user_enum iam_user_enum

59. • Reconnaissance and OSINT are the key to discover the

    security issues in cloud services and applications • To prevent the risk associated with a successful SSRF on AWS, administrators can upgrade EC2 instance metadata endpoints to IMDSv2 which can protect EC2 instances against vanilla SSRF attempts • Make sure that EC2 instances are configured properly • The most common themes are mis-configuration of services, insecure programming and permissions that should not have been given • Post exploitation has no limits with the cloud. You can attack additional services, disrupt logging, make code changes to attack users. • There are a ton of tools that security folks have written on GitHub and a lot of work is being done in the attack and exploitation areas Things to note

60. • https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest- tools/iam_user_enum • https://github.com/appsecco/attacking-cloudgoat2 • https://blog.appsecco.com/server-side-request-forgery-ssrf-and-aws-ec2-instances-after- instance-meta-data-service-version-38fc1ba1a28a • https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-

    7630fa57c7ed • https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/scenarios • https://github.com/toniblyx/prowler • https://github.com/nccgroup/ScoutSuite • https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html References

61. Q&A Kavisha Sheth Security Analyst [email protected] @sheth_kavisha https://linkedin.com/in/kavisha-sheth/ https://appsecco.com https://blog.appsecco.com

    @appseccouk [email protected]
62. None