Yakir Kadkoda, Michael Katchinskiy and Ofek Itach: Breaching AWS Accounts Through Shadow Resources.pdf

ID: 175545 | PDF | 101 pages | 8.64 MB | Download credits: VIP only

Breaching AWS Accounts Through Shadow Resources
Yakir Kadkoda, Michael Katchinskiy, Ofek Itach
#BHUSA @BlackHatEvents

AWS Account ID
- Each AWS account has a unique account ID
- 12-digit ID
- Some treat it as a secret, others don't

Speakers
- Yakir Kadkoda, Lead Security Researcher (YakirKad)
- Michael Katchinskiy, formerly Senior Security Researcher (mike_katch)
- Ofek Itach, Senior Security Researcher (ofekitach)

Demo command: aws sts get-caller-identity

Agenda
- Introduce "Shadow Resources"
- Showcase several AWS vulnerabilities
- Introduce Bucket Monopoly
- Mitigation and Recommendations
- Demonstrate open-source tool TrailShark

Shadow Resource
- AWS resources generated automatically or semi-automatically
- Most of the time, spawned without user intervention
- Might go unnoticed by the account owner

S3 Buckets as Shadow Resources

Bucket Uniqueness
- If you create cool-bucket-1, no one else can claim that bucket name
- S3 bucket names must be globally unique across all AWS accounts

AWS CloudFormation Vulnerability

What is AWS CloudFormation?
1. ... or use an existing template
2. Save locally or in S3 bucket
3. Use AWS CloudFormation to create a stack based on your template

Upload a template file (AWS User -> AWS CloudFormation)
1. Upload a template file (template_file.yaml)
2. CreateUploadBucket
3. If the bucket does not exist: create bucket
4. Return bucket name
5. PutObject (BucketName)
6. CreateStack

CloudFormation Bucket Name
- Prefix: cf-templates-
- Hash: a3gjv31ap90h
- Region: us-east-1
- Bucket name: cf-templates-a3gjv31ap90h-us-east-1

Same hash, every region
- us-east-1: cf-templates-a3gjv31ap90h-us-east-1
- eu-west-2: cf-templates-a3gjv31ap90h-eu-west-2
- The hash is fixed per account; only the region changes: cf-templates-a3gjv31ap90h-<Region>

Pre-claiming the bucket in an unused region
- AWS Account - Victim, us-east-1: cf-templates-a3gjv31ap90h-us-east-1
- AWS Account - Attacker, eu-west-2: cf-templates-a3gjv31ap90h-eu-west-2
- When the victim first uses CloudFormation in eu-west-2, the template is written to the attacker-owned bucket
- Impact: Information Disclosure

Resource Injection in CloudFormation Templates

CloudFormation: Full Attack Scenario
1. User creates stack
2. Upload victim template
3. Lambda triggered by PutBucketNotification
4. Get victim template
5. Resource injection
6. Put modified template
7. Submit stack
8. Get modified template
9. Create the injected resource (admin role)

CloudFormation: Important Points
- Initiator needs IAM role management permissions to create admin role
- Attackers can still modify resources based on the template file
- Wait for new stack deployment in a new region

PoC

The Elephant in the Room

CloudFormation S3 Bucket Hash
- Prefix: cf-templates-
- Hash: a3gjv31ap90h (12 characters, a-z0-9)
- Region: us-east-1
- 4,738,381,338,321,616,896 possible hash values

The Hash

Hash Discovery in Open-Source: 1000

Eureka
- glue-assets-<AccountId>-<Region>

Exploring Potential Vulnerabilities
- Open-Source
- Documentation
- Crawling
- Automation

TrailShark

Digging for Potential Buckets
- Which services are responsible for these buckets?
- Are they exploitable?
- Glue, EMR, SageMaker, CodeStar, Service Catalog

Pre-Steps for Exploitation
- Allow public access with permissive policy
- Create Lambda to inject malicious code via PutBucketNotification
- Create predictable S3 bucket in a new region

Glue Vulnerability
- aws-glue-assets-<AWS:AccountId>-<AWS:Region>

What is AWS Glue?

Glue: Full Attack Scenario
1. Create job
2. Create Glue Python script
3. Lambda triggered by PutBucketNotification
4. Get victim script
5. Modify Glue Python script
6. Put modified script
7. Run job
8. Get modified Glue Python script
9. Run the injected Python script
- Impact: Remote Code Execution

Glue Service Role

Invisible Backdoor
- What the victim sees
- What is run

Video

EMR Vulnerability
- aws-emr-studio-<AWS:AccountId>-<AWS:Region>

What is AWS EMR?

EMR: Full Attack Scenario
- Create a Studio
- Create Jupyter notebook
- Lambda triggered by PutBucketNotification
- Get victim script
- Modify Jupyter notebook
- Put modified script
- Get modified Jupyter notebook
- Redirect the user to the malicious site

EMR: Disclaimer

Two Ways to Continue

Video

SageMaker Vulnerability
- sagemaker-<AWS:Region>-<AWS:AccountId>

SageMaker: Full Attack Scenario
1. Open Canvas
2. Create dataset / upload files
3. Upload dataset
4. Attacker: get dataset
5. Manipulated dataset
6. Get manipulated dataset
- Impact: Data Manipulation, Data Leakage

Service Catalog Vulnerability
- cf-templates-<Hash>-<AWS:Region>

What is AWS Service Catalog?

CodeStar Vulnerability
- aws-codestar-<AWS:Region>-<AWS:AccountId>

CodeStar: Full Attack Scenario

Shadow Resource in Open Source

Case Studies

Past Services Affected by Shadow Resources
- Athena

Bucket Monopoly

Bucket Monopoly Step-by-Step
1. Identifying predictable bucket name
2. Discovering the unique identifier
3. Monopolize: creating unclaimed buckets across all regions

Identifying

Discovering the Unique Identifier
- Glue: aws-glue-assets-<AWS:AccountId>-<AWS:Region>
- CloudFormation: cf-templates-<Hash>-<AWS:Region>

Discovering Account IDs

Monopolize

Disclosure and Timeline
- 16 February 2024: Reported vulnerabilities in CloudFormation, Glue, EMR, SageMaker, and CodeStar to AWS. AWS acknowledged and began investigating.
- 18 February 2024: Reported a vulnerability in Service Catalog.
- 16 March 2024: AWS confirmed fixes for CloudFormation and EMR.
- 25 March 2024: AWS confirmed fixes for Glue and SageMaker. CodeStar addressed as it is planned for deprecation in July 2024.
- 30 April 2024: Reported that the CloudFormation fix leaves users vulnerable to DoS.
- 26 June 2024: AWS confirmed fixes for Service Catalog and CloudFormation.

Summary and Mitigations
- Use the aws:ResourceAccount condition
- Verify expected bucket owner
- Name S3 buckets with unpredictable identifiers:
  - Prefix: aws-xyz-
  - Account-ID: 123456789123
  - Region: us-east-1
  - Random: 1vc8126
  - Bucket name: aws-xyz-123456789123-us-east-1-1vc8126
- Do you still believe account ID isn't a secret?

Thank you!
YakirKad, mike_katch, ofekitach
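The three mitigations the deck closes on (restricting S3 access with the aws:ResourceAccount condition, verifying the expected bucket owner on every S3 call, and naming buckets with an unpredictable tail) are shown below as defender-side code. This is an added example, not code from the slides or from the speakers' tooling. Assumptions: the naming format and seven-character random suffix follow the aws-xyz-123456789123-us-east-1-1vc8126 pattern on the mitigation slide; ExpectedBucketOwner is the S3 request parameter of that name, and no S3 call is actually made here, only the request parameters and policy document are built and audited.

```python
"""Added example (not from the slides): the deck's three S3 mitigations as code.

Assumptions (labelled): the bucket-name layout and 7-char random suffix mirror
the slide's aws-xyz-123456789123-us-east-1-1vc8126 example; ExpectedBucketOwner
is the S3/boto3 GetObject parameter of that name (no network call is made).
"""
import json
import re
import secrets
import string

# S3 bucket-name rules: 3-63 chars, lowercase letters, digits and hyphens,
# starting and ending with a letter or digit.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")


def unpredictable_bucket_name(prefix: str, account_id: str, region: str,
                              random_len: int = 7) -> str:
    """Build <prefix>-<account>-<region>-<random>.

    The random tail is what prevents a third party from pre-claiming the
    name in a region the account has not used yet.
    """
    alphabet = string.ascii_lowercase + string.digits
    suffix = "".join(secrets.choice(alphabet) for _ in range(random_len))
    name = f"{prefix}-{account_id}-{region}-{suffix}"
    if not BUCKET_NAME_RE.match(name):
        raise ValueError(f"not a valid S3 bucket name: {name}")
    return name


def resource_account_policy(account_id: str) -> dict:
    """IAM policy allowing S3 object access only on buckets owned by account_id."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "S3OnlyOwnAccount",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:ResourceAccount": account_id}},
        }],
    }


def s3_access_restricted_to_account(policy: dict, account_id: str) -> bool:
    """Audit check: every Allow statement granting an s3:* (or *) action must
    carry StringEquals aws:ResourceAccount == account_id. Statements without
    the condition would let a principal read from or write to a bucket that
    someone else pre-claimed under a predictable name."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a == "*" or a.lower().startswith("s3:") for a in actions):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        allowed = cond.get("aws:ResourceAccount")
        if isinstance(allowed, str):
            allowed = [allowed]
        if allowed != [account_id]:
            return False
    return True


def get_object_request(bucket: str, key: str, owner_account_id: str) -> dict:
    """Request parameters for S3 GetObject with ExpectedBucketOwner set.

    S3 refuses the request with 403 when the bucket belongs to another
    account, so a pre-claimed bucket is never silently read from.
    """
    return {"Bucket": bucket, "Key": key, "ExpectedBucketOwner": owner_account_id}


if __name__ == "__main__":
    acct = "123456789123"  # constructed sample account ID from the slide
    print(unpredictable_bucket_name("aws-xyz", acct, "us-east-1"))
    print(json.dumps(resource_account_policy(acct), indent=2))
    print(get_object_request("aws-xyz-" + acct + "-us-east-1-1vc8126", "job.py", acct))
```

The audit function is the piece worth wiring into a policy-review step: run it over every IAM policy that grants S3 actions and flag the ones where it returns False, since those are exactly the principals that would follow a service into a bucket the account does not own.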
