Privilege Escalation Attack : Attacking AWS IAM permission misconfigurations

This blog series aims to help you get started with cloud security. We will be looking at how to attack cloud Identity and Access Management such as AWS IAM, Azure IAM, GCP IAM. This blog is aimed at security professionals and companies who want to learn about cloud security.

Before we try Privilege Escalation , we will understand what IAM is.

What is AWS IAM ?

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

What is AWS IAM Role ?

AWS IAM roles allow you to delegate access to users or services that normally don’t have access to your organization’s AWS resources. IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls. Consequently, you don’t have to share long-term credentials or define permissions for each entity that requires access to a resource.

What is AWS IAM Policy ?

A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when an IAM principal (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents. AWS supports six types of policies: identity-based policies, resource-based policies, permissions boundaries, Organizations SCPs, ACLs, and session policies.

How to create an IAM User?

Now let’s create an IAM user. Login to AWS console and navigate to the IAM page, click on the Services button on the top-left of the page, then search for and click on the relevant link to the IAM page

Let’s create a new IAM user here.

After we are on the IAM dashboard Click on Users to continue.
To create an IAM user, click on the Add user button at the top-left of the page

You will then be presented with a page that requests a User name and the type of access to provide to the new user. One of the two types of access that you can choose is Programmatic access, which creates an access key ID and secret access key for the user, so that they can access the AWS APIs through something like the AWS CLI or the SDKs provided for various programming languages. The other is AWS Management Console access, which will either autogenerate a password or allow you to set a custom one, so that the user can access the AWS web console.

For our example, let’s create a user named Test that is allowed programmatic access to the AWS APIs. Once that has been filled out, you can click on Next: Permissions to continue:

After continuing, you will be presented with three options to set up permissions for this new user. The three options that are presented allow you to do the following: Add the user to an IAM group Copy the permissions of another existing user Attach the existing IAM policies directly to the user Click on the third option to attach an existing policy directly to the user

After doing so, you will be presented with a list of IAM policies
In the search box that appears, type in AmazonEC2FullAccess and check the box to the left of the policy that appears. This policy will provide the user with full access to the EC2 service, as well as other services that are often used in tandem with EC2. If you are interested in viewing the JSON document for this policy, you can click on the arrow next to the policy name and then click on the {} JSON button:
We can now click the Next: Review button towards the bottom-right of the window to move on after adding tags ( optional).

The next page will be a summary of what we have just set up, so we can go ahead and click on the Create user button towards the bottom right of the window

Next, you should be presented with a green Success message and the option to either view or download the associated Access key ID and Secret access key for this new user

Note to escalate privileges, we first need access key id and secret access key of the compromised user. For demo, we will use the above-created user.

Suggested Read – Windows Privilege Escalation

cloud vulnerabilities that lead to compromise of cloud user credentials

1. Finding access keys exposed online in code repositories, Docker containers, etc.
2. Using a web service to proxy requests to the 169.254.169.254 metadata service (if you run a web server that performs any kind of remote downloading of user-provided URLs, the above should be blocked).
3. Obtaining access to an instance that has credentials hard coded on the machine.
4. Exploiting an application vulnerability to expose its environment variables, config files, etc., which may contain the AWS credentials.
5. Obtaining access to a role that has been assigned “.” permissions or is part of a group with those permissions.
   The list goes on.

To install AWS CLI you can refer to the official website.

Now to configure the AWS CLI we need AWS credentials i.e Access Key ID & Secret Access Key.

1. Click on Download .csv file or click on show secret access key.
2. Now Open your terminal and type the below command and add your access key ID & Secret key.aws configure

   

We will use AWS CLI in the later section.

importance of permissions enumeration

In any case, whether you can escalate your privileges or not, having a definitive list of what permissions you do have is extremely important.. By knowing what access you have, you can avoid the need to run test commands to determine whether you have privileges or not. This is beneficial because API errors, especially access denied errors, can be very noisy, and will likely alert a defender to your activity.

Let’s check out different methods to find the misconfigured IAM policies.

Enumeration

AWS IAM users can have different policies

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "*"
        },

Now we will look at different ways to enumerate IAM permissions that the compromised user have before escalating priveleges.

In aws cli use the command to list Inline User policies

aws --profile "test" iam list-user-policies --user-name "test"

There are also a couple of tools for iam security such as [awsconsoler] (https://github.com/salesforce/cloudsplaining), enumerate-iam which can be used to dump permissions.

Exploitation

We have enumerated the IAM permissions and policies ,

we come to know that the test user is having the following inline policy

{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Effect": "Allow",
 "Action": "iam:PutUserPolicy",
 "Resource": "*"
 }
 ]
}

let’s Perform Privilege Escalation

We have configured AWS CLI already, we can exploit the IAM misconfig by firing the below command.

aws iam put-user-policy –user-name my_username –policy-name my_inline_policy –policy-document file://path/to/administrator/policy.json

If you observe the IAM policy, Due to the ability to specify an arbitrary policy document with this method, the attacker could specify a policy that gives permission to perform any action on any resource, ultimately escalating to full administrator privileges in the AWS environment.

Automation

For this, we will be using pacu tool.
Let’s explore how to check misconfiguation using this tool.

We have already set up our AWS keys to work with the AWS CLI, so the simplest approach
will be to import them from the AWS CLI. We can import our Test AWS CLI profile by
running the following Pacu command:
import_keys Test
This command should return the following output:

To run this module for our own user, we don’t need to pass in any arguments,
so we can just run the following command to execute the module:

run iam__enum_permissions

Our permissions have been enumerated, so now we will move into trying to use those
permissions for privilege escalation in the environment. There is also a Pacu module for
this called iam_privesc_scan. This module will run and check the set of permissions that
you enumerated to see if your user is vulnerable to any methods out of 21 different known
privilege escalation methods in AWS.

run iam__privesc_scan

Why you need to check iam security?

Many times the team who manages the cloud environment assign the same overpermissive managed policies or do not follow the security practices for IAM. Post initial compromise, these IAM policies, and controls play the most important role in stopping the major impact on a company cloud infrastructure

Labs

To learn and practice the attacks related to IAM you can navigate to the below vulnerable sites.

• cloudgoat

This concludes our blog. In the next blog, we will be exploring other cloud security issues in aws.

References :

• https://aws.amazon.com/iam/
• https://docs.aws.amazon.com/cli/latest/reference/iam/
• https://www.cloudconformity.com/knowledge-base/aws/IAM/
• https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

About Payatu

Payatu is a boutique security testing and services organization specialized in Products, Application, and Infrastructure security assessments and deep technical security training. We offer a full IoT ecosystem security assessment, including Hardware, Cloud, Web, and Mobile interface. If you are looking for security testing services then let’s talk, share your requirements:

Get in touch with us. Click on the get started button below.