Pivoting in Amazon Clouds

Presented at Black Hat USA 2014, Aug. 6, 2014, 10:15 a.m. (60 minutes)

From no access at all to the company's Amazon root account, this talk will teach attendees about the components used in cloud applications, such as EC2, SQS, IAM, RDS, meta-data, user-data, and Celery, and how misconfigurations in each can be abused to gain access to operating systems, database information, application source code, and Amazon's services through its API. The talk will follow a knowledgeable intruder from the first second after identifying a vulnerability in a cloud-deployed Web application and all the steps he takes to reach the root account for the Amazon user. Except for the initial vulnerability, a classic remote file include in a Web application which grants access to the front-end EC2 instance, all the other vulnerabilities and weaknesses exploited by this intruder are going to be cloud-specific.

The tools used by this intruder are going to be released after the talk and will provide the following features:

  - Enumerate access to AWS services for current IAM role
  - Use poorly configured IAM role to create new AWS user
  - Extract current AWS credentials from meta-data, .boto.cfg, environment variables, etc.
  - Clone DB to access information stored in snapshot
  - Inject raw Celery task for pickle attack

Presenters:

  • Andres Riancho
    Andres Riancho is an application security expert who currently leads the community-driven, Open Source w3af project and provides in-depth Web Application Penetration Testing services to companies around the world. In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS, and contributed to SAP research performed at his former employer. His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants. Andres has spoken and held trainings at many security conferences around the globe, like PHDays (Moscow), SecTor (Toronto), OWASP (Poland), CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada), T2 (Finland), and ekoparty (Buenos Aires). Andres founded Bonsai in 2009 in order to further research automated Web Application Vulnerability detection and exploitation.
