Pivoting In Amazon Clouds

Presented at DeepSec 2013 „Secrets, Failures, and Visions“.

From no access at all to the company's Amazon root account: this talk will teach attendees about the components used in cloud applications, such as EC2, SQS, IAM, RDS, meta-data, user-data and Celery, and how misconfigurations in each can be abused to gain access to operating systems, database information, application source code and Amazon's services through its API. The talk will follow a knowledgeable intruder from the first second after identifying a vulnerability in a cloud-deployed Web application through all the steps he takes to reach the root account for the Amazon user. Apart from the initial vulnerability, a classic remote file inclusion in a Web application which grants access to the front-end EC2 instance, all vulnerabilities and weaknesses exploited by this intruder are going to be cloud-specific.

The tools used by this intruder are going to be released after the talk and will provide the following features:

  • Enumerate access to AWS services for current IAM role
  • Use poorly configured IAM role to create new AWS user
  • Extract current AWS credentials from meta-data, .boto.cfg, environment variables, etc.
  • Clone DB to access information stored in snapshot
  • Inject raw Celery task for pickle attack

Presenters:

  • Andres Riancho
    Andrés Riancho is an application security expert who currently leads the community-driven, Open Source w3af project and provides in-depth Web Application Penetration Testing services to companies around the world. In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS, contributed to SAP research performed at one of his former employers and reported vulnerabilities in hundreds of web applications. His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants. Andrés has spoken and held trainings at many security conferences around the globe, like PHDays (Moscow), SecTor (Toronto), OWASP (Poland), CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada), T2 (Finland) and ekoparty (Buenos Aires). Andrés founded Bonsai, a web-security-focused consultancy firm, in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation.