Pivoting in Amazon clouds

Expo Theatre (Hall G), October 22, 2013

Andrés Riancho

From no access at all to the company's Amazon root account, this talk will teach attendees about the components used in cloud applications, such as EC2, SQS, IAM, RDS, meta-data, user-data and Celery, and how misconfigurations in each can be abused to gain access to operating systems, database information, application source code and Amazon's services through its API.

The talk will follow a knowledgeable intruder from the first second after identifying a vulnerability in a cloud-deployed Web application and all the steps he takes to reach the root account for the Amazon user.

Except for the initial vulnerability, a classic remote file include in a Web application which grants access to the front-end EC2 instance, all the other vulnerabilities and weaknesses exploited by this intruder are going to be cloud-specific.

The tools used by this intruder are going to be released after the talk and will provide the following features:

  • Enumerate access to AWS services for current IAM role
  • Use poorly configured IAM role to create new AWS user
  • Extract current AWS credentials from meta-data, .boto.cfg, environment variables, etc.
  • Clone DB to access information stored in snapshot
  • Inject raw Celery task for pickle attack