Starting from no access at all and ending at the company's Amazon root account, this talk will teach attendees about the components used in cloud applications, such as EC2, SQS, IAM, RDS, meta-data, user-data and Celery, and how misconfigurations in each can be abused to gain access to operating systems, database information, application source code and Amazon's services through its API.
The talk will follow a knowledgeable intruder from the first second after he identifies a vulnerability in a cloud-deployed Web application through every step he takes to reach the root account of the Amazon user.
Except for the initial vulnerability, a classic remote file include in a Web application that grants access to the front-end EC2 instance, all the other vulnerabilities and weaknesses exploited by this intruder are cloud-specific.
The tools used by this intruder are going to be released after the talk and will provide the following features:
- Enumerate access to AWS services for current IAM role
- Use poorly configured IAM role to create new AWS user
- Extract current AWS credentials from meta-data, .boto.cfg, environment variables, etc.
- Clone DB to access information stored in snapshot
- Inject raw Celery task for pickle attack
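The weaknesses the intruder's tools rely on are all configuration choices that an operator can audit before deployment. The following script is an added example from the defender's side, not code from the talk or its released tools: it checks an IAM policy document for wildcard or identity-creating permissions (the "poorly configured IAM role" and "clone DB from snapshot" cases) and a Celery settings dictionary for pickle deserialization and AWS credentials embedded in the broker URL. The policy, account id, access key and Celery settings in it are constructed samples; the Celery setting names are the lowercase ones used by Celery 4 and later.

```python
"""Audit an IAM policy and a Celery configuration for the misconfigurations
named in the abstract. Added example, not part of the talk's tools; every
input below is a constructed sample."""
import json

# IAM actions that let whoever holds the role mint or escalate identities.
# IAM action names are case-insensitive, so everything is lowercased.
IDENTITY_ACTIONS = {
    "iam:*", "iam:createuser", "iam:createaccesskey", "iam:createloginprofile",
    "iam:attachuserpolicy", "iam:putuserpolicy", "iam:attachrolepolicy",
    "iam:putrolepolicy", "iam:addusertogroup",
}

# RDS actions that let a role copy or restore database contents elsewhere.
SNAPSHOT_ACTIONS = {"rds:*", "rds:createdbsnapshot", "rds:restoredbinstancefromdbsnapshot"}


def _as_list(value):
    """IAM allows either a string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_iam_policy(policy_json):
    """Return (statement index, finding) pairs for risky Allow statements."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        resources = set(_as_list(stmt.get("Resource")))
        if "*" in actions:
            findings.append((idx, "wildcard-action"))
        escalating = sorted(actions & IDENTITY_ACTIONS)
        if escalating:
            findings.append((idx, "identity-management:" + ",".join(escalating)))
        if "*" in resources and actions & SNAPSHOT_ACTIONS:
            findings.append((idx, "rds-snapshot-on-any-resource"))
    return findings


def audit_celery_settings(settings):
    """Return findings for a Celery settings dict (lowercase setting names)."""
    findings = []
    # A worker that accepts pickle will unpickle whatever lands in its queue,
    # so anyone who can write to the broker can hand it arbitrary objects.
    accept = {str(c).lower() for c in settings.get("accept_content", ["json"])}
    if accept & {"pickle", "application/x-python-serialize"}:
        findings.append("accept_content-allows-pickle")
    if str(settings.get("task_serializer", "json")).lower() == "pickle":
        findings.append("task_serializer-pickle")
    # Celery's SQS transport takes credentials in the URL; a readable settings
    # file then yields working AWS keys directly.
    broker = str(settings.get("broker_url", ""))
    if broker.startswith("sqs://") and "@" in broker:
        findings.append("aws-credentials-in-broker-url")
    return findings


# Constructed sample policy: a queue permission that is fine, an IAM statement
# that lets the role create users and keys, and an unscoped snapshot restore.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
         "Resource": "arn:aws:sqs:us-east-1:123456789012:celery"},
        {"Effect": "Allow", "Action": ["iam:CreateUser", "iam:CreateAccessKey"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "rds:RestoreDBInstanceFromDBSnapshot",
         "Resource": "*"},
    ],
})

# Constructed sample Celery settings with placeholder (not real) AWS keys.
SAMPLE_CELERY = {
    "broker_url": "sqs://AKIAEXAMPLEKEY:EXAMPLESECRET@",
    "accept_content": ["pickle", "json"],
    "task_serializer": "pickle",
}

if __name__ == "__main__":
    for idx, finding in audit_iam_policy(SAMPLE_POLICY):
        print(f"IAM statement {idx}: {finding}")
    for finding in audit_celery_settings(SAMPLE_CELERY):
        print(f"Celery: {finding}")
```

Run against a real policy, the JSON string comes from the role's inline or attached policy documents; a clean policy and a JSON-only Celery configuration both return empty lists, so the functions can be used as a pre-deployment gate.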