云上攻防系列其实早在几年前笔者就公开分享过一些思路,有兴趣的可以看看Red Teaming for Cloud(云上攻防)。
众所周知,云计算领域是一个融合众多软件技术及架构的领域因此也面临着各式各样的安全威胁,作为聚焦云上攻防的蓝军从业人员(Red Team)不仅需要掌握传统领域的渗透技能,也需要积极拓展思路,切忌画地为牢。
本文是通过对近期国外TOP3云厂商已公开攻击方法的洞察分析后的阶段性总结提炼。
AWS
- 利用AWS的ECS服务的Task Definition新建容器并通过EC2的metadata API获取临时AK/SK提权:https://rhinosecuritylabs.com/aws/pillaging-ecs-task-definitions-two-new-pacu-modules/
- 通过AWS ECS Task Definition可以获取敏感信息(Task Definition类似于k8s的kubeconfig文件):https://rhinosecuritylabs.com/aws/weaponizing-ecs-task-definitions-steal-credentials-running-containers/
- 利用AWS API Gateway服务可以绕过IP黑名单的限制:https://rhinosecuritylabs.com/aws/bypassing-ip-based-blocking-aws/
- 滥用AWS VPC服务的TrafficMirror特性获取东西向流量中的敏感信息:https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/
- CloudFormation(利用XXE读取本地文件和SSRF获取metadata):https://orca.security/resources/blog/aws-cloudformation-vulnerability/
- Glue(利用assume role提权至Glue服务账号再结合其内部API的不安全配置获得其他使用了Glue服务的租户账号权限):https://orca.security/resources/blog/aws-glue-vulnerability/
- S3漏洞利用(计算资源中列权限、过度依赖IAM防止数据泄露、非公开的桶中包含公开的存储对象):https://cloudsecurityalliance.org/blog/2020/06/18/3-big-amazon-s3-vulnerabilities-you-may-be-missing/
- WorkSpace(利用第三方软件SDK漏洞):https://www.sentinelone.com/labs/usb-over-ethernet-multiple-privilege-escalation-vulnerabilities-in-aws-and-other-major-cloud-services/
- 云上资源的子域名接管:https://0xpatrik.com/subdomain-takeover-ns/
- 利用云服务的跨账号默认IAM权限配置不当,如允许修改资源arn,实现跨租户资源获取:https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Breaking-The-Isolation-Cross-Account-AWS-Vulnerabilities.pdf
- AWS SageMaker Jupyter Notebook Instance Takeover(利用XSS->CSRF->安全恶意扩展->访问Metadata->获取AWS认证token):https://blog.lightspin.io/aws-sagemaker-notebook-takeover-vulnerability
- CVE-2020-8897 SSRF Vulnerability in AWS KMS and Encryption SDK:https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf
- AWS: In-band key negotiation issue in the AWS S3 Crypto SDK for golang:https://github.com/google/security-research/security/advisories/GHSA-7f33-f4f5-xwgw
GCP
- 利用GCP CloudBuild服务的Service Account账号的token(metatdata API中获取)实现IAM的提权,即利用云服务的默认过多的IAM权限实现IAM的低权限提升:https://rhinosecuritylabs.com/gcp/iam-privilege-escalation-gcp-cloudbuild/
- 利用GCP的各种服务特性实现IAM权限提升,即间接提权方式:https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation
- 利用k8s TLS Bootstapping机制进行提权:https://rhinosecuritylabs.com/cloud-security/kubelet-tls-bootstrap-privilege-escalation/
- GCP VM takeover via DHCP PRNG:https://github.com/irsl/gcp-dhcp-takeover-code-exec
- Privilege Escalation in Google Cloud Platform’s OS Login:https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-tech-notes/-/tree/master/oslogin-privesc-june-2020
Azure
- GoldenSAML攻击主要针对联邦认证机制中使用的SAML Response的伪造:https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps
- Azure Container Instances (ACI)服务跨账号容器接管:https://unit42.paloaltonetworks.com/azure-container-instances/
- Azure Sphere漏洞(代码执行、拒绝服务、信息泄漏、权限提升等):https://blog.talosintelligence.com/2020/10/Azure-Sphere-Challenge.html
- Azure Sphere内核利用:https://blog.talosintelligence.com/2021/11/an-azure-sphere-kernel-exploit-or-how-i.html
- Azure NotLegit:https://blog.wiz.io/azure-app-service-source-code-leak/
- Azure ChaosDB:https://blog.wiz.io/chaosdb-explained-azures-cosmos-db-vulnerability-walkthrough/
- Azure OMIGOD – Azure OMI Management Interface Authentication Bypass (CVE-2021-38647):https://blog.wiz.io/update-everything-you-need-to-know-about-omigod-from-the-team-that-discovered-it/
- Azure AAD:https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-cloud-vulnerability-credmanifest/
- Azure AAD:https://msrc-blog.microsoft.com/2021/11/17/guidance-for-azure-active-directory-ad-keycredential-property-information-disclosure-in-application-and-service-principal-apis/
- Azure Stack:https://research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-i/
- Azure Stack:https://research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-ii/
- Azure Office365 Exchange Online:https://portswigger.net/daily-swig/critical-zero-day-rce-in-microsoft-office-365-awaits-third-security-patch
小结
目前云上攻击的主要思路集中在以下几个层面:
- 突破网络隔离:传统的网络隔离边界(防火墙、路由器、交换机、VPN)、VPC(peering、endpoint、traffic mirror)、云专线(混合云、多云网络)、安全组等;
- 突破资源隔离:虚拟机逃逸、容器逃逸、物理机CPU/芯片侧信道攻击等;
- 突破权限隔离:IAM账号(AWS Landing Zone)、IAM策略(ABAC)、委托代理、联邦认证(AWS STS security tokens、SAML)等;
- 突破架构隔离:物理多租(单租户独享)、逻辑多租(多租户共享)等。
参考
- Cloud Service Provider security mistakes:https://github.com/SummitRoute/csp_security_mistakes
