Terraform Unleashed: Crafting Custom Provider Exploits for Ultimate Control
Who Are We?

Rupali Dash brings over 8 years of cybersecurity experience, specializing in penetration testing and red teaming. Currently a Lead Security Architect at Axl.net Security, she oversees cloud security and penetration testing engagements. Her credentials include notable certifications like OSCP, OSWE, AWS Security Specialist, and GCPN. She has presented at prominent conferences like Black Hat Asia, DevSecCon, and CoCon.

Alex Foley is a broadly experienced security professional with over 25 years of experience in IT and cybersecurity. He is the founder and CEO of Axl.net Security. He has operated and continues to operate as the vCISO of multiple startup companies with the support of the team from Axl.net Security. Throughout his career, he's had the opportunity to wear many hats and do "all the things" within product development, operations, and security. This broad experience has enabled Alex to bring this depth of understanding to the CISO roles. Alex's skill set focuses on blue team operations, which complements Rupali's expertise in red team activities.
Who Does The Talk Cater To

► Pen testers and red teamers who will be testing a cloud infrastructure.
► Security architects managing the security posture of the cloud infrastructure.
Terraform Enterprise Deployment Architecture
Terraform Workflow
► To provision this code, the user first logs in to Terraform Enterprise (TFE) and provides the AWS credentials of the account in which the resources will be provisioned.
► On terraform init, TFE spins up a worker container in the TFE AWS account and downloads the providers specified in the provider block.
► During terraform plan, the Terraform API zips the IaC code and the provided authentication credentials along with the Terraform binary and stores them on the worker container.
► It also takes a state lock in DynamoDB for that specific workspace, so that no two TFE plans can run simultaneously for the same workspace, and queues the job.
► It also downloads the Sentinel policies associated with the workspace onto the worker container.
► During the plan, once the Sentinel policies have been validated against the plan output, Terraform generates a new set of credentials from the AWS credentials provided in the Terraform file; these are used to provision the resources in the client's AWS account.
► Once the apply is complete, the worker container stores the generated Terraform state file in the S3 bucket and the container is destroyed.
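The init step above is where a provider binary enters the worker, and the control Terraform attaches to that step is the hash recorded in `.terraform.lock.hcl`. The Go program below is an added example, not material from the talk or from HashiCorp, that reproduces the check outside Terraform so it can run as a pipeline gate over archives staged for a worker: it parses the `zh:` entries from a lock file, hashes a downloaded archive, and refuses both a mismatched archive and a provider that has no recorded hash at all. The lock-file text and the archive bytes are constructed inline; `registry.terraform.io/hashicorp/aws` is a real provider address used only as a label, and `registry.terraform.io/example/unpinned` is made up.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

// zhHash computes Terraform's "zh:" lock-file hash for a provider package:
// the hex SHA-256 of the downloaded zip archive, prefixed with "zh:".
// (The newer "h1:" scheme hashes the unpacked directory and is not covered here.)
func zhHash(zipBytes []byte) string {
	sum := sha256.Sum256(zipBytes)
	return "zh:" + hex.EncodeToString(sum[:])
}

// One provider "..." { ... } block of .terraform.lock.hcl, and the zh: entries inside it.
var (
	providerBlockRe = regexp.MustCompile(`(?s)provider\s+"([^"]+)"\s*\{(.*?)\n\}`)
	zhEntryRe       = regexp.MustCompile(`"(zh:[0-9a-f]{64})"`)
)

// parseLockHashes maps provider source address -> zh: hashes recorded for it.
func parseLockHashes(lock string) map[string][]string {
	hashes := map[string][]string{}
	for _, block := range providerBlockRe.FindAllStringSubmatch(lock, -1) {
		addr, body := block[1], block[2]
		for _, entry := range zhEntryRe.FindAllStringSubmatch(body, -1) {
			hashes[addr] = append(hashes[addr], entry[1])
		}
	}
	return hashes
}

// verifyProviderZip accepts the archive only if its zh: hash is one the lock
// file recorded for addr. A provider with no recorded hash is rejected rather
// than trusted by default.
func verifyProviderZip(lock, addr string, zipBytes []byte) (bool, error) {
	recorded := parseLockHashes(lock)[addr]
	if len(recorded) == 0 {
		return false, fmt.Errorf("%s: no zh: hash recorded in lock file; refusing unpinned provider", addr)
	}
	got := zhHash(zipBytes)
	for _, h := range recorded {
		if h == got {
			return true, nil
		}
	}
	return false, fmt.Errorf("%s: archive hash %s does not match lock file", addr, got)
}

// constructedLock builds a minimal .terraform.lock.hcl document that pins one
// provider to the given archive bytes. Constructed for this example only.
func constructedLock(addr string, zipBytes []byte) string {
	return fmt.Sprintf("provider %q {\n  version = \"5.0.0\"\n  hashes = [\n    %q,\n  ]\n}\n",
		addr, zhHash(zipBytes))
}

func main() {
	const addr = "registry.terraform.io/hashicorp/aws"
	// Stand-in bytes for the provider zip a worker would download during init.
	trusted := []byte("constructed: bytes of the provider archive recorded at lock time")
	lock := constructedLock(addr, trusted)

	for _, c := range []struct {
		name string
		zip  []byte
	}{
		{"archive matching the lock file", trusted},
		{"archive swapped on the mirror", []byte("constructed: different archive bytes")},
	} {
		ok, err := verifyProviderZip(lock, addr, c.zip)
		fmt.Printf("%-32s ok=%v err=%v\n", c.name, ok, err)
	}
	// A provider that never made it into the lock file is rejected too.
	_, err := verifyProviderZip(lock, "registry.terraform.io/example/unpinned", trusted)
	fmt.Println("unpinned provider:", err)
}
```

terraform init performs this comparison itself; doing it again in a gate covers archives staged on a private mirror for the worker before any plan is queued, and gives a readable failure reason. `terraform providers lock` populates hashes for additional platforms, and the `h1:` directory-hash scheme is not handled here.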
Terraform Provider

► A Terraform provider is a binary written in Go that interacts with the Terraform binary over RPC and enables interaction with the provider's API. This includes cloud providers and software-as-a-service providers. The providers are specified in the Terraform configuration code; they tell Terraform which services it needs to interact with.
Key Risk

Provider binaries are executables that are downloaded into the ephemeral container during terraform init. A Terraform provider runs with the highest privilege on the worker container and hence has access to the entire mounted file system as well as the AWS STS credentials. The TFE worker container needs read access to the S3 bucket and the RDS instance where the TFE state file is stored as part of the application.

In a scenario where multiple providers are invoked for a specific Terraform plan, both providers have access to the TFE environment variables and the host file system.
Attack-1: Custom provider with filesystem access to gain access to the host file system

● In Go, importing the os/exec and syscall packages lets the provider binary interact with the host file system.
● Create a data source that reads an environment variable and register this new data source in your provider.go file.
● Use the "go build" command to build the provider.
Exploit (System File Read)

Create a Terraform configuration file that uses the new data source to read the /etc/passwd file on the host.
Attack-2: Custom provider with code execution feature

terraform-provider-cmdexec is a custom-built provider that provides command execution capability through Terraform configuration. Below is an example of the main.tf file used to leverage the provider to execute the command.
https://github.com/rung/terraform-provider-cmdexec
https://alex.kaskaso.li/post/terraform-plan-rce
► Execute commands on the Terraform container.
► Provision highly privileged roles/resources by bypassing Sentinel policies to gain persistence.
► Exfiltrate vaulted secrets from the TFE container.
► Manipulate state files, resulting in the deletion of resources in existing cloud accounts.
► Gain access to PII data in production accounts.
► Supply chain threats to organizations using the malicious providers.
Why the Terraform Provider and not the Provisioners?

► Terraform provisioners have local-exec and remote-exec capability, which can execute commands on the TFE infrastructure as part of terraform apply.
► Terraform provisioners are called only after a successful plan and prior to the Terraform apply. Hence a Sentinel policy can be used to block those attacks.
► The Terraform provider block executes during terraform plan, and hence it cannot be blocked or restricted through Sentinel.
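Because a provider block runs at plan time, before Sentinel sees anything, the control that remains is a check on the configuration before the plan is queued. The Go program below is an added example of such a pre-plan gate, not something from the talk or from Terraform itself: it extracts `required_providers` entries, expands each `source` to host, namespace and type, and reports providers from registry hosts or namespaces outside an allowlist as well as providers with no version constraint. The policy values, the provider addresses in the sample configuration (`thirdparty-example/cmdexec`, `registry.example.invalid/platform/internal`) and the regex-based parsing are all assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// providerPolicy is a hypothetical allowlist for this example: registry hosts
// and namespaces a workspace may pull providers from, and whether every
// provider must carry a version constraint.
type providerPolicy struct {
	allowedHosts      map[string]bool
	allowedNamespaces map[string]bool
	requireVersion    bool
}

type providerReq struct{ localName, source, version string }

var (
	requiredProvidersRe = regexp.MustCompile(`required_providers\s*\{((?:[^{}]|\{[^{}]*\})*)\}`)
	entryRe             = regexp.MustCompile(`(\w+)\s*=\s*\{([^}]*)\}`)
	sourceRe            = regexp.MustCompile(`source\s*=\s*"([^"]+)"`)
	versionRe           = regexp.MustCompile(`version\s*=\s*"([^"]+)"`)
)

// parseRequiredProviders pulls every entry out of required_providers blocks.
// Regexes are enough for this illustration; production code should use an HCL parser.
func parseRequiredProviders(cfg string) []providerReq {
	var reqs []providerReq
	for _, blk := range requiredProvidersRe.FindAllStringSubmatch(cfg, -1) {
		for _, e := range entryRe.FindAllStringSubmatch(blk[1], -1) {
			r := providerReq{localName: e[1]}
			if m := sourceRe.FindStringSubmatch(e[2]); m != nil {
				r.source = m[1]
			}
			if m := versionRe.FindStringSubmatch(e[2]); m != nil {
				r.version = m[1]
			}
			reqs = append(reqs, r)
		}
	}
	return reqs
}

// splitSource expands a provider source address to host, namespace and type;
// a two-part address such as "hashicorp/aws" implies registry.terraform.io.
func splitSource(src string) (host, namespace, typ string) {
	parts := strings.Split(src, "/")
	switch len(parts) {
	case 2:
		return "registry.terraform.io", parts[0], parts[1]
	case 3:
		return parts[0], parts[1], parts[2]
	}
	return "", "", src
}

// checkProviders returns one finding per policy violation, in configuration order.
func checkProviders(cfg string, pol providerPolicy) []string {
	var findings []string
	for _, r := range parseRequiredProviders(cfg) {
		host, ns, _ := splitSource(r.source)
		switch {
		case !pol.allowedHosts[host]:
			findings = append(findings, fmt.Sprintf("%s: registry host %q not allowed", r.localName, host))
		case !pol.allowedNamespaces[ns]:
			findings = append(findings, fmt.Sprintf("%s: namespace %q not allowed", r.localName, ns))
		}
		if pol.requireVersion && r.version == "" {
			findings = append(findings, fmt.Sprintf("%s: no version constraint, provider is unpinned", r.localName))
		}
	}
	return findings
}

// constructedConfig is sample Terraform code written for this example; the
// non-HashiCorp provider addresses in it are made up.
const constructedConfig = `
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    cmdexec = {
      source = "thirdparty-example/cmdexec"
    }
    internal = {
      source  = "registry.example.invalid/platform/internal"
      version = "1.2.0"
    }
  }
}
`

func defaultPolicy() providerPolicy {
	return providerPolicy{
		allowedHosts:      map[string]bool{"registry.terraform.io": true},
		allowedNamespaces: map[string]bool{"hashicorp": true},
		requireVersion:    true,
	}
}

func main() {
	for _, f := range checkProviders(constructedConfig, defaultPolicy()) {
		fmt.Println("FINDING:", f)
	}
}
```

Terraform's own lever for the same goal is the `provider_installation` block in the CLI configuration, which can route every provider download through a `filesystem_mirror` or `network_mirror` and exclude `direct` registry access for chosen addresses; the check above complements it by failing the pull request or workspace run early, with a reason a reviewer can read.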
Provider Security Risks

► 1: Malevolence of the binary: ensure that the provider binary doesn't contain any malware, packers or custom exploits.
► 2: Impact on the TFE infrastructure: this provides insight into the different functionalities and access level of the provider in the TFE infrastructure.
► 3: Outbound network communication: this provides insight into the different endpoints/APIs embedded in the binary.
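Points 2 and 3 above can be partly automated before a provider binary is installed on a worker. The Go program below is an added example, not code from the talk, that runs a strings(1)-style scan over a binary: it lists every embedded URL (point 3), flags hosts outside an expected set, and reports indicator strings such as `os/exec` or `/etc/passwd` that bear on point 2. The indicator list, the expected-host set and the sample bytes standing in for a binary are all constructed for this example; point 1, malware scanning, is left to a dedicated scanner.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// extractStrings mimics strings(1): runs of printable ASCII of at least minLen bytes.
func extractStrings(data []byte, minLen int) []string {
	var out []string
	start := -1
	for i, b := range data {
		printable := b >= 0x20 && b <= 0x7e
		switch {
		case printable && start < 0:
			start = i
		case !printable && start >= 0:
			if i-start >= minLen {
				out = append(out, string(data[start:i]))
			}
			start = -1
		}
	}
	if start >= 0 && len(data)-start >= minLen {
		out = append(out, string(data[start:]))
	}
	return out
}

// Strings a reviewer would want explained before trusting a provider binary.
// A starting list for this example, not an exhaustive signature set.
var indicators = []struct{ needle, reason string }{
	{"os/exec", "spawns processes (Go package os/exec linked in)"},
	{"/etc/passwd", "references the host account database"},
	{"/etc/shadow", "references host password hashes"},
	{"AWS_SECRET_ACCESS_KEY", "reads long-lived AWS credentials from the environment"},
	{"/var/run/docker.sock", "references the Docker control socket"},
}

var urlRe = regexp.MustCompile(`https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s"'<>]*)?`)

type triageReport struct {
	allURLs        []string // every URL-looking string found in the binary
	unexpectedURLs []string // URLs whose host is not in the expected set
	indicators     []string // "needle: reason" for each indicator that matched
}

// triageBinary scans raw binary bytes for embedded endpoints (outbound
// communication), hosts outside the expected set, and indicator strings that
// suggest host, file or credential access.
func triageBinary(data []byte, expectedHosts map[string]bool) triageReport {
	var rep triageReport
	seen := map[string]bool{}
	for _, s := range extractStrings(data, 6) {
		for _, u := range urlRe.FindAllString(s, -1) {
			rep.allURLs = append(rep.allURLs, u)
			if parsed, err := url.Parse(u); err == nil && !expectedHosts[parsed.Hostname()] {
				rep.unexpectedURLs = append(rep.unexpectedURLs, u)
			}
		}
		for _, ind := range indicators {
			if strings.Contains(s, ind.needle) && !seen[ind.needle] {
				seen[ind.needle] = true
				rep.indicators = append(rep.indicators, ind.needle+": "+ind.reason)
			}
		}
	}
	return rep
}

// constructedSample stands in for a provider binary: an ELF-like header, a few
// ordinary Go dependency strings, and strings that should prompt questions.
func constructedSample() []byte {
	parts := []string{
		"\x7fELF\x02\x01\x01\x00\x00\x00",
		"net/http\x00",
		"google.golang.org/grpc\x00",
		"https://registry.terraform.io/v1/providers\x00\x01\x02",
		"os/exec\x00",
		"https://telemetry.example.invalid/collect\x00",
		"/etc/passwd\x00",
		"AWS_SECRET_ACCESS_KEY\x00",
	}
	return []byte(strings.Join(parts, ""))
}

func main() {
	rep := triageBinary(constructedSample(), map[string]bool{"registry.terraform.io": true})
	fmt.Println("embedded URLs:   ", rep.allURLs)
	fmt.Println("unexpected hosts:", rep.unexpectedURLs)
	for _, ind := range rep.indicators {
		fmt.Println("indicator:", ind)
	}
}
```

Go binaries keep import paths in their symbol and pclntab data, so a string such as `os/exec` surviving in a stripped provider is a reliable hint that the package is linked in; obfuscated or packed binaries defeat this scan, which is exactly where point 1 applies. `go version -m` on the binary lists its module dependencies and is a useful companion check.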
Conclusions
● Provider Attack Types
○ Third Party Providers
○ Insider Threat
● Defense
○ Updated Training
○ Updated Detection Technology
○ Updated Processes
Questions?
►rdash@axl.net
►afoley@axl.net
Ad

More Related Content

Similar to Terraform Unleashed - Crafting Custom Provider Exploits for Ultimate Control (20)

Introduction to Terraspace Presentation.
Introduction to Terraspace Presentation.Introduction to Terraspace Presentation.
Introduction to Terraspace Presentation.
Knoldus Inc.
 
Introduction to Terra space Presentation
Introduction to Terra space PresentationIntroduction to Terra space Presentation
Introduction to Terra space Presentation
Knoldus Inc.
 
Terraform Automation in Azure Online Training Institute in Hyderabad.pptx
Terraform Automation in Azure Online Training Institute in Hyderabad.pptxTerraform Automation in Azure Online Training Institute in Hyderabad.pptx
Terraform Automation in Azure Online Training Institute in Hyderabad.pptx
sivavisualpath
 
Terraform day 1
Terraform day 1Terraform day 1
Terraform day 1
Kalkey
 
Building infrastructure as code using Terraform - DevOps Krakow
Building infrastructure as code using Terraform - DevOps KrakowBuilding infrastructure as code using Terraform - DevOps Krakow
Building infrastructure as code using Terraform - DevOps Krakow
Anton Babenko
 
Terraform with OCI
Terraform with OCITerraform with OCI
Terraform with OCI
JeSam Kim
 
Terraform - Taming Modern Clouds
Terraform  - Taming Modern CloudsTerraform  - Taming Modern Clouds
Terraform - Taming Modern Clouds
Nic Jackson
 
OracleBeer_Terraform_soe.pdf
OracleBeer_Terraform_soe.pdfOracleBeer_Terraform_soe.pdf
OracleBeer_Terraform_soe.pdf
Stefan Oehrli
 
Infrastructure as Code with Terraform
Infrastructure as Code with TerraformInfrastructure as Code with Terraform
Infrastructure as Code with Terraform
Pedro J. Molina
 
Debasihish da final.ppt
Debasihish da final.pptDebasihish da final.ppt
Debasihish da final.ppt
Kalkey
 
presentation @ docker meetup
presentation @ docker meetuppresentation @ docker meetup
presentation @ docker meetup
Daniël van Gils
 
Hashicorp-Certified-Terraform-Associate_V1
Hashicorp-Certified-Terraform-Associate_V1Hashicorp-Certified-Terraform-Associate_V1
Hashicorp-Certified-Terraform-Associate_V1
kodecloud86
 
Final terraform
Final terraformFinal terraform
Final terraform
Gourav Varma
 
Terraform Basics
Terraform BasicsTerraform Basics
Terraform Basics
Mohammed Fazuluddin
 
Infrastructure as Code with Terraform.pptx
Infrastructure as Code with Terraform.pptxInfrastructure as Code with Terraform.pptx
Infrastructure as Code with Terraform.pptx
Samuel862293
 
What are the Benefits of Using Terraform?
What are the Benefits of Using Terraform?What are the Benefits of Using Terraform?
What are the Benefits of Using Terraform?
Ravendra Singh
 
Deploy resources on Azure using IaC (Azure Terraform)
Deploy  resources on Azure using IaC (Azure Terraform)Deploy  resources on Azure using IaC (Azure Terraform)
Deploy resources on Azure using IaC (Azure Terraform)
George Grammatikos
 
Infrastructure as code, using Terraform
Infrastructure as code, using TerraformInfrastructure as code, using Terraform
Infrastructure as code, using Terraform
Harkamal Singh
 
Instant download Terraform in Depth (MEAP V01) Robert Hafner pdf all chapter
Instant download Terraform in Depth (MEAP V01) Robert Hafner pdf all chapterInstant download Terraform in Depth (MEAP V01) Robert Hafner pdf all chapter
Instant download Terraform in Depth (MEAP V01) Robert Hafner pdf all chapter
akceyohros
 
Devops Columbia October 2020 - Gabriel Alix: A Discussion on Terraform
Devops Columbia October 2020 - Gabriel Alix: A Discussion on TerraformDevops Columbia October 2020 - Gabriel Alix: A Discussion on Terraform
Devops Columbia October 2020 - Gabriel Alix: A Discussion on Terraform
Drew Malone
 
Introduction to Terraspace Presentation.
Introduction to Terraspace Presentation.Introduction to Terraspace Presentation.
Introduction to Terraspace Presentation.
Knoldus Inc.
 
Introduction to Terra space Presentation
Introduction to Terra space PresentationIntroduction to Terra space Presentation
Introduction to Terra space Presentation
Knoldus Inc.
 
Terraform Automation in Azure Online Training Institute in Hyderabad.pptx
Terraform Automation in Azure Online Training Institute in Hyderabad.pptxTerraform Automation in Azure Online Training Institute in Hyderabad.pptx
Terraform Automation in Azure Online Training Institute in Hyderabad.pptx
sivavisualpath
 
Terraform day 1
Terraform day 1Terraform day 1
Terraform day 1
Kalkey
 
Building infrastructure as code using Terraform - DevOps Krakow
Building infrastructure as code using Terraform - DevOps KrakowBuilding infrastructure as code using Terraform - DevOps Krakow
Building infrastructure as code using Terraform - DevOps Krakow
Anton Babenko
 
Terraform with OCI
Terraform with OCITerraform with OCI
Terraform with OCI
JeSam Kim
 
Terraform - Taming Modern Clouds
Terraform  - Taming Modern CloudsTerraform  - Taming Modern Clouds
Terraform - Taming Modern Clouds
Nic Jackson
 
OracleBeer_Terraform_soe.pdf
OracleBeer_Terraform_soe.pdfOracleBeer_Terraform_soe.pdf
OracleBeer_Terraform_soe.pdf
Stefan Oehrli
 
Infrastructure as Code with Terraform
Infrastructure as Code with TerraformInfrastructure as Code with Terraform
Infrastructure as Code with Terraform
Pedro J. Molina
 
Debasihish da final.ppt
Debasihish da final.pptDebasihish da final.ppt
Debasihish da final.ppt
Kalkey
 
presentation @ docker meetup
presentation @ docker meetuppresentation @ docker meetup
presentation @ docker meetup
Daniël van Gils
 
Hashicorp-Certified-Terraform-Associate_V1
Hashicorp-Certified-Terraform-Associate_V1Hashicorp-Certified-Terraform-Associate_V1
Hashicorp-Certified-Terraform-Associate_V1
kodecloud86
 
Infrastructure as Code with Terraform.pptx
Infrastructure as Code with Terraform.pptxInfrastructure as Code with Terraform.pptx
Infrastructure as Code with Terraform.pptx
Samuel862293
 
What are the Benefits of Using Terraform?
What are the Benefits of Using Terraform?What are the Benefits of Using Terraform?
What are the Benefits of Using Terraform?
Ravendra Singh
 
Deploy resources on Azure using IaC (Azure Terraform)
Deploy  resources on Azure using IaC (Azure Terraform)Deploy  resources on Azure using IaC (Azure Terraform)
Deploy resources on Azure using IaC (Azure Terraform)
George Grammatikos
 
Infrastructure as code, using Terraform
Infrastructure as code, using TerraformInfrastructure as code, using Terraform
Infrastructure as code, using Terraform
Harkamal Singh
 
Instant download Terraform in Depth (MEAP V01) Robert Hafner pdf all chapter
Instant download Terraform in Depth (MEAP V01) Robert Hafner pdf all chapterInstant download Terraform in Depth (MEAP V01) Robert Hafner pdf all chapter
Instant download Terraform in Depth (MEAP V01) Robert Hafner pdf all chapter
akceyohros
 
Devops Columbia October 2020 - Gabriel Alix: A Discussion on Terraform
Devops Columbia October 2020 - Gabriel Alix: A Discussion on TerraformDevops Columbia October 2020 - Gabriel Alix: A Discussion on Terraform
Devops Columbia October 2020 - Gabriel Alix: A Discussion on Terraform
Drew Malone
 

More from Cloud Village (18)

Unexpected Leaks in AWS Transit Gateways
Unexpected Leaks in AWS Transit GatewaysUnexpected Leaks in AWS Transit Gateways
Unexpected Leaks in AWS Transit Gateways
Cloud Village
 
The Rise of the Planet of the Agents: LLM-based AI Agents and Cloud Security ...
The Rise of the Planet of the Agents: LLM-based AI Agents and Cloud Security ...The Rise of the Planet of the Agents: LLM-based AI Agents and Cloud Security ...
The Rise of the Planet of the Agents: LLM-based AI Agents and Cloud Security ...
Cloud Village
 
Creating Azure Policy Compliant Backdoor
Creating Azure Policy Compliant BackdoorCreating Azure Policy Compliant Backdoor
Creating Azure Policy Compliant Backdoor
Cloud Village
 
Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities f...
Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities f...Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities f...
Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities f...
Cloud Village
 
Cloud Tripwires: fighting stealth with stealth
Cloud Tripwires: fighting stealth with stealthCloud Tripwires: fighting stealth with stealth
Cloud Tripwires: fighting stealth with stealth
Cloud Village
 
Connecting the Dots - Mastering Alert Correlation for Proactive Defense in th...
Connecting the Dots - Mastering Alert Correlation for Proactive Defense in th...Connecting the Dots - Mastering Alert Correlation for Proactive Defense in th...
Connecting the Dots - Mastering Alert Correlation for Proactive Defense in th...
Cloud Village
 
Runtime Reachability: Prioritizing Vulnerabilities with eBPF & Continuous Pro...
Runtime Reachability: Prioritizing Vulnerabilities with eBPF & Continuous Pro...Runtime Reachability: Prioritizing Vulnerabilities with eBPF & Continuous Pro...
Runtime Reachability: Prioritizing Vulnerabilities with eBPF & Continuous Pro...
Cloud Village
 
Revealing Choke Points - Practical Tactics for Boosting Cloud Security
Revealing Choke Points - Practical Tactics for Boosting Cloud SecurityRevealing Choke Points - Practical Tactics for Boosting Cloud Security
Revealing Choke Points - Practical Tactics for Boosting Cloud Security
Cloud Village
 
Finding Holes in Conditional Access Policies
Finding Holes in Conditional Access PoliciesFinding Holes in Conditional Access Policies
Finding Holes in Conditional Access Policies
Cloud Village
 
One Click, Six Services - Abusing The Dangerous Multi-service Orchestration P...
One Click, Six Services - Abusing The Dangerous Multi-service Orchestration P...One Click, Six Services - Abusing The Dangerous Multi-service Orchestration P...
One Click, Six Services - Abusing The Dangerous Multi-service Orchestration P...
Cloud Village
 
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
Cloud Village
 
DC 32: Epyon - Attacking DevOps environments
DC 32: Epyon - Attacking DevOps environmentsDC 32: Epyon - Attacking DevOps environments
DC 32: Epyon - Attacking DevOps environments
Cloud Village
 
Exploit K8S via Misconfiguration .YAML in CSP environments
Exploit K8S via Misconfiguration .YAML in CSP environmentsExploit K8S via Misconfiguration .YAML in CSP environments
Exploit K8S via Misconfiguration .YAML in CSP environments
Cloud Village
 
Cloud Offensive Breach and Risk Assessment (COBRA)
Cloud Offensive Breach and Risk Assessment (COBRA)Cloud Offensive Breach and Risk Assessment (COBRA)
Cloud Offensive Breach and Risk Assessment (COBRA)
Cloud Village
 
One Port to Serve Them All - Google GCP Cloud Shell Abuse
One Port to Serve Them All - Google GCP Cloud Shell AbuseOne Port to Serve Them All - Google GCP Cloud Shell Abuse
One Port to Serve Them All - Google GCP Cloud Shell Abuse
Cloud Village
 
The Oracle Awakens: Demystifying Privilege Escalation in the cloud
The Oracle Awakens: Demystifying Privilege Escalation in the cloudThe Oracle Awakens: Demystifying Privilege Escalation in the cloud
The Oracle Awakens: Demystifying Privilege Escalation in the cloud
Cloud Village
 
Catch them all! Detection engineering and purple teaming in the cloud
Catch them all! Detection engineering and purple teaming in the cloudCatch them all! Detection engineering and purple teaming in the cloud
Catch them all! Detection engineering and purple teaming in the cloud
Cloud Village
 
Gone in 60 Seconds… How Azure AD/Entra ID Tenants are Compromise
Gone in 60 Seconds… How Azure AD/Entra ID Tenants are CompromiseGone in 60 Seconds… How Azure AD/Entra ID Tenants are Compromise
Gone in 60 Seconds… How Azure AD/Entra ID Tenants are Compromise
Cloud Village
 
Unexpected Leaks in AWS Transit Gateways
Unexpected Leaks in AWS Transit GatewaysUnexpected Leaks in AWS Transit Gateways
Unexpected Leaks in AWS Transit Gateways
Cloud Village
 
The Rise of the Planet of the Agents: LLM-based AI Agents and Cloud Security ...
The Rise of the Planet of the Agents: LLM-based AI Agents and Cloud Security ...The Rise of the Planet of the Agents: LLM-based AI Agents and Cloud Security ...
The Rise of the Planet of the Agents: LLM-based AI Agents and Cloud Security ...
Cloud Village
 
Creating Azure Policy Compliant Backdoor
Creating Azure Policy Compliant BackdoorCreating Azure Policy Compliant Backdoor
Creating Azure Policy Compliant Backdoor
Cloud Village
 
Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities f...
Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities f...Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities f...
Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities f...
Cloud Village
 
Cloud Tripwires: fighting stealth with stealth
Cloud Tripwires: fighting stealth with stealthCloud Tripwires: fighting stealth with stealth
Cloud Tripwires: fighting stealth with stealth
Cloud Village
 
Connecting the Dots - Mastering Alert Correlation for Proactive Defense in th...
Connecting the Dots - Mastering Alert Correlation for Proactive Defense in th...Connecting the Dots - Mastering Alert Correlation for Proactive Defense in th...
Connecting the Dots - Mastering Alert Correlation for Proactive Defense in th...
Cloud Village
 
Runtime Reachability: Prioritizing Vulnerabilities with eBPF & Continuous Pro...
Runtime Reachability: Prioritizing Vulnerabilities with eBPF & Continuous Pro...Runtime Reachability: Prioritizing Vulnerabilities with eBPF & Continuous Pro...
Runtime Reachability: Prioritizing Vulnerabilities with eBPF & Continuous Pro...
Cloud Village
 
Revealing Choke Points - Practical Tactics for Boosting Cloud Security
Revealing Choke Points - Practical Tactics for Boosting Cloud SecurityRevealing Choke Points - Practical Tactics for Boosting Cloud Security
Revealing Choke Points - Practical Tactics for Boosting Cloud Security
Cloud Village
 
Finding Holes in Conditional Access Policies
Finding Holes in Conditional Access PoliciesFinding Holes in Conditional Access Policies
Finding Holes in Conditional Access Policies
Cloud Village
 
One Click, Six Services - Abusing The Dangerous Multi-service Orchestration P...
One Click, Six Services - Abusing The Dangerous Multi-service Orchestration P...One Click, Six Services - Abusing The Dangerous Multi-service Orchestration P...
One Click, Six Services - Abusing The Dangerous Multi-service Orchestration P...
Cloud Village
 
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
Cloud Village
 
DC 32: Epyon - Attacking DevOps environments
DC 32: Epyon - Attacking DevOps environmentsDC 32: Epyon - Attacking DevOps environments
DC 32: Epyon - Attacking DevOps environments
Cloud Village
 
Exploit K8S via Misconfiguration .YAML in CSP environments
Exploit K8S via Misconfiguration .YAML in CSP environmentsExploit K8S via Misconfiguration .YAML in CSP environments
Exploit K8S via Misconfiguration .YAML in CSP environments
Cloud Village
 
Cloud Offensive Breach and Risk Assessment (COBRA)
Cloud Offensive Breach and Risk Assessment (COBRA)Cloud Offensive Breach and Risk Assessment (COBRA)
Cloud Offensive Breach and Risk Assessment (COBRA)
Cloud Village
 
One Port to Serve Them All - Google GCP Cloud Shell Abuse
One Port to Serve Them All - Google GCP Cloud Shell AbuseOne Port to Serve Them All - Google GCP Cloud Shell Abuse
One Port to Serve Them All - Google GCP Cloud Shell Abuse
Cloud Village
 
The Oracle Awakens: Demystifying Privilege Escalation in the cloud
The Oracle Awakens: Demystifying Privilege Escalation in the cloudThe Oracle Awakens: Demystifying Privilege Escalation in the cloud
The Oracle Awakens: Demystifying Privilege Escalation in the cloud
Cloud Village
 
Catch them all! Detection engineering and purple teaming in the cloud
Catch them all! Detection engineering and purple teaming in the cloudCatch them all! Detection engineering and purple teaming in the cloud
Catch them all! Detection engineering and purple teaming in the cloud
Cloud Village
 
Gone in 60 Seconds… How Azure AD/Entra ID Tenants are Compromise
Gone in 60 Seconds… How Azure AD/Entra ID Tenants are CompromiseGone in 60 Seconds… How Azure AD/Entra ID Tenants are Compromise
Gone in 60 Seconds… How Azure AD/Entra ID Tenants are Compromise
Cloud Village
 
Ad

Recently uploaded (20)

Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
How analogue intelligence complements AI
How analogue intelligence complements AIHow analogue intelligence complements AI
How analogue intelligence complements AI
Paul Rowe
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Terraform Unleashed - Crafting Custom Provider Exploits for Ultimate Control

  • 1. Terraform Unleashed: Crafting custom Provider exploits for Ultimate control
  • 2. Who Are We? Rupali Dash brings over 8 years of cybersecurity experience, specializing in penetration testing and red teaming. Currently a Lead Security Architect at Axl.net Security, she oversees cloud security and penetration testing engagements. Her credentials include notable certifications like OSCP, OSWE, AWS Security Specialist, and GCPN. She has presented at prominent conferences like Black Hat Asia, DevSecCon, and CoCon. Alex Foley is a broadly experienced security professional with over 25 years of experience in IT and cybersecurity. He is the founder and CEO of Axl.net Security. He has operated and continues to operate as the vCISO of multiple startup companies with the support of the team from Axl.net Security. Throughout his career, he's had the opportunity to wear many hats and do "all the things" within product development, operations, and security. This broad experience has enabled Alex to bring this depth of understanding to the CISO roles. Alex's skill set focuses on blue team operations, which complements Rupali's expertise in red team activities.
  • 3. Who Does The Talk Cater To: Pen testers and red teamers who will be testing a cloud infrastructure. Security architects managing the security posture of the cloud infrastructure.
  • 6. ► In order to provision this code, the user first logs in to Terraform Enterprise and provides the AWS credentials of the account used for resource provisioning. ► Upon terraform init, TFE spins up the worker container in the TFE AWS account and downloads the providers specified in the provider block. ► During terraform plan, the Terraform API zips the IaC code and the provided authentication credentials along with the terraform binary and stores them on the worker container. ► It also takes a state lock in DynamoDB for that specific workspace so that no two TFE plans can run simultaneously for the same workspace, and it queues the job. ► It also downloads the Sentinel policies associated with the workspace onto the worker container. ► During the plan, once the Sentinel policies are validated against the plan output, Terraform generates a newer set of credentials using the AWS credentials provided in the Terraform file, which are used to provision the resources in the client's AWS account. ► Once the apply is completed, the worker container stores the generated Terraform state file in the S3 bucket and the container is destroyed.
  • 7. Terraform Provider ► A Terraform provider is a binary written in Go that talks to the terraform binary over RPC and enables interaction with the provider's API. This includes cloud providers and Software-as-a-Service providers. The providers are specified in the Terraform configuration code; they tell Terraform which services it needs to interact with.
  • 8. Key Risk ► Terraform provider binaries are executables that are downloaded into the ephemeral container during terraform init. A Terraform provider runs with the highest privilege on the worker container and therefore has access to the entire mounted file system as well as the AWS STS credentials. The TFE worker container needs read access to the S3 bucket and the RDS instance where the TFE state file is stored as part of the application. In a scenario where multiple providers are invoked for a specific Terraform plan, both providers have access to the TFE environment variables and the host file system.
  • 9. Attack-1: Custom provider with file system access to gain access to the host file system ● In Go, importing the os/exec and syscall packages enables the binary to interact with the host file system. ● Create a data source that reads an environment variable and register this new data source in your provider.go file. ● Use the "go build" command to build the provider.
  • 10. Exploit (System File Read) Create a Terraform configuration file that uses the new data source to read the /etc/passwd file on the host.
  • 11. Attack-2: Custom provider with code execution feature. terraform-provider-cmdexec is a custom-built provider that provides command execution capability through Terraform configuration. Below is the example of the main.tf file used to leverage the provider to execute the command. https://github.com/rung/terraform-provider-cmdexec https://alex.kaskaso.li/post/terraform-plan-rce
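Detection angle on the Key Risk, Attack-1 and Attack-2 slides above, as an added example that is not part of the talk or of the cmdexec project: the behaviours those slides describe (a provider process spawning a child process, or reading /etc/passwd or another process's environment) are observable in the worker container's process and file-access telemetry. The Go program below applies those two rules to constructed sample events in a simplified key=value format. The event format, the sample lines and the sensitive-path list are assumptions made for illustration; the name prefix `terraform-provider-` is how Terraform names provider executables.

```go
package main

import (
	"fmt"
	"strings"
)

// Alert is one suspicious action attributed to a provider process.
type Alert struct {
	PID    string
	Comm   string
	Reason string
}

// Constructed sample of per-process events, as a container runtime or audit
// forwarder might emit them once normalised to key=value pairs. These lines
// are illustrative and were not captured from a TFE worker.
const sampleEvents = `2024-05-01T10:00:01Z pid=4301 comm=terraform event=exec child=/tmp/terraform-provider-aws_v5
2024-05-01T10:00:02Z pid=4312 comm=terraform-provider-aws_v5 event=open path=/root/.aws/credentials
2024-05-01T10:00:03Z pid=4312 comm=terraform-provider-aws_v5 event=connect dst=sts.amazonaws.com:443
2024-05-01T10:00:04Z pid=4318 comm=terraform-provider-cmdexec event=exec child=/bin/sh
2024-05-01T10:00:05Z pid=4320 comm=terraform-provider-envread event=open path=/etc/passwd
2024-05-01T10:00:06Z pid=4320 comm=terraform-provider-envread event=open path=/proc/4301/environ
2024-05-01T10:00:07Z pid=4301 comm=terraform event=open path=/workspace/main.tf`

// sensitivePaths are files a provider has no business reading. Credential
// files under the home directory are deliberately not listed, because the
// AWS provider legitimately reads them as part of its credential chain.
var sensitivePaths = []string{"/etc/passwd", "/etc/shadow", "/etc/sudoers"}

// parseFields turns the "k=v" tokens of one event line into a map.
func parseFields(line string) map[string]string {
	fields := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			fields[k] = v
		}
	}
	return fields
}

// isProviderProcess relies on Terraform's provider executable naming scheme.
func isProviderProcess(comm string) bool {
	return strings.HasPrefix(comm, "terraform-provider-")
}

// isSensitivePath matches the fixed list plus /proc/<pid>/environ, which
// exposes another process's environment (in the worker container that is
// where the injected cloud credentials live).
func isSensitivePath(path string) bool {
	for _, p := range sensitivePaths {
		if path == p {
			return true
		}
	}
	return strings.HasPrefix(path, "/proc/") && strings.HasSuffix(path, "/environ")
}

// Detect applies both rules to every event line and returns the alerts in
// input order. Only events whose comm is a provider process are considered.
func Detect(events string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(events, "\n") {
		f := parseFields(line)
		if !isProviderProcess(f["comm"]) {
			continue
		}
		switch f["event"] {
		case "exec":
			alerts = append(alerts, Alert{f["pid"], f["comm"],
				"provider spawned child process " + f["child"]})
		case "open":
			if isSensitivePath(f["path"]) {
				alerts = append(alerts, Alert{f["pid"], f["comm"],
					"provider read sensitive path " + f["path"]})
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range Detect(sampleEvents) {
		fmt.Printf("ALERT pid=%s comm=%s: %s\n", a.PID, a.Comm, a.Reason)
	}
}
```

The exec rule is intentionally broad: a provider that forks anything deserves a look, since the RPC model means a well-behaved provider talks to its API over the network and does not need a shell. Tune the sensitive-path list to what your worker image actually mounts.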
  • 12. ► Execute commands on the Terraform container. ► Provision highly privileged roles and resources by bypassing Sentinel policies to gain persistence. ► Exfiltrate vaulted secrets from the TFE container. ► Manipulate state files, resulting in deletion of resources in the existing cloud accounts. ► Gain access to PII data in production accounts. ► Supply chain threats to organizations using the malicious providers.
  • 13. Why the Terraform Provider and not the Provisioners? ► Terraform provisioners have local-exec and remote-exec capability, which can execute commands on the TFE infrastructure as part of terraform apply. ► Terraform provisioners are called only after a successful plan and prior to the Terraform apply. Hence Sentinel policies can be used to block those attacks. ► The Terraform provider block executes during terraform plan, and hence it cannot be blocked or restricted through Sentinel.
  • 14. Provider Security Risks ► 1: Malevolence of the binary: ensure that the provider binary doesn't contain any malware, packers or custom exploits. ► 2: Impact on the TFE infrastructure: gain insight into the different functionalities and the access level of the provider in the TFE infrastructure. ► 3: Outbound network communication: gain insight into the different endpoints and APIs embedded in the binary.
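Since, per the slide above, Sentinel only evaluates after the plan has already run the provider, a control that bites earlier is to vet what `terraform init` is allowed to fetch. The Go program below, an added example rather than code from the talk, parses a constructed `.terraform.lock.hcl` (the dependency lock file that terraform init writes and later verifies provider downloads against) and flags providers whose source address falls outside a vetted namespace list or that carry no recorded hashes. The lock file contents, the hash values and the allowlist are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// LockedProvider is one provider entry from .terraform.lock.hcl.
type LockedProvider struct {
	Source  string // e.g. registry.terraform.io/hashicorp/aws
	Version string
	Hashes  []string
}

// Finding describes why a locked provider should not be trusted as-is.
type Finding struct {
	Source string
	Reason string
}

// allowedPrefixes lists provider source prefixes the organisation has vetted.
// Constructed policy for this example; use the namespaces you actually review.
var allowedPrefixes = []string{"registry.terraform.io/hashicorp/"}

// sampleLock is a constructed lock file modelled on the real format. The hash
// values are placeholders, not real provider checksums.
const sampleLock = `# This file is maintained automatically by "terraform init".
provider "registry.terraform.io/hashicorp/aws" {
  version     = "5.40.0"
  constraints = "~> 5.0"
  hashes = [
    "h1:PLACEHOLDER_H1_HASH=",
    "zh:PLACEHOLDER_ZH_HASH_0",
    "zh:PLACEHOLDER_ZH_HASH_1",
  ]
}

provider "example.internal/acme/cmdexec" {
  version = "0.1.0"
  hashes = [
    "h1:PLACEHOLDER_H1_HASH_2=",
  ]
}

provider "registry.terraform.io/hashicorp/null" {
  version = "3.2.2"
}
`

// unquote strips a trailing comma and the surrounding double quotes.
func unquote(s string) string {
	s = strings.TrimSuffix(strings.TrimSpace(s), ",")
	return strings.Trim(s, `"`)
}

// ParseLock walks the file line by line; the lock format is regular enough
// that a small state machine (inside a provider block / inside hashes) suffices.
func ParseLock(content string) []LockedProvider {
	var out []LockedProvider
	cur := -1        // index into out of the provider block being read
	inHashes := false
	for _, raw := range strings.Split(content, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "provider "):
			src := strings.TrimSuffix(strings.TrimPrefix(line, "provider "), "{")
			out = append(out, LockedProvider{Source: unquote(src)})
			cur = len(out) - 1
		case cur < 0:
			continue // comments and blank lines outside any block
		case strings.HasPrefix(line, "version"):
			_, v, _ := strings.Cut(line, "=")
			out[cur].Version = unquote(v)
		case strings.HasPrefix(line, "hashes"):
			inHashes = true
		case inHashes && line == "]":
			inHashes = false
		case inHashes:
			out[cur].Hashes = append(out[cur].Hashes, unquote(line))
		case line == "}":
			cur = -1
		}
	}
	return out
}

func isAllowedSource(src string) bool {
	for _, p := range allowedPrefixes {
		if strings.HasPrefix(src, p) {
			return true
		}
	}
	return false
}

// AuditLock flags providers outside the vetted namespaces and entries with no
// hashes: terraform init checks downloads against these hashes, so an entry
// without them gives no integrity guarantee for the binary that will run.
func AuditLock(content string) []Finding {
	var findings []Finding
	for _, p := range ParseLock(content) {
		if !isAllowedSource(p.Source) {
			findings = append(findings, Finding{p.Source, "source not in vetted namespace list"})
		}
		if len(p.Hashes) == 0 {
			findings = append(findings, Finding{p.Source, "no hashes recorded; binary integrity cannot be verified"})
		}
	}
	return findings
}

func main() {
	for _, f := range AuditLock(sampleLock) {
		fmt.Printf("%s: %s\n", f.Source, f.Reason)
	}
}
```

Run this in CI against the committed lock file before any workspace is allowed to init, and fail the pipeline on findings; a provider introduced from an unvetted namespace then shows up at review time rather than at plan time, which is exactly the window the slide says Sentinel cannot cover.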
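For the third check on the slide above, outbound network communication, an added example that is not from the talk: a first pass over an untrusted provider binary is to pull out the http(s) URL strings it embeds and compare their hosts with what the provider is documented to talk to. The Go program below does this over a constructed byte blob standing in for a binary; the blob, the 203.0.113.10 address (a documentation-range IP) and the allowlist are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleBinary is a constructed stand-in for a provider executable: a few
// arbitrary bytes with embedded URL strings, the kind of thing the `strings`
// utility would surface. It is not a real provider.
var sampleBinary = []byte("\x7fELF\x02\x01\x01\x00\x00\x00" +
	"https://sts.amazonaws.com/\x00\x00\x01\x02" +
	"https://ec2.us-east-1.amazonaws.com/\x00\xff\xfe" +
	"https://registry.terraform.io/providers/hashicorp/aws\x00" +
	"http://203.0.113.10:8080/collect\x00\x00" +
	"not a url: ftp://ignored.example\x00")

// allowedHostSuffixes: hosts a vetted AWS provider is expected to reach.
// Constructed policy; derive yours from the provider's documented endpoints.
var allowedHostSuffixes = []string{".amazonaws.com", "registry.terraform.io"}

// urlPattern matches http(s) URLs made of printable URL characters; the NUL
// and high bytes around embedded strings terminate the match naturally.
var urlPattern = regexp.MustCompile(`https?://[A-Za-z0-9.-]+(?::[0-9]+)?(?:/[A-Za-z0-9./_-]*)?`)

// ExtractHosts returns the distinct hostnames of every embedded http(s) URL,
// in first-seen order.
func ExtractHosts(bin []byte) []string {
	seen := map[string]bool{}
	var hosts []string
	for _, m := range urlPattern.FindAll(bin, -1) {
		u, err := url.Parse(string(m))
		if err != nil || u.Hostname() == "" {
			continue
		}
		if !seen[u.Hostname()] {
			seen[u.Hostname()] = true
			hosts = append(hosts, u.Hostname())
		}
	}
	return hosts
}

// hostAllowed accepts an exact match on the bare domain or a dot-separated
// subdomain of an allowlisted suffix; "evil-amazonaws.com" does not match.
func hostAllowed(host string) bool {
	for _, s := range allowedHostSuffixes {
		if host == strings.TrimPrefix(s, ".") || strings.HasSuffix(host, s) {
			return true
		}
	}
	return false
}

// UnexpectedHosts lists embedded endpoints outside the allowlist. Each one is
// a question for the review, not by itself proof of malice.
func UnexpectedHosts(bin []byte) []string {
	var out []string
	for _, h := range ExtractHosts(bin) {
		if !hostAllowed(h) {
			out = append(out, h)
		}
	}
	return out
}

func main() {
	fmt.Println("embedded hosts:", ExtractHosts(sampleBinary))
	fmt.Println("outside allowlist:", UnexpectedHosts(sampleBinary))
}
```

Static string extraction only catches endpoints present in clear text; a binary that assembles or decodes its destinations at run time will pass this check, which is why the slide pairs it with the behavioural review of the provider inside the TFE infrastructure.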
  • 17. Conclusions ● Provider Attack Types ○ Third Party Providers ○ Insider Threat ● Defense ○ Updated Training ○ Updated Detection Technology ○ Updated Processes