
AWS security - NULL meet chennai

Apr 11, 2017



Vinoth Kumar
Page 1: AWS security - NULL meet chennai

AWS Security

n|u - The Open security community, Chennai Meet

Presenter : Vinoth Kumar

Date : 18/03/2017

Page 2

About Me

Application security engineer @ Freshdesk

Blogger @ http://www.tutorgeeks.net

Email @ [email protected]

https://null.co.in/profile/294-vinothpkumar

Page 3

What is AWS

Amazon Web Services (AWS) is a “secure“ cloud services platform, offering compute power, database storage, content delivery and other functionality to help businesses scale and grow.

Getting started with AWS

Create an account in AWS and start playing with their services - https://aws.amazon.com/free/

A valid credit card is required for account creation.

Page 4

AWS Services

Amazon Elastic Compute - EC2

Amazon Simple Storage Service - S3

Amazon Relational Database Service - RDS

Amazon CloudFront - CDN

Page 5

Why AWS

No need for an infrastructure capability - Cost saved

No need for more employee resources - Cost saved

Helps in obtaining industry certifications like ISO 270001, etc. with ease - Less tension :)

Page 6

Accessing AWS using the CLI

The AWS Command Line Interface is a unified tool to manage your AWS services.

pip install awscli

cd <path_to_awscli>

python setup.py install

aws configure

AWS Access Key ID: ←---------------------->

AWS Secret Access Key: ←---------------------->

Default region name [us-west-2]: us-west-2

Default output format [None]: json

https://aws.amazon.com/cli/

Page 7

AWS S3 - Internet’s hard drive is down

The AWS S3 service was down on Feb 28th. What exactly happened?

Human error - accidentally deleted 2 main servers supporting S3 operation.

The S3 outage affected other AWS services like ELB, IoT etc., which depend on S3.

Page 8

EC2 Instance IP disclosure

1. Send a GET request to example.com

2. Change the HTTP version from 1.1 to 1.0

3. Remove the Host header. ( HTTP 1.0 doesn't require a Host header. Source - The Web Application Hacker's Handbook )

4. Add a traversal attack ( GET /.. ) and forward the request.

5. Observe the IP being disclosed in the location header.

Page 9

S3 Bucket Misconfiguration

“bucketname.s3-ap-southeast-1.amazonaws.com”

Vulnerability : “Write access to any AWS Authenticated user”

Vinoth:~ aws s3 mv malicious.bat s3://bucketname

move: ./malicious.bat s3://bucketname/malicious.exe

The issue has been reported and it is fixed.

Vinoth:~ vinoth$ aws s3 mv demo.txt s3://bucketname

move failed: ./demo.txt to s3://bucketname/demo.txt An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
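The misconfiguration on this slide is an ACL grant to the predefined AuthenticatedUsers group, which covers every AWS account, not just your own. Added example, not from the talk: a function that audits an ACL in the shape boto3's get_bucket_acl returns; SAMPLE_ACL is constructed to mirror the slide, and only audit_bucket needs boto3 and credentials.

```python
"""Audit an S3 bucket ACL for grants to the AllUsers / AuthenticatedUsers groups.

Added example, not from the talk. The ACL dict has the shape returned by boto3's
get_bucket_acl; SAMPLE_ACL below is constructed to mirror the slide's finding.
"""
from typing import Dict, List

# Predefined S3 groups: a grant to either hands rights to people outside the account.
RISKY_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# Permissions that let such a grantee add or replace objects, as in the slide.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def risky_grants(acl: Dict) -> List[str]:
    """Return one finding per grant to a global group, write access rated HIGH."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants belong to specific accounts
        who = RISKY_GROUPS.get(grantee.get("URI", ""))
        if who is None:
            continue  # e.g. the LogDelivery group
        perm = grant["Permission"]
        severity = "HIGH" if perm in WRITE_PERMISSIONS else "MEDIUM"
        findings.append(f"{severity}: {perm} granted to {who}")
    return findings


def audit_bucket(bucket: str) -> List[str]:
    """Fetch the live ACL (needs AWS credentials) and audit it."""
    import boto3  # imported here so risky_grants() runs without boto3 installed
    return risky_grants(boto3.client("s3").get_bucket_acl(Bucket=bucket))


# Constructed ACL: owner keeps FULL_CONTROL, AuthenticatedUsers can WRITE.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE"},
    ],
}
```

Running risky_grants(SAMPLE_ACL) reports the WRITE grant as HIGH; a bucket whose grants are all CanonicalUser entries produces no findings.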

Page 10

S3 Bucket - Subdomain takeover

Enumerate the subdomains. It's not so difficult; just run this command - knockpy example.com

Keep an eye out for the following error messages while viewing the subdomains - “No such bucket” / “Bucket doesn't exist”

Investigate the subdomain - dig / nslookup subdomain.example.com

subdomain.example.com CNAME “bucketname.s3.amazonaws.com”

Create the above bucket in your AWS and host your subdomain takeover page.

Now “subdomain.example.com” will show your hosted page.
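The takeover works only while the CNAME target is a bucket nobody has created, so the defensive check is to find such dangling records in your own zone before anyone else does. Added example, not from the talk: it recognises S3 endpoint names in CNAME targets and classifies the endpoint's HTTP answer; NO_SUCH_BUCKET is a constructed copy of S3's error body for a missing bucket, and check_record is the only part that needs network access.

```python
"""Flag subdomains whose CNAME points at an S3 bucket that does not exist.
Added example, not from the talk: the takeover above needs a dangling
CNAME -> S3 alias, so the defence is to find such records first.
NO_SUCH_BUCKET is a constructed copy of S3's error body for a missing bucket.
"""
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Matches bucket.s3.amazonaws.com, bucket.s3-ap-southeast-1.amazonaws.com,
# bucket.s3-website-us-east-1.amazonaws.com and the dotted region forms.
S3_ALIAS = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?$"
)


def bucket_from_cname(cname: str) -> Optional[str]:
    """Return the bucket name if the CNAME target is an S3 endpoint, else None."""
    m = S3_ALIAS.match(cname.strip().lower())
    return m.group("bucket") if m else None


def classify_s3_response(status: int, body: bytes) -> str:
    """'dangling' when S3 reports NoSuchBucket, otherwise 'claimed'."""
    if status == 404:
        try:
            code = ET.fromstring(body).findtext("Code")
        except ET.ParseError:
            code = None
        if code == "NoSuchBucket":
            return "dangling"
    return "claimed"  # 403 AccessDenied etc. means some account owns the bucket


def check_record(subdomain: str, cname: str) -> Tuple[str, str]:
    """Live check (needs network): fetch the S3 endpoint the CNAME names."""
    if bucket_from_cname(cname) is None:
        return subdomain, "not-s3"
    try:
        with urllib.request.urlopen(f"http://{cname.rstrip('.')}/", timeout=10) as resp:
            return subdomain, classify_s3_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return subdomain, classify_s3_response(err.code, err.read())

# Constructed S3 error body for a bucket nobody has created.
NO_SUCH_BUCKET = (b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket'
                  b"</Code><Message>The specified bucket does not exist</Message>"
                  b"<BucketName>bucketname</BucketName></Error>")
```

Feed check_record the (subdomain, CNAME target) pairs from your zone file; a "dangling" result means the record should be deleted or the bucket re-created under your own account.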

Page 11

Asana - AWS key disclosure

Uploaded a 65000x65000 pixel image as the profile picture.

The S3 bucket couldn't accommodate the huge image.

An error message was shown along with the AWS Access and Secret key.

Bounty awarded : 500 USD

https://molico.tomahock.com/lottapixel-my-first-500-bounty-d3e678da1861#.88buoaod6

Page 12

AWS Keys Exposed

Developers mistakenly hard-code their AWS credentials in code pushed to GitHub.

https://gitleaks.com/search?q=AWS
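The cheapest place to catch this is before the commit leaves the developer's machine. Added example, not from the talk: a small pre-commit style scanner for the two credential shapes; SAMPLE_SOURCE is constructed and uses the access key / secret pair that AWS publishes in its documentation as an example, so nothing in it is a live credential.

```python
"""Scan source text for hard-coded AWS credentials before it reaches a public repo.
Added example, not from the talk, meant as a pre-commit check. SAMPLE_SOURCE is
constructed and uses the access key / secret pair AWS publishes in its docs as
an example (AKIAIOSFODNN7EXAMPLE), so nothing here is a live credential.
"""
import re
from typing import List, Tuple

# Long-term access key IDs are 20 chars starting with AKIA. Secrets are 40 chars
# of the base64 alphabet; requiring a nearby "aws ... secret" assignment keeps
# ordinary base64 blobs in the file from being reported.
ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
SECRET_KEY = re.compile(
    r"(?i)aws.{0,20}?secret.{0,20}?['\"=:\s]+([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, value) for every credential-looking match."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            hits.append((lineno, "access_key_id", m.group(1)))
        for m in SECRET_KEY.finditer(line):
            hits.append((lineno, "secret_access_key", m.group(1)))
    return hits


def redact(value: str) -> str:
    """Keep only the ends of a match so a report does not re-leak the secret."""
    return value[:4] + "..." + value[-4:]


# Constructed snippet of the kind that gets committed by mistake.
SAMPLE_SOURCE = '''
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.client("s3")
'''

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} {redact(value)}")
```

Wire scan_text over the staged diff in a pre-commit hook and fail the commit on any hit; reading the key from the environment (os.environ["AWS_SECRET_ACCESS_KEY"]) is not reported, which is the pattern to move developers to.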

Page 13

Murder in the cloud

Code Spaces - AWS root credentials were hacked.

Attacker asked for ransom - Code Spaces refused.

Attacker got pissed off and deleted the AWS account.

Code Spaces was shut down completely.

Key takeaways : Have offsite backups.

http://www.infoworld.com/article/2608076/data-center/murder-in-the-amazon-cloud.html

Page 14

Resources for Learning AWS Security

https://aws.amazon.com/blogs/security/ - Official AWS security blog.

http://flaws.cloud - CTF Challenge to learn AWS security.

https://www.slideshare.net/search/slideshow?searchfrom=header&q=AWS+Security

Page 15