Wednesday, 13 October 2021

latest Malware Golden Spy breakdown- financial Sector




 

Exploiting Cloud Storage Misconfiguration - S3

Overview of the misconfiguration blog.
Modern applications build on various cloud components, and an application hosted on Amazon will often use S3 buckets for its storage. In this case, a client was using S3 to store files and then emailing customers a link to access them. Once the tester received such an email link, the recon and methodology listed below were used to identify a misconfigured bucket and show how the service could be misused.
What are S3 buckets?
S3 is a storage service offered by Amazon that provides several security features which can be implemented. A few examples:
         1. IAM (Identity and Access Management): controls authentication and authorization for buckets and objects.
         2. ACLs (Access Control Lists): implement policies restricting which operations (read, write, delete) can be executed on buckets or objects.
         3. Server- and client-side encryption: encrypts the stored data.
Attacking S3:
Let's start with the attacking part and the methodology listed below. First, we need to identify URLs in the web application that come from the cloud environment. S3 buckets have a particular name format and are easy to identify, as listed below.
Format:
• bucket-name.s3.amazonaws.com
• s3.amazonaws.com/bucket-name
• bucket-name.s3-us-west-2.amazonaws.com
• s3-us-west-2.amazonaws.com/bucket-name
• bucket-name.storage.googleapis.com
• storage.googleapis.com/bucket-name
Second, applications sometimes hide their association with a cloud vendor behind a CNAME or otherwise mask their URLs. A few places to look:
•    Old and abandoned JS files.
•    Old API endpoints.
•    Abandoned CDN endpoints.
•    Abandoned subdomains.
Third, storage URLs, API keys and Firebase database references can be found in client-side JavaScript. Let's see the different methods we can use to confirm that a host is an S3 bucket.
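The first step above (spotting bucket URLs in old JavaScript files and recognising the hostname formats listed) is mechanical enough to script. The following Python scanner is an added example, not code from the original post: it scans a blob of text for URLs, matches the S3 and Google Cloud Storage formats from the list above, and extracts the bucket name and, where the hostname encodes one, the region. The sample JavaScript and every hostname in it are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Virtual-hosted style: bucket-name.s3.amazonaws.com, bucket-name.s3-us-west-2.amazonaws.com
# (the newer bucket-name.s3.us-west-2.amazonaws.com form is accepted as well).
AWS_VHOST = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com$")
# Path style: s3.amazonaws.com/bucket-name, s3-us-west-2.amazonaws.com/bucket-name
AWS_PATH = re.compile(r"^s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com$")
# Google Cloud Storage equivalents from the same list.
GCS_VHOST = re.compile(r"^(?P<bucket>[a-z0-9._-]+)\.storage\.googleapis\.com$")
GCS_PATH = re.compile(r"^storage\.googleapis\.com$")

# Rough URL matcher for scraping JavaScript source; stops at quotes and brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>()]+")


def classify_storage_url(url):
    """Return (provider, bucket, region) if url points at a cloud storage bucket, else None.
    region is None when the hostname does not encode one (legacy global endpoint or GCS)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path_parts = [p for p in parsed.path.split("/") if p]

    m = AWS_VHOST.match(host)
    if m:
        return ("aws", m.group("bucket"), m.group("region"))
    m = AWS_PATH.match(host)
    if m and path_parts:                      # bucket is the first path segment
        return ("aws", path_parts[0], m.group("region"))
    m = GCS_VHOST.match(host)
    if m:
        return ("gcs", m.group("bucket"), None)
    if GCS_PATH.match(host) and path_parts:
        return ("gcs", path_parts[0], None)
    return None


def find_storage_urls(text):
    """Scan text (e.g. an old JS file) and return every storage URL with its classification."""
    findings = []
    for url in URL_RE.findall(text):
        hit = classify_storage_url(url)
        if hit:
            findings.append((url,) + hit)
    return findings


# Constructed sample of the kind of client-side script the post describes (placeholder names).
SAMPLE_JS = """
var cdn = "https://static-assets-example.s3-us-west-2.amazonaws.com/app.js";
fetch('https://s3.amazonaws.com/example-reports/2021/q3.pdf');
const img = "https://storage.googleapis.com/example-images/logo.png";
const api = "https://api.example.com/v1/files";   // not a storage bucket
"""

if __name__ == "__main__":
    for url, provider, bucket, region in find_storage_urls(SAMPLE_JS):
        print(f"{provider:4} bucket={bucket!r:28} region={region!r:12} {url}")
```

Point it at the JavaScript you have already downloaded (for example the abandoned files from an old build) rather than fetching anything new; the output is a list of candidate buckets to confirm with the CNAME, server-header and error-message checks that follow.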


Methods:
1. CNAME
2. Server header
3. Error messages
Attack scenario:
Let's apply the methodology above to identify whether any S3 misconfiguration is present in the current application. Initial recon of the email link led to an S3 bucket URL. We then started fuzzing the bucket URL with random values to gather more information about the bucket and, because error handling was not done properly, sensitive information was exposed, including access keys and details of other bucket endpoints.

With the bucket information revealed in the error message, we found the active S3 CNAME record (bucket name) attached to the main email bucket URL using open-source tools such as DNSdumpster and MXToolbox, and ran some basic S3 commands to check whether a misconfiguration was present.
To check for S3 misconfiguration, we first need to analyze whether the bucket allows public access with restrictions or does not allow any anonymous access at all. So we created a free AWS account, configured it in the command prompt, and tested whether any AWS-authenticated user was able to issue commands against the client's bucket. In my case, I was able to run the commands listed below without any restriction, which is the misconfiguration being misused here.
Commands:
get-object-acl, put-object-acl, get-object, put-object, list-objects.
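The check described here (does the bucket grant anything to "any authenticated user"?) can be run over the ACL document itself instead of by trial and error with a throwaway account. The Python below is an added example, not the post's own tooling: it audits an ACL in the dict shape returned by get-bucket-acl / get-object-acl and flags grants to the two global groups, AllUsers (anonymous) and AuthenticatedUsers, which means any AWS account in the world, exactly the situation the free-account test in the post revealed. The sample ACL is constructed and the owner ID is a placeholder.

```python
# Grantee URIs of the two global groups; a grant to either is effectively public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
# Permissions that let the grantee change content or the ACL itself (put-object, put-*-acl).
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def audit_acl(acl):
    """Inspect an ACL document (the dict shape of the get-bucket-acl / get-object-acl
    response) and return findings as (grantee, permission, severity) tuples."""
    owner_id = acl.get("Owner", {}).get("ID")
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        permission = grant.get("Permission")
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            label = PUBLIC_GROUPS[grantee["URI"]]
            severity = "high" if permission in WRITE_PERMISSIONS else "medium"
            findings.append((label, permission, severity))
        elif grantee.get("Type") == "CanonicalUser" and grantee.get("ID") != owner_id:
            # Cross-account grants are not necessarily wrong, but list them for review.
            findings.append((f"external account {grantee.get('ID')}", permission, "info"))
    return findings


def is_world_writable(acl):
    """True when any global group can write content or rewrite the ACL, which is the
    condition that allowed the put-object / put-object-acl commands in the post."""
    return any(sev == "high" for _, _, sev in audit_acl(acl))


# Constructed sample mirroring the misconfiguration found in the post (placeholder IDs).
SAMPLE_BUCKET_ACL = {
    "Owner": {"ID": "OWNER_CANONICAL_ID_PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER_CANONICAL_ID_PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE_ACP"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for grantee, permission, severity in audit_acl(SAMPLE_BUCKET_ACL):
        print(f"[{severity:6}] {grantee}: {permission}")
    print("world-writable:", is_world_writable(SAMPLE_BUCKET_ACL))
```

For a bucket you own, `aws s3api get-bucket-acl --bucket <name>` produces JSON in this shape, so `json.load` of that output can be passed straight to `audit_acl`. WRITE on a bucket is what lets an outsider drop files, and WRITE_ACP is what lets them grant themselves or the public further rights, which is why both are rated high.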
 



After CNAME confirmation and AWS profile setup, I was able to perform both put-object and put-object-acl commands to grant public read on the test files dropped in the bucket. Next, I needed to download the S3 file from its URL, which is how a dropped shell or other malicious file would be distributed to other victims, but I was not able to download it using the bucket name + payload URL. To test further, I opened the vulnerable S3 URL to see what information it gave, and the error message showed that a particular endpoint had been implemented to access the buckets. So I tried endpoint name + bucket name + payload and was able to download the file from the crafted URL.
 


 

Some time later, during revalidation of the same issue after the patch, no extra information about the S3 endpoint was displayed in the error page. So I visited Amazon's S3 endpoints reference page and substituted each endpoint in turn, {endpoint} + bucket name + payload, and was able to download the malicious file from the portal again.
 
 





Effect:
The damage a cloud misconfiguration of this kind can cause in an organization, and the different attack vectors that become possible, are listed below.
1. An existing library can be modified to inject code, leading to XSS or RCE attacks.
2. The bucket can be used as a distribution center for malicious payloads.
3. jQuery library objects can be deleted to cause denial of service.

Mitigation:
To mitigate S3 storage leakage from the application, it's important to implement the following steps:
•    Upload files through the web only with an authorized account controlled by the AWS site admin.
•    Disable PutBucketAcl, PutObjectAcl, PutBucketPolicy, and PutBucketWebsite for any public bucket.
•    Use IAM roles and policies with conditional statements so that only company users can access buckets and objects.
•    Add the IP address range from which requests originate to the bucket policy.
•    Analyze AWS API put calls with CloudTrail and CloudWatch.
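The second and fourth mitigation points above translate directly into a bucket policy. The Python below is an added example, not configuration from the post or from AWS: it builds a policy that explicitly denies the four ACL- and policy-changing actions for every principal except one admin role, and denies all S3 actions from outside an allowed source range, and then evaluates the IP condition locally so the policy can be sanity-checked before it is applied. The bucket name, CIDR, account ID and role name are placeholders.

```python
import ipaddress
import json

# The four ACL/policy-changing actions the mitigation list says to disable for public buckets.
ACL_CHANGING_ACTIONS = [
    "s3:PutBucketAcl", "s3:PutObjectAcl", "s3:PutBucketPolicy", "s3:PutBucketWebsite",
]


def build_bucket_policy(bucket, allowed_cidrs, admin_role_arn):
    """Return a bucket policy dict that explicitly denies the ACL-changing actions for every
    principal except the admin role, and denies all S3 actions from outside allowed_cidrs."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    resources = [bucket_arn, f"{bucket_arn}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAclAndPolicyChanges",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ACL_CHANGING_ACTIONS,
                "Resource": resources,
                "Condition": {"ArnNotEquals": {"aws:PrincipalArn": admin_role_arn}},
            },
            {
                "Sid": "DenyRequestsFromOutsideAllowedRanges",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
            },
        ],
    }


def denied_actions(policy):
    """Set of actions named in the policy's Deny statements (conditions not evaluated)."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        action = stmt["Action"]
        actions.update([action] if isinstance(action, str) else action)
    return actions


def denied_by_source_ip(policy, source_ip):
    """Evaluate just the NotIpAddress/aws:SourceIp conditions: True if a request from
    source_ip is rejected by the IP restriction in any Deny statement."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        cidrs = stmt.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp")
        if stmt["Effect"] == "Deny" and cidrs:
            cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
            if not any(ip in ipaddress.ip_network(c) for c in cidrs):
                return True
    return False


if __name__ == "__main__":
    # Placeholder bucket, CIDR and account values for illustration only.
    policy = build_bucket_policy(
        "example-customer-files",
        ["203.0.113.0/24"],
        "arn:aws:iam::123456789012:role/S3Admin",
    )
    print(json.dumps(policy, indent=2))
    print("ACL actions denied:", sorted(denied_actions(policy) & set(ACL_CHANGING_ACTIONS)))
    print("office IP allowed:", not denied_by_source_ip(policy, "203.0.113.25"))
    print("outside IP denied:", denied_by_source_ip(policy, "198.51.100.7"))
```

The generated JSON can be written to a file and applied with `aws s3api put-bucket-policy --bucket <name> --policy file://policy.json`. Because the first statement denies PutBucketPolicy to everyone but the admin role, apply it from that role and confirm the role can still read and rewrite the policy; a mistake here is hard to undo. The IP statement is a blunt instrument: any request not arriving from the listed ranges, including ones from AWS services or your own CI, is refused, so list every legitimate source before turning it on.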
References:
https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/?utm_source=blog&utm_campaign=s3_buckets
https://book.hacktricks.xyz/pentesting/pentesting-web/buckets/aws-s3
https://docs.aws.amazon.com/general/latest/gr/s3.html
https://docs.aws.amazon.com/cli/latest/reference/s3/
https://docs.aws.amazon.com/cli/latest/userguide/cli-services-s3-commands.html






Friday, 12 January 2018

Azure Security Checklist

When everybody is trying to move into the cloud, people worry about security, but by following the recommended security practices one can really mitigate attacks or reduce the possible attack vectors. Here are a few security guidelines provided by Microsoft for its customers.
So let's talk about Azure security before you move your applications to the cloud.
1. To restrict users to accessing only the resources they require, apply RBAC (Role-Based Access Control).
Data Collection:
2. Management plane security ---> RBAC
3. Secure access to data ---> SAS (Shared Access Key)
4. Use HTTPS and SMB 3.0 ---> Azure file share
5. Encrypting data within the client application ---> cipher block mode with AES
6. To encrypt data automatically in Azure Storage ---> Storage Service Encryption
7. To encrypt Azure virtual machine OS and data disks ---> Azure Disk Encryption
8. To find which users have access via SAS ---> Storage Analytics
9. To access storage resources from different domains ---> Cross-Origin Resource Sharing

Security Policies:
10. Endpoint solution deployment (anti-malware) ---> Azure Security Center
11. To secure web applications ---> Web Application Firewall
12. To add extra protection ---> Next-Generation Firewall (NGFW) from a Microsoft partner
13. Update the security contact details in your Azure subscription ---> Microsoft Security Response Center (MSRC)

Identity & Access Management
14. To protect users from hackers and allow users to use only the required resources, we can use the following identity management features:
          Single Sign-On
          Registration Activity
          Multi-factor Authentication
          Azure AD Premium and Identity Protection roles

Developer Operations (DevOps)
15. Here are a few features for Azure DevOps with Visual Studio Team Services and Team Foundation Server:
 Infrastructure as Code (IaC)
 Continuous Integration and Deployment
 Release Management
 Application Performance Management
 Load Testing and Auto Scale

Azure Security Center Detection Capabilities
16. Azure has detection capabilities for threats in Azure Resource Manager and uses threat intelligence to find bad actors.
17. They have the Microsoft Digital Crimes Unit (DCU) and the Microsoft Security Response Center (MSRC).
18. They use behavioral analytics to discover malicious patterns and anomaly detection to build a historical baseline.

       

Sunday, 31 January 2016

Azure Stack for On-premise

Hello All!!!!




          Guess what, Windows Azure Stack for on-premises has been released. So, let's see what features are included in the pack.

The Technical Preview just includes the fundamental capabilities of the Azure services on-premises.

1. Developer and IT administrator experience
2. Unified application model (Azure Resource Manager)
3. Foundational services (VMs, VM extensions, virtual network, software load balancer, distributed firewall, storage (blobs and tables))
4. Application components: curated Azure Resource Manager templates and Azure-consistent VM extensions

5. Core services: subscription management (identity and quotas),
role-based access control, metering and audit.



            PaaS services and other services will be added in the coming days. Stay tuned!!




Sunday, 4 October 2015

WebHooks  for Azure Alert



                  Webhooks are mainly used for monitoring Azure resource usage. They are user-defined HTTP or HTTPS endpoints that you specify when creating or updating an alert in the Azure portal.


                 Azure Alert makes an HTTP POST to the endpoints we specify.
                 It sends the alert metadata to the endpoint.
                 The endpoint can then process the data it receives to take further action on the alert.

What makes Azure alerts so special? Let's take a few examples:


               Execute scripts using Azure Automation.
               Trigger Logic Apps.
               Build an API that receives the alert text and forwards it via Twilio, Slack or an Azure queue.
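The receiving side of this exchange (the HTTP POST, the alert metadata, the endpoint that processes it) is shown below as an added example; it is not code from the original post or from Microsoft. It is a small Python webhook receiver that checks a shared secret carried in the webhook URL, validates the JSON body in the shape of the classic Azure alert payload (status plus a context object), and only then hands the alert to a follow-up action. The token value, the URL path and the sample payload are constructed placeholders; the set of context fields it requires is an assumption about what the follow-up action needs.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed shared secret (assumption: the webhook URL registered in the alert carries it as
# ?token=...). Use a long random value in practice and keep it out of source control.
WEBHOOK_TOKEN = "replace-with-a-long-random-token"

# Fields of the classic alert payload's "context" object that the handler relies on.
REQUIRED_CONTEXT_FIELDS = ("id", "name", "resourceName", "resourceGroupName", "subscriptionId")


def token_is_valid(request_path):
    """Compare the token in the query string against the configured secret in constant time."""
    supplied = parse_qs(urlparse(request_path).query).get("token", [""])[0]
    return hmac.compare_digest(supplied, WEBHOOK_TOKEN)


def parse_alert(body):
    """Validate an alert POST body and return a normalised dict; ValueError if malformed."""
    try:
        payload = json.loads(body)
    except (ValueError, TypeError) as exc:
        raise ValueError(f"body is not JSON: {exc}")
    status = payload.get("status")
    if status not in ("Activated", "Resolved"):
        raise ValueError(f"unexpected alert status {status!r}")
    context = payload.get("context") or {}
    missing = [f for f in REQUIRED_CONTEXT_FIELDS if f not in context]
    if missing:
        raise ValueError(f"alert context missing fields: {missing}")
    return {
        "status": status,
        "alert_id": context["id"],
        "alert_name": context["name"],
        "resource": context["resourceName"],
        "resource_group": context["resourceGroupName"],
        "subscription": context["subscriptionId"],
        "properties": payload.get("properties") or {},
    }


def is_valid_alert(body):
    """Convenience wrapper: True if parse_alert accepts the body."""
    try:
        parse_alert(body)
        return True
    except ValueError:
        return False


def take_action(alert):
    """Where the follow-up the post lists would go (Automation runbook, Logic App, Slack...)."""
    print(f"[{alert['status']}] {alert['alert_name']} on {alert['resource']} "
          f"({alert['resource_group']} / {alert['subscription']})")


class AlertHandler(BaseHTTPRequestHandler):
    """Receives the POST Azure sends and hands a validated alert to take_action."""

    def do_POST(self):
        if not token_is_valid(self.path):          # unknown caller: reject before parsing
            self.send_response(403)
            self.end_headers()
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            alert = parse_alert(body)
        except ValueError as exc:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(str(exc).encode())
            return
        take_action(alert)
        self.send_response(200)
        self.end_headers()


# Constructed sample in the shape of a classic Azure metric-alert payload (placeholder values).
SAMPLE_BODY = json.dumps({
    "status": "Activated",
    "context": {
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
              "/providers/microsoft.insights/alertrules/HighCpu",
        "name": "HighCpu",
        "description": "CPU above 90% for 5 minutes",
        "conditionType": "Metric",
        "subscriptionId": "00000000-0000-0000-0000-000000000000",
        "resourceGroupName": "rg-example",
        "resourceName": "vm-web-01",
        "resourceType": "microsoft.compute/virtualmachines",
    },
    "properties": {"owner": "platform-team"},
})

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AlertHandler).serve_forever()
```

Run it and point the alert's webhook at `https://<your-host>/azure-alert?token=<the secret>`. The post says the endpoint can be HTTP or HTTPS; in practice put TLS in front of it (a reverse proxy is fine), because without it the token and the alert metadata travel in clear text, and treat the token check as the minimum: anything on the internet can POST to a webhook URL, so the handler must never run an Automation script or similar on an unauthenticated or unparsed request.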