AWS CloudFormation allows the provisioning of AWS resources, such as EC2 instances and S3 buckets, using templates. Since the service has the ability to do all of these things, a vulnerability in it would allow for editing inside of ALL other accounts.
Within the template parsing, the author of the post found an XML External Entity (XXE) injection vulnerability. By including an external entity in the XML file, HTTP requests can be made (SSRF) and files can be read from the file system. Using this vulnerability, the authors stole credentials from the host file system!
Once they had the credentials on the host file system, it was game over. With how much permission CloudFormation has, this could be used to escape customer boundaries and affect many running services. If this had been found in the wild by an attacker, it could have been a major security breach of many different systems.
Sadly, there are very few details on the privilege escalation technique and injection point for the XXE. There is a bunch of marketing fluff; I wish there were more technical details about this. Interesting and impactful bug but very few technical details.
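The post does not disclose the affected parser, so the following is an added example (not code from the original post or from AWS) of the general defence against the XXE class described above: refuse any DOCTYPE or entity declaration before untrusted XML reaches a tree builder. The names `parse_untrusted_xml`, `RejectedXML` and `verdict`, and both sample documents, are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class RejectedXML(ValueError):
    """Raised when untrusted XML is malformed or declares a DTD/entity."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML only after confirming it carries no DTD features."""
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise RejectedXML(f"DOCTYPE declaration not allowed: {name!r}")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise RejectedXML(f"entity declaration not allowed: {name!r}")

    def reject_external_ref(context, base, sysid, pubid):
        raise RejectedXML(f"external entity reference not allowed: {sysid!r}")

    # First pass: raw expat with handlers that abort on the first DTD
    # construct, so no entity is ever resolved (no file read, no HTTP request).
    checker = expat.ParserCreate()
    checker.StartDoctypeDeclHandler = reject_doctype
    checker.EntityDeclHandler = reject_entity
    checker.ExternalEntityRefHandler = reject_external_ref
    try:
        checker.Parse(data, True)
    except expat.ExpatError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from exc
    # Second pass: the document is DTD-free, so building the tree is safe.
    return ET.fromstring(data)


def verdict(data: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for a document."""
    try:
        parse_untrusted_xml(data)
        return "accepted"
    except RejectedXML as exc:
        return f"rejected: {exc}"


# Constructed samples: a benign template and one declaring an external entity.
BENIGN = b"<template><resource type='bucket'>logs</resource></template>"
XXE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE template [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>
<template><resource>&ext;</resource></template>"""

if __name__ == "__main__":
    print(verdict(BENIGN))
    print(verdict(XXE_SAMPLE))
```

Rejecting the DOCTYPE outright also blocks internal entity expansion, which is acceptable for formats that have no legitimate need for a DTD.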