AWS Relational Database Service (RDS) uses Amazon Aurora PostgreSQL. This is a hosted database service that is meant to be used ONLY for the database and nothing else. A user can interact with the database through the psql shell.
The author tried some really simple attacks, such as writing to or reading from a file. However, the author quickly noticed that the most privileged user is not accessible to them. As such, their current user cannot do a multitude of things considered dangerous, such as reading local files or running system commands.
Time for more recon! After diving into other parts of the setup, they noticed a default extension called log_fdw. To use this feature, a log file can be selected for both reads and writes. Unfortunately, there is validation on the file names, so it cannot be exploited right off the bat. How do these extensions work?
PostgreSQL allows access to data that resides outside of PostgreSQL using regular SQL queries. Such data is referred to as foreign data and is accessed through a foreign data wrapper, which can reach things like files. There are three fields that must be defined: handler, validator and options.
The log_fdw code has both a validator and a handler. Since the validator is not strictly necessary, it can be removed. Once this function has been removed, arbitrary files can be read on the system!
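A defender can check for this condition from inside the database. The queries below are an added example, not taken from the original write-up: they use only the standard PostgreSQL catalogs to list every foreign data wrapper whose validator is missing, along with the foreign tables whose options were therefore never checked.

```sql
-- Added example: audit foreign data wrappers for a missing validator.
-- Uses only standard PostgreSQL system catalogs; run as a role that can read them.

-- 1. Every wrapper, with wrappers lacking a validator sorted first.
--    fdwvalidator = 0 means no validator function is attached, so options
--    on its servers and foreign tables are not checked at creation time.
SELECT w.fdwname                              AS wrapper,
       pg_get_userbyid(w.fdwowner)            AS owner,
       w.fdwhandler::regproc                  AS handler,
       CASE WHEN w.fdwvalidator = 0 THEN NULL
            ELSE w.fdwvalidator::regproc END  AS validator,
       (w.fdwvalidator = 0)                   AS validator_missing,
       count(DISTINCT s.oid)                  AS servers,
       count(ft.ftrelid)                      AS foreign_tables
FROM pg_foreign_data_wrapper w
LEFT JOIN pg_foreign_server s  ON s.srvfdw    = w.oid
LEFT JOIN pg_foreign_table  ft ON ft.ftserver = s.oid
GROUP BY w.oid, w.fdwname, w.fdwowner, w.fdwhandler, w.fdwvalidator
ORDER BY validator_missing DESC, w.fdwname;

-- 2. Foreign tables that sit behind a validator-less wrapper, with the raw
--    options they were created with, so unexpected file paths can be reviewed.
SELECT ft.ftrelid::regclass        AS foreign_table,
       s.srvname                   AS server,
       w.fdwname                   AS wrapper,
       pg_get_userbyid(c.relowner) AS table_owner,
       ft.ftoptions                AS options
FROM pg_foreign_table ft
JOIN pg_class c                ON c.oid = ft.ftrelid
JOIN pg_foreign_server s       ON s.oid = ft.ftserver
JOIN pg_foreign_data_wrapper w ON w.oid = s.srvfdw
WHERE w.fdwvalidator = 0
ORDER BY w.fdwname, foreign_table;
```

Any row with validator_missing set to true for a wrapper that normally ships with a validator, such as log_fdw, is worth investigating.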
While exploring the file system, they noticed a reference to a file that had the word credentials in it, which contained an access key, secret access key and a session token. Finally, they used the STS API to get the caller identity. At this point, they realized this gave them access to the internal account, so they stopped hacking.
Overall, an awesome finding within a fairly locked-down system. Sometimes, third-party updates are the killer, even though your code is secure.