Attacking AWS Lambda via Triggers

Introduction

Lambda is an event-driven serverless compute service that lets you build applications and run code on computing resources completely managed by AWS.

Lambda functions can be triggered by events originating from many different AWS services. A common trigger is AWS S3, where a Lambda function is invoked by an S3 event such as an object create or delete.

What are we going to cover?

This chapter covers an attack that is triggered through an AWS S3 upload and ends with access to the execution environment (and credentials) of an AWS Lambda function.

Steps to set up the Lab

There are 3 main AWS services involved in this attack scenario:

  1. AWS S3

  2. AWS Lambda

  3. AWS Simple Notification Service

The user flow for this lab begins when a user uploads a PNG image file (*.png) to a bucket. A Lambda function called bucket-write-md5-calc is invoked when an image file upload to the bucket succeeds. This function obtains a copy of the file from the bucket and computes its MD5 sum. The MD5 sum is then emailed to the email addresses that have subscribed to the SNS topic assigned as the destination of the function.

To set up the lab, open a terminal on the student machine and perform the following steps:

  1. Download the setup script by running the command - wget -q https://access-appsecco-training.s3.amazonaws.com/lambdatriggers.sh -O ~/Downloads/lambdatriggers.sh

  2. Switch to the downloads directory - cd ~/Downloads/

  3. Execute the script - bash lambdatriggers.sh

Next, create a custom SNS subscription so that you receive the emailed data. Replace the <EMAIL-ADDRESS> placeholder in the commands below:

export AWS_ACCOUNT_ID=$(aws sts get-caller-identity | jq .Arn | awk -F: '{print $5}')
aws sns subscribe --topic-arn "arn:aws:sns:us-east-1:$AWS_ACCOUNT_ID:lambdatrigger-s3write-$bapname" --protocol email --notification-endpoint <EMAIL-ADDRESS>

Confirm the subscription email you receive in your inbox to complete the lab setup.

Steps to attack

Confirming the vulnerability

  1. Navigate to https://s3.console.aws.amazon.com/s3/buckets?region=us-east-1

  2. Open the bucket that starts with resume-bucket-lambda-trigger-

  3. Use the upload button and upload bird.jpg. Notice that the MD5 sum of bird.jpg is received in your inbox.

  4. To exploit the Lambda code, upload a file whose name contains special characters that can cause command injection in a vulnerable context.

  5. Upload the image.png;id;w file (valid filename on Linux).

  6. Notice the output of the id command is now sent to your inbox.
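As an added example (not the lab's own Lambda code), the following Python sketch shows the injectable pattern the lab exploits, where the untrusted object key is spliced into a shell command, beside a hardened handler that allowlists the decoded key and hashes the bytes in-process. The event, bucket contents and function names are constructed assumptions.

```python
"""Hypothetical S3-triggered MD5 handler: injectable pattern vs. hardened one.
Added example; it is not the lab's bucket-write-md5-calc function."""
import hashlib
import re
from urllib.parse import unquote_plus

# Constructed S3 event notification carrying the lab's malicious object key.
# S3 URL-encodes keys in event records, so ';' arrives as %3B.
SAMPLE_EVENT = {
    "Records": [{
        "s3": {
            "bucket": {"name": "resume-bucket-lambda-trigger-example"},
            "object": {"key": "image.png%3Bid%3Bw"},
        }
    }]
}

# Constructed in-memory stand-in for s3.get_object(...)["Body"].read().
FAKE_BUCKET = {
    "image.png;id;w": b"\x89PNG not really an image",
    "bird.png": b"abc",  # constructed content; md5('abc') is well known
}


def object_key(event):
    """Decode the key exactly as the AWS S3 blueprint does (unquote_plus)."""
    return unquote_plus(event["Records"][0]["s3"]["object"]["key"])


def vulnerable_command(key):
    """What the injectable version effectively builds: the key lands inside a
    shell command line, so ';' terminates md5sum and the rest runs as commands.
    Shown only to make the defect visible; never hand this string to a shell."""
    return f"md5sum /tmp/{key}"


# Allowlist: path-safe characters only, must end in .png.
SAFE_KEY = re.compile(r"[A-Za-z0-9_./-]+\.png")


def hardened_handler(event, bucket=FAKE_BUCKET):
    """Validate the decoded key, then hash in-process. No shell is involved,
    so metacharacters in the key are inert even if validation were loosened."""
    key = object_key(event)
    if not SAFE_KEY.fullmatch(key) or ".." in key:
        raise ValueError(f"rejected object key: {key!r}")
    return hashlib.md5(bucket[key]).hexdigest()
```

Rejected keys should be logged with the full decoded name: an upload whose key contains shell metacharacters is itself a useful detection signal for this trigger path.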

Credential Exfiltration

  1. Make a copy of bird.jpg but with a command to print environment variables in its name. Do this using cp bird.jpg 'bird.jpg;env;w'

  2. Upload this new file to the bucket so that the Lambda function is triggered

  3. Check your email

You can configure the credentials like any other stolen credentials and perform other attacks starting with identifying what access you have and accessing other resources in AWS.
