From 5b539714aa39f5093a21b62aac475cd8086cf5d4 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Wed, 18 Dec 2024 12:57:41 +0000 Subject: [PATCH] GITBOOK-732: No subject --- pentesting-ci-cd/terraform-security.md | 118 ++++++++++++++++++++++--- 1 file changed, 106 insertions(+), 12 deletions(-) diff --git a/pentesting-ci-cd/terraform-security.md b/pentesting-ci-cd/terraform-security.md index d294608f63..5cf8b26507 100644 --- a/pentesting-ci-cd/terraform-security.md +++ b/pentesting-ci-cd/terraform-security.md @@ -15,7 +15,7 @@ Learn & practice GCP Hacking: {% endhint %} -### Basic Information +## Basic Information [From the docs:](https://developer.hashicorp.com/terraform/intro) @@ -43,7 +43,7 @@ Just install terraform in your computer. Here you have a [guide](https://learn.hashicorp.com/tutorials/terraform/install-cli) and here you have the [best way to download terraform](https://www.terraform.io/downloads). -### RCE in Terraform +## RCE in Terraform Terraform **doesn't have a platform exposing a web page or a network service** we can enumerate, therefore, the only way to compromise terraform is to **be able to add/modify terraform configuration files**. @@ -59,7 +59,7 @@ Actually, there are solutions out there that **execute terraform plan/apply auto If you are able to compromise a terraform file there are different ways you can perform RCE when someone executed `terraform plan` or `terraform apply`. -#### Terraform plan +### Terraform plan Terraform plan is the **most used command** in terraform and developers/solutions using terraform call it all the time, so the **easiest way to get RCE** is to make sure you poison a terraform config file that will execute arbitrary commands in a `terraform plan`. 
@@ -112,7 +112,7 @@ You can find the rev shell code in [https://github.com/carlospolop/terraform\_ex * In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b` -#### Terraform Apply +### Terraform Apply Terraform apply will be executed to apply all the changes, you can also abuse it to obtain RCE injecting **a malicious Terraform file with** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\ You just need to make sure some payload like the following ones ends in the `main.tf` file: @@ -135,7 +135,7 @@ resource "null_resource" "rev_shell" { Follow the **suggestions from the previous technique** the perform this attack in a **stealthier way using external references**. -### Secrets Dumps +## Secrets Dumps You can have **secret values used by terraform dumped** running `terraform apply` by adding to the terraform file something like: @@ -145,11 +145,11 @@ output "dotoken" { } ``` -### Abusing Terraform State Files +## Abusing Terraform State Files In case you have write access over terraform state files but cannot change the terraform code, [**this research**](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) gives some interesting options to take advantage of the file: -#### Deleting resources +### Deleting resources There are 2 ways to destroy resources: 
@@ -177,7 +177,7 @@ Because terraform will see that the resource shouldn't exit, it'll destroy it (f For an EC2 instance, modifying the type of the instance is enough to make terraform delete a recreate it. -#### RCE +### RCE It's also possible to [create a custom provider](https://developer.hashicorp.com/terraform/tutorials/providers-plugin-framework/providers-plugin-framework-provider) and just replace one of the providers in the terraform state file for the malicious one or add an empty resource with the malicious provider. Example from the original research: 
@@ -217,12 +217,106 @@ data "external" "example" { } ``` -### Audit Tools +## Automatic Audit Tools -* [**tfsec**](https://github.com/aquasecurity/tfsec): tfsec uses static analysis of your terraform code to spot potential misconfigurations. -* [**terascan**](https://github.com/tenable/terrascan): Terrascan is a static code analyzer for Infrastructure as Code. +### [**Snyk Infrastructure as Code (IaC)**](https://snyk.io/product/infrastructure-as-code-security/) -### References +Snyk offers a comprehensive Infrastructure as Code (IaC) scanning solution that detects vulnerabilities and misconfigurations in Terraform, CloudFormation, Kubernetes, and other IaC formats. + +* **Features:** + * Real-time scanning for security vulnerabilities and compliance issues. + * Integration with version control systems (GitHub, GitLab, Bitbucket). + * Automated fix pull requests. + * Detailed remediation advice. +* **Sign Up:** Create an account on [Snyk](https://snyk.io/). + +```bash +brew tap snyk/tap +brew install snyk +snyk auth +snyk iac test /path/to/terraform/code +``` + +### [Checkov](https://github.com/bridgecrewio/checkov) + +**Checkov** is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages. 
+ +It scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), [Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md), [Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md), [Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md), [OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md), [ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md), or [OpenTofu](https://opentofu.org/) and detects security and compliance misconfigurations using graph-based scanning. + +It performs [Software Composition Analysis (SCA) scanning](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Sca.md) which is a scan of open source packages and images for Common Vulnerabilities and Exposures (CVEs). + +```bash +pip install checkov +checkov -d /path/to/folder +``` + +### [terraform-compliance](https://github.com/terraform-compliance/cli) + +From the [**docs**](https://github.com/terraform-compliance/cli): `terraform-compliance` is a lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code. 
+ +* **compliance:** Ensure the implemented code is following security standards, your own custom standards +* **behaviour driven development:** We have BDD for nearly everything, why not for IaC ? +* **portable:** just install it from `pip` or run it via `docker`. See [Installation](https://terraform-compliance.com/pages/installation/) +* **pre-deploy:** it validates your code before it is deployed +* **easy to integrate:** it can run in your pipeline (or in git hooks) to ensure all deployments are validated. +* **segregation of duty:** you can keep your tests in a different repository where a separate team is responsible. + +{% hint style="info" %} +Unfortunately if the code is using some providers you don't have access to you won't be able to perform the `terraform plan` and run this tool. +{% endhint %} + +```bash +pip install terraform-compliance +terraform plan -out=plan.out +terraform-compliance -f /path/to/folder +``` + +### [tfsec](https://github.com/aquasecurity/tfsec) + +From the [**docs**](https://github.com/aquasecurity/tfsec): tfsec uses static analysis of your terraform code to spot potential misconfigurations. + +* ☁️ Checks for misconfigurations across all major (and some minor) cloud providers +* ⛔ Hundreds of built-in rules +* 🪆 Scans modules (local and remote) +* ➕ Evaluates HCL expressions as well as literal values +* ↪️ Evaluates Terraform functions e.g. `concat()` +* 🔗 Evaluates relationships between Terraform resources +* 🧰 Compatible with the Terraform CDK +* 🙅 Applies (and embellishes) user-defined Rego policies +* 📃 Supports multiple output formats: lovely (default), JSON, SARIF, CSV, CheckStyle, JUnit, text, Gif. 
+* 🛠️ Configurable (via CLI flags and/or config file) +* ⚡ Very fast, capable of quickly scanning huge repositories + +```bash +brew install tfsec +tfsec /path/to/folder +``` + +### [KICKS](https://github.com/Checkmarx/kics) + +Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with **KICS** by Checkmarx. + +**KICS** stands for **K**eeping **I**nfrastructure as **C**ode **S**ecure, it is open source and is a must-have for any cloud native project. + +```bash +docker run -t -v $(pwd):/path checkmarx/kics:latest scan -p /path -o "/path/" +``` + +### [Terrascan](https://github.com/tenable/terrascan) + +From the [**docs**](https://github.com/tenable/terrascan): Terrascan is a static code analyzer for Infrastructure as Code. Terrascan allows you to: + +* Seamlessly scan infrastructure as code for misconfigurations. +* Monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and enables reverting to a secure posture. +* Detect security vulnerabilities and compliance violations. +* Mitigate risks before provisioning cloud native infrastructure. +* Offers flexibility to run locally or integrate with your CI\CD. + +```bash +brew install terrascan +``` + +## References * [Atlantis Security](atlantis-security.md) * [https://alex.kaskaso.li/post/terraform-plan-rce](https://alex.kaskaso.li/post/terraform-plan-rce)
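Review bot: the `@@ -135` hunk only changes the heading level, but the context line it carries reads "the perform this attack in a **stealthier** way", which should be "to perform this attack in a stealthier way"; since this region is being touched anyway, fix the typo in the same commit so the Apply section ends on a clean sentence.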
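Review bot: the `@@ -177` hunk promotes `#### RCE` to `### RCE` but leaves two errors in the context lines above it: "the resource shouldn't exit" should be "shouldn't exist", and "make terraform delete a recreate it" should be "delete and recreate it". Both sentences describe the state-file deletion trick from the Plerion research that the new heading introduces, so they are worth correcting while the hunk is open.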
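Review bot: in the `@@ -217` hunk the terraform-compliance usage never feeds the plan it just generated into the tool: `terraform plan -out=plan.out` is followed by `terraform-compliance -f /path/to/folder`, but `-f` is the features (test) directory, not the Terraform code, and the plan file must be passed with `-p`, so the snippet should read `terraform-compliance -f /path/to/features -p plan.out`. Three further points in the same hunk: the `### [KICKS]` heading misspells the tool, which the body itself expands as KICS (Keeping Infrastructure as Code Secure), so rename the heading to `KICS`; the Terrascan block stops at `brew install terrascan` without showing a scan, unlike every other tool here, so add `terrascan scan -d /path/to/folder` (add `-i terraform` to restrict the scan to Terraform files); and the hint under terraform-compliance understates the caveat, because this page's own "Terraform plan" section explains that `terraform plan` runs arbitrary commands through `external` data sources and remote module/provider references, so generating a plan to audit untrusted code is itself the RCE vector being audited. State explicitly that the plan should only be produced in an isolated runner with no access to real cloud credentials, and that the purely static scanners listed here (Checkov, tfsec, KICS, Terrascan) are the safe first pass. A short note that tfsec's upstream README now directs users to Trivy (`trivy config`) as its successor would also keep this tool list current.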