False negative - lambda:UpdateFunctionCode & lambda:UpdateFunctionConfiguration · Issue #86 · nccgroup/PMapper · GitHub

False negative - lambda:UpdateFunctionCode & lambda:UpdateFunctionConfiguration #86


Closed
sethsec opened this issue Jul 13, 2021 · 3 comments
Labels
bug Something isn't working

Comments

@sethsec
sethsec commented Jul 13, 2021

Brief Description
I can't get pmapper to trigger on EditExistingLambdaFunctionWithRole even though I have verified the exploit path manually (simulator results pasted below).

For additional context, PassExistingRoleToNewLambdaThenInvoke and PassRoleToNewLambdaThenTriggerWithNewDynamo are both detected correctly!

Side note: Pmapper is awesome! I love the recent improvements and the new detections!

IAM Action, Resource, and Condition Being Authorized & IAM Policies Attached to Principal
Here's the IAM policy attached to my caller principal:

{
    "Statement": [
        {
            "Action": [
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}

This policy is attached to the role arn:aws:iam::[ACCOUNT]:role/privesc17-EditExistingLambdaFunctionWithRole-role.

There is one lambda in the account, and that lambda has a high-privileged role attached to it:

Lambda:

aws lambda list-functions
{
    "Functions": [
        {
            "FunctionName": "test_lambda",
            "FunctionArn": "arn:aws:lambda:us-east-1:[ACCOUNT]:function:test_lambda",
            "Runtime": "nodejs12.x",
            "Role": "arn:aws:iam::[ACCOUNT]:role/privesc-high-priv-lambda-role2",
            "Handler": "index.handler",
            "CodeSize": 240,
            "Description": "",
            "Timeout": 3,
            "MemorySize": 128,
            "LastModified": "2021-07-09T01:16:27.313+0000",
            "CodeSha256": "OT2zB5ADpBxEV3dYxHs6xl0IHaO6XXwABGvncPiBct0=",
            "Version": "$LATEST",
            "TracingConfig": {
                "Mode": "PassThrough"
            },
            "RevisionId": "4fdb8ba2-08a8-422d-8f9f-2708a35eef1c",
            "PackageType": "Zip"
        }
    ]
}

Here is the policy attached to "Role": "arn:aws:iam::[ACCOUNT]:role/privesc-high-priv-lambda-role2"

{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}

Expected Behavior
This should be detected as a privesc, but it is not detected.

AWS IAM Policy Simulation Result

Simulator confirms it is allowed

aws iam simulate-principal-policy \
--policy-source-arn arn:aws:iam::[ACCOUNT]:role/privesc17-EditExistingLambdaFunctionWithRole-role \
--action-names lambda:UpdateFunctionCode \
--resource-arns arn:aws:lambda:us-east-1:[ACCOUNT]:function:test_lambda
{
    "EvaluationResults": [
        {
            "EvalActionName": "lambda:UpdateFunctionCode",
            "EvalResourceName": "arn:aws:lambda:us-east-1:[ACCOUNT]:function:test_lambda",
            "EvalDecision": "allowed",
            "MatchedStatements": [
                {
                    "SourcePolicyId": "privesc17-EditExistingLambdaFunctionWithRole",
                    "SourcePolicyType": "IAM Policy",
                    "StartPosition": {
                        "Line": 1,
                        "Column": 15
                    },
                    "EndPosition": {
                        "Line": 1,
                        "Column": 124
                    }
                }
            ],
            "MissingContextValues": [],
            "EvalDecisionDetails": {},
            "ResourceSpecificResults": [
                {
                    "EvalResourceName": "arn:aws:lambda:us-east-1:[ACCOUNT]:function:test_lambda",
                    "EvalResourceDecision": "allowed",
                    "MatchedStatements": [
                        {
                            "SourcePolicyId": "privesc17-EditExistingLambdaFunctionWithRole",
                            "SourcePolicyType": "IAM Policy",
                            "StartPosition": {
                                "Line": 1,
                                "Column": 15
                            },
                            "EndPosition": {
                                "Line": 1,
                                "Column": 124
                            }
                        }
                    ],
                    "MissingContextValues": []
                }
            ]
        }
    ]
}
@sethsec sethsec added the bug Something isn't working label Jul 13, 2021
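The check this report asks PMapper to perform, written out as an added illustrative example (this is not PMapper's code and not the reporter's): given the caller's identity policy and the `list-functions` output above, emit an edge from the caller to the execution role of every existing function whose code or configuration the caller may change, and flag the edge when that role's policy is `Action: *` on `Resource: *`. The account id is a placeholder, and the `locked_down` function and its explicit Deny statement are constructed additions that show Deny precedence; the policy evaluator is deliberately simplified (no Condition, NotAction/NotResource, resource policies, permission boundaries or SCPs).

```python
"""Audit check for the gap this issue reports: a principal allowed to change the code or
configuration of an EXISTING Lambda function effectively gains that function's execution role.
Illustrative example, not PMapper's implementation. Inputs are constructed from the JSON in
the issue with a placeholder account id; the 'locked_down' function and the Deny statement
are constructed additions to show explicit-Deny precedence."""
import re
from typing import Dict, List

ACCOUNT = "123456789012"  # placeholder; the issue redacts the real id as [ACCOUNT]

CALLER_ARN = f"arn:aws:iam::{ACCOUNT}:role/privesc17-EditExistingLambdaFunctionWithRole-role"
CALLER_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [
        # Statement as posted in the issue
        {"Action": ["lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration"],
         "Effect": "Allow", "Resource": "*"},
        # Constructed: explicit Deny on one function, which must win over the Allow above
        {"Action": "lambda:*", "Effect": "Deny",
         "Resource": f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:locked_down"},
    ],
}]

HIGH_PRIV_ROLE = f"arn:aws:iam::{ACCOUNT}:role/privesc-high-priv-lambda-role2"
FUNCTIONS = [  # trimmed `aws lambda list-functions` output from the issue, plus one constructed entry
    {"FunctionName": "test_lambda",
     "FunctionArn": f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:test_lambda",
     "Role": HIGH_PRIV_ROLE},
    {"FunctionName": "locked_down",
     "FunctionArn": f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:locked_down",
     "Role": f"arn:aws:iam::{ACCOUNT}:role/constructed-low-priv-role"},
]
ROLE_POLICIES: Dict[str, List[dict]] = {  # execution-role policies; the admin one is from the issue
    HIGH_PRIV_ROLE: [{"Version": "2012-10-17",
                      "Statement": [{"Action": "*", "Effect": "Allow", "Resource": "*"}]}],
}

EDIT_ACTIONS = ("lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration")


def _as_list(value) -> list:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _iam_match(pattern: str, value: str, case_insensitive: bool) -> bool:
    """Match an IAM wildcard pattern ('*' = any run, '?' = one char) against the whole value."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def is_action_allowed(policies: List[dict], action: str, resource_arn: str) -> bool:
    """Simplified identity-policy evaluation: any matching Deny wins, otherwise a matching Allow.
    Deliberately ignores Condition, NotAction/NotResource, resource policies, SCPs and boundaries."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            # Action names compare case-insensitively; resource ARNs compare case-sensitively
            action_hit = any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action")))
            resource_hit = any(_iam_match(r, resource_arn, False) for r in _as_list(stmt.get("Resource")))
            if not (action_hit and resource_hit):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def is_admin_policy(policies: List[dict]) -> bool:
    """True when any statement allows Action '*' on Resource '*' (the role2 policy in the issue)."""
    return any(
        stmt.get("Effect") == "Allow"
        and "*" in _as_list(stmt.get("Action"))
        and "*" in _as_list(stmt.get("Resource"))
        for policy in policies
        for stmt in _as_list(policy.get("Statement"))
    )


def find_existing_lambda_edges(caller_arn: str, caller_policies: List[dict],
                               functions: List[dict], role_policies: Dict[str, List[dict]]) -> List[dict]:
    """One edge per existing function whose code or configuration the caller may modify:
    caller -> that function's execution role, flagged when the role is effectively admin."""
    edges = []
    for fn in functions:
        via = [a for a in EDIT_ACTIONS if is_action_allowed(caller_policies, a, fn["FunctionArn"])]
        if via:
            edges.append({
                "source": caller_arn,
                "destination": fn["Role"],
                "function": fn["FunctionName"],
                "via": via,
                "destination_is_admin": is_admin_policy(role_policies.get(fn["Role"], [])),
            })
    return edges


if __name__ == "__main__":
    for edge in find_existing_lambda_edges(CALLER_ARN, CALLER_POLICIES, FUNCTIONS, ROLE_POLICIES):
        print(f"{edge['source']} -> {edge['destination']} via {edge['function']} "
              f"({', '.join(edge['via'])}; admin={edge['destination_is_admin']})")
```

Run as a script it reports exactly one edge, from the `privesc17-...` caller role to `privesc-high-priv-lambda-role2` via `test_lambda` with both edit actions and the admin flag set, which is the edge the report says PMapper failed to draw; the constructed `locked_down` function produces no edge because its explicit Deny overrides the wildcard Allow. The edge only needs one of the two actions: `UpdateFunctionCode` swaps the code that runs under the role, and `UpdateFunctionConfiguration` can change the handler, environment or layers, so either alone is enough to draw it.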
@ncc-erik-steringer
Collaborator

Thank you for the report! Just a couple follow-up questions:

  • Which version of PMapper are you using? If not the current v1.1.3-dev branch code, can you try it out and see if the issue persists?
  • When running the graph create subcommand, are you including the region the Lambda function is in (--include-regions/--exclude-regions args)?

Additional context: here's the source code that is supposed to detect this type of Edge: https://github.com/nccgroup/PMapper/blob/v1.1.3-dev/principalmapper/graphing/lambda_edges.py#L139-L176

@ncc-erik-steringer
Collaborator
ncc-erik-steringer commented Jul 13, 2021

Found the issue, applied a fix in 05504a7 and verified it worked on my machine. This has affected all v1.1.X up until this point. Please try the latest release (master branch of the repo or v1.1.3 from PyPI) and verify that it is working for you as well.

ncc-erik-steringer added a commit that referenced this issue Jul 13, 2021
bugfixes: 

* NotPrincipal in resource policies, '*' for matching principals
* Codebuild tag handling fixed
* Querying with cached resource policies fixed for IAM Role Trust Policies
* SQS messaging on missing queue policy fixed
* Orgs messaging on improper args fixed
* Orgs without SCPs fixed
* fixed handling for condition contexts, case-insensitive keys
* fix for #86 - Did not include Edges for existing Lambda functions

additions:

* updated output of (arg)query, changed edge descriptions to use node searchable-names
* add endgame support for Secrets Manager

Co-authored-by: Erik Steringer <erik.steringer@nccgroup.com>
@sethsec
Author
sethsec commented Jul 14, 2021

Confirmed on my end. Nice work!

wdahlenburg pushed a commit to wdahlenburg/PMapper that referenced this issue Sep 5, 2022
Updated to include information about Quiet Riot
2 participants