SamEzebunandu

[Music] it's uh 9:30 almost uh welcome to my talk um I know it sounds the title sounds very verose that's because that's the best that CH GPT came up with to be honest what I really want us to talk about today is um the instance metadata service and if you're still deploying E2 instances with imds V1 you need to go and fix that right away that's really what we're talking about today um in case you're wondering if you're in the right room from maybe reading the abstract and you want to go through all the details this is the um um abstract that I submitted for this talk bits are that um we'll talk about Cloud work Lo

identities we'll do the demo using Cloud good um similar to the bridge scenario for Capital One and and then hopefully I would also share some like links and resources to help you if you if you have an imds problem and you want to address that um [Music] just okay yeah everybody hear him okay yeah yeah okay let no it's just to keep moving away there it's okay it's okay okay try talking now okay yeah am I good yeah yeah okay let's let's uh yeah so in case you're wondering who I am I I go by Sam my profile is up on the B website currently work as a security analyst with the company based out of

Vancouver sry no worries it's spot phone should I try holding it yeah okay all right okay I think I'll keep it a bit further away this sounds okay yeah okay cool I've been a volunteer with bides last year and this is my second time volunteering and this time decided to mix it up and give a talk um I have an NBA from the UFA now that the Oilers are really really [ __ ] it's easy for me to say go Flames um but Edmonton still has a fun place in my heart sorry to admit that I have a few sets as you can see I like my infos Brew served uh cloudy um and I'm fully sied

into the infos koid so I you'll find out that I 98% passion maybe just 2% knowledge hopefully that's a useful 2% um in case you here you're in a hurry and you want the cliff noes version we'll talk about am um I'll tell I I hope you already understand that I am is probably the most important layer of control for cloud hosted assets um there's a challenge when you're trying to configure resource to Resource access what on pray world you would call U service accounts um imds is one solution that way you can automate the process of getting temporary credentials for resource to Resource access but there are issues with the imds that you should

be aware of and you should look to the

useful grounder to then explain machine identities the challenge with machine identities at some point we find our way Meandering to start talking about I am roles and is to instance profiles we'll talk specifically about the imds V1 which is the problematic version of imds that you want to avoid using in your environment we do a little upse SEC because in addition to Cloud infrastructure Security application secur is like my other passion um we'll talk about what happens if you make a toxic brew of imds V1 and add a little sprink sprinkling of ssrf and that's how you end up with data Bridges um we will do a little D with Cloud Goods is an open source tool for um learning parent

testing of AWS environments if you're a cloud person you're not using Cloud Goods already please go use cloud good it's fun and it's an easy way to deploy really complicated infrastructure which is single man create or destroy um really neat um hopefully at the end of the day I'll tell you what imds V2 and you and your Cloud resources would leave happily ever after um what I wanted us to do at this point is like I have a little bit of a demo like I said with Cloud gos um infrastructure takes like maybe four or five minutes to deploy so I'll start the deployment now switch back to the slides and then hopefully at the point where

we're ready to do the deployments we have everything done the demo we have our infrastructure all good to ah okay this worked so if you were fast enough to point to the QR code that I had on the screen before I switch it over maybe I should go back to showing okay let's do the so present no no no there you go um if you scan this QR code you go to a notion page that I have stepbystep instructions that I intend to mostly for follow for the demo so you could go there look at the instructions if you want to try this at after today do that as well uh so hopefully you're seeing my terminal I

will move the mouse here my step by step instruction really starts I'm assuming like someone who doesn't have a lot of knowledge about the cloud I needs to know I have an AWS account what do I need to do to follow you so I'm telling you what kind of user you should provision in your account how to create um access keys for those user for today's conversation I'm just going to skip over all of that and jump straight to where I'm cloning the repo for cloud goat and actually setting things up and I will prove to you that I've already configured a user in my AWS account uh with all of those credentials if I just

run this with a little bit of terminal completion magic you see that I have an identity if I call the STS service I have an identi that tells you that I have an ews account configured on this uh on my CLI so um what I want to do here is let's clone the cloud go repository from G giop right here there you

go okay floing floing floing all right internet

problems almost

there

okay what I'm doing here is to create a python virtual environment um that I would use to install the dependencies that cloud gr requires okay I have my python environment set up um what I want to do is to um no I haven't I to Source okay thank you completion now that and I want to keep

install okay almost there I will say cloud Goods ah okay

I configure a profile in Cloud goat I have a user called Cloud goat from earlier when I showed the color identity so I tell you to use that profile and I can say cloud

good create

yes please okay and I believe our deployment has started we can switch back to the slides okay so before I go any further um there are a few fundamental IM Concepts that I think we should all um be speaking from the same page when we talk about those um if you Point your QR code at that um your camera that QR code it take you to a link to the reference that I have at the bottom by the way I do that for every slide where I have references at the bottom with the QR code just to make it easy to follow along um what is an identity the folks that Miss provided this very extended definition but I

think it's easy to think of the things if you can connect it to human identity so say you listening to me today you want to set up a profile on Facebook maybe you go to Facebook you provide an email address a password your date of birth your address color of your underwear your favorite meal and all that stuff that Facebook asks for you provide it for Facebook and Facebook will say Okay based on this attributes you provided we know who you are right so that's identity and then authentication is when you want to sign on to Facebook you provide a subset of those attributes so Facebook might say give me your email address your password and hopefully some

something you have a two- Factor iation you provide that and they say based on those subset of your attributes you've provided comparing to our database we know who you are you're allowed to come in and use the Facebook system right then author authorization is about what you can do once you have access once you've authenticated so as a regular Facebook user you might have right to like upload pictures watch other people card other people's card videos Maybe postcast videos of your own right and then accounting is about tying all of that together being able to say who what at any given point hopefully you have logs or some assist to um human identities in the cloud you

should probably be familiar with this in the AWS context you would have an IM user you would assign permission to either directly to that user or you assign the user to a group that has some permission and user would inh those permissions user can um interact with AWS Resources by signing in either in the console or programmatically like we're going to do for most of our demo today and terminal okay let's tie that

to have your ni website that you designed yourself you set up in it set it up in the PHP server and you spawn up an E2 instance to host your website right and somewhere on your website you you provide the ability for people to upload cat photos you need to store those cat photos somewhere maybe they can come back later I want to view the C photos they have um they have uploaded now you need to be able to read that data from somewhere so it means that your application has an identity that it uses to read the data from wherever it is stored right so let's say your ec2 instance talks to S3 to store data right

one way to do that is in your PHP application code somewhere in there you can have a line that says AWS uncore secret access key and then in the next line AWS uncore access to you have hardcoded credentials in the application code and hopefully as good Security Professionals we know not to do that cuz um hardcoded credentials in applications is is an antia what AWS recommends that you do instead is to use an instance profile or a ro so that's how we're going to do it right nice Security Professionals um references provided here you can scan yourr Cod so why is it what specifically talking about machine identities um I grew up in a cloud in in it in a cloud

world so I don't really know that much about on Prem but I know even on Prem service accounts was a problem now what I think is that the cloud makes that problem a bit harder because what you end up with is for most application use cases for instance you'd have to equestr different services from a sing cloud provider so you have an E2 instance somewhere needs to talk to S3 what is IM am that you use for managing permissions to that instance and maybe you're doing some a AI stuff if you're using some other service every of that service is just an API call away as opposed to on Prem where you could protect the service

where firewalls and stuff in AWS everything is an API call you can use some configurations to make those Services running in private network but at the most fundamental level everything is an API callway so it means you have multiple services that are just an API callway how do you manage access between those services in right way right it starts to maybe it's easy enough to do if you if it's just you running your own website on a PHP server but think of an Enterprise that has an application that has maybe like 300 microservices multiply that by 10 you start to have a scaling problem and you know most things in life at skill start to become really

difficult right so when you have Cloud applications usually end up with the scenario where you have either a sec management problem you're having credentials being hardcoded all over the place or or you have a least privilege problem as well you are over provisioning Resources with excessive funs um sorry I

need okay what am Rose I told you what recommends for you to to use well what are um

something think of IM rules in the same context so you want an entity to have permission to resources but you don't want to give that entity Perpetual access you create a role you say you can assume that role get elevated permissions do whatever you want to do and then after while those permissions will expire what does that do for you well it means that even if those permissions were somehow compromise if someone got access to the authentication token for that session after a fixed time duration they become invalid except the attacker has some way of um gaining continuous access to zids it means that after the default expir period which I think by default in AWS is 12 hours for

R of course you can configure that even a bit as short as you want um so IRS are good that they give you access to Temporary tokens that expire and that's good for security um some example IM roles if you want to AWS account even if you haven't configured anything you see lots of um AWS manage IM am roles and I thought we would use one of those just for illustration right um the specific example I've picked is the service role for API Gateway as with most resources on AWS it's uniquely identified by an Amazon resource name um You' have permissions and you'd also have a trust policy and I'll talk in talk in a minute

about what the specific um parts of this role mean first off um there are three important things to keep in mind when you're thinking about IM am roles so I said IM am roles are identities that can be assumed the trust policy is what defines what can assume that identity otherwise anybody in the cloud can assume a role into your account right so who can assume the role is a trust policy I I think it's useful to think about that as the authentication beat right and then once you assume the role what can you do that's the permission bit for now that as the authorization bit right so authentication authorization um back to this example

this is the trust policy attached to this AWS manage um role in case anyone here is not vested in the Json policy language for ews what this is essentially saying is this API Gateway service is allowed to assume this role simple right and then in terms of the per that are assigned to this role again looking at this console um screenshot the Pol permissions itself is a policy and if you dug into this policy these are some of the subsets of um permissions that you will grant you so you see some elastic load balancer actions um you see an x-ray action and some I believe these are Cloud watch log permissions as well so trust policy permissions those are

the two useful bits to right easy easy got it okay so let's make that a bit more concrete let's go back to that application that we had running in an ec2 instance that needs access to S3 it would assume the role that gives it access to Temporary tokens that it would use for that S3 access this is what the trust policy would look like right it would say that the ec2 service is allowed to assume this role easy peasy um and then once he assumes the role that entity is allowed to read objects from this bu again straightforward so trust policy permissions how do you assign if am rules are so great how do we assign them

to ec2 instances we use what's known as an instance profile I think about it as a rapper around R haven't found a more useful analogy it's basically RO with some additional metadata that's how I think about it um it would give you it would give give you access to Temporary tokens just like we said you get with IMR you can only assign one profile to an E2 instance at the time so let's make even that example a bit more concrete so I am the administrator of an AWS environment as security person I have to provision permissions for developer developers who want to build applications I go in and I create a role that grants access to the bucket that

has the card pictures right and I said a developer if you want to build that application please assume this instant profile get pics it would allow you to get access to photos so developer wres application application wants to talk to this bracket it goes and it retries credentials and it uses those credentials to fetch the cat photos and we are all happy on the internet

right so I glossed over a bit of the detail here I said he would get credentials well where is the getting Guard from the getting is Guard from the instance metadata service I just made up that um instance metadata server by default on either every ec2 instance that you launch in AWS we were running a web server at 169.254 169.254 I like how that Wes makes it easy to remember 169 254 169 254 that's because it's running on a link local IP address it should not be accessible outside of the E instance link local IP addresses are like27 that's should not be rable on your land should not be rable on uh Azure and GCB also have the

construct of instant metadata Service as well but those are not quite as vulnerable as um the imds in ews is so today we'll be talking about the AWS imds not the asual gcp so imds I'm back to our example It's s running at 169.254 169.254 Al line in your application code wants to go fet fetch cat photos to display to the user who's come to enjoy some lovely card photos um the application will make a get get request to um this URL so 1690 254 latest T metadata T am security credentials slash the name of the role specific provision um the instance met server will return temporary credentials to the application so it will be

Asia um sopix um access key IDs and then an access key secret so if you see access key IDs that start with Asia those are temporary tokens as opposed to eia um access key IDs that are permanent that are more permanent access key toen so it gets the credentials and then it uses the credentials to make call to three fet card photos and everyone is happy on the internet you know how I said earlier the instance metadata server by Logic should not be accessible outside of the ec2 instance because is running on link local IP addresses well sometimes you might have a problem that problem will be called a web application vulnerability and if you

have that problem your instance metadata server might be accessible outside of ec2 instance and one of those problems are called server side request forgies serers side request forgy is web application very busy like I said as with all web app fonts I think um untrusted user input and improp input sanitization is probably what you can point to as well what an vulnerability allows um an attacker to do is to be able to make calls to backend services that you may not have intended for the web application to process request and send back to the user it sounds abstract let's make it more concrete so say m Mr attaka wants to get to a database server

that I have running somewhere um as good security professional we've configure this database credentials really locked down Security Group rules and all that fun stuff so the attacker is not able to get access to the um server but on our PHP server here we have a server side request for D vulnerability the attacker might be able to send requests to our web server and make those requests look like they're coming directly from the because for reasons of business logic we need to allow this web server to be able to talk to the D server right that's how applications run we've allowed this attacker sends a request um to web server web sends it to database returns

everything from select star back to the attacker and now you have a data TR your hands right ssrf spad if you don't remember any other back back and John just take my word for it um Evan Johnson manager of product security and Cloud fair just after the um Capital One Bridge also reemphasized that ssrf and Cloud are a very toxic what can we do uh first off a bit more explanation about srfs and why you make it o with the cloud you have your application running in your ec2 instance um Ser side request for D on attacker will be able to make request and talk to the imds imds returns temporary credentials to the attacker and now the attacker has

direct access so an S3 bucket that you've configured with people's maybe Social Insurance Number personal Health Data all that stuff that you don't want attack has access to because your application needs to talk to that um S3 server it provision with access now the access SSRS plus Cloud bad that's the sumary of this how bad can it get well in 2019 Capital One gold bridge I I suspect everyone here would have heard this story by now so a sure of hands who has not heard about the Capital One bridge is just been sarcastic so everybody knows the Capital One Bridge 100 million records of credit card uh applicant in the US 6 million in Canada

um at some point capital B had to pay an $8 million fine none and $190 million to settle a class action lawsuit I don't know about the place where you work but where I work this is um a big chunk of change and if we had to pay this kind of FS I I'm not sure I'll be continue to be employed that my ability to keep being employed will be sustainable right so not good not good but the folks at Capital One surprisingly are actually quite good at security so they were not being willfully negligent um if you go and set your open source Community there are lots of security tools the most the one example that comes to mind is cloud

custodian I love CL Cloud custodian it was built by the folks that come so they knew what they were doing is it's just you had that toxic brew that somehow no one had anticipated and planned for hopefully you be better prepared at the end of this um conversation well technical details of what happened was there's a mod security Waf Appliance you know what wafs do the filter request going to back an application the W was not properly configured and it was basically not filtering for um web requests potentially exploiting ssfs application running on any2 instance had an SRS vulnerability this W was supposed to be protecting the application protection gone attacker sends a request hits the application gets imds tokens

that allowed access to an S3 bucket That was supposed to be protected so it wasn't a case of S3 buckets not permissions not be properly configured it was not a publicly accessible was well protected but because the application needed to talk talk to S3 bucket it had permissions and by exploiting the ssrf now the attacker has just as much permission as the applications so again I don't need to say what that means that means you have a data reach on your head right um like I said over flogged example everybody talks about ssrf and imds and the in I can guarantee in the first sentence you're likely to hear Capital One but that's just because when

you have lawsuits people have to talk right and when people talk you get all the details lots of other organizations have been breached by similar scenario we just don't have it in the public because there's been no lawsuits um I found links to resources from the folks at um unit 42 at poo networks and also this link that um Aggregates data breaches in the cloud you find references to threat actors that are known to specifically um try to use imds and ssrf to exploit AWS environments right I also found links to two um um what are this called B bounties on pack one for exploitation SSR class one was few more examples if you want to see

all this is point could follow this URL if POS if you're capable of following URLs eyes um so it's almost time for the demo but first I want to introduce Cloud Goods um when I was submitting my RFP the the person I was thinking about access as attending this talk was someone new is to the cloud trying to stumble their way through like I'm doing right now and they wanting ways to learn one of the things you could do is to learn about exploiting Cloud applications is cloud Goods um I love Cloud good because it abstracts a way the complexity of deploying really complicator application so you might have an intentionally vulnerable application I need to say and you have

an application that pulls together pieces like using authentication with Cognito running um containers in kubernetes you don't need to to know how to set up any of that you just point a single command and Cloud go and it goes and deploy that stuff for you and you can go hacking and then when you're done one single command it tears it down Cloud gos under the hood uses terraform to deploy the application so if you go learn a little bit of terraform and you want to see how the cookies made you can actually go in there and see the terraform deployment templat well you don't need to know terraform to use cloud you just say cloud good create

like you saw me do at the start of his demo he creates it and then when I'm done I just run Cloud good destroy destroys and if you want to know how to get to this thing that is better than sliced bread in my opinion you can fully destroy all you get access

to I have to drink a lot of water because I'm yeah just that out here um so time for demo um if you haven't gone to this uh URL please um Point your cameras at that um car code and you can just save it to look at it later I promise there's no mware it's just Ting URL to page so let's do the

demo am I out of time okay that was very that was say we haven't even started the phone part okay struggle to find so let's do clear the screen my apologies um I realize me doing this is not the most optimal way but you know this is a volunteer conference and this is this is how we're able to patch things together to get it to work after like an hour of troubleshooting this morning so please be with us thank you very much um I've already um done all of these beats I cloned the repo I configured Cloud Goods I set up a vir environment done all of that fun stuff Pi taking so long to

render um we've already created the scenario as well um so what I want to do is look at the credentials from that scenario I think I need to run if I don't feel like running commands I just

copy once upon a time I was um learning to be a developer uh and someone told me that good developers right code and great developers copy so I'm just going to cop what I want to do I want to split [Music] view screen a second hopefully I can find it if I can't I would open up V okay I'll get the SP need need here P paste things into

it this is good paste okay so we have those credentials and assume that somehow you had an environment where improper secur management developer committed Cod to GitHub attacker SC GitHub gets those credentials and now they want to see what they have access to right so we we the attacker who so that we're about to configure the AWS CLI U to and

type

so what I'm just doing here I'm configuring my AWS CLI but I don't want it to use the default user I want it to use a named user I tell it to do that it asks me for the access key ID which already soone here in case anyone is in the audience and looking their lips at me showing credentials today um I SP of this AWS account couple of days ago for this demo and I'm going to tear down thank you very much for not hacking my

accounts and I will skip through there of the details just use the default us one right everybody uses us got okay and I want Json output right so what do I have access to as the attacker will just um store ceds I want to see profile I told you to use the profile name see CG

start so STS get colide identity I think of that as the Unix envir equivalent of who am I right you get access to an environment you want to know what's your user what's the name of video BS account if you have access to call this um API you can get all of that detail so I already know the accounts that I compromise for example I know the account ID from that number sequence I know the username the slash after the account ID in the Amazon resource names so uh yeah actually let's try that so I want the PHS the terminal it sounds like something that should be view make text bigger better thanks Bry okay so what do I have access

to after compromising this try doing this sorry online folks I hope you're still able to hear me

uh so attackers are after at the end of the day what attackers really want is data all of that messing around with infrastructure is a way to get to the data as an attacker if I get into an environment and I can get to the data directly I'm not even going to bother to explore any of the controls I have on the environment so I'm a Restless attacker I'm in this account I want to see if I have access to S3 DK access denied um next thing I want to see is maybe they have misconfigured databases right let's Pro for uh CG start start RDS describe databased instances permission denied as well so I don't have access to any data want what

can I do right in reality attackers now are not going to be doing all of this manually they just point it to like P and enumerate and right away they know what they have access to and they start trying to P so I'm just doing this like a that's not how it's done in the world but it's going to be a lot like faster faster um so I don't have access to storage let's see if we can start at compute right um so let's try Lambda functions yeah those are quite popular nowadays in environment so let's see if we have access to Lambda uh

list so I can see right away that I have access to a Lambda function here and uh whenever I'm running in AWS uh CLI action and I get results it's always nice just pip through GQ you get a nice pry printed result pretty printed results and uh like I can already see stuff that makes my eyes glow right someone configured environment variables for this Lambda function with access to K as the attacker I'm happy I want I want people to do that right so let's P this credentials and let's see what they give us access

to let's call This Cloud L right I'm just stealing the names from when I practic them earlier CU I get that completion that way in case you're wondering if I'm able to type that okay copy this paste

it

this Su okay default default so I go through those same sequence of actions right uh

access theight I don't have permissions to data yet so for my illustration said I was going to keep doing this and then get to the point but let's just try to save some time cuz um we might be running out of time so now do I need this yet no I don't think I I can minimize it out of the way and just do copy paste like good Security Professionals uh so yeah okay so I've configured this user uh H let's let's let's see what's up with the user so cheal identity in reality we already kind of skip the step but we see the again see thews account we see the username that provision for this user

that we've somehow managed to compromise um and then let's say for whatever reason at some point we decided to enumerate ec2 instances uh so let's go herey and paste it uh

okay so what I essentially did was um if you follow the demo step by step at some point I find out that I have an ec2 instance that is running a web server that has a public IP address so I see an E2 instance that has a public IP address um I filter for that public IP address and it make you get they make a request to that IP address to see what's running and I get this response back from whatever is running in that2 instance I can see right away that this must be a web server like I'm getting HTML responses right that's how I know and then as pentesters uh if you talk to any

pentester they love error messages because error messages are what gives everything away don't we all he that so if you pay attention to this error messages telling you URL must be a string uh URL what's Ur what's URL string I didn't provide any um it says you provided undefined so as an attacker I will probably know to say okay maybe this needs a URL parameter to the to be input to it as well um and if I just go back to this let's go to copy paste okay so sorry I'm doing the copy past because of my t scenario so now I providing a URL as input to that request right and now it says uh

they had to make it obvious that they have tried to De in a web application but it says I wanted to be useful I tried to find google.com that I but I couldn't so what this tells you is it's taking obviously taking the input that I provide to it and somehow trying to fetch resources from that URL like and as an attacker in the cloud once you see that your eyes should light up cuz you know what to try next right if it has an SSRI vulnerability just I'm going straight to 169 254 what's in

there so this is what if you go to the uh top level page for the imds server this is what the response would look like those number sequences are for the various versions of the imbs and then um if you always want to point to the latest one you just go to SL latest so going to replay the previous command and go to slash the test right and yeah I'm already getting all of that stuff that I should be expecting to get from the imds server and specifically for the one that contains the ru that I want I think I this one past this

why is the internet so slow so what what should come back from this request is it would show the name of the role that was provision for this particular scenario so it would be security credential SL particular role name name um when when Cloud go deploys the infrastructure for you it's it name things according to a certain convention so anything deploy with Cloud go to start with the CG and then it might have depending on the type of resource it would have like a resource name perfect so in this case saying there's an ec2 RO for ssrf and then some random string at the end to ensure that if you're running cloud and I'm running Cloud if

you use the same name you know best three sources for example canot have name conflicts the internet is fun fun

fun why a good that one without internet problems okay maybe I should kill it then try to be oh yeah okay interesting

um not I have oh yeah

oh okay um I guess we have to talk through them I did not plan for this but um let's give you one last try

see I do have a backup to um yeah as one should do when they're doing a live demo I made um I made a little bit of a screen recording of me so let's let's let's let's this I can just talk TR right let's see here let's see what am I doing here so yes um just before I get the value credentials from the yeah first really really close where we start um eventually what I what I end up doing between that let's go back here so if the request to that had been successful in the live demo you'd have seen um I an IM role name that looks like this in the um security

credentials folder of the imds server and if I call this URL with the name of the role it returns temporary tokens back to me and like I said how do I know they are temporary tokens you see that right here um the access key ID prefix stat Asia um this is a secur access key and then in in addition to that when you call the imds through a ro to get temporary tokens you get an actual token as well so access KY ID secret and a token then you to make API calls you need the combination of that those three as opposed to just two that you need for permanent AIA credentials and what the

token basically does the token actually encodes any specific permissions that you have configured on that user it includes all of that so that's how when you make API request they know to like match that to what permissions you you should have access to when you assume that true so explain so I what I'm doing here I'm copying those credentials that I got from the imds uh server I'm pasting it somewhere then configuring my ews CLI to use those credentials right which is what you see me model through for the next little bit right I'm exporting because they are um temporary tokens right I don't want to configure those as users on my aw so the

other way you can configure the awli to use tokens is just set those tokens as environment variables which is what I'm doing here so rather than saying AWS configure AWS configure a user I'm just exporting those credentials that I get here I export the access key ID I export the access key secret and then I eventually also end up I'll end up exporting the session token as well Skip Skip Skip Skip Skip Skip

Skip see how long it takes me just to copy and paste things

in almost there okay so now two seconds back okay let me just this so what I want to show is um after exporting all of those credentials if I then make an get color identity uh up call I would also get reference in the result that would probably reveal to me that I'm assuming and I am will are supposed to using long time

tokens we're almost out of time fun times uh maybe I'll just tell a few more minutes skip forward okay So eventually what I find out is after I configur those um credentials that I just stole from the IMD server now I have access to S3 buckets in the account and one particular S3 bucket here has been configured with uh uh even as an attack like if I see something named Secret in your environment I know it's it's either something really good or it's something that I should totally avoid it could be hor token but attack would probably go look at what whatever his name secret and I eventually find out that I have access to that S3 bucket I can um list

was inside of the S3 bucket I see a token a file called that window txt at that point like your eyes would light up right if you a pentester what the admin. txe credentials eventually gives you access to is um you be able to call that original Lambda function from the beginning that we started and that's how you capture the flag for those you end up happy and feel excited when you walk through that demo so um that's our demo um I think the summary of what the demo wanted to say we can still kind of say it without walking through every step and then eventually when I get home I'm going to not to down this in so back to

our slides let's try to get through that as quickly as we can um this was the attack chain initial access VI compromised credentials we found Lambda environment variables we compromised those um use that to find an easy to instance exploited vulnerability we got access to an S3 bucket and you can think of as a security professional different controls that you could have implemented at various stages to try to um kill that attack chain and one of those controls could have been to like um um do better absec for your application so that you don't end up with ssrf but proper management of the imds Ser would have also helped to mitigate that and how you really manage

that in reality is to use imds V2 I'm in a hurry trying to rush through this slides but uh okay um how I the difference between imds V1 and imds V2 maybe that's the thing that I should I should just say that and end my top is that rather than just making straight get request to get those tokens is it does like an authentication bit so it calls a particular endpoint passing a header that says how long he wants credentials to be valid for he gets a token back and then he uses that token to make requests to actually get the credentials that will be able to access resources and what does that what that essentially

does for you is you cannot exploit um an open w because most open WS don't support put requests so that first request here is not a get request is a put request and also it's when it give the response you can set a hop limit on the response that you get so if you set a TTL equal to one any packets that are coming back from the imds cannot flow Beyond um the ec2 instance and then the imds server for version two would also drop any packet that has an X forwarded for header and X any if you're using reverse proxy in front of a web application it would always append an X forwarded for header because that's how

it knows which original client sented that request so by using imds V1 the V2 essentially you kind of help to mitigate that um um ssrf plus imds vulnerability that we're going to exploit in this demos um and that's why you should use imds V2 and not use imds V1 um that's the summary of what the rest of the slides we're going to say I will make the slides available so you can refer to that content it works you through if you're provisioning instances with AWS cloud formation terraform or even from the ec2 console how to ensure that you are launching those instances with just imds V2 and not accidentally imds V1 I also I also show how to use a service

control policy to actually make it impossible for developers to launch instances with imds V1 in the first instance and I think AWS just announced a couple of weeks ago that they change default for ec2 instances from sometime next year to be mdsv to hopefully that helps to mitigate this scenario because um people like default and if you give them unsafe default Muslim they just leave it because if he works why mess with it right um that's my talk hopefully we're able to have fun despite the [Music] technological