Cloud Security

CloudWatch Dashboard (Over)Sharing

A security vulnerability was discovered in AWS CloudWatch dashboard sharing that allowed unauthorized viewers to access EC2 tags. The issue stemmed from a misconfiguration in Cognito Identity Pools' authentication flow, specifically an undefined setting for the Classic authentication flow. By exploiting this misconfiguration, attackers could retrieve sensitive account information through a multi-step authentication process.

  • 12 Apr 2024

Exploiting the AWS Client VPN on macOS for Local Privilege Escalation (CVE-2024-30165)

A local privilege escalation vulnerability was discovered in AWS Client VPN 3.9.0 for macOS. The flaw stemmed from an XPC service lacking proper client verification, allowing an attacker to uninstall the application and execute malicious scripts with root privileges. The vulnerability enabled unauthorized root-level actions through the XPC service's insufficient validation of message origins.

  • 11 Oct 2023

Enumerating Cognito Clients Exposed to the internet

This article details a methodology for discovering and enumerating potential misconfigurations in AWS Cognito at scale. The approach identifies candidate Cognito instances using SEO backlink tools, AWS CLI commands, and systematic scanning techniques. The project highlights the challenges of cloud service security and the potential for large-scale vulnerability discovery through programmatic scanning.

Dangers of a Service as a Principal in AWS Resource-Based Policies

A critical AWS security vulnerability involves overly permissive resource-based policies that can allow cross-account access to services like SNS and Lambda. These policies enable attackers to interact with resources without direct account permissions, potentially bypassing network restrictions. The attack can exploit AWS service principals to gain unauthorized access to sensitive resources across different AWS accounts.

Detecting Attacks against Azure DevOps

This article explores detection opportunities for attacks against Azure DevOps, focusing on telemetry sources and logging limitations. It details how malicious actors can exploit Azure AD applications, steal Personal Access Tokens (PAT), and compromise DevOps pipelines. The research emphasizes the importance of multi-source logging and contextual analysis to detect sophisticated DevOps security incidents.

Performing and Preventing Attacks on Azure Cloud Environments through Azure DevOps

This article explores potential attack paths in Azure DevOps by demonstrating how an unprivileged user can compromise cloud environments. The attack scenario involves phishing a Personal Access Token (PAT) to gain access to Azure DevOps repositories and pipelines. By manipulating pipeline code, an attacker can exfiltrate Service Principal credentials and gain unauthorized access to Azure cloud resources.

  • 28 Apr 2021

Attack Detection Fundamentals 2021: Azure - Lab #1

This article demonstrates a consent phishing attack in Azure, showing how an attacker can trick a user into granting malicious application permissions to access sensitive resources. The walkthrough covers setting up a lab environment using Terraform, deploying Azure resources, and using the O365 Attack Toolkit to generate a phishing link. Azure AD audit logs are explored to detect the attack and understand the permissions granted during the consent phishing process.

  • 28 Apr 2021

Attack Detection Fundamentals 2021: Azure - Lab #2

An Azure security lab demonstrates privilege escalation by exploiting insecure Logic App workflow configurations. Using a service principal that holds only Reader permissions, the lab shows how credentials embedded in clear text in a workflow definition can be read, escalating access from Reader to Contributor on the Azure resource group.

  • 28 Apr 2021

Attack Detection Fundamentals 2021: Azure - Lab #3

This article demonstrates a stealthy method of data collection from an Azure VM by creating a snapshot of a target VM's disk and mounting it to an attack VM. The technique allows accessing sensitive information without directly interacting with the original VM, minimizing detection risks. The lab concludes by highlighting the importance of monitoring Azure activity logs for detecting such lateral movement techniques.

Attack Detection Fundamentals 2021: AWS - Lab #1

This article demonstrates AWS attack detection fundamentals through a lab exploring IAM reconnaissance techniques. The lab uses a deliberately misconfigured AWS environment to show how an attacker might enumerate user permissions using AWS CLI and CloudTrail log analysis with Athena. The walkthrough highlights the risks of overly permissive IAM policies and the importance of monitoring user activities in cloud environments.

Attack Detection Fundamentals 2021: AWS - Lab #2

This article details an AWS security lab demonstrating how an attacker can add an access key and login profile to a compromised user account. The lab explores using Pacu to create additional AWS credentials and gain web console access. CloudTrail log analysis reveals key detection indicators, including changes in user agent and console login without multi-factor authentication.

Attack Detection Fundamentals 2021: AWS - Lab #3

This article details an AWS security lab demonstrating an attack scenario involving unauthorized S3 bucket access. The walkthrough covers exfiltrating customer data, modifying user permissions, and deleting files in an S3 bucket. Detection methods using CloudTrail and S3 access logs are explored to track malicious activities and understand the attack's forensic evidence.

  • 17 Jan 2020

Misadventures in AWS

This article details manual techniques for AWS security assessment and privilege escalation during penetration testing. The approach involves generating temporary access keys for multiple AWS roles and systematically collecting data across different accounts using AWS CLI tools. The methodology demonstrates how an attacker with limited initial access can enumerate AWS resources, analyze IAM policies, and potentially escalate privileges within an AWS environment.

AWS: Such auspices are very hard to read

awspx is a proof-of-concept tool designed to visualize and analyze complex AWS access management relationships. The tool helps identify potential attack paths by mapping out resource interactions and effective access within AWS cloud infrastructure. It addresses the challenge of understanding intricate AWS policy interactions by creating a graph-based representation of resource and action relationships.

  • 15 Feb 2019

Ventures into Hyper-V - Fuzzing hypercalls

A technical investigation explored fuzzing Hyper-V hypercalls using a custom kernel driver called Viridian Fuzzer (VIFU). The research systematically tested both documented and undocumented hypercalls in Microsoft's virtualization platform. The project involved complex technical analysis of hypercall mechanisms, address translation, and potential vulnerabilities in the Hyper-V architecture.

EC2 Policies: security, freedom, and both

This article explores how to balance security and flexibility when configuring AWS EC2 permissions. It demonstrates how carefully crafted IAM policies can enable precise infrastructure management while maintaining granular access controls. The solution involves using AWS policy conditions and resource tags to create specific permission boundaries for EC2 instance management.

  • 3 Nov 2016

A Penetration Tester’s Guide to the Azure Cloud

This presentation provides a comprehensive guide to security assessment of Microsoft Azure Cloud services. It explores key security components, controls, and configurations across Azure deployments. The talk introduces Azurite, a tool for collecting and visualizing Azure infrastructure information.

  • 25 Apr 2013

MWR HackLab - Chubby Data

A team analyzed a massive 9TB internet scan dataset using cloud and NoSQL technologies. Multiple approaches were explored to make the data searchable, including Amazon CloudSearch for FTP banners, SQL databases for NBTStat scan results, and NoSQL databases like CouchDB and Elasticsearch for HTTP headers. The project focused on developing efficient parsing and search techniques for large-scale internet infrastructure data.

DefCon16 - Virtually Hacking

A presentation by John Fitzpatrick from MWR InfoSecurity at DefCon 16 explored VMware security vulnerabilities. The talk focused on potential attack vectors in virtualized environments. The full presentation is available for download from the MWR InfoSecurity labs website.