Internal AWS credentials captured by researcher via SQL payload
Adam Bannister April 12, 2022 at 15:47 UTC
Updated: April 12, 2022 4:02 PM UTC
Amazon’s cloud service acts quickly to close a security hole in RDS
A security researcher said he captured the credentials of an internal AWS service by exploiting a local file read vulnerability on an EC2 instance of the relational database service (RDS).
Credit for the discovery goes to Gafnit Amiga, director of security research at Israeli cloud security firm Lightspin, who told The Daily Swig that the research was notable “because the final payload is all SQL commands”.
The impact is hard to gauge because AWS declined to disclose the purpose or implementation of the vulnerable internal service, though it told Amiga that any abuse would not have compromised customer data.
While acknowledging the appeal of AWS services, Amiga said the finding showed that “wrapping third-party services like PostgreSQL and trying to provide users with advanced functionality is sometimes a double-edged sword”.
AWS addressed the vulnerability comprehensively and, according to the researcher, said it found no evidence of malicious exploitation.
Path to breakthrough
Amiga began the research by creating an RDS instance using the Amazon Aurora PostgreSQL engine and connecting to the database using psql, according to a blog post documenting the process.
She decided to try to reach the underlying machine running PostgreSQL, “so I looked for something that would allow me to run operating system commands, send network requests, or read local files”, the researcher explained.
“After trying all the known simple techniques, I decided to review extensions.”
RDS supports many extensions for PostgreSQL, “but I felt the chances of them missing something there are higher because it’s not that easy to do secure integration with third-party code”, she continued.
The researcher looked at the functionality of 8-10 such extensions and the objects they created in Postgres before coming across the one that gave rise to a potential breakthrough: .
Using the extension, Amiga attempted path traversal when creating a foreign table, but this raised an exception stating that “the specified log file path was invalid”.
After testing another relative path, she identified the source of the error as a validation function.
AWS had created a custom foreign data wrapper – a mechanism for reading data from external files – with its own handler function and validator function.
A potential breakthrough came when it emerged that the validator function is optional for a foreign data wrapper.
Amiga potentially had permission to update the commit function using the role. “I was just hoping they only validate the path in the validation function,” she said.
This hope was realized when the researcher dropped the validation function and the path traversal succeeded.
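As an added, defender-side illustration (not part of the original article, Lightspin's research, or AWS tooling): the catalog queries below, run by a database administrator, list foreign data wrappers that have no validator attached, the access grants on each wrapper, and every foreign table with its raw option strings, so that a wrapper whose only option checks live in an optional validator, or a foreign table pointing at an unexpected relative path, stands out during an audit. Column and catalog names are standard PostgreSQL; the `..` filter is a constructed heuristic for relative-path components.

```sql
-- Foreign data wrappers with no validator function attached
-- (fdwvalidator = 0 means none). A wrapper that vets its options only in the
-- validator is safe only while the validator stays attached.
SELECT fdw.fdwname,
       fdw.fdwhandler::regproc   AS handler,
       fdw.fdwvalidator::regproc AS validator,
       r.rolname                 AS owner
FROM pg_foreign_data_wrapper fdw
JOIN pg_roles r ON r.oid = fdw.fdwowner
WHERE fdw.fdwvalidator = 0;

-- Access control list of each wrapper: which roles hold USAGE and may
-- therefore create servers and foreign tables on top of it.
SELECT fdw.fdwname, fdw.fdwacl
FROM pg_foreign_data_wrapper fdw
WHERE fdw.fdwacl IS NOT NULL;

-- Every foreign table with its server, wrapper and option strings, flagging
-- any option that contains a '..' path component for manual review.
SELECT n.nspname   AS schema_name,
       c.relname   AS foreign_table,
       s.srvname   AS server,
       fdw.fdwname AS wrapper,
       ft.ftoptions,
       EXISTS (
         SELECT 1 FROM unnest(ft.ftoptions) AS o
         WHERE o LIKE '%..%'   -- constructed heuristic for relative paths
       ) AS has_dotdot
FROM pg_foreign_table ft
JOIN pg_class c                  ON c.oid   = ft.ftrelid
JOIN pg_namespace n              ON n.oid   = c.relnamespace
JOIN pg_foreign_server s         ON s.oid   = ft.ftserver
JOIN pg_foreign_data_wrapper fdw ON fdw.oid = s.srvfdw
ORDER BY has_dotdot DESC, schema_name, foreign_table;
```

Ownership of a wrapper is worth reviewing alongside these results, since whoever can alter the wrapper can also detach its validator.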
She then found temporary Identity and Access Management (IAM) credentials on , including an and , which turned out to be connected to an internal role named .
Amiga was then able to discover and access a corresponding internal service, “Grover”.
The vulnerability was reported to AWS on December 9. AWS applied an initial patch for recent versions of the RDS and Aurora PostgreSQL engines on December 14, then confirmed on March 22 that all currently supported versions had been fixed and that potentially affected customers had received mitigation instructions.