Hacking Exposed EBS Volumes
0 likes330 views
The document discusses vulnerabilities in AWS EBS volumes that can lead to the exposure of sensitive information such as AWS keys, PII, and private SSH keys from publicly available snapshots. It outlines how attackers can exploit these vulnerabilities by attaching exposed snapshots to EC2 instances and searching for secrets, showcasing multiple examples of data that can be found. The speaker emphasizes the importance of taking immediate action if unencrypted public disks containing sensitive information are discovered and provides a tool for assessing AWS environments.
![{
“UserId”: “AIDA[REDACTED]”,
“Account”: “[REDACTED]”,
“Arn”: “arn:aws:iam::[REDACTED]:user/robot”
}
DISK A - I AM ROBOT
Valid AWS key inside of a path:
/var/aws/userdata.config](https://image.slidesharecdn.com/morekeysthanthejanitor-defcon-slides-07-190814211939/85/Hacking-Exposed-EBS-Volumes-7-320.jpg)
![root@ip-172-31-0-0:~# aws sts get-caller-identity
{
“UserId”: “AIDA[REDACTED]”,
“Account”: “[REDACTED]”,
“Arn”: “arn:aws:iam::[REDACTED]:user/root”
}
Could result in in total compromise of the AWS account
DISK B - w00t w00t](https://image.slidesharecdn.com/morekeysthanthejanitor-defcon-slides-07-190814211939/85/Hacking-Exposed-EBS-Volumes-10-320.jpg)
![root@ip-172-31-17-203:~# aws sts get-caller-identity
{
“Account”: “[REDACTED]”,
“UserId”: “AIDA[REDACTED]”,
“Arn”: “arn:aws:iam::[REDACTED]:user/kumar”
}
DISK C - HAROLD & BOTNET GO TO WHITE CASTLE](https://image.slidesharecdn.com/morekeysthanthejanitor-defcon-slides-07-190814211939/85/Hacking-Exposed-EBS-Volumes-12-320.jpg)
Hacking Exposed EBS Volumes
- 1. HACKING EXPOSED AWS EBS VOLUMES BY BEN MORRIS MORE KEYS THAN THE JANITOR
- 2. • No post-exploitation was performed. • Everything sensitive discussed in this talk was gathered from the EBS volumes themselves, which are publicly available. • Metadata stored has been anonymized. I don’t want your secrets, and I delete them after marking them as valid or expired. • I’m releasing the tool in two weeks to give companies a chance to pull up their pants. Disclaimer (Hello FBI)
- 3. WHAT IS AWS EBS? https://aws.amazon.com/ebs/ Virtual hard disks in the cloud Usually private
- 5. HOW CAN THIS HAPPEN? AWS dashboard has a Permissions tab Once a volume’s here, it’s compromised
- 6. LOOT!
- 7. { “UserId”: “AIDA[REDACTED]”, “Account”: “[REDACTED]”, “Arn”: “arn:aws:iam::[REDACTED]:user/robot” } DISK A - I AM ROBOT Valid AWS key inside of a path: /var/aws/userdata.config
- 8. Detective Work Leads us to a SaaS Company Tracking ISIL Social Media Border Interdiction Robot’s Keys Exposed DISK A - I AM ROBOT
- 9. DISK B - w00t w00t Found AWS Keys in a Docker File Ran Some Golang Binary
- 10. root@ip-172-31-0-0:~# aws sts get-caller-identity { “UserId”: “AIDA[REDACTED]”, “Account”: “[REDACTED]”, “Arn”: “arn:aws:iam::[REDACTED]:user/root” } Could result in in total compromise of the AWS account DISK B - w00t w00t
- 11. DISK C - HAROLD & BOTNET GO TO WHITE CASTLE
- 12. root@ip-172-31-17-203:~# aws sts get-caller-identity { “Account”: “[REDACTED]”, “UserId”: “AIDA[REDACTED]”, “Arn”: “arn:aws:iam::[REDACTED]:user/kumar” } DISK C - HAROLD & BOTNET GO TO WHITE CASTLE
- 13. DISK C - HAROLD & BOTNET GO TO WHITE CASTLE Large Software Company Does Work For: Salesforce Apple FIS
- 14. • Leaked Source Code: -- Government contractors -- Large tech companies • SSH Private Keys -- Major businesses -- IoT companies • PII (Emails and Passwords) -- SQL files containing tens of thousands of records, including email and hashed passwords • Wordpress Installations -- Password hashes,API tokens, etc. • VPN Creds -- OpenVPN connection files • AWS Keys, Google OAuth Tokens, Email Passwords -- Something called “SurveillanceApp” WALL OF SHEEP
- 15. HOW DID I FIND ALL THIS?
- 16. Exploitation process is simple on the surface 01: Pick an exposed snapshot 02: Attach the volume to your EC2 instance 03: Search the disk for secrets ...but there’s just way too much data! JUNK IN THE TRUNK
- 17. ARCHITECTURE AWS EBS API SQS Master Determines if Snapshot is a Candidate Query for Public Snapshots SECRETS DB us-east-2 Worker us-east-1 Worker us-west-2 Worker
- 18. 01 WHAT TO READ?
- 19. Tons of Hidden Failure Points Metadata URL Failure Mounting Disks Filesystem Issues 02 THE “AWS BUTTERFLY EFFECT”
- 21. Have Tests for Your Code AWS butterfly effect is real AWS Will Return Errors you Don’t Expect Ex: Metadata URL can fail! Design for Multi-Region Up Front LESSONS LEARNED
- 22. REMEDIATION
- 23. • If you find a disk that is: -- Unencrypted -- Public -- Contains sensitive information 01. Take down the snapshot 02. Rotate any creds on it 03. Investigate how you got here EXPOSED DISK DISCOVERED Check your AWS environment: https://github.com/bishopfox/dufflebag “Coming Soon...in two weeks”
- 24. MORE LOOT • Passwords -- My favorite: nug!L0v3r • Captured the Flag -- root@ip-172-31-0-0:~# cat /mnt/snap-0489 716372dc4b8c3/1/home/ec2-user/.flag_here -- flag::NSSCloudHackLabFLAG53::6a55505df2550 fb680b1e0b23df42293fd099cf9ac5d7ae94ef0b938 • Bitcoin Miners -- wallet.dat • SSH Private Keys -- Lots of Windows disks
- 25. CONCLUSIONS 50 CONFIRMED EXPOSURES Manually validated in one AWS region ~750-1,250 TOTAL EXPOSURES Estimated across all AWS regions WIDE-RANGING INDUSTRIES IMPACTED Government contractors, software, healthcare, etc. TOTAL COST: $300 + R&D Time
- 26. THANK YOU! SPECIAL THANKS TO Dan Petro, Jake Miller, Cici Tran Zach Glick at Amazon for the great responsible disclosure process (Hi Mom, Hi Dad, Hi Nick)