Terraform Unleashed: Crafting custom
Provider exploits for Ultimate control
Who Are We?
Rupali Dash brings over 8 years of cybersecurity experience, specializing in penetration testing and red teaming. Currently a Lead Security Architect at Axl.net Security, she oversees cloud security and penetration testing engagements. Her credentials include certifications such as OSCP, OSWE, AWS Security Specialist, and GCPN. She has presented at conferences including Black Hat Asia, DevSecCon, and CoCon.
Alex Foley is a broadly experienced security professional with over 25 years in IT and cybersecurity. He is the founder and CEO of Axl.net Security, and operates as vCISO for multiple startup companies with the support of the Axl.net Security team. Throughout his career he has worn many hats and done "all the things" across product development, operations, and security; that breadth lets him bring depth of understanding to the CISO role. Alex's skill set focuses on blue team operations, which complements Rupali's expertise in red team activities.
Who Does The Talk Cater To
● Pen testers and red teamers who will be testing a cloud infrastructure.
● Security architects managing the security posture of a cloud infrastructure.
Terraform Enterprise Deployment Architecture
Terraform Workflow
► To provision the configuration, the user first logs in to Terraform Enterprise (TFE) and supplies the AWS credentials of the target account in which the resources will be created.
► On terraform init, TFE spins up a worker container in the TFE AWS account and downloads the providers declared in the configuration's provider block.
► During terraform plan, the TFE API zips the IaC code and the supplied authentication credentials together with the Terraform binary and stores the bundle on the worker container.
► It also takes a state lock in DynamoDB for that workspace, so that no two TFE plans can run concurrently for the same workspace, and queues the job.
► It downloads the Sentinel policies attached to the workspace onto the worker container.
► Once the Sentinel policies have been evaluated against the plan output, Terraform uses the supplied AWS credentials to obtain a fresh set of (STS) credentials, which are then used to provision the resources in the client's AWS account.
► When the apply completes, the worker container writes the resulting Terraform state file to the S3 bucket and the container is destroyed.
Terraform Provider
► A Terraform provider is a binary, written in Go, that the Terraform binary launches as a plugin and talks to over RPC. The provider in turn talks to the upstream API: cloud providers as well as software-as-a-service providers. Providers are declared in the Terraform configuration; they tell Terraform which services it needs to interact with.
Key Risk
Provider binaries are executables that are downloaded into the ephemeral worker container during terraform init. A provider runs with the same (highest available) privilege as the Terraform process on the worker container, so it can reach everything mounted into that container as well as the AWS STS credentials. The TFE worker container also needs read access to the S3 bucket and the RDS instance where the TFE state file is stored as part of the application.
When several providers are invoked for a single Terraform plan, every one of them has access to the TFE environment variables and the host (worker container) file system.
Attack-1: Custom provider with filesystem access to gain access to the host file system
● In Go, importing the os, os/exec and syscall packages lets the provider binary read the worker's file system and spawn processes.
● Create a data source that reads an environment variable (or a file) and register the new data source in your provider.go file.
● Build the provider with go build.
Exploit (System File Read)
Create a Terraform configuration that uses the new data source to read /etc/passwd on the host; the file contents come back as a data-source attribute during terraform plan, without any apply.
Attack-2: Custom provider with code execution feature
terraform-provider-cmdexec is a custom-built provider that exposes command execution through the Terraform configuration. An example main.tf that leverages the provider to execute a command was shown on the slide.
https://github.com/rung/terraform-provider-cmdexec
https://alex.kaskaso.li/post/terraform-plan-rce
What a malicious provider can do once it executes on the worker:
► Execute commands on the Terraform container.
► Provision highly privileged roles / resources, bypassing Sentinel policies, to gain persistence.
► Exfiltrate vaulted secrets from the TFE container.
► Manipulate state files, resulting in deletion of resources in existing cloud accounts.
► Gain access to PII data in production accounts.
► Supply chain threats to organizations that consume the malicious provider.
Why the Terraform Provider and not the Provisioners?
► Terraform provisioners offer local-exec and remote-exec, which execute commands on the TFE infrastructure as part of terraform apply.
► Provisioners run only after a successful plan, as part of the apply; because the plan has already been produced and evaluated, a Sentinel policy can be used to block those attacks before the apply runs.
► Provider (and data source) code executes during terraform plan itself, before Sentinel evaluates the plan output, and hence it cannot be blocked or restricted through Sentinel.
Provider Security Risks
Three questions to answer when reviewing a third-party or in-house provider:
► 1: Malevolence of the binary: verify that the provider binary does not contain malware, packers or custom exploits.
► 2: Impact on the TFE infrastructure: understand the functionality of the provider and the level of access it has within the TFE infrastructure.
► 3: Outbound network communication: enumerate the endpoints / APIs embedded in the binary so that unexpected destinations stand out.
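A first-pass check for points 2 and 3, as an added example that is not part of the talk: a small Go review helper that parses a provider's source for imports a cloud API client has no business using (os/exec, syscall, unsafe, plugin, raw net), and scans a provider binary's raw bytes for URL literals, reporting the hosts that are not on an expected list. The package list, the regex and the sample source and byte blob in main are constructed for illustration; a real review would run the scan over the downloaded provider binary and compare against the vendor's documented API endpoints.

```go
// Added example (not the talk's code): static review of a Terraform provider
// for risky imports and embedded endpoints.
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"regexp"
	"sort"
	"strings"
)

// Packages whose presence in a provider deserves a reviewer's attention.
// The list is an assumption of this example; extend it for your environment.
var riskyImports = map[string]string{
	"os/exec":  "spawns processes on the worker",
	"syscall":  "raw system calls",
	"unsafe":   "bypasses Go memory safety",
	"plugin":   "loads arbitrary shared objects",
	"net":      "raw network sockets",
	"net/http": "outbound HTTP (expected for an API client; check destinations)",
}

// flagImports parses one Go source file (imports only) and returns the risky
// packages it imports, each with the reason it is flagged.
func flagImports(src string) (map[string]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "provider.go", src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	flagged := map[string]string{}
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, `"`)
		if why, ok := riskyImports[path]; ok {
			flagged[path] = why
		}
	}
	return flagged, nil
}

var urlRe = regexp.MustCompile(`https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+`)

// findEndpoints scans raw bytes (a provider binary works) for URL literals and
// returns the unique host[:port] values, sorted.
func findEndpoints(data []byte) []string {
	seen := map[string]bool{}
	for _, m := range urlRe.FindAll(data, -1) {
		u := string(m)
		rest := u[strings.Index(u, "://")+3:]
		host := rest
		if i := strings.IndexAny(rest, "/?#"); i >= 0 {
			host = rest[:i]
		}
		seen[host] = true
	}
	hosts := make([]string, 0, len(seen))
	for h := range seen {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts)
	return hosts
}

// unexpectedEndpoints returns the hosts in found that are not on the allow list.
func unexpectedEndpoints(found []string, allowed ...string) []string {
	ok := map[string]bool{}
	for _, a := range allowed {
		ok[a] = true
	}
	var out []string
	for _, h := range found {
		if !ok[h] {
			out = append(out, h)
		}
	}
	return out
}

func main() {
	// Constructed sample: a "provider" that imports os/exec and embeds a URL
	// unrelated to the cloud API it claims to manage.
	src := `package provider
import (
	"context"
	"net/http"
	"os/exec"
)
func init() { _ = exec.Command; _ = http.Get; _ = context.Background }
`
	flags, err := flagImports(src)
	if err != nil {
		panic(err)
	}
	for p, why := range flags {
		fmt.Printf("import %s: %s\n", p, why)
	}
	blob := []byte("...https://sts.amazonaws.com/ \x00 https://collector.example.net/upload?x=1 ...")
	hosts := findEndpoints(blob)
	fmt.Println("endpoints:", hosts)
	fmt.Println("unexpected:", unexpectedEndpoints(hosts, "sts.amazonaws.com"))
}
```

The import check only works when source is available (which is what you want from a provider you are going to trust); the endpoint scan works on the stripped binary TFE actually downloads, and is the part to automate against every provider version that lands in the worker container.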
Terraform Unleashed - Crafting Custom Provider Exploits for Ultimate Control
Conclusions
● Provider Attack Types
○ Third Party Providers
○ Insider Threat
● Defense
○ Updated Training
○ Updated Detection Technology
○ Updated Processes
Questions?
►rdash@axl.net
►afoley@axl.net
