
Researchers discovered critical vulnerabilities in six AWS services that could have enabled account takeover, remote code execution, AI data manipulation, sensitive information disclosure, and more. The researchers, from Aqua Security, disclosed the findings at Black Hat USA.
The discoveries by Aqua Security’s Nautilus research team were presented in the session “Breaching AWS Accounts Through Shadow Resources”.
The Shadow Resources attack vector stemmed from the automatic generation of S3 buckets by various AWS services, including CloudFormation, Glue, EMR, SageMaker, ServiceCatalog and CodeStar. Users may not be aware that these buckets are being created when they start a new project or file upload, and the bucket names follow a predictable naming scheme that could be exploited by an attacker.
In the CloudFormation service, this flaw allows an attacker to create their own S3 bucket using the predetermined name of a bucket yet to be created by the target. For CloudFormation, auto-generated S3 buckets followed a naming format that included a service-wide fixed prefix, a unique hash that remains consistent for a given AWS account, and the region that the bucket was created from.
If the unique hash is known to the attacker, they could create a bucket whose name combines the CloudFormation prefix, the hash, and any of the 33 AWS regions. No two S3 buckets can have the same name across any accounts, so when the targeted user’s account later attempts to create a bucket with the name already claimed by the attacker, the creation will fail with an error.
In the case of CloudFormation, attempting to upload a template file from a region where an attacker has already claimed the predicted bucket name would cause the template to be placed in the attacker’s bucket, but only if the attacker had configured the bucket to allow public access and read and write permissions for the CloudFormation service.
By gaining access to the victim’s uploaded file, not only could the attacker steal potentially sensitive information stored in the template, but they could also manipulate the template to inject a backdoor, leading to potential account takeover.
Such a backdoor could create a new admin role that the attacker can later assume. However, the researchers note that the backdoor can only be created if the victim user who uploaded the template, via the AWS Management Console, has permissions to create new admin roles.
Due to the vulnerability, attackers could essentially squat in “shadow buckets” automatically created by CloudFormation and potentially unknown to the target themselves, simply waiting for the target to create a new CloudFormation stack in a new region for the first time, triggering the Lambda function and backdoor injection.
Researchers continued their investigation to other AWS services and discovered that the Glue, EMR, SageMaker, ServiceCatalog, and CodeStar services were also affected by their own versions of the flaw.
All of these services created “shadow buckets” to store certain resources upon a new user action, such as creating a new Glue job, new EMR Studio or new SageMaker Canvas, and these buckets had predictable names including fixed prefixes, AWS account IDs and region codes.
Depending on the service, exploitation of the vulnerability could have different impacts: manipulating the code of Glue jobs could lead to remote code execution (RCE); injecting code into Jupyter notebooks uploaded by EMR could enable cross-site scripting (XSS) attacks; reading and writing SageMaker datasets could lead to theft or manipulation of AI training datasets; and squatting on CodeStar S3 buckets could lead to denial of service (DoS), since new projects cannot be created using another account’s bucket.
The attack’s success rate could be increased by creating a “Bucket Monopoly”: claiming the names of all possible buckets in all regions for any known user hash or account ID. This way, any new bucket generated in any region by the target would lead to an attacker-controlled bucket.
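As an added illustration of the naming scheme and the Bucket Monopoly described above (this is not code from Aqua Security or AWS), the script below audits the bucket names a service would auto-create for an account and models the ownership check that stops an upload from landing in a squatted bucket. It assumes the CloudFormation prefix `cf-templates-` (an AWS convention not stated in this article), uses placeholder hash and account IDs, and replaces the real S3 client with a constructed stub that reproduces the HeadBucket and `ExpectedBucketOwner` (`x-amz-expected-bucket-owner`) semantics so it runs offline.

```python
"""Defender-side audit of predictable 'shadow bucket' names (added example)."""

# Constructed sample values: "cf-templates-" is the CloudFormation bucket
# prefix; the hash, account IDs and region list are placeholders.
CFN_PREFIX = "cf-templates-"
ACCOUNT_HASH = "abcdef123456"          # placeholder for the per-account hash
MY_ACCOUNT = "111122223333"            # placeholder for our own account ID
REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]  # subset of the 33 regions


def predicted_bucket_names(prefix, account_hash, regions):
    """Names the service would auto-create: fixed prefix + account hash + region."""
    return [f"{prefix}{account_hash}-{region}" for region in regions]


def classify_head_bucket(status):
    """HeadBucket semantics: 200 = bucket is ours, 404 = name not yet taken,
    403 = name exists but we cannot access it (owned by another account, or
    we lack s3:ListBucket on it); a 403 on a predicted name needs review."""
    return {200: "owned", 404: "unclaimed", 403: "claimed_by_other"}.get(status, "unknown")


def audit_shadow_buckets(head_bucket_status, names):
    """Probe every predicted name; 'claimed_by_other' entries are the
    region names where a squatter could intercept our future uploads."""
    return {name: classify_head_bucket(head_bucket_status(name)) for name in names}


class FakeS3:
    """Constructed stand-in for an S3 client: maps bucket name -> owner account."""

    def __init__(self, owners):
        self.owners = owners
        self.objects = {}

    def head_bucket_status(self, name, caller):
        if name not in self.owners:
            return 404
        return 200 if self.owners[name] == caller else 403

    def put_object(self, bucket, key, body, expected_bucket_owner=None):
        """Models ExpectedBucketOwner: S3 refuses the write with 403 when the
        bucket belongs to a different account, so a template is never written
        into a squatter's public, writable bucket. Without the parameter the
        squatted bucket accepts the object."""
        owner = self.owners.get(bucket)
        if owner is None:
            return 404
        if expected_bucket_owner is not None and owner != expected_bucket_owner:
            return 403
        self.objects[(bucket, key)] = body
        return 200
```

Against a real account, replace `FakeS3` with a boto3 client's `head_bucket` and `put_object(..., ExpectedBucketOwner=...)` calls, and run the audit for every region, not just the subset above.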
Aqua Security reported these flaws to the AWS security team in February 2024, prompting a swift response that concluded with full resolution of all vulnerabilities by June 2024.