感谢前段时间lake2的推荐,趁着周末有时间分享一些实用的干货给新老朋友们。
lake2,公众号:朴实无华lake2一些安全大佬的公众号推荐(1)
-
利用AWS的ECS服务的Task Definition新建容器并通过EC2的metadata API获取临时AK/SK提权:https://rhinosecuritylabs.com/aws/pillaging-ecs-task-definitions-two-new-pacu-modules/
-
通过AWS ECS Task Definition可以获取敏感信息(Task Definition类似于k8s的kubeconfig文件):https://rhinosecuritylabs.com/aws/weaponizing-ecs-task-definitions-steal-credentials-running-containers/
-
利用AWS API Gateway服务可以绕过IP黑名单的限制:https://rhinosecuritylabs.com/aws/bypassing-ip-based-blocking-aws/
-
滥用AWS VPC服务的TrafficMirror特性获取东西向流量中的敏感信息:https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/
-
CloudFormation(利用XXE读取本地文件和SSRF获取metadata):https://orca.security/resources/blog/aws-cloudformation-vulnerability/
-
Glue(利用assume role提权至Glue服务账号再结合其内部API的不安全配置获得其他使用了Glue服务的租户账号权限):https://orca.security/resources/blog/aws-glue-vulnerability/
-
S3漏洞利用(计算资源中列权限、过度依赖IAM防止数据泄露、非公开的桶中包含公开的存储对象):https://cloudsecurityalliance.org/blog/2020/06/18/3-big-amazon-s3-vulnerabilities-you-may-be-missing/
-
WorkSpace(利用第三方软件SDK漏洞):https://www.sentinelone.com/labs/usb-over-ethernet-multiple-privilege-escalation-vulnerabilities-in-aws-and-other-major-cloud-services/
-
云上资源的子域名接管:https://0xpatrik.com/subdomain-takeover-ns/
-
利用云服务的跨账号默认IAM权限配置不当,如允许修改资源arn,实现跨租户资源获取:https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Breaking-The-Isolation-Cross-Account-AWS-Vulnerabilities.pdf
-
AWS SageMaker Jupyter Notebook Instance Takeover(利用XSS->CSRF->安全恶意扩展->访问Metadata->获取AWS认证token):https://blog.lightspin.io/aws-sagemaker-notebook-takeover-vulnerability
-
CVE-2020-8897 SSRF Vulnerability in AWS KMS and Encryption SDK:https://github.com/google/security-research/security/advisories/GHSA-wqgp-vphw-hphf
-
AWS: In-band key negotiation issue in the AWS S3 Crypto SDK for golang:https://github.com/google/security-research/security/advisories/GHSA-7f33-f4f5-xwgw
-
利用GCP CloudBuild服务的Service Account账号的token(metatdata API中获取)实现IAM的提权,即利用云服务的默认过多的IAM权限实现IAM的低权限提升:https://rhinosecuritylabs.com/gcp/iam-privilege-escalation-gcp-cloudbuild/
-
利用GCP的各种服务特性实现IAM权限提升,即间接提权方式:https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation
-
利用k8s TLS Bootstapping机制进行提权:https://rhinosecuritylabs.com/cloud-security/kubelet-tls-bootstrap-privilege-escalation/
-
GCP VM takeover via DHCP PRNG:https://github.com/irsl/gcp-dhcp-takeover-code-exec
-
Privilege Escalation in Google Cloud Platform’s OS Login:https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-tech-notes/-/tree/master/oslogin-privesc-june-2020
-
GoldenSAML攻击主要针对联邦认证机制中使用的SAML Response的伪造:https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps
-
Azure Container Instances (ACI)服务跨账号容器接管:https://unit42.paloaltonetworks.com/azure-container-instances/
-
Azure Sphere漏洞(代码执行、拒绝服务、信息泄漏、权限提升等):https://blog.talosintelligence.com/2020/10/Azure-Sphere-Challenge.html
-
Azure Sphere内核利用:https://blog.talosintelligence.com/2021/11/an-azure-sphere-kernel-exploit-or-how-i.html
-
Azure NotLegit:https://blog.wiz.io/azure-app-service-source-code-leak/
-
Azure ChaosDB:https://blog.wiz.io/chaosdb-explained-azures-cosmos-db-vulnerability-walkthrough/
-
Azure OMIGOD – Azure OMI Management Interface Authentication Bypass (CVE-2021-38647):https://blog.wiz.io/update-everything-you-need-to-know-about-omigod-from-the-team-that-discovered-it/
-
Azure AAD:https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-cloud-vulnerability-credmanifest/
-
Azure AAD:https://msrc-blog.microsoft.com/2021/11/17/guidance-for-azure-active-directory-ad-keycredential-property-information-disclosure-in-application-and-service-principal-apis/
-
Azure Stack:https://research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-i/
-
Azure Stack:https://research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-ii/
-
Azure Office365 Exchange Online:https://portswigger.net/daily-swig/critical-zero-day-rce-in-microsoft-office-365-awaits-third-security-patch
-
突破网络隔离:传统的网络隔离边界(防火墙、路由器、交换机、VPN)、VPC(peering、endpoint、traffic mirror)、云专线(混合云、多云网络)、安全组等 -
突破资源隔离:虚拟机逃逸、容器逃逸、物理机CPU/芯片侧信道攻击等 -
突破权限隔离:IAM账号(AWS Landing Zone)、IAM策略(ABAC)、委托代理、联邦认证(AWS STS security tokens、SAML)等 -
突破架构隔离:物理多租(单租户独享)、逻辑多租(多租户共享)等
注:更多详情可点击“原文查看”!
查询和订阅最新安全事件,请关注”安全小飞侠“吧!
原文始发于微信公众号(安全小飞侠):云上攻防二三事(续)
