Lab Walkthrough - Overly Permissive Permission
What is Overly Permissive Permission?
The majority of AWS attacks make use of the permissions attached to roles or accounts. When the administrator did not adhere to the principle of least privilege while establishing roles and permissions, this can be seen as a misconfiguration.
Consider the case where a user in AWS is authorised to attach user policies. Because that user can attach policies to their own account, they can increase their own privileges; this wrong setting effectively gives the user administrative rights.
All you need to do is look for the ARN of the AdministratorAccess policy and attach it to the same user.
Before we get into the code and application of Overly Permissive Permission, let’s first talk about the security risks that come with it.
Security threats due to Overly Permissive Permission
- The attacker could potentially disable multi-factor authentication.
- They may be able to create new assets with administrator permissions.
- The attacker may be able to delete any identity objects, such as roles.
- The attacker might be able to change passwords, password policies or security configuration.
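The misconfiguration described above is visible in the policy document itself: an Allow statement granting an action such as iam:AttachUserPolicy on a broad resource. The following is an added example (not part of the original lab, and not the lab's own Service policy) that audits IAM policy documents offline for such privilege-escalation grants. The policy documents, the list of escalation actions and the function name find_escalation_paths are all constructed for this example; a weak policy mirroring the lab's grant is shown beside a hardened read-only variant.

```python
# Added example (not part of the original lab): an offline audit that flags
# IAM policy statements which allow privilege escalation, such as an
# iam:AttachUserPolicy grant on any user.
# The policy documents below are constructed for this example; they are not
# the lab's actual Service policy.
import fnmatch

# Actions that let a principal grant itself or others more privilege.
# Illustrative, not exhaustive.
ESCALATION_ACTIONS = {
    "iam:AttachUserPolicy",
    "iam:AttachGroupPolicy",
    "iam:AttachRolePolicy",
    "iam:PutUserPolicy",
    "iam:PutGroupPolicy",
    "iam:PutRolePolicy",
    "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion",
    "iam:AddUserToGroup",
    "iam:UpdateAssumeRolePolicy",
}


def _as_list(value):
    """IAM allows either a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_escalation_paths(policy_doc):
    """Return one finding per (escalation action, resource) pair granted by an
    Allow statement. `conditioned` is True when the statement carries a
    Condition block, which may or may not neutralise the risk and should be
    reviewed by hand."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        conditioned = bool(stmt.get("Condition"))
        for pattern in _as_list(stmt.get("Action")):
            # IAM action names are case-insensitive and may contain wildcards
            # ("iam:*", "iam:Attach*"), so treat the policy's action as a glob.
            for action in sorted(ESCALATION_ACTIONS):
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    for resource in _as_list(stmt.get("Resource")):
                        findings.append({
                            "action": action,
                            "resource": resource,
                            "conditioned": conditioned,
                        })
    return findings


# Constructed policy mirroring the lab's weakness: the user may attach any
# policy to any user, including itself.
WEAK_SERVICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:AttachUserPolicy", "Resource": "*"}
    ],
}

# Constructed hardened variant: the user keeps read-only visibility into IAM;
# attaching policies is left to an administrator workflow.
HARDENED_SERVICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListAttachedUserPolicies",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
            ],
            "Resource": "*",
        }
    ],
}

# Constructed broad grant: a wildcard matches every escalation action at once.
WILDCARD_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
}


if __name__ == "__main__":
    for name, doc in [("weak", WEAK_SERVICE_POLICY),
                      ("hardened", HARDENED_SERVICE_POLICY),
                      ("wildcard", WILDCARD_IAM_POLICY)]:
        for finding in find_escalation_paths(doc) or [None]:
            print(name, finding if finding else "no escalation paths found")
```

The weak policy yields a single finding, the hardened one yields none, and the wildcard policy matches every action in the list, which is why a plain `iam:*` grant deserves the same scrutiny as an explicit AttachUserPolicy. Where an attach permission is genuinely needed, scoping the Resource to specific users and requiring a permissions boundary via a Condition narrows the damage; the audit reports such statements with `conditioned` set so they can be reviewed rather than silently accepted.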
How to take advantage of this misconfiguration and try to create a new user
Step 1: Visit the given link and click on the “Run” button to get the AWS lab access credentials.
Step 2: Configure our AWS CLI to interact with the resources on AWS.
Command:
aws configure
After executing this command, we must provide the AWS Access Key ID and AWS Secret Access Key to configure the AWS CLI on our machine.
We can also set our default region and output format.
Step 3: As we have successfully configured the AWS CLI to our machine, let’s list the policies attached to the student user.
NOTE: For the sake of simplicity, we will refer to our current user as “student” throughout this blog.
Command:
aws iam list-attached-user-policies --user-name student
We can see that the student user has two attached policies, the “IAMReadOnlyAccess” policy and the “Service” policy. We are interested in the Service policy.
Step 4: Check the policy details for the Service policy.
Command:
aws iam get-policy --policy-arn arn:aws:iam::607486832336:policy/Service
We can see that the Service policy has v1 as its DefaultVersionId. Next, let’s view the details of version v1 of the Service policy (Step 5).
Step 5: Check whether the student user has permission to attach policies. View the policy details for version v1 of the Service policy.
Command:
aws iam get-policy-version --policy-arn arn:aws:iam::607486832336:policy/Service --version-id v1
We can see from the policy that the user has the ability to attach policies to the user. Check the Action and Resource fields of the statement for the details.
Because we have the ability to attach policies, let’s look for the ARN of the Administrator Access Policy and attach it to the user. But before that, let’s try to create a new user Bob and see what happens. Can you guess?
Step 6: Before looking for an administrator role ARN, let’s see if we can create a new user (Bob) with the current attached policy.
Command:
aws iam create-user --user-name Bob
As you might have guessed, user creation failed due to insufficient privileges.
Step 7: To attach the AdministratorAccess policy to the student user, we first need the ARN of that policy.
Command:
aws iam list-policies | grep 'AdministratorAccess'
Now copy that ARN and attach the AdministratorAccess policy to the student user (Step 8).
Step 8: Attach administrator role policy to the current user and confirm by listing the policies.
Commands:
aws iam attach-user-policy --user-name student --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
aws iam list-attached-user-policies --user-name student
The policy has been successfully attached, and you can now put your administrative abilities to the test by creating a new user.
Because of this misconfiguration in the policy, a normal user can elevate their own permissions.
Step 9: Finally, after assigning the administrator role policy to the student user, let’s try creating a new user (Bob) to verify Administrator Access and see what happens.
Command:
aws iam create-user --user-name Bob
Voila! We successfully performed a privileged operation and created a new user by taking advantage of the misconfiguration.
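Every step above leaves a record in CloudTrail: the denied CreateUser, the AttachUserPolicy call in which the caller names itself as the target, and the CreateUser that then succeeds. The following is an added example (not part of the original lab) of detection logic for that sequence, run over constructed CloudTrail records. The records, the account id 111122223333, the event IDs and the function names detect_privilege_escalation and denied_then_allowed are all constructed for this example and are not real lab output.

```python
# Added example (not part of the original lab): detection logic for the
# self-escalation seen in the walkthrough, run over CloudTrail records.
# The records below are constructed for this example (account id and
# event IDs are placeholders); they are not real lab output.
import json

# IAM API calls that grant a principal additional permissions.
PRIVILEGE_GRANT_EVENTS = {
    "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup",
    "AttachRolePolicy", "PutRolePolicy",
}

# Managed policies that amount to full control of the account.
ADMIN_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}

# Constructed CloudTrail records, one JSON object per line, following the
# sequence in the lab: a denied CreateUser, the self-attach of
# AdministratorAccess, an unrelated legitimate attach by an admin, and the
# CreateUser that now succeeds.
SAMPLE_TRAIL = """
{"eventID": "evt-0001", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "userIdentity": {"type": "IAMUser", "userName": "student", "arn": "arn:aws:iam::111122223333:user/student"}, "requestParameters": {"userName": "Bob"}, "errorCode": "AccessDenied"}
{"eventID": "evt-0002", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "userIdentity": {"type": "IAMUser", "userName": "student", "arn": "arn:aws:iam::111122223333:user/student"}, "requestParameters": {"userName": "student", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventID": "evt-0003", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "userIdentity": {"type": "IAMUser", "userName": "iam-admin", "arn": "arn:aws:iam::111122223333:user/iam-admin"}, "requestParameters": {"userName": "Alice", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}}
{"eventID": "evt-0004", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "userIdentity": {"type": "IAMUser", "userName": "student", "arn": "arn:aws:iam::111122223333:user/student"}, "requestParameters": {"userName": "Bob"}}
"""


def load_records(ndjson_text):
    """Parse newline-delimited JSON into a list of CloudTrail records."""
    return [json.loads(line) for line in ndjson_text.strip().splitlines() if line.strip()]


def detect_privilege_escalation(records):
    """Flag successful IAM grant events where the caller grants a policy to
    itself or attaches an admin-equivalent managed policy."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in PRIVILEGE_GRANT_EVENTS:
            continue
        if rec.get("errorCode"):
            continue  # a denied call changed nothing
        actor = rec.get("userIdentity", {}).get("userName")
        params = rec.get("requestParameters") or {}
        target = params.get("userName")
        policy_arn = params.get("policyArn")
        reasons = []
        if actor and target and actor == target:
            reasons.append("principal granted a policy to itself")
        if policy_arn in ADMIN_POLICY_ARNS:
            reasons.append("admin-equivalent policy attached: " + policy_arn)
        if reasons:
            alerts.append({"eventID": rec.get("eventID"), "event": rec["eventName"],
                           "actor": actor, "target": target, "reasons": reasons})
    return alerts


def denied_then_allowed(records):
    """Return (actor, eventName) pairs where the same principal was first
    denied an action and later succeeded at it: the lab's CreateUser pattern."""
    denied = set()
    hits = []
    for rec in records:
        key = (rec.get("userIdentity", {}).get("userName"), rec.get("eventName"))
        if rec.get("errorCode") == "AccessDenied":
            denied.add(key)
        elif key in denied:
            hits.append(key)
    return hits


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for alert in detect_privilege_escalation(recs):
        print("ALERT", alert)
    for actor, event in denied_then_allowed(recs):
        print(f"{actor} was denied {event} earlier in the trail and later succeeded")
```

Run against the sample trail, only the student's self-attach of AdministratorAccess raises an alert; the admin attaching ReadOnlyAccess to another user does not. The denied-then-allowed check is a cheap second signal: a principal that was refused an action and then succeeds at it shortly afterwards has usually changed its own permissions in between.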
Conclusion
In this article, we saw how an Overly Permissive Permission misconfiguration lets us attach an administrative policy to the current user and then create a new user with the help of the newly attached policy.
I hope you enjoyed this article. Happy learning!