RhinoSecurityLabs / pacu

The AWS exploitation framework, designed for testing the security of Amazon Web Services environments.
https://rhinosecuritylabs.com/aws/pacu-open-source-aws-exploitation-framework/
BSD 3-Clause "New" or "Revised" License

Feature/update cognito attack #406

Closed EduardSchwarzkopf closed 5 months ago

EduardSchwarzkopf commented 7 months ago

Summary

I've encountered an issue in the cognito__attack module of the Pacu framework — when attempting to exploit the vulnerable_cognito user pool, the script requests the familyName and givenName attributes repeatedly without progressing.

Upon running the cognito__attack, the module falls into a loop, asking for the name.familyName and name.givenName even after supplying the correct values. Additionally, it gives an error saying "Username should be an email," suggesting a deeper issue with how user attributes are handled.

It turns out the expected attribute keys should be family_name and given_name, not familyName and givenName.

Example code:

run cognito__attack --username vulnerablecognito@10minmail.de --email vulnerablecognito@10minmail.de --user_pool_clients 52077oo7e3h4fmklumdt4gn0ou@us-east-1_GUKqIkgg2
  Running module cognito__attack...
[cognito__attack] Attempting to sign up user in user pool client 52077oo7e3h4fmklumdt4gn0ou in region us-east-1 . . . 
[]
vulnerablecognito@10minmail.de
User attributes specified.
An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: name.givenName: The attribute name.givenName is required, name.familyName: The attribute name.familyName is required
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: name.givenName: The attribute name.givenName is required, name.familyName: The attribute name.familyName is required
Please enter the name of the invalid parameter: name.familyName
Please enter the value of the invalid parameter: Doe
[{'Name': 'email', 'Value': 'vulnerablecognito@10minmail.de'}]
vulnerablecognito@10minmail.de
User attributes specified.
An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Please enter the name of the invalid parameter: name.givenName
Please enter the value of the invalid parameter: John
[{'Name': 'email', 'Value': 'vulnerablecognito@10minmail.de'}, {'Name': 'email', 'Value': 'vulnerablecognito@10minmail.de'}]
vulnerablecognito@10minmail.de
User attributes specified.
An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Please enter the name of the invalid parameter: username

Changes

Additional Notes

I have not seen any test that I could provide so I didn't. All of my manual testing was OK, but this needs to be tested by somebody else as well.

davidkutz-marks commented 6 months ago

Thanks for the PR, Eduard! It is indeed clear that some change outside the Cognito main.py, whether in Pacu itself, Pacu dependencies, Cloudgoat, AWS code, or boto3, has resulted in duplicative "email" attributes when attempting to specify a username after beginning with "email" instead. I will work on fixing that now.

As far as your PR, I am running into the following error when beginning with "username" for vulnerable_cognito. The error does not occur in the Rhino master branch, where everything works fine. Here's the error. Could you take a look? In the meantime I will fix the "email" duplication/username issue.

Error:

My input:

run cognito__attack --username REDACTED+92@gmail.com --identity_pools us-east-1:REDACTED --user_pool_clients REDACTED@us-east-1_REDACTED

Your PR tree's response:

eu-south-2 us-east-1
Continue? (y/n) y
[cognito__attack] Attempting unauthenticated retrieval of identity Id credentials
[cognito__attack] NotAuthorizedException
[cognito__attack] Skipping identity pool enumeration...
[cognito__attack] Attempting to sign up user in user pool client REDACTED in region us-east-1 . . .
[]
False
User attributes specified.
Error signing up user REDACTED+92@gmail.com: Parameter validation failed: Invalid type for parameter UserAttributes[0].Value, value: False, type: <class 'bool'>, valid types: <class 'str'>
List all custom attributes for all users in all user pools (y/n)?
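The two transcripts above show three distinct defects in how the `UserAttributes` list for Cognito `SignUp` is assembled: the schema error names attributes as `name.familyName`/`name.givenName` while `SignUp` expects `family_name`/`given_name`, the `email` entry gets appended again on every retry, and a non-string value (`False`) reaches the SDK and fails parameter validation. The following is an added illustration, not Pacu's own code: a small helper that extracts the attribute names from the schema error text, maps them to the expected keys (the mapping is taken from the PR description; any other names are passed through unchanged), builds a de-duplicated attribute list, and checks it the way botocore's parameter validation would before any API call is made. No AWS call is performed; the error message is a constructed copy of the one in the first transcript.

```python
import re

# Regex for the "The attribute X is required" fragments in Cognito's
# InvalidParameterException schema message (as seen in the PR transcript).
REQUIRED_ATTR_RE = re.compile(r"The attribute (\S+) is required")

# Schema error key -> SignUp attribute name. Only the two pairs reported in the
# PR are known; anything else is passed through unchanged (assumption).
SCHEMA_NAME_MAP = {
    "name.familyName": "family_name",
    "name.givenName": "given_name",
}

# Constructed copy of the error text from the first transcript.
SAMPLE_ERROR = (
    "An error occurred (InvalidParameterException) when calling the SignUp "
    "operation: Attributes did not conform to the schema: name.givenName: The "
    "attribute name.givenName is required, name.familyName: The attribute "
    "name.familyName is required"
)


def missing_attributes(error_message):
    """Return the SignUp attribute names a schema error says are missing,
    in the order Cognito listed them."""
    found = REQUIRED_ATTR_RE.findall(error_message)
    return [SCHEMA_NAME_MAP.get(name, name) for name in found]


def build_user_attributes(pairs):
    """Build a UserAttributes list with exactly one entry per attribute name.

    Re-supplying a name (e.g. 'email' on a retry) replaces the earlier value
    instead of appending a second entry. Non-string values are rejected here
    rather than at the SDK boundary."""
    merged = {}
    for name, value in pairs:
        if not isinstance(value, str):
            raise TypeError(
                f"attribute {name!r} must be a str, got {type(value).__name__}"
            )
        merged[name] = value
    return [{"Name": n, "Value": v} for n, v in merged.items()]


def validate_user_attributes(user_attributes):
    """Mimic the checks that fail in the transcripts: every Value must be a
    str and no Name may appear twice. Returns a list of problem strings
    (empty means the list is acceptable)."""
    problems = []
    seen = set()
    for i, attr in enumerate(user_attributes):
        value = attr.get("Value")
        if not isinstance(value, str):
            problems.append(
                f"Invalid type for parameter UserAttributes[{i}].Value, "
                f"value: {value!r}, type: {type(value)}, valid types: {str}"
            )
        name = attr.get("Name")
        if name in seen:
            problems.append(f"duplicate attribute {name!r} at index {i}")
        seen.add(name)
    return problems


if __name__ == "__main__":
    print("missing:", missing_attributes(SAMPLE_ERROR))
    attrs = build_user_attributes([
        ("email", "user@example.invalid"),   # first attempt
        ("family_name", "Doe"),
        ("email", "user@example.invalid"),   # retry: must not duplicate
        ("given_name", "John"),
    ])
    print("attributes:", attrs)
    print("problems:", validate_user_attributes(attrs))
    # What the second transcript sent: a bool where a str is required.
    print("problems:", validate_user_attributes([{"Name": "email", "Value": False}]))
```

Running `build_user_attributes` on every retry, instead of appending to the previous list, is what prevents the growing `[{'Name': 'email', ...}, {'Name': 'email', ...}]` seen in the first transcript; `validate_user_attributes` reproduces the `Invalid type for parameter UserAttributes[0].Value` failure from the second transcript locally, before any request is built.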

EduardSchwarzkopf commented 6 months ago

@davidkutz-marks I've updated the code. The duplication of the email attribute is also fixed with this. I've also reverted my changes to the master branch and simplified the code since the correct attributes are now presented to the user.

I've encountered another issue when you don't specify a username in the run command, but later in the input. I will create an issue for this sometime later in a PR.

EDIT: issue - https://github.com/RhinoSecurityLabs/pacu/issues/412