RhinoSecurityLabs / pacu

The AWS exploitation framework, designed for testing the security of Amazon Web Services environments.
https://rhinosecuritylabs.com/aws/pacu-open-source-aws-exploitation-framework/
BSD 3-Clause "New" or "Revised" License

Issue 412 username overwrite #413

Closed EduardSchwarzkopf closed 3 months ago

EduardSchwarzkopf commented 5 months ago

This should cover the issue #412

davidkutz-marks commented 4 months ago

Thanks again Eduard! Code looks good at a glance (only noticed that "response" is misspelled "resposne" on 409, 417 and 442), but there still seems to be some variation on the original username overwriting. Here's the error I get during testing, along with the stack trace pointing back to 442 (aws.authenticate_user()). Note that the error occurs for me whether I set the email value to the same as the username value or leave it blank. Tomorrow I'll make sure my identity pool and other details are the same as before to ensure the error isn't on my end. Just wanted to reach out after finally getting to this PR!

Pacu (052024:No Keys Set) > import_keys default
  Imported keys as "imported-default"
Pacu (052024:imported-default) > run cognito__attack --username randomuser --email [redacted] --identity_pools us-east-1:[redacted] --user_pool_clients [redacted]@us-east-1_[redacted]
  Running module cognito__attack...
Automatically targeting regions:
  ap-northeast-1
  eu-central-1
  eu-north-1
  eu-south-1
  me-south-1
  sa-east-1
  us-east-2
  us-gov-east-1
  us-gov-west-1
  us-west-1
  ap-east-1
  ap-northeast-2
  ap-northeast-3
  ap-south-1
  ap-southeast-1
  ap-southeast-3
  cn-north-1
  eu-west-1
  eu-west-3
  il-central-1
  af-south-1
  ap-south-2
  ap-southeast-2
  ca-central-1
  ca-west-1
  cn-northwest-1
  eu-central-2
  eu-west-2
  me-central-1
  us-west-2
  ap-southeast-4
  eu-south-2
  us-east-1
Continue? (y/n) y
[cognito__attack] Attempting unauthenticated retrieval of identity Id credentials
[cognito__attack]   NotAuthorizedException
[cognito__attack]   Skipping identity pool enumeration...
[cognito__attack] Attempting to sign up user in user pool client [redacted] in region us-east-1 . . .
An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Please enter the name of the invalid parameter: Username
Please enter the value of the invalid parameter: [redacted]+9999999@gmail.com
An error occurred (InvalidParameterException) when calling the SignUp operation: User email should be empty or same as username, since username attribute is email.
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: User email should be empty or same as username, since username attribute is email.
Please enter the name of the invalid parameter: email
Please enter the value of the invalid parameter:
An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: given_name: The attribute is required family_name: The attribute is required
Enter value for given_name: tester
An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: family_name: The attribute is required
Enter value for family_name: mester
Successfully signed up user [redacted]+9999999@gmail.com.
Enter verification code for user [redacted]+9999999@gmail.com in user pool client [redacted]: 858651
Successfully verified user [redacted]+9999999@gmail.com

[2024-05-07 18:17:57] Pacu encountered an error while running the previous command. Check [redacted]/052024/error_log.txt for technical details. [LOG LEVEL: MINIMAL]

<class 'botocore.errorfactory.NotAuthorizedException'>: An error occurred (NotAuthorizedException) when calling the RespondToAuthChallenge operation: Incorrect username or password.

  File "[redacted]/052024/pacu/pacu/modules/cognito__attack/main.py", line 442, in main
    tokens = aws.authenticate_user()
             ^^^^^^^^^^^^^^^^^^^^^^^
  File "[redacted]/site-packages/pycognito/aws_srp.py", line 278, in authenticate_user
    tokens = boto_client.respond_to_auth_challenge(
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "[redacted]/site-packages/botocore/client.py", line 535, in _api_call
    return self._make_api_call(operation_name, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "[redacted]/site-packages/botocore/client.py", line 980, in _make_api_call
    raise error_class(parsed_response, operation_name)
<class 'botocore.errorfactory.NotAuthorizedException'>: An error occurred (NotAuthorizedException) when calling the RespondToAuthChallenge operation: Incorrect username or password.

EduardSchwarzkopf commented 4 months ago

I encountered a little issue where the user was already registered but not confirmed yet. I've added the exception handling, so you can get a new token if you want to retry with the same user. As for your provided exception, I could not recreate it. When I run a command similar to yours with the cloudgoat scenario vulnerable_cognito, everything works fine on my end:

> import_keys default
  Imported keys as "imported-default"
Pacu (test:imported-default) > run cognito__attack --username random --email trash@mail.com  --identity_pools us-east-1:[redacted] --user_pool_clients [redacted]@us-east-1_[redacted]
  Running module cognito__attack...
Automatically targeting regions:
  ap-northeast-1
  eu-central-1
  eu-north-1
  eu-south-1
  me-south-1
  sa-east-1
  us-east-2
  us-gov-east-1
  us-gov-west-1
  us-west-1
  ap-east-1
  ap-northeast-2
  ap-northeast-3
  ap-south-1
  ap-southeast-1
  ap-southeast-3
  cn-north-1
  eu-west-1
  eu-west-3
  il-central-1
  af-south-1
  ap-south-2
  ap-southeast-2
  ca-central-1
  ca-west-1
  cn-northwest-1
  eu-central-2
  eu-west-2
  me-central-1
  us-west-2
  ap-southeast-4
  eu-south-2
  us-east-1
Continue? (y/n) y
[cognito__attack] Attempting unauthenticated retrieval of identity Id credentials
[cognito__attack]   NotAuthorizedException
[cognito__attack]   Skipping identity pool enumeration...
[cognito__attack] Attempting to sign up user in user pool client [redacted] in region us-east-1 . . . 
An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: Username should be an email.
Please enter the name of the invalid parameter: username
Please enter the value of the invalid parameter: trash@mail.com
An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: name.givenName: The attribute name.givenName is required, name.familyName: The attribute name.familyName is required
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: name.givenName: The attribute name.givenName is required, name.familyName: The attribute name.familyName is required
Please enter the name of the invalid parameter: given_name
Please enter the value of the invalid parameter: test
An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: name.familyName: The attribute name.familyName is required
Invalid parameter: An error occurred (InvalidParameterException) when calling the SignUp operation: Attributes did not conform to the schema: name.familyName: The attribute name.familyName is required
Please enter the name of the invalid parameter: family_name
Please enter the value of the invalid parameter: test
Successfully signed up user trash@mail.com.
Enter verification code for user trash@mail.com in user pool client [redacted]: 286306
Successfully verified user trash@mail.com
[cognito__attack] You're signed in as trash@mail.com!
[cognito__attack] Your access token is: [redacted]
[cognito__attack] Your ID token is: [redacted]
[cognito__attack] Your refresh token is: [redacted]
[cognito__attack] Your token type is: Bearer
Attempting authenticated retrieval of identity Id
Identity ID: {'IdentityId': 'us-east-1:[redacted]', 'ResponseMetadata': {'RequestId': 'c3e787c1-e195-47dc-98a3-d54caabe3375', 'HTTPStatusCode': 200, 'HTTPHeaders': {'date': 'Thu, 09 May 2024 12:20:16 GMT', 'content-type': 'application/x-amz-json-1.1', 'content-length': '63', 'connection': 'keep-alive', 'x-amzn-requestid': 'c3e787c1-e195-47dc-98a3-d54caabe3375', 'strict-transport-security': 'max-age=31536000; includeSubDomains'}, 'RetryAttempts': 0}}
Attempting authenticated retrieval of temporary credentials
Access Key ID found.
[redacted]
Secret Key found.
[redacted]
Session Token found.
[redacted]
Expiration found.
2024-05-09 15:20:16+02:00
[cognito__attack] Temporary credentials retrieved!
[cognito__attack] {
  "Region": "us-east-1",
  "IdentityPoolId": "us-east-1:[redacted]",
  "AccessKeyId": "[redacted]",
  "SecretKey": "[redacted]",
  "SessionToken": "[redacted]",
  "Expiration": "2024-05-09 15:20:16+02:00"
}
Custom attribute(s) found! Changing these may lead to privilege escalation.
Changing basic attributes such as email may lead to account takeover if they are used to identify users. 
Printing all current attributes: 
[{'Name': 'email', 'Value': 'trash@mail.com'}, {'Name': 'email_verified', 'Value': 'true'}, {'Name': 'family_name', 'Value': 'test'}, {'Name': 'given_name', 'Value': 'test'}, {'Name': 'custom:access', 'Value': 'reader'}, {'Name': 'sub', 'Value': '14e87468-70d1-70ac-e432-767ab21506ac'}]

davidkutz-marks commented 3 months ago

Running into what is probably a list/dictionary mixup now, maybe caused by the BaseClient addition you just made:

Enter verification code for user davidkutzmarks+lmao@gmail.com in user pool client 3lotnnp48p5t6ikj8r97lnb0dt: 010749
Successfully verified user davidkutzmarks+lmao@gmail.com

[2024-05-24 16:49:55] Pacu encountered an error while running the previous command. Check /root/.local/share/pacu/05242024/error_log.txt for technical details. [LOG LEVEL: MINIMAL]

<class 'TypeError'>: list indices must be integers or slices, not str

Traceback (most recent call last):
  File "/home/david/rhino/newestpacu/pacu-issue-412-username-overwrite/pacu/main.py", line 1826, in run_gui
    self.idle()
  File "/home/david/rhino/newestpacu/pacu-issue-412-username-overwrite/pacu/main.py", line 1683, in idle
    self.idle()
  File "/home/david/rhino/newestpacu/pacu-issue-412-username-overwrite/pacu/main.py", line 1683, in idle
    self.idle()
  File "/home/david/rhino/newestpacu/pacu-issue-412-username-overwrite/pacu/main.py", line 1681, in idle
    self.parse_command(command)
  File "/home/david/rhino/newestpacu/pacu-issue-412-username-overwrite/pacu/main.py", line 600, in parse_command
    self.parse_exec_module_command(command)
  File "/home/david/rhino/newestpacu/pacu-issue-412-username-overwrite/pacu/main.py", line 786, in parse_exec_module_command
    self.exec_module(command)
  File "/home/david/rhino/newestpacu/pacu-issue-412-username-overwrite/pacu/main.py", line 1003, in exec_module
    summary_data = module.main(command[2:], self)
  File "/home/david/rhino/newestpacu/pacu-issue-412-username-overwrite/pacu/modules/cognito__attack/main.py", line 636, in main
    if tokens["ChallengeName"] == "MFA_SETUP":
<class 'TypeError'>: list indices must be integers or slices, not str

EduardSchwarzkopf commented 3 months ago

Will take a look

EduardSchwarzkopf commented 3 months ago

Alright, the problem was that the tokens were missing after a failed authentication attempt. I've added my function for this now and added an abort statement if the authentication fails. This can be because the user aborted the process or the function encountered any other issue. I've also added the ability to resend the verification token if needed.
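
Added example (not Pacu's code and not part of this PR) that isolates the two fixes discussed in this thread: a SignUp retry loop for a user pool whose username attribute is email, and a shape check on the authentication result before `ChallengeName` is read. The Cognito client here is a constructed stand-in (`FakeCognitoIdp`, `CognitoClientError`) that replays the error messages quoted in the transcripts above; a real boto3 `cognito-idp` client additionally needs `ClientId` (and `SecretHash` for confidential app clients) on `sign_up` and `resend_confirmation_code`. The `name.givenName` to `given_name` mapping is inferred from the second transcript, not taken from AWS documentation.

```python
import re
from typing import Callable, Dict, List, Optional


class CognitoClientError(Exception):
    """Stand-in for botocore.exceptions.ClientError (same response["Error"] layout; assumed here)."""

    def __init__(self, code: str, message: str, operation: str) -> None:
        super().__init__(f"An error occurred ({code}) when calling the {operation} operation: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


# Cognito reports some schema attributes in dotted form; map them back to the names SignUp
# accepts (inferred from the thread: name.givenName -> given_name, name.familyName -> family_name).
SCHEMA_NAME_MAP = {"name.givenName": "given_name", "name.familyName": "family_name"}


def required_attributes(message: str) -> List[str]:
    """Required attribute names from an 'Attributes did not conform to the schema' message."""
    if "did not conform to the schema" not in message:
        return []
    names: List[str] = []
    for raw in re.findall(r"([\w.:]+): The attribute", message):
        name = SCHEMA_NAME_MAP.get(raw, raw)
        if name not in names:
            names.append(name)
    return names


def sign_up_with_retries(client, username: str, password: str, email: Optional[str],
                         prompt: Callable[[str], str], max_attempts: int = 8) -> Dict:
    """Retry SignUp, adjusting parameters as the module does interactively: username must
    be an email -> reuse the email; email must match username -> drop it; schema error ->
    ask for each missing attribute; already registered -> resend the confirmation code."""
    attrs: Dict[str, str] = {"email": email} if email else {}
    for _ in range(max_attempts):
        try:
            client.sign_up(Username=username, Password=password,
                           UserAttributes=[{"Name": k, "Value": v} for k, v in attrs.items()])
            return {"Username": username, "UserAttributes": attrs, "Resent": False}
        except CognitoClientError as exc:
            code, msg = exc.response["Error"]["Code"], exc.response["Error"]["Message"]
            if code == "UsernameExistsException":
                client.resend_confirmation_code(Username=username)
                return {"Username": username, "UserAttributes": attrs, "Resent": True}
            if code != "InvalidParameterException":
                raise
            if "Username should be an email" in msg:
                username = email or prompt("username")
            elif "User email should be empty or same as username" in msg:
                attrs.pop("email", None)
            elif missing := required_attributes(msg):
                for name in missing:
                    attrs[name] = prompt(name)
            else:
                raise
    raise RuntimeError(f"SignUp still failing after {max_attempts} attempts")


def challenge_name(tokens) -> Optional[str]:
    """Check the shape first: a failed login leaves no dict (the list behind the TypeError above)."""
    return tokens.get("ChallengeName") if isinstance(tokens, dict) else None


def authenticate_or_abort(authenticate: Callable[[], Dict]) -> Optional[Dict]:
    """Run the SRP login callable; None on a failed or user-aborted attempt so the caller stops."""
    try:
        tokens = authenticate()
    except (CognitoClientError, KeyboardInterrupt):
        return None
    return tokens if isinstance(tokens, dict) else None


class FakeCognitoIdp:
    """Constructed pool: username attribute is email, given_name and family_name are required."""
    EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

    def __init__(self) -> None:
        self.users: Dict[str, Dict[str, str]] = {}
        self.resent: List[str] = []

    def sign_up(self, Username: str, Password: str, UserAttributes: List[Dict]) -> Dict:
        attrs = {a["Name"]: a["Value"] for a in UserAttributes}
        if not self.EMAIL.match(Username):
            raise CognitoClientError("InvalidParameterException", "Username should be an email.", "SignUp")
        if attrs.get("email") not in (None, Username):
            raise CognitoClientError("InvalidParameterException", "User email should be empty or same as username, since username attribute is email.", "SignUp")
        missing = [a for a in ("given_name", "family_name") if a not in attrs]
        if missing:
            detail = " ".join(f"{a}: The attribute is required" for a in missing)
            raise CognitoClientError("InvalidParameterException", f"Attributes did not conform to the schema: {detail}", "SignUp")
        if Username in self.users:
            raise CognitoClientError("UsernameExistsException", "User already exists", "SignUp")
        self.users[Username] = attrs
        return {"UserConfirmed": False}

    def resend_confirmation_code(self, Username: str) -> None:
        self.resent.append(Username)
```

Calling `sign_up_with_retries(FakeCognitoIdp(), "randomuser", "Str0ng-Passw0rd!", "tester@example.com", lambda name: answers[name])` with `answers = {"given_name": "tester", "family_name": "mester"}` walks the same path as the transcripts: the username is rejected, the email address is reused as the username, then the two missing schema attributes are supplied. A second call for the same address hits `UsernameExistsException` and resends the confirmation code instead of failing, and `challenge_name([])` returns `None` where the old code raised the TypeError.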

DaveYesland commented 3 months ago

I was able to run through this with no errors, will merge this. @davidkutz-marks if you want to double check, that would be great. @EduardSchwarzkopf thanks for the fixes and work on this!