Closed Techbrunch closed 2 years ago
Rackme
commented
3 years ago @Techbrunch try v1.1.1-dev branch, I had no trouble so far for privesc audit.
Is it because no role can be exploited to get administrator access ?
Role have Trust Relationship policy, can you share more details about this Role ?
ncc-erik-steringer
commented
3 years ago There are a couple questions here, I'll tackle the first one in this comment:
It looks like your IAM Users user1 and user2 are already admins by virtue of assigning them IAMFullAccess. With that managed policy, they can simply grant themselves access to whatever they want to call by assigning themselves more inline policies or attaching the AdministratorAccess policy to themselves. PMapper likely saw this and designated them as admins. I believe that if you run the privesc query without the -s flag, it'll report all of your users/roles.
I think you've found a bug in analysis, because for some reason it's explaining how those users to get to other admin users (i.e. each other) rather than saying "hey these are already admins".
ncc-erik-steringer
commented
3 years ago Regarding:
I just realized that PMapper does not report some privesc reported by ScoutSuite. For example in the same account there is a user with a policy allowing iam:PassRole for all resources but it is not listed by PMapper.
Is it because no role can be exploited to get administrator access ?
ScoutSuite will report IAM Policies with that use the unsafe pattern "iam:PassRole for resource *" which might yield a privesc vulnerability. PMapper goes and actually simulates the different authorization checks to confirm that some user could pass some role and gain access to that role + it's permissions. PMapper answers the question "If I assign broad passrole access to this user, what can it actually go and access?".
ncc-erik-steringer
commented
3 years ago Just released v1.1.1 with a fix for this, pushed it to the master branch and dropped it onto PyPI.
Techbrunch
commented
3 years ago @ncc-erik-steringer
It looks like your IAM Users user1 and user2 are already admins by virtue of assigning them IAMFullAccess. With that managed policy, they can simply grant themselves access to whatever they want to call by assigning themselves more inline policies or attaching the AdministratorAccess policy to themselves. PMapper likely saw this and designated them as admins. I believe that if you run the privesc query without the -s flag, it'll report all of your users/roles.
Is there a list of what is considered an admin "by virtue" ? I think it makes sense that AdministratorAccess is considered admin by virtue but I think it can be argued that IAMFullAccess should be considered a privesc since it requires multiple steps to get AdministratorAccess. That's why I was expecting something like this:
* user/user1 can escalate privileges by using the policy `IAMFullAccess`
* user/user2 can escalate privileges by using the policy `IAMFullAccess`For PMapper, an admin is anyone that can modify their own IAM Policies (being able to attach AdministratorAccess to themselves or adding an inline policy to themselves). In other words, admins are users/roles that can call any action for any resource either directly or by modifying their own permissions. Here's the current code that does that check: https://github.com/nccgroup/PMapper/blob/f047d19bf6eb9444180d109c77d1d215edfc4410/principalmapper/graphing/gathering.py#L668
The hard part here is intent. I could see someone setting up their account by having a dedicated "make other users/roles" administrative IAM User and assigning it IAMFullAccess. Could that user be abused by granting itself extra permissions? Sure, as it could do by creating other users/roles and attaching policies to them, but that's also the point of that user is to be a high-level principal. Then again, someone might toss IAMFullAccess onto a user because they needed to pass a role to an EC2 instance.
The best option, in my opinion, is to mark these principals as admins. Users of PMapper can run the privesc query or use visualize and those admins will get highlighted for the users to inspect and handle according to their intents.
All that aside, there's room for improvement here. Something I've been mulling for v1.2.X is either adding an attribute or modifying is_admin for Node objects that states a reason why a given user/role is an admin.
ncc-erik-steringer
commented
2 years ago In v1.1.5, we added the wrongadmin query that I think covers the gap here. This preset query identifies principals that have admin permissions, but don't have the AdministratorAccess (or equiv. inline policy) attached. I'm closing this issue as a result.
Describe the bug
Running the query with
preset privesc *doesn't return anything.Running analysis does return something:
The analysis is a bit confusing.
Note:
user1anduser2have the policyIAMFullAccessTargetAdminRoleandtarget-adminhave theAdministratorAccesspolicy (note that they also both list a trusted entity)Expected behavior
I'm probably missing something but I expected to see something like this:
Should both role be mentionned since using the
AdministratorAccesspolicy is not really a privilege escalation ?EDIT:
I just realized that PMapper does not report some privesc reported by ScoutSuite. For example in the same account there is a user with a policy allowing
iam:PassRolefor all resources but it is not listed by PMapper.Is it because no role can be exploited to get administrator access ?
Thanks for the awesome tool.