Closed sethsec closed 3 years ago
Thank you for the report! Just a couple follow-up questions:
- `v1.1.3-dev` branch code, can you try it out and see if the issue persists?
- `graph create` subcommand, are you including the region the Lambda function is in (`--include-regions`/`--exclude-regions` args)?
Additional context, here's the source code that is supposed to detect this type of Edge: https://github.com/nccgroup/PMapper/blob/v1.1.3-dev/principalmapper/graphing/lambda_edges.py#L139-L176
Found the issue, applied a fix in 05504a756a0b444023112c529f012c1e5d5ba4a8 and verified it worked on my machine. This has affected all v1.1.X up until this point. Please try the latest release (`master` branch of the repo or v1.1.3 from PyPI) and verify that it is working for you as well.
Confirmed on my end. Nice work!
Brief Description
I can't get pmapper to trigger on EditExistingLambdaFunctionWithRole even though I have verified the exploit path manually (simulator results pasted below). For additional context, PassExistingRoleToNewLambdaThenInvoke and PassRoleToNewLambdaThenTriggerWithNewDynamo are both detected correctly! Side note: Pmapper is awesome! I love the recent improvements and the new detections!
IAM Action, Resource, and Condition Being Authorized & IAM Policies Attached to Principal
Here's the IAM policy attached to my caller principal:
This policy is attached to the role arn:aws:iam::[ACCOUNT]:role/privesc17-EditExistingLambdaFunctionWithRole-role.
There is one lambda in the account, and that lambda has a high privileged role attached to it:
Lambda:
Here is the policy attached to "Role": "arn:aws:iam::[ACCOUNT]:role/privesc-high-priv-lambda-role2"
Expected Behavior
This should be detected as a privesc, but it is not detected.
AWS IAM Policy Simulation Result
Simulator confirms it is allowed
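The edge the issue is about is reachable when a caller may update the code of an existing function that runs under a more privileged role. The following is an added example, not PMapper's code or the reporter's policy (which the issue omits): a minimal policy evaluator that flags that edge over constructed sample data. It assumes the relevant permission is `lambda:UpdateFunctionCode` and ignores policy conditions, which PMapper's real check also handles; the account id, function name and scoped policy are constructed placeholders.

```python
import fnmatch

# Constructed sample data (the issue's own policy JSON is not on the page).
CALLER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["lambda:UpdateFunctionCode", "lambda:InvokeFunction"],
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:*"}
    ],
}
# Hardened variant: same actions, but scoped to functions the caller owns.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["lambda:UpdateFunctionCode", "lambda:InvokeFunction"],
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:sandbox-*"}
    ],
}
FUNCTIONS = [
    {"FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:nightly-report",
     "Role": "arn:aws:iam::123456789012:role/privesc-high-priv-lambda-role2"},
]

def _matches(pattern, value):
    # IAM action and ARN wildcards ('*', '?') behave like shell globs; actions
    # are case-insensitive, so compare lower-cased.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants access. Condition blocks are deliberately not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(_matches(a, action) for a in actions) and any(_matches(r, resource) for r in resources):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def find_edit_existing_lambda_edges(policy, functions):
    """Return (function_arn, role_arn) pairs where the caller can replace the
    code of an existing function and thereby act as its execution role."""
    edges = []
    for func in functions:
        role = func.get("Role")
        if role and is_allowed(policy, "lambda:UpdateFunctionCode", func["FunctionArn"]):
            edges.append((func["FunctionArn"], role))
    return edges
```

Running it over the wildcard policy reports the nightly-report function and its role as an edge, while the scoped policy yields none, which is the review question a defender should ask of any principal holding `lambda:UpdateFunctionCode` on `function:*`.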