Closed sethsec-bf closed 2 years ago
Hi there,
This was a really good catch. Here's the function at fault: https://github.com/nccgroup/PMapper/blob/253dc54d8c58bfbd2bd18a78f84a2538514a47b0/principalmapper/graphing/gathering.py#L725
I'll add a parameter to let folks include SCPs, then it should return the correct data.
Okay, took a shot at fixing with https://github.com/nccgroup/PMapper/commit/e0a1912335b9592b6d2e4ed63f49fa2b5686b175 in v1.1.4-dev
, would you be cool with verifying?
v1.1.4 is out, closing.
Describe the bug Applied an SCP that denies things like
iam:PassRole
,iam:Attach*
,iam:Put*
,iam:Create*
. Pmapper removes all of my privesc paths that depend on passrole which is awesome and expected, but some of the attach/put/create paths still show up in theprivesc *
query. In fact, looking more closely, i think this but might be related to the disinction you make between "administrative users and the other action based privesc paths, as all of the false positives are "administrative user/principal"To Reproduce SCP in the
playground
main org account:This SCP is applied to(targets) the
dev
account.Within the dev account, there is one privesc user/role for each of the these 21 privesc paths: https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws
The results:
The good news is that lots of other privesc paths were removed correctly when the scp was applied, so i think these are just a fwe that fell through the cracks.
Just to confirm it was not a fat finger on my SCP:
Also, just to add more data, here's an example policy applied to
role/privesc12-PutRolePolicy
:The rest follow that same approach. Only the required permission, with a resource of *.
Expected behavior Based on the SCP above, I would expect each of these users shown is a false positive.