nccgroup / PMapper

A tool for quickly evaluating IAM permissions in AWS.
GNU Affero General Public License v3.0

SCP - Unexpected False Positives #94

Closed sethsec-bf closed 2 years ago

sethsec-bf commented 2 years ago

Describe the bug
Applied an SCP that denies things like iam:PassRole, iam:Attach*, iam:Put*, iam:Create*. PMapper removes all of my privesc paths that depend on PassRole, which is awesome and expected, but some of the attach/put/create paths still show up in the privesc * query. In fact, looking more closely, I think this bug might be related to the distinction you make between "administrative users" and the other action-based privesc paths, as all of the false positives are "administrative user/principal".

To Reproduce
SCP in the playground main org account:

{
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Action": [
        "iam:Create*",
        "iam:Update*",
        "iam:Put*",
        "iam:Attach*",
        "iam:PassRole"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

This SCP is applied to (targets) the dev account.

Within the dev account, there is one privesc user/role for each of these 21 privesc paths: https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws

The results:

└─$ pmapper query --scps 'preset privesc *'
user/privesc1-CreateNewPolicyVersion-user is an administrative principal
user/privesc10-PutUserPolicy-user is an administrative principal
user/privesc11-PutGroupPolicy-user is an administrative principal
user/privesc7-AttachUserPolicy-user is an administrative principal
user/privesc8-AttachGroupPolicy-user is an administrative principal
...non false positives omitted...
role/privesc1-CreateNewPolicyVersion-role is an administrative principal
role/privesc12-PutRolePolicy-role is an administrative principal
role/privesc9-AttachRolePolicy-role is an administrative principal

The good news is that lots of other privesc paths were removed correctly when the SCP was applied, so I think these are just a few that fell through the cracks.

Just to confirm it was not a fat finger on my SCP:

└─$ aws iam attach-user-policy --user-name seth --policy-arn arn:aws:iam::aws:policy/AmazonRedshiftDataFullAccess

An error occurred (AccessDenied) when calling the AttachUserPolicy operation: User: arn:aws:iam::ACCOUNTID:user/dev-admin is not authorized to perform: iam:AttachUserPolicy on resource: user seth with an explicit deny

Also, just to add more data, here's an example policy applied to role/privesc12-PutRolePolicy:

Version = "2012-10-17"
Statement = [
  {
    Action   = "iam:PutUserPolicy"
    Effect   = "Allow"
    Resource = "*"
  }
]

The rest follow that same approach. Only the required permission, with a resource of *.

Expected behavior
Based on the SCP above, I would expect each of the users shown to be a false positive.
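The mechanism behind these false positives, as an added example that is not PMapper's code and not part of the reporter's post: AWS evaluates an explicit Deny in an SCP before any identity-policy Allow, so an "is this principal administrative?" check that consults only identity policies will still flag a user whose single allowed action (iam:AttachUserPolicy, iam:PutRolePolicy, ...) is blocked organization-wide. The model below is a deliberately small stand-in for that check, not PMapper's real implementation. Assumptions not taken from the page: the evaluation order (explicit Deny anywhere wins, then both the SCP and the identity policy must Allow) is the documented single-account AWS logic; resources are reduced to "*" only; conditions, permission boundaries and resource policies are ignored; the SCP is assumed to carry the default FullAWSAccess Allow statement alongside the report's Deny; the principal names, the control principal "user/example-SetDefaultPolicyVersion-user" and the action list ADMIN_GRANTING_ACTIONS are constructed for the example.

```python
"""Minimal model of SCP vs. identity-policy evaluation (added example,
not PMapper code). Shows why an admin check that ignores SCPs reports
the principals listed in the issue."""
import fnmatch
from typing import Dict, List, Optional

# Constructed sample SCP: the report's Deny list plus the default
# FullAWSAccess Allow that every OU normally inherits (assumption).
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": ["iam:Create*", "iam:Update*", "iam:Put*",
                       "iam:Attach*", "iam:PassRole"],
            "Resource": "*",
        },
    ],
}


def _allow(action: str) -> List[Dict]:
    """One identity policy granting a single action on '*', as in the report."""
    return [{"Effect": "Allow", "Action": action, "Resource": "*"}]


# Constructed identity policies. The first four mirror principals named in
# the report; the last is a control case whose action the SCP does not deny.
PRINCIPALS = {
    "user/privesc1-CreateNewPolicyVersion-user": _allow("iam:CreatePolicyVersion"),
    "user/privesc7-AttachUserPolicy-user": _allow("iam:AttachUserPolicy"),
    "user/privesc10-PutUserPolicy-user": _allow("iam:PutUserPolicy"),
    "role/privesc12-PutRolePolicy-role": _allow("iam:PutRolePolicy"),
    "user/example-SetDefaultPolicyVersion-user": _allow("iam:SetDefaultPolicyVersion"),
}

# Constructed subset of actions that let a principal grant itself anything
# when allowed on '*'. Not the project's list.
ADMIN_GRANTING_ACTIONS = [
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
]


def _statement_matches(stmt: Dict, action: str) -> bool:
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    patterns = stmt["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def evaluate(action: str, identity: List[Dict], scp: Optional[Dict] = None) -> str:
    """Return 'allow' or 'deny' for `action` on resource '*'."""
    policies = [identity]
    if scp is not None:
        policies.append(scp["Statement"])
    # 1. An explicit Deny in any applicable policy always wins.
    for stmts in policies:
        if any(s["Effect"] == "Deny" and _statement_matches(s, action) for s in stmts):
            return "deny"
    # 2. Otherwise every policy type in play must contribute an Allow.
    for stmts in policies:
        if not any(s["Effect"] == "Allow" and _statement_matches(s, action) for s in stmts):
            return "deny"
    return "allow"


def can_self_grant_admin(identity: List[Dict], scp: Optional[Dict] = None) -> bool:
    """Simplified 'administrative principal' check: any admin-granting
    action is effectively allowed."""
    return any(evaluate(a, identity, scp) == "allow" for a in ADMIN_GRANTING_ACTIONS)


def find_false_positives(principals: Dict[str, List[Dict]], scp: Dict) -> List[str]:
    """Principals flagged admin when the SCP is ignored but not once it is applied."""
    return sorted(name for name, stmts in principals.items()
                  if can_self_grant_admin(stmts) and not can_self_grant_admin(stmts, scp))


if __name__ == "__main__":
    for name in find_false_positives(PRINCIPALS, SCP):
        print(f"{name}: admin without SCP, not admin with SCP (false positive)")
```

The control principal is flagged in both runs, because iam:SetDefaultPolicyVersion is not covered by any of the SCP's Deny patterns; that is the distinction between "fell through the cracks" and "correctly removed" that the report describes.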

ncc-erik-steringer commented 2 years ago

Hi there,

This was a really good catch. Here's the function at fault: https://github.com/nccgroup/PMapper/blob/253dc54d8c58bfbd2bd18a78f84a2538514a47b0/principalmapper/graphing/gathering.py#L725

I'll add a parameter to let folks include SCPs, then it should return the correct data.

ncc-erik-steringer commented 2 years ago

Okay, took a shot at fixing with https://github.com/nccgroup/PMapper/commit/e0a1912335b9592b6d2e4ed63f49fa2b5686b175 in v1.1.4-dev, would you be cool with verifying?

ncc-erik-steringer commented 2 years ago

Oops, also needed https://github.com/nccgroup/PMapper/commit/8bfe6ce6d10b44002ca02e6e071592be2aa9484f .

ncc-erik-steringer commented 2 years ago

v1.1.4 is out, closing.