optiv / InsecureShop

An Intentionally designed Vulnerable Android Application built in Kotlin.
https://www.insecureshopapp.com
MIT License

AWS Cognito Misconfiguration buckets #3

Closed erev0s closed 2 years ago

erev0s commented 2 years ago

The given identity pool can access two buckets, from which one of them has full control granted to all users. Was that bucket supposed to contain something? Based on the description here https://docs.insecureshopapp.com/insecureshop-challenges/aws-cognito-misconfiguration I thought that you probably had something different in mind (like give permission to write ACL but not read - and the user should first add the read permission to all users before seeing the files). Is that the case?

(Also thought that someone before could have overwritten this for example and deleted any file you had there.) In any case I don't know if the bucket is intentionally empty or not, hence this issue.

hax0rgb commented 2 years ago

Hi @erev0s

The bucket 84r4ppx76qhqj4bsgu8w is misconfigured and provides read access to all users. This is intentional. The bucket 84r4ppx76qhqj4bsgu8w contains a file called Congratulations.txt. But you are right, the bucket looks empty now. Looks like the file got deleted.

I don't plan to provide write access to the bucket. Only read access should be there. I'll also review the bucket settings now. Thanks for bringing this up.

hax0rgb commented 2 years ago

Hey @erev0s

I have re-uploaded the Congratulations.txt file. The bucket can only be used to list the objects and read files. You should not be able to write data to or delete data from the bucket.

erev0s commented 2 years ago

@0xgaurang thanks for the fast reply. Indeed, I can verify that the congratulations.txt is available now.

There are two buckets in total with these creds:

➜  InsecureShop git:(main) ✗ aws s3 ls
2020-08-16 17:28:46 84r4ppx76qhqj4bsgu8w
2020-11-15 18:31:10 elasticbeanstalk-us-west-2-094222047775

and on the second one the permission is set to full control. I uploaded the APK of the app there as a PoC.

Congrats on the nice app you made. Keep going

hax0rgb commented 2 years ago

Hi @erev0s

Thank you for pointing out that you were able to upload files in the elasticbeanstalk-us-west-2-094222047775 bucket. This is just a test bucket that I created for some research work. I have modified the permissions on this bucket and no one should be able to upload/delete files.

If the Cognito Pool ID has list bucket permissions for unauthenticated entities, then you should be able to view the names of all the buckets owned by that organization. At this point, you need to identify which bucket has insecure permissions set.

Hope this resolves your query.
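A defender-side check for the misconfiguration discussed in this thread, added here as an example and not code from the InsecureShop repository or either commenter: a small Python linter that inspects an IAM policy document of the kind attached to a Cognito unauthenticated role and reports Allow statements that grant S3 write, delete or ACL-changing actions, which is what the maintainer removed from both buckets. The two policy documents are constructed samples (only the bucket name is taken from the thread), and the IAM wildcard matching via fnmatch is an approximation of IAM's own evaluation, since Deny statements, conditions and bucket policies are not considered.

```python
import fnmatch

# Constructed sample: an unauthenticated-role policy that allows everything on
# every bucket. This is the weak setting, not a policy taken from the project.
OVERLY_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Constructed sample of the intended state: list and read one bucket only.
# Bucket name from the thread above; the policy itself is an assumption.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::84r4ppx76qhqj4bsgu8w"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::84r4ppx76qhqj4bsgu8w/*"},
    ],
}

# S3 actions that let an anonymous caller change objects, ACLs or policies.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                 "s3:PutBucketAcl", "s3:PutBucketPolicy")


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def find_write_grants(policy):
    """Return sorted (action, resource) pairs from Allow statements whose
    Action pattern covers a write/delete/ACL action. IAM action names are
    case-insensitive and may contain '*' and '?' wildcards, so each pattern
    is matched against the lower-cased action with fnmatchcase."""
    findings = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant; they are ignored here
        for pattern in _as_list(stmt.get("Action", [])):
            for action in WRITE_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    for resource in _as_list(stmt.get("Resource", [])):
                        findings.add((action, resource))
    return sorted(findings)


if __name__ == "__main__":
    for name, pol in (("permissive", OVERLY_PERMISSIVE_POLICY),
                      ("read-only", READ_ONLY_POLICY)):
        print(name, find_write_grants(pol))
```

Running the script with a role's real inline policy (for example the JSON returned by `aws iam get-role-policy`) would list exactly which statements still permit the upload that erev0s demonstrated.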