more details on Lambda

2024-02-25 14:21:35 +01:00 · 2024-02-25 14:21:35 +01:00 · 6982101821
parent 1293a6009b
commit 6982101821
1 changed files with 57 additions and 8 deletions
--- a/Enumeration/AWS.md
+++ b/Enumeration/AWS.md
@ -530,9 +530,10 @@ table of CIDRs or Managed Prefix Lists.

 An attacker may add VPC endpoints to exfiltrate data to S3 buckets under his control.

-List available endpoints via aws cli.
+List available vpcs, and endpoints via aws cli.

 ```sh
+aws ec2 describe-vpcs
 aws ec2 describe-vpc-endpoints
 ```

@ -813,7 +814,14 @@ aws s3 sync --no-sign-request s3://<bucket-name> .

 #### Check Permissions of a bucket

-Use a `PUT` method to see if the bucket may be writeable to upload a file via
+Check the Policy of the bucket via aws cli.
+
+```sh
+aws s3api get-bucket-policy --bucket <bucketname> --query Policy --output text | jq .
+```
+
+Or ghetto style, use a `PUT` method to see if the bucket may be writeable to
+upload a file via

 ```sh
 curl -vvv -X PUT $BUCKET_URL  --data "Test of write permissions"
@ -849,6 +857,12 @@ The ARN of a the function invoked is structured in the following way.
 arn:aws:lambda:<region>:<AccountId>:function:<functionName>
 ```

+List Lambda functions via aws cli.
+
+```sh
+aws lambda list-functions |  jq .
+```
+
 Execute a lambda function via aws cli.

 ```sh
@ -875,9 +889,9 @@ aws lambda get-function --function-name arn:aws:lambda:<region>:<AccountId>:func
 #### Lambda Buildup

 The executed code is frequently stored in a zip file inside an S3 bucket. A
-file name is set so the handler can execute it. The zip file is queried through
-the API before a functions execution is triggered. The zip file contains a file
-name which is called by the handler.
+file name is set so the handler can execute it, e.g. `function.py`.
+The zip file is queried through the API before a functions execution is
+triggered. The zip file contains a file name which is called by the handler.

 Events can be tested through the web console.

@ -903,7 +917,41 @@ usual.
 Lambda functions have 500MB of disk space inside the container's /tmp directory
 or can have an Elastic File System attached (EFS).

+Lambda has layers for code sharing. These layers can be found under `/opt`.

+Lambda functions can be queried through HTTP. The scheme of such a uniquely
+identified URL is like the following. The request has to be signed if
+authentication is required.
+
+```sh
+https://<urlId>.lambda-url.<region>.on.aws
+```
+
+#### Lambda Vulnerabilities
+
+Vulnerabilities include
+
+* Missing input validation on the event sent as user input to the Lambda function
+* Sensitive data written to stdout and stderr, which is then sent to CloudWatch
+* Permissive roles for function execution
+* Privilege escalation through access to environment variables `$AWS_ACCESS_KEY_ID`, `$AWS_SECRET_ACCESS_KEY` and `$AWS_SESSION_TOKEN` inside the Lambda container from function execution or from the webc console
+* Access to the unencrypted secrets inside environment variables through function execution inside the container
+* Use of `lambda:*` instead of `lambda:invokeFunction` as part of a resource policy
+* Use of `Principal: *` inside an IAM policy
+
+Check invocation policies of lambda functions via aws cli.
+
+```sh
+aws lambda get-policy --query Policy --output text --function-name arn:aws:lambda:<region>:<AccountId>:function:<functionName> | jq .
+```
+
+* Modifying Lambda layers through malicious code
+* Use the concurrency of Lambda functions as a DoS measurement
+* Get the function ZIP file through the URL or the following aws cli line to iinspect the code for sensitive data
+
+```sh
+aws lambda get-function --function-name arn:aws:lambda:<region>:<AccountId>:function:<functionName>
+```

 ### CloudFront

@ -1304,7 +1352,8 @@ aws route53 list-hosted-zones

 A subdomain can be useful for regular users and an attacker alike.

-Create a file named `create_record.json` containing certificate details from the aws acm desription.
+Create a file named `create_record.json` containing certificate details from
+the aws acm desription.

 ```json
 {
@ -1312,10 +1361,10 @@ Create a file named `create_record.json` containing certificate details from the
  "Changes": [
    {
      "Action": "CREATE",
-      "ResourceRecordSet": 
+      "ResourceRecordSet":
        {
          "Name": "<ResourceRecord/Name>",
-          "Type": "CNAME", 
+          "Type": "CNAME",
          "TTL": 300,
          "ResourceRecords": [
            {