
Title: Cloud host secret key (ak/sk) leak and utilization case


Preface

Cloud platforms, as a way of cutting infrastructure costs, have become an indispensable part of how most companies deploy their systems today. Because applications have to talk to many internal and external services and therefore handle large numbers of credentials and keys, one class of vulnerability comes up again and again during vulnerability mining: cloud host key leakage. A leaked key lets an attacker take over the permissions of the cloud server and view or delete internal sensitive information. This article covers how to discover a leaked secret key and what can be done with it once it has been obtained.

0x01 Vulnerability Overview

Before looking at how an obtained AK/SK is used, a word on what they are. Alibaba Cloud and Tencent Cloud hosts use the Access Key ID / Secret Access Key mechanism to verify the identity of the sender of a request. The Access Key ID (AK) identifies the user; the Secret Access Key (SK) is the key the user uses to encrypt the authentication string and the cloud vendor uses to verify it, so the SK must be kept confidential.

When the cloud platform receives a request, it looks up the SK corresponding to the presented AK, uses the same authentication mechanism to generate its own authentication string, and compares it with the one contained in the request. If the two strings match, the system treats the user as having the requested permissions and performs the operation; if they differ, the system rejects the operation and returns an error code.

The AK/SK principle is symmetric encryption and decryption: the same secret (the SK) is held by both the client and the cloud platform, and whoever holds it can produce a valid authentication string.
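The verification flow described above, as an added illustration rather than code from the original article or from any cloud vendor: the client computes an HMAC over a canonical form of the request with the SK, the platform recomputes it from the SK it stores for that AK, and the two are compared. The canonicalisation rules, the `AK <id>:<mac>` header format and the key values are all assumptions of this example (real vendors define their own); the point it demonstrates is that anyone who obtains the SK can sign brand-new requests the platform cannot distinguish from the owner's.

```python
import hashlib
import hmac

# Constructed demo credential pair (not a real cloud key).
ACCESS_KEY_ID = "LTAI4EXAMPLEKEYID123"
SECRET_ACCESS_KEY = "EXAMPLEsecretValue0123456789abcd"

# What the cloud side stores: AK -> SK. It is the same SK the client holds.
KEY_STORE = {ACCESS_KEY_ID: SECRET_ACCESS_KEY}


def canonical_string(method, path, headers, body):
    """String that the authentication string must cover.

    Simplified stand-in for a vendor's canonicalisation rules (assumption):
    method, path, sorted lower-cased headers, and a hash of the body.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    header_lines = "\n".join(
        f"{k.lower()}:{v.strip()}"
        for k, v in sorted(headers.items(), key=lambda kv: kv[0].lower())
    )
    return f"{method.upper()}\n{path}\n{header_lines}\n{body_hash}"


def sign_request(access_key_id, secret_access_key, method, path, headers, body):
    """Client side: the AK names the caller, the HMAC proves it knows the SK."""
    to_sign = canonical_string(method, path, headers, body).encode()
    mac = hmac.new(secret_access_key.encode(), to_sign, hashlib.sha256).hexdigest()
    return f"AK {access_key_id}:{mac}"


def verify_request(authorization, method, path, headers, body):
    """Server side: look up the SK for the presented AK, recompute, compare in constant time."""
    try:
        scheme, credential = authorization.split(" ", 1)
        access_key_id, presented = credential.split(":", 1)
    except ValueError:
        return False
    secret = KEY_STORE.get(access_key_id)
    if scheme != "AK" or secret is None:
        return False
    to_sign = canonical_string(method, path, headers, body).encode()
    expected = hmac.new(secret.encode(), to_sign, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the expected value through timing differences
    return hmac.compare_digest(expected, presented)


def demo():
    """Three requests: a legitimate one, a tampered copy, and one signed with a leaked SK."""
    headers = {"Host": "oss.example.invalid", "X-Date": "2024-01-01T00:00:00Z"}
    body = b'{"action":"ListObjects"}'
    auth = sign_request(ACCESS_KEY_ID, SECRET_ACCESS_KEY, "GET", "/bucket", headers, body)

    legit = verify_request(auth, "GET", "/bucket", headers, body)
    # The same authentication string reused over a different body is rejected.
    tampered = verify_request(auth, "GET", "/bucket", headers, b'{"action":"DeleteObject"}')
    # Whoever holds the SK (e.g. from a leaked heapdump or JS file) signs arbitrary
    # new requests that the platform accepts exactly as it would the owner's.
    forged = sign_request(ACCESS_KEY_ID, SECRET_ACCESS_KEY, "DELETE", "/bucket/secret.txt", headers, b"")
    leaked_sk = verify_request(forged, "DELETE", "/bucket/secret.txt", headers, b"")
    return {"legit": legit, "tampered": tampered, "leaked_sk": leaked_sk}


if __name__ == "__main__":
    print(demo())
```

Because the scheme is symmetric, the platform has no way to tell a request signed by the legitimate application from one signed by someone who copied the SK out of a configuration file; the only remedies after a leak are to disable the key and rotate it.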

0x02 Common scenarios for secret key leakage

From the description above it follows that if a cloud host's key is leaked, the cloud host can be controlled, so the impact is severe.

There are several common leak scenarios during vulnerability mining:

1. Debug pages or error pages that print debugging information.

2. GitHub keyword searches, FOFA and similar search engines.

3. Website configuration files.

4. Leaks in JS files.

5. Source code leaks; decompiled APKs and mini programs (applets) searched globally for key strings.

6. File upload and download function points, such as uploading pictures or documents.

7. HeapDump files.

0x03 Practical Examples

Case 1: AK/SK leak in a HeapDump file

A HeapDump file is a snapshot of the running memory of the JVM. It is normally used for performance analysis, but because it contains the contents of live objects and classes, a leaked heapdump is also an information leak.

1. Secret key leakage through the Spring Boot Actuator heapdump endpoint.

Scan tool: https://github.com/F6JO/RouteVulScan

Heapdump analysis tool: https://github.com/wyzxxz/heapdump_tool

When testing a website and finding an unauthenticated Spring Actuator, check whether the heapdump endpoint is exposed, download and decompress the file, and search its contents globally to find the leaked secret key.


2. Obtaining the key by brute-forcing file paths.

Sensitive files are sometimes exposed in the file storage location. For example, capture and analyse the request made when downloading a file from the cloud server; brute-forcing the file name at that point in the request can make the cloud server return a sensitive file containing the access key.


After obtaining the file address, download it and use the tool to extract its contents, which disclose the AK/SK.


Tool link: https://github.com/whwlsfb/JDumpSpider

Case 2: JS file leaks the secret key

Tool used: trufflehog


Visit a website and run the trufflehog browser plug-in against it; the Findings panel shows whether any key is leaked in the loaded scripts. (This also works for scripts that are loaded asynchronously.)


Case 3: Leaks at function points such as mini program uploads

Open a mini program and go to the avatar in the personal center.


Click on the avatar and capture the request:


The captured request shows the accessKeyId / accessKeySecret leak.

During a penetration test, pay extra attention to picture upload, file download and picture viewing functions; the AK/SK is often leaked there.

Case 4: AK/SK leak in configuration information

A common example is the configuration list in the Nacos console. Opening an example entry shows configuration information in which the AK/SK is leaked.

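The four cases above (heapdump strings, a JS bundle, an upload response, a Nacos configuration) all come down to the same check a defender should run over their own artifacts before they ship: look for key-shaped strings. Below is an added example of such a check, not code from the article or from trufflehog or any of the tools it links. It assumes the documented vendor prefixes (Alibaba Cloud AccessKey IDs begin with "LTAI", Tencent Cloud SecretIds with "AKID") plus a generic rule for assignments of the secret half; the sample JS, YAML and heapdump-like bytes are constructed, with placeholder key values.

```python
import re

# Heuristic rules. Vendor prefixes are documented key formats; the generic rule
# catches assignments of the secret half in any config or source syntax.
RULES = {
    "aliyun_access_key_id": re.compile(r"\bLTAI[A-Za-z0-9]{12,24}\b"),
    "tencent_secret_id": re.compile(r"\bAKID[A-Za-z0-9]{32}\b"),
    "secret_assignment": re.compile(
        r"(?:access[_-]?key[_-]?secret|secret[_-]?access[_-]?key|secret[_-]?key)"
        r"\s*[:=]\s*['\"]?([A-Za-z0-9/+=_-]{16,})",
        re.IGNORECASE,
    ),
}

# Runs of printable ASCII of at least 8 bytes, as the `strings` utility would extract.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")


def mask(value):
    """Never echo a full secret into a report: keep only a short prefix and suffix."""
    return (value[:4] + "..." + value[-2:]) if len(value) > 8 else "***"


def scan_text(source, text):
    """Return one finding per rule hit, with its line number and a masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append({"source": source, "line": lineno, "rule": rule, "preview": mask(value)})
    return findings


def scan_binary(source, data):
    """Heap dumps are binary: pull printable runs out first, then scan them.
    Line numbers then index the extracted strings, not file offsets."""
    strings = b"\n".join(PRINTABLE_RUN.findall(data)).decode("ascii")
    return scan_text(source, strings)


# Constructed samples with placeholder key values (not real credentials).
JS_BUNDLE = """\
const client = new OSS({
  region: "oss-cn-hangzhou",
  accessKeyId: "LTAI4EXAMPLEKEYID123",
  accessKeySecret: "EXAMPLEsecretValue0123456789abcd",
});
"""

NACOS_CONFIG = """\
cos:
  region: ap-guangzhou
  secret-id: AKIDabcdefghijklmnopqrstuvwxyz012345
  secret-key: EXAMPLE0123456789ABCDEFGHIJKLMNOP
"""

HEAPDUMP_BYTES = (
    b"JAVA PROFILE 1.0.2\x00\x00\x00\x08"
    b"\x01\x00\x00\x00\x00\x00\x00\x00\x10"
    b"aliyun.accessKeyId=LTAI5EXAMPLEHEAPDUMP1\x00\x00\x02"
    b"\xff\xfe\x00\x00"
    b"aliyun.accessKeySecret=HEAPexampleSecret99887766\x00"
)


def scan_all():
    """Run every rule over the three constructed artifacts."""
    return (
        scan_text("bundle.js", JS_BUNDLE)
        + scan_text("nacos-config.yaml", NACOS_CONFIG)
        + scan_binary("heapdump.hprof", HEAPDUMP_BYTES)
    )


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f['source']}:{f['line']} {f['rule']} {f['preview']}")
```

Run as a pre-publish gate over built front-end bundles, packaged mini programs and configuration repositories, and over any heapdump before it is attached to a ticket, the same scan finds the leak before an outsider does; masking the matched value keeps the scanner's own output from becoming a second copy of the secret.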

0x04 Exploitation

1. Taking over a bucket with the AK/SK.

Use a tool or the cloud vendor's management platform to take over the bucket directly. After taking over the bucket, you can view, upload, edit and delete the information in it.

OSS Browser, the graphical OSS management tool provided by Alibaba Cloud:

https://github.com/aliyun/oss-browser


After logging into the bucket you can view, upload, delete and download the files in it, which is the damage a bucket takeover causes.

Tencent Cloud host takeover platform (COS Browser):

https://cosbrowser.cloud.tencent.com/web/bucket


Xingyun Manager (supports multiple cloud vendors):


You can import cloud hosts from different vendors.


Select Host Import:


After taking over the host through Xingyun Manager, you can not only access the OSS service but also reset the server password directly and take over the server.


You can restart, pause and modify host information, among other operations.

2. After obtaining the AK/SK, you can try to execute commands on the host.

CF, a cloud environment exploitation framework:

https://github.com/teamssix/cf/releases


Use cf to list the operations the key is permitted to perform on the host; here it shows that command execution is allowed.


For example: cf tencent cvm exec -c whoami, and so on.

Reference for details: https://wiki.teamssix.com/CF/ECS/exec.html

For RCE on Alibaba Cloud hosts:

Tool link: https://github.com/mrknow001/aliyun-accesskey-Tools

Enter the AK/SK to query the hosts, select and fill in the host name, and check whether the Cloud Assistant list shows true or false; if it is true, commands can be executed.

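Every operation in this section (listing and deleting bucket contents, resetting the server password, running commands through the cloud assistant) goes through the vendor API under the leaked AK, so it leaves an API audit trail. The following added example, not code from the article or from cf or any vendor, shows the two detections a defender would run over that trail: the key appearing from a source IP outside its known baseline, and the key performing a high-risk action. The event schema, the action names and the IP baseline are all constructed assumptions, not any vendor's real log format or API names.

```python
from collections import defaultdict

# Actions a leaked key is used for in the cases above: bucket content changes,
# server password reset and command execution. Illustrative names (assumption),
# not a vendor's exact API names.
HIGH_RISK_ACTIONS = {
    "DeleteObject", "DeleteBucket", "PutBucketAcl",
    "ResetInstancePassword", "RunCommand", "InvokeCommand",
}

# Constructed baseline: the source IPs from which each key is legitimately used
# (the application's own servers).
BASELINE_IPS = {"LTAI4EXAMPLEKEYID123": {"10.0.1.5", "10.0.1.6"}}

# Constructed audit events in a made-up schema (not any vendor's real log format).
SAMPLE_EVENTS = [
    {"time": "2024-01-01T09:00:00Z", "accessKeyId": "LTAI4EXAMPLEKEYID123", "sourceIp": "10.0.1.5", "eventName": "PutObject"},
    {"time": "2024-01-01T09:05:00Z", "accessKeyId": "LTAI4EXAMPLEKEYID123", "sourceIp": "203.0.113.9", "eventName": "ListBuckets"},
    {"time": "2024-01-01T09:05:30Z", "accessKeyId": "LTAI4EXAMPLEKEYID123", "sourceIp": "203.0.113.9", "eventName": "GetObject"},
    {"time": "2024-01-01T09:07:00Z", "accessKeyId": "LTAI4EXAMPLEKEYID123", "sourceIp": "198.51.100.7", "eventName": "ResetInstancePassword"},
    {"time": "2024-01-01T09:08:00Z", "accessKeyId": "LTAI4EXAMPLEKEYID123", "sourceIp": "203.0.113.9", "eventName": "RunCommand"},
    {"time": "2024-01-01T10:00:00Z", "accessKeyId": "LTAI4EXAMPLEKEYID123", "sourceIp": "10.0.1.5", "eventName": "DeleteObject"},
]


def detect(events, baseline_ips, high_risk=HIGH_RISK_ACTIONS):
    """Flag each event whose key is used from an unbaselined IP (once per new IP)
    and/or performs a high-risk action. Alerts are returned in event order."""
    alerts = []
    seen_ips = defaultdict(set)
    for e in events:
        ak, ip, action = e["accessKeyId"], e["sourceIp"], e["eventName"]
        new_ip = ip not in baseline_ips.get(ak, set()) and ip not in seen_ips[ak]
        seen_ips[ak].add(ip)
        reasons = []
        if new_ip:
            reasons.append(f"key used from unbaselined source IP {ip}")
        if action in high_risk:
            reasons.append(f"high-risk action {action}")
        if not reasons:
            continue
        if new_ip and action in high_risk:
            severity = "critical"
        elif action in high_risk:
            severity = "high"
        else:
            severity = "medium"
        alerts.append({"time": e["time"], "accessKeyId": ak, "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, BASELINE_IPS):
        print(alert["time"], alert["severity"], "; ".join(alert["reasons"]))
```

The first alert in the sample (a plain ListBuckets from an unknown address) is the earliest signal and is exactly the enumeration step the tools above start with, so it is the one to act on by disabling and rotating the key; a read such as GetObject from an IP already seen is deliberately not flagged here, which is why the IP rule and the action rule are used together rather than alone. A key scoped by a least-privilege policy to the one bucket the application needs would not be able to perform the password reset or command execution at all, which is the mitigation that makes the permission check cf performs come back empty.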

Reprinted from the original link: https://forum.butian.net/share/2376
