6 changes: 6 additions & 0 deletions content/aws/exploitation/iam_privilege_escalation.md
Expand Up @@ -79,6 +79,12 @@ Another (stealthier) example would be to perform all your API operations at once
## iam:PassRole, glue:CreateDevEndpoint
With access to the [iam:PassRole](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html) and [glue:CreateDevEndpoint](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/glue/create-dev-endpoint.html) permissions, an adversary can create a new Glue development endpoint and pass in a more privileged role. It is worth noting that to do this the AWS account must already contain a role that can be assumed by Glue and that role must have greater privileges (or at least different ones) than the principal the adversary controls.

## iam:PassRole, glue:CreateJob
With access to the [iam:PassRole](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html) and [glue:CreateJob](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/glue/create-job.html) permissions, an adversary can create a new Glue job and pass in a more privileged role. The AWS account must already contain a role that can be assumed by Glue and that role must have greater privileges (or at least different ones) than the principal the adversary controls. The [glue:StartJobRun](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/glue/start-job-run.html) privilege would allow for the job to be run.

## iam:PassRole, glue:UpdateJob
With access to the [iam:PassRole](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html) and [glue:UpdateJob](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/glue/update-job.html) permissions, an adversary can update the role and command associated with a Glue job. The AWS account must already contain a role that can be assumed by Glue and that role must have greater privileges (or at least different ones) than the principal the adversary controls. The [glue:StartJobRun](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/glue/start-job-run.html) privilege or some pre-existing trigger could cause the job to run.

## iam:PassRole, lambda:AddPermission, lambda:CreateFunction
With access to the [iam:PassRole](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html), [lambda:AddPermission](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-permission.html), and [lambda:CreateFunction](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/create-function.html) permissions, an adversary can create a Lambda function with an existing role. This function could then by updated with lambda:AddPermission to allow another principal in another AWS account the permission to invoke it. It is worth noting that the AWS account must already contain a role that can be assumed by Lambda.

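Review bot: the new `glue:CreateJob` entry should state explicitly that the heading's two permissions alone only create the job; it is `glue:StartJobRun` (named at the end of the paragraph) that executes it with the passed role. The `glue:UpdateJob` entry already does this well ("The glue:StartJobRun privilege or some pre-existing trigger could cause the job to run"), so consider either adding `glue:StartJobRun` to the `CreateJob` heading or mirroring that sentence so the two sections read consistently. Both new sections also repeat the "role that can be assumed by Glue" requirement from the `CreateDevEndpoint` section above almost verbatim; that is acceptable for a reference page, but a single shared note would reduce drift if the wording is ever corrected in one place. Unrelated to this change, the unchanged Lambda context line below has a typo, "could then by updated" should read "could then be updated", worth fixing in a follow-up.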