Published 4 November 2022

How to scan AWS IAM for security vulnerabilities with Red-Shadow

About Red-Shadow

Red-Shadow is an AWS IAM vulnerability scanner that helps you find misconfigurations and security weaknesses in AWS IAM. It checks the following IAM objects for misconfigurations:

- Managed Policies
- Users Inline Policies
- Groups Inline Policies
- Roles Inline Policies

How it works

For deny policies applied to groups, the AWS IAM evaluation logic does not behave the way most security engineers expect from other authorization mechanisms. If a policy with a group as its resource is an explicit Deny, the Deny only affects operations on the group object itself; it does not affect operations on the user objects of the group's members. Below is a sample JSON policy that exhibits the problem:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ProtectManagersByDeny",
                "Effect": "Deny",
                "Action": "*",
                "Resource": "arn:aws:iam::123456789999:group/managers"
            }
        ]
    }

In this example, the intent of the policy is to deny any user, group or role it is attached to from performing any IAM action. In practice, simple user-level IAM operations such as iam:ChangePassword can still be performed, so the deny policy does not provide the intended protection.

Detection

AWS IAM makes a clear distinction between operations on user objects and operations on group objects. The following list contains the user-object actions (wildcards aside) that the tool looks for in deny policies whose resource is a group:

    AWS_USER_ACTIONS = [
        "iam:CreateUser", "iam:GetUser", "iam:UpdateUser", "iam:DeleteUser",
        "iam:GetUserPolicy", "iam:PutUserPolicy", "iam:DeleteUserPolicy",
        "iam:ListUserPolicies", "iam:AttachUserPolicy", "iam:DetachUserPolicy",
        "iam:ListAttachedUserPolicies", "iam:SimulatePrincipalPolicy",
        "iam:GetContextKeysForPrincipalPolicy", "iam:TagUser",
        "iam:UpdateSSHPublicKey", "iam:UntagUser", "iam:GetSSHPublicKey",
        "iam:ListUserTags", "iam:DeleteSSHPublicKey", "iam:GetLoginProfile",
        "iam:GetAccessKeyLastUsed", "iam:UpdateLoginProfile",
        "iam:UploadSigningCertificate", "iam:DeleteLoginProfile",
        "iam:ListSigningCertificates", "iam:CreateLoginProfile",
        "iam:UpdateSigningCertificate", "iam:EnableMFADevice",
        "iam:DeleteSigningCertificate", "iam:ResyncMFADevice",
        "iam:ListServiceSpecificCredentials", "iam:ListMFADevices",
        "iam:ResetServiceSpecificCredential", "iam:DeactivateMFADevice",
        "iam:CreateServiceSpecificCredential", "iam:ChangePassword",
        "iam:UpdateServiceSpecificCredential", "iam:CreateAccessKey",
        "iam:DeleteServiceSpecificCredential", "iam:ListAccessKeys",
        "iam:PutUserPermissionsBoundary", "iam:UpdateAccessKey",
        "iam:DeleteUserPermissionsBoundary", "iam:DeleteAccessKey",
        "iam:ListGroupsForUser", "iam:ListSSHPublicKeys", "iam:UploadSSHPublicKey"
    ]

Requirements

Red-Shadow is written in Python 3 with Boto3 and needs the following:

- IAM user access keys configured in the operating system's environment variables.
- An IAM user with sufficient permissions to run the scan.
- Python 3 and pip3.

Installation

    sudo git clone https://github.com/lightspin-tech/red-shadow.git
    cd red-shadow
    pip3 install -r requirements.txt

Usage

    python3 red-shadow.py

Analyzing the results

    ++ Starting Red-Shadow ++
    ++ AWS IAM Vulnerability Scanner ++
    Red Shadow scans for shadow admins in AWS IAM based on misconfigured deny policies not affecting users in groups

    Step 1: Searching for IAM Group misconfigurations in managed policies
    Found potential misconfiguration at arn:aws:iam::123456789999:policy/ProtectManagers
    Progress: |██████████████████████████████████████████████████| 100.0% Complete
    Step 2: Searching for IAM Group misconfigurations in Users inline policies
    Progress: |██████████████████████████████████████████████████| 100.0% Complete
    Step 3: Searching for IAM Group misconfigurations in Groups inline policies
    Progress: |██████████████████████████████████████████████████| 100.0% Complete
    Step 4: Searching for IAM Group misconfigurations in Roles inline policies
    Progress: |██████████████████████████████████████████████████| 100.0% Complete
    Done

In the terminal output above, the ProtectManagers deny policy is reported as ineffective, which leaves the account exposed to threats such as privilege escalation.

License

This project is developed and released under the Apache License 2.0.

Project link

Red-Shadow on GitHub: https://github.com/lightspin-tech/red-shadow

Author: Alpha_h4ck. When reposting, please credit FreeBuf.COM.
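The check described in the "How it works" and "Detection" sections, written as an added example rather than Red-Shadow's own code: a Deny statement is flagged when every Resource is an IAM group ARN but its Action patterns reach one of the user-object actions, since such a statement cannot stop a group member from acting on their own user object. The action list is a constructed subset of the one above, and the sample policy reuses the article's ProtectManagersByDeny statement next to two statements that are not flagged.

```python
import fnmatch
# Constructed subset of the user-object actions listed in the article.
AWS_USER_ACTIONS = [
    "iam:CreateUser", "iam:GetUser", "iam:UpdateUser", "iam:DeleteUser",
    "iam:PutUserPolicy", "iam:AttachUserPolicy", "iam:ChangePassword",
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:DeactivateMFADevice", "iam:PutUserPermissionsBoundary",
]

def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def action_covers_user_ops(pattern):
    """True if an Action pattern ('*', 'iam:*', 'iam:*User*', ...) matches any
    user-object action. IAM action names match case-insensitively."""
    pat = pattern.lower()
    return any(fnmatch.fnmatchcase(a.lower(), pat) for a in AWS_USER_ACTIONS)

def is_group_arn(resource):
    """True for an IAM group ARN such as arn:aws:iam::123456789999:group/managers."""
    return resource.startswith("arn:aws:iam::") and ":group/" in resource

def find_ineffective_group_denies(policy_doc):
    """Return the Sids of Deny statements whose Resource names only group ARNs
    while Action reaches user-object operations. Such a deny restricts actions
    on the group itself, not what a member does to their own user object."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        resources = _as_list(stmt.get("Resource"))
        if not resources or not all(is_group_arn(r) for r in resources):
            continue  # a user ARN or "*" in Resource does reach user operations
        if any(action_covers_user_ops(a) for a in _as_list(stmt.get("Action"))):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed sample: the article's vulnerable statement plus two that are not flagged.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ProtectManagersByDeny", "Effect": "Deny", "Action": "*",
         "Resource": "arn:aws:iam::123456789999:group/managers"},
        {"Sid": "GroupOnlyDeny", "Effect": "Deny", "Action": ["iam:GetGroup", "iam:DeleteGroup"],
         "Resource": "arn:aws:iam::123456789999:group/managers"},
        {"Sid": "DenyOnUserObjects", "Effect": "Deny", "Action": "iam:*",
         "Resource": "arn:aws:iam::123456789999:user/*"},
    ],
}
```

Running find_ineffective_group_denies(SAMPLE_POLICY) returns ['ProtectManagersByDeny']; the GroupOnlyDeny statement touches no user action and DenyOnUserObjects already names user resources, so neither is reported.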