【Web】Cloud security metadata service

Preface

When I was digging SRC again recently, I encountered an interface that was suspected to be SSRF, and I tried to access the metadata service. It worked. However, because I had had little contact with it before, I had no idea what to do next for the time being, so I wrote the following article.

This article introduces the background knowledge related to metadata in some detail and walks through the chain: leak metadata, obtain the role name, obtain the role's temporary credentials, and finally reach further resources with those credentials.

Related information

1. Cloud server instance

A cloud server instance is a virtual server running in a cloud computing environment. The instance is the basic unit of cloud computing: a virtual server created with virtualization technology on top of a physical server, which can provide computing, storage, network and other services.

From the user's perspective, you first choose the instance type, region, configuration, duration and billing method. After the purchase succeeds, a cloud server instance is created.

2. Metadata

Metadata is data that describes data: information about the definition, structure, format, attributes and so on of a piece of data. In other words, metadata is data about data, used to describe and manage data.

Metadata can contain various types of information, such as data type, format, size, source, owner, version, creation time, modification time, etc. Metadata can also describe the relationship, grouping, classification and other information between data, as well as information on data usage and permission control.

On cloud service instances, metadata usually refers to the data describing the instance, such as the instance's ID, name, status, running time, operating system, network configuration, security group configuration, storage configuration, etc. This metadata is usually stored in the cloud service provider's metadata service and can be accessed and managed through the metadata service's API or command-line tools.

It should be noted that on cloud service instances, metadata is usually read-only and users cannot modify it directly. However, users can change metadata indirectly by modifying the instance's configuration, such as changing the instance's name, network configuration or security group configuration.

3. Common metadata query interfaces

Common cloud service metadata query interfaces include:

EC2 instance metadata query interface: The Amazon EC2 instance metadata query interface is a metadata service of Amazon Web Services (AWS) that returns the metadata of EC2 instances over HTTP. For example, you can access the instance's metadata at http://169.254.169.254/latest/meta-data/.

Google Cloud instance metadata query interface: The Google Cloud instance metadata query interface is a metadata service of Google Cloud Platform that returns instance metadata over HTTP. For example, you can access the instance's metadata at http://metadata.google.internal/computeMetadata/v1/. Note that this service only answers requests that carry the header Metadata-Flavor: Google.

Azure instance metadata query interface: The Azure instance metadata query interface is a metadata service of Microsoft Azure that returns instance metadata over HTTP. For example, you can access the instance's metadata at http://169.254.169.254/metadata/instance?api-version=2017-08-01. Note that this service only answers requests that carry the header Metadata: true.

4. 169.254.169.254

169.254.169.254 is a special IP address from the link-local range (169.254.0.0/16), a range normally used for automatically configured addressing within a local network segment. In a cloud computing environment, this address is usually used as the metadata service address of the cloud service instance.

Specifically, cloud service providers usually pre-configure the address 169.254.169.254 in the cloud service instance to provide metadata services for the instance. Users can obtain the metadata information of the instance by accessing this address.

It should be noted that 169.254.169.254 is a link-local address: it is reachable only from inside the instance and cannot be accessed from outside. In addition, different cloud service providers implement and expose their metadata services slightly differently, so users need to consult the corresponding documentation to learn how to access and use them.
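As an added example (not code from the original article), here is a server-side URL guard that refuses fetch destinations pointing at the metadata services named in sections 3 and 4. It goes slightly beyond the article by also refusing loopback and private addresses, the usual SSRF guard, and it only inspects literal hosts, so a plain hostname must be re-checked after DNS resolution.

```python
"""Guard for server-side fetches: refuse URLs that target a cloud metadata service.
Added example, not from the original article. Assumption: hostnames are examined
as written (no DNS lookup here); the caller re-checks the resolved IP."""
import ipaddress
from urllib.parse import urlsplit

# Hostname form of the GCP metadata service (AWS and Azure use the link-local IP).
METADATA_HOSTNAMES = {"metadata.google.internal"}
ALLOWED_SCHEMES = {"http", "https"}


def is_metadata_destination(url: str) -> bool:
    """True when the URL points at a metadata endpoint or any link-local, loopback
    or private address (169.254.169.254 is link-local, so it is caught here)."""
    host = urlsplit(url).hostname  # lower-cased; IPv6 brackets already stripped
    if host is None:
        return True  # no usable host: treat as unsafe
    if host in METADATA_HOSTNAMES:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: only DNS can tell where it goes, so this check alone
        # must not be trusted; re-run it on the resolved address.
        return False
    return ip.is_link_local or ip.is_loopback or ip.is_private


def check_fetch_target(url: str) -> str:
    """Return the URL unchanged if it may be fetched, otherwise raise ValueError."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme!r}")
    if is_metadata_destination(url):
        raise ValueError("destination points at a metadata service or internal address")
    return url
```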

5. /latest/meta-data/

http://169.254.169.254/latest/meta-data/ is the URL used to access Amazon EC2 instance metadata. The path part of this URL contains a number of subdirectories, each holding a different piece of metadata. The following are some common subdirectories and the metadata they hold:

  1. ami-id: The Amazon Machine Image (AMI) ID of the instance.
  2. ami-launch-index: The launch index of the instance (its position among the instances started by the same launch request).
  3. ami-manifest-path: AMI manifest path.
  4. block-device-mapping/: Block device mapping information, including the instance's EBS volume and instance storage device.
  5. hostname: The hostname of the instance.
  6. instance-id: ID of the instance.
  7. instance-type: The type of instance.
  8. local-ipv4: The local IPv4 address of the instance.
  9. mac: MAC address of the instance.
  10. placement/: Instance placement information, including the region, availability zone and placement group in which the instance is located.
  11. profile: The IAM role name of the instance.
  12. public-hostname: The public hostname of the instance.
  13. public-ipv4: The public IPv4 address of the instance.
  14. reservation-id: The reservation ID of the instance.
  15. security-groups: List of security groups to which the instance belongs.

6. Role name

In AWS, a role name is a resource identifier used to identify a role in AWS Identity and Access Management (IAM). An IAM role is an AWS resource that defines a set of permissions so that one AWS resource or service can access another AWS resource or service.

The role name is set to facilitate users to manage IAM roles. It usually consists of letters, numbers, and special characters, and the length does not exceed 64 characters. Users can set different names for different IAM roles to better distinguish and manage these roles.

IAM roles can be granted access to other AWS resources and services, such as EC2 instances, Lambda functions, API Gateway, and more. These resources can reference and assume the corresponding IAM role through the role name, thereby obtaining the permissions it defines.

In short, a role name is a resource identifier used to identify a role in AWS Identity and Access Management (IAM). It allows users to manage IAM roles and can also be used for access and authorization by other AWS resources and services.

7. Role temporary credentials

To obtain temporary credentials for a role, you can use the AWS Security Token Service (STS) AssumeRole API. AssumeRole returns temporary security credentials that allow access to AWS resources and services according to the policies and permissions defined in the IAM role.

The temporary credentials include an access key ID, a secret access key, and a security (session) token. These credentials are time-limited and can be used to access AWS resources and services only within their validity period.

Specifically, you can use the AWS SDK or the AWS CLI in command-line tools to use the role's temporary credentials to access AWS resources. Here are some example commands for accessing AWS resources using the AWS CLI:

  • List the objects in an S3 bucket by bucket name: aws s3 ls s3://<bucket-name> --profile <profile-name>
  • List the tags of an instance by EC2 instance ID: aws ec2 describe-tags --filters "Name=resource-id,Values=<instance-id>" --profile <profile-name>
  • Show a Lambda function's configuration by function name: aws lambda get-function --function-name <function-name> --profile <profile-name>

In these commands, <profile-name> is the name of a profile in your AWS CLI configuration that specifies which IAM role's temporary credentials to use. In the configuration file you specify the role's ARN (Amazon Resource Name) and the credential information: access key ID, secret access key and security token.

To configure temporary credentials for an IAM role with the aws configure command, you can follow these steps:

1. Sign in to the AWS Management Console and select the IAM role to use for temporary credentials.

2. In the role's permissions policy, ensure that the role has permissions to access the AWS resources you want to access.

3. Open the AWS CLI in a local terminal and run the aws configure command.

4. Follow the prompts to enter the configuration information, including:

  • AWS access key ID and secret access key: You can create and manage these credentials using the IAM console or the AWS CLI.
  • Default Region: Specify the AWS Region you want to use. If you are not sure which region should be used, leave it blank to use the default value.
  • Output format: Specify the format of the AWS CLI output. json is recommended because it is easier to parse and process.

5. For AWS Access Key ID and AWS Secret Access Key, enter the access key ID and secret access key from the IAM role's temporary credentials into the respective fields.

6. For  Default region name, you can enter the name of the AWS region you want to use. If you are not sure which region should be used, leave it blank to use the default value.

7. For Default output format, json is suggested to make the output easier to parse and process.

8. After completing the input, follow the prompts to confirm.

Once you complete the above steps, you can use the aws command-line tool to access AWS resources without supplying the IAM role's temporary credentials by hand. Note that the aws configure prompts do not ask for the session token that temporary credentials require; set it separately with aws configure set aws_session_token <token> (add --profile <profile-name> for a named profile), otherwise requests made with the temporary access key will be rejected. For example, you can use the following command to list the objects in an S3 bucket:

aws s3 ls s3://<bucket-name>

8. IAM

IAM is the authentication and access management service in AWS (Amazon Web Services). Its full name is Identity and Access Management. IAM allows you to create and manage AWS users and their permissions to access AWS resources. Using IAM, you can assign individual credentials to each user and define which AWS resources the user can access and how. IAM can also help you protect your AWS resources by ensuring that only authorized users can access them.

The core concepts of IAM include users, groups, roles, and policies. A user is an entity in AWS that represents a person or an application who needs to access AWS resources. A group is a collection of users who can be granted the same permissions. A role is an entity in AWS that represents an AWS service or application and defines which AWS resources the service or application can access and how. A policy is a set of JSON-formatted rules that define permissions for users, groups, and roles, and controls access to these entities.

IAM can help you implement security and compliance requirements for AWS resources and ensure that your AWS resources are only accessed by authorized users.

9. Instance Metadata API

The instance metadata service also provides some other APIs for accessing IAM-related information about the instance. The following are some commonly used APIs:

  • http://169.254.169.254/latest/meta-data/iam/: Used to obtain the IAM metadata information of the instance.
  • http://169.254.169.254/latest/meta-data/iam/security-credentials/: Used to obtain temporary credentials for the IAM role currently used by the instance.
  • http://169.254.169.254/latest/meta-data/iam/info: Used to obtain the IAM instance configuration information of the instance.
  • http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>: Used to obtain temporary credentials for the specified IAM role, where <role-name> is the name of the role.
  • http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>/: Used to obtain temporary credentials for the specified IAM role. The only difference from the previous API is the trailing slash (/) at the end of the URL.

10. Metadata attack ideas

Here are some common metadata attack ideas:

Step 1: SSRF, RCE and file-read attacks against the metadata service. The attacker crafts a malicious request so that the application running inside the cloud service instance issues an attacker-controlled HTTP request and returns the instance's metadata. The endpoint http://169.254.169.254/latest/meta-data/iam/info returns the IAM instance profile information, mainly the role name.

Step 2: Use the role name to read sensitive information from the metadata service. With the role name, an attacker can obtain sensitive information about the instance through the metadata service, for example:

  • Keys, certificates, passwords
  • Temporary credentials: http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>

Step 3: Use the temporary credentials obtained in Step 2 to obtain sensitive information about the instance.

If the temporary credentials of the IAM role are obtained, they can be used to access sensitive data in the account's S3 buckets. Here are some possible follow-on actions:

  • Download files: Using the role's temporary credentials, the AWS CLI or SDK can download files stored in an S3 bucket. The following command downloads a file:
    aws s3 cp s3://<bucket-name>/<object-key> <local-file-path> --profile <role-profile>
  • List files: Using the role's temporary credentials, the AWS CLI or SDK can list all files stored in an S3 bucket. The following command lists files:
    aws s3 ls s3://<bucket-name> --profile <role-profile>
  • Upload files: Using the role's temporary credentials, the AWS CLI or SDK can upload files to an S3 bucket. The upload command is similar to the download command, but the local file path comes first and the target S3 bucket name and object key second.
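To catch the chain in sections 9 and 10 from the defender's side, here is an added example (not code from the original article) that scans egress-proxy log lines for requests to the EC2 metadata host and grades them by the IAM paths listed above. The log format, the source host names and the role name web-role in the sample lines are all constructed for this example.

```python
"""Flag metadata-service access in outbound request logs.
Added example, not from the original article. The one-line-per-request log format
and the sample lines below are constructed; adapt LINE_RE to your proxy's format."""
import re
from urllib.parse import urlsplit

METADATA_HOST = "169.254.169.254"

# IAM paths from the article, most to least severe. The credentials endpoint is the
# one that hands out usable keys, so it outranks a plain role-name lookup.
SEVERITY_BY_PREFIX = (
    ("/latest/meta-data/iam/security-credentials/", "critical"),
    ("/latest/meta-data/iam/", "high"),
    ("/latest/meta-data/", "medium"),
)

# <timestamp> <source-host> <method> <url> <status>  (constructed format)
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify_path(path: str) -> str:
    """Map a metadata path to a severity; anything outside the known prefixes is 'low'."""
    for prefix, severity in SEVERITY_BY_PREFIX:
        if path.startswith(prefix):
            return severity
    return "low"


def scan_log(lines):
    """Return (timestamp, source, severity, path) for every request to the metadata host."""
    findings = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # unparseable line; skip rather than guess
        parts = urlsplit(match["url"])
        if parts.hostname != METADATA_HOST:
            continue
        findings.append((match["ts"], match["src"], classify_path(parts.path), parts.path))
    return findings


SAMPLE_LOG = """\
2024-05-01T12:00:01Z app01 GET https://api.example.com/v1/items 200
2024-05-01T12:00:02Z app01 GET http://169.254.169.254/latest/meta-data/iam/info 200
2024-05-01T12:00:03Z app01 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/web-role 200
2024-05-01T12:00:04Z app02 GET http://169.254.169.254/latest/meta-data/hostname 200
"""

if __name__ == "__main__":
    for ts, src, severity, path in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{severity:8} {ts} {src} {path}")
```

Because legitimate agents such as cloud-init and the AWS SDKs also read the metadata service, run this over the web application's own outbound requests rather than over all host traffic, or the signal drowns in expected lookups.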

Afterword

Looking back over these notes, this is only one attack chain, and there are many other points that can be exploited. For example, metadata does not only contain temporary credentials; it may also hold keys, certificates or passwords, which involves a number of other APIs. That is a topic for a later article.

Origin blog.csdn.net/xiru9972/article/details/131039754