Category: Cloud Security

  • AWS ECR Public Vulnerability

    I discovered a critical AWS Elastic Container Registry Public (ECR Public) vulnerability that allowed external actors to delete, update, and create ECR Public images, layers, and tags in registries and repositories that belong to other AWS Accounts, by abusing undocumented internal ECR Public API actions.

  • Azure Cloud Shell Command Injection Stealing User’s Access Tokens

    Azure Cloud Shell is an interactive, authenticated, browser-accessible shell for managing Azure resources. This post describes how I took over an Azure Cloud Shell trusted domain and leveraged it to inject and execute commands in other users’ terminals. Using the executed code, I accessed the Metadata service attached to the terminal and obtained the user’s access token. This access token gives an attacker the Azure permissions of the victim user and enables them to perform operations on the victim’s behalf.

  • Exploiting Authentication in AWS IAM Authenticator for Kubernetes

    During my research on the AWS IAM Authenticator component, I found several flaws in the authentication process that could bypass the protection against replay attacks or allow an attacker to gain higher permissions in the cluster by impersonating other identities. In this blog post I will explain three vulnerabilities detected in the AWS IAM Authenticator, all of which were caused by the same line of code.

  • AWS RDS Vulnerability Leads to AWS Internal Service Credentials

    In this post I will describe how I obtained credentials to an internal AWS service by exploiting a local file read vulnerability on the RDS EC2 instance using the log_fdw extension. The internal AWS service was connected to an AWS internal account related to the RDS service.

  • AWS SageMaker Jupyter Notebook Instance Takeover

    I found that an attacker can run any code on a victim’s SageMaker JupyterLab Notebook Instance across accounts. This means that an attacker can access the Notebook Instance metadata endpoint and steal the access token for the attached role.