Hacking AWS for fun and profit

Earlier today I was requested to prove that AWS Lambda is running in a shared resource space.

Select parts of this article will not feature how to break out of the jails in place, out of respect for a few NDAs and other contractual agreements I am under. Nor will we go into how to set up AWS Lambda, as there are several articles already out there for that.

Initially I took a black-box approach to analysing the service. This led to discovering a few things about the host running our code and the capabilities of our user.

Lambda Function

'use strict';
const exec = require('child_process').exec;

exports.handler = (event, context, callback) => {
  // Print the current user, the passwd file, PID 1's cgroups and PID 1's name
  const child = exec('id && cat /etc/passwd;cat /proc/1/cgroup && cat /proc/1/sched | head -n 1', (error, stdout, stderr) => {
    // Resolve with result of process; return so the callback fires only once
    if (error) return callback(error, 'Process complete!');
    callback(null, stdout);
  });
  // Log process stdout and stderr
  child.stdout.on('data', console.log);
  child.stderr.on('data', console.error);
};

Log output

:/sbin/nologin
sbx_user1086:x:461:460::/home/sbx_user1086:/sbin/nologin
sbx_user1087:x:460:459::/home/sbx_user1087:/sbin/nologin
sbx_user1088:x:459:458::/home/sbx_user1088:/sbin/nologin
sbx_user1089:x:458:457::/home/sbx_user1089:/sbin/nologin
sbx_user1090:x:457:456::/home/sbx_user1090:/sbin/nologin
sbx_user1091:x:456:455::/home/sbx_user1091:/sbin/nologin
sbx_user1092:x:455:454::/home/sbx_user1092:/sbin/nologin
sbx_user1093:x:454:453::/home/sbx_user1093:/sbin/nologin
sbx_user1094:x:453:452::/home/sbx_user1094:/sbin/nologin
sbx_user1095:x:452:451::/home/sbx_user1095:/sbin/nologin
sbx_user1096:x:451:450::/home/sbx_user1096:/sbin/nologin
sbx_user1097:x:450:449::/home/sbx_user1097:/sbin/nologin
sbx_user1098:x:449:448::/home/sbx_user1098:/sbin/nologin
sbx_user1099:x:448:447::/home/sbx_user1099:/sbin/nologin
sbx_user1100:x:447:446::/home/sbx_user1100:/sbin/nologin
sbx_user1101:x:446:445::/home/sbx_user1101:/sbin/nologin
sbx_user1102:x:445:444::/home/sbx_user1102:/sbin/nologin
sbx_user1103:x:444:443::/home/sbx_user1103:/sbin/nologin
sbx_user1104:x:443:442::/home/sbx_user1104:/sbin/nologin
sbx_user1105:x:442:441::/home/sbx_user1105:/sbin/nologin
sbx_user1106:x:441:440::/home/sbx_user1106:/sbin/nologin
sbx_user1107:x:440:439::/home/sbx_user1107:/sbin/nologin
sbx_user1108:x:439:438::/home/sbx_user1108:/sbin/nologin
sbx_user1109:x:438:437::/home/sbx_user1109:/sbin/nologin
sbx_user1110:x:437:436::/home/sbx_user1110:/sbin/nologin
sbx_user1111:x:436:435::/home/sbx_user1111:/sbin/nologin
sbx_user1112:x:435:434::/home/sbx_user1112:/sbin/nologin
sbx_user1113:x:434:433::/home/sbx_user1113:/sbin/nologin
sbx_user1114:x:433:432::/home/sbx_user1114:/sbin/nologin
sbx_user1115:x:432:431::/home/sbx_user1115:/sbin/nologin
sbx_user1116:x:431:430::/home/sbx_user1116:/sbin/nologin
sbx_user1117:x:430:429::/home/sbx_user1117:/sbin/nologin
sbx_user1118:x:429:428::/home/sbx_user1118:/sbin/nologin
sbx_user1119:x:428:427::/home/sbx_user1119:/sbin/nologin
sbx_user1120:x:427:426::/home/sbx_user1120:/sbin/nologin
sbx_user1121:x:426:425::/home/sbx_user1121:/sbin/nologin
sbx_user1122:x:425:424::/home/sbx_user1122:/sbin/nologin
sbx_user1123:x:424:423::/home/sbx_user1123:/sbin/nologin
sbx_user1124:x:423:422::/home/sbx_user1124:/sbin/nologin
sbx_user1125:x:422:421::/home/sbx_user1125:/sbin/nologin
sbx_user1126:x:421:420::/home/sbx_user1126:/sbin/nologin
sbx_user1127:x:420:419::/home/sbx_user1127:/sbin/nologin
sbx_user1128:x:419:418::/home/sbx_user1128:/sbin/nologin
sbx_user1129:x:418:417::/home/sbx_user1129:/sbin/nologin
sbx_user1130:x:417:416::/home/sbx_user1130:/sbin/nologin
sbx_user1131:x:416:415::/home/sbx_user1131:/sbin/nologin
sbx_user1132:x:415:414::/home/sbx_user1132:/sbin/nologin
sbx_user1133:x:414:413::/home/sbx_user1133:/sbin/nologin
sbx_user1134:x:413:412::/home/sbx_user1134:/sbin/nologin
sbx_user1135:x:412:411::/home/sbx_user1135:/sbin/nologin
sbx_user1136:x:411:410::/home/sbx_user1136:/sbin/nologin
sbx_user1137:x:410:409::/home/sbx_user1137:/sbin/nologin
sbx_user1138:x:409:408::/home/sbx_user1138:/sbin/nologin
sbx_user1139:x:408:407::/home/sbx_user1139:/sbin/nologin
sbx_user1140:x:407:406::/home/sbx_user1140:/sbin/nologin
sbx_user1141:x:406:405::/home/sbx_user1141:/sbin/nologin
sbx_user1142:x:405:404::/home/sbx_user1142:/sbin/nologin
sbx_user1143:x:404:403::/home/sbx_user1143:/sbin/nologin
sbx_user1144:x:403:402::/home/sbx_user1144:/sbin/nologin
sbx_user1145:x:402:401::/home/sbx_user1145:/sbin/nologin
sbx_user1146:x:401:400::/home/sbx_user1146:/sbin/nologin
sbx_user1147:x:400:399::/home/sbx_user1147:/sbin/nologin
sbx_user1148:x:399:398::/home/sbx_user1148:/sbin/nologin
sbx_user1149:x:398:397::/home/sbx_user1149:/sbin/nologin
sbx_user1150:x:397:396::/home/sbx_user1150:/sbin/nologin
9:perf_event:/
8:memory:/sandbox-c6f787
7:hugetlb:/
6:freezer:/sandbox-e28e26
5:devices:/
4:cpuset:/
3:cpuacct:/sandbox-543103
2:cpu:/sandbox-root-LL3fkc/sandbox-052bdb
1:blkio:/
node (25342, #threads: 9)

The result of the command above shows that there are multiple users on the same shared EC2 instance resource. Further discovery shows that each process executed is locked within a cpu, process, blkio, and memory cgroup. However, network namespaces do not appear to be enabled, and further evidence shows we are executing inside a Docker container.
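To read a dump like the one above systematically, the following added example (not code from the original article) parses the /etc/passwd and /proc/1/cgroup lines and reports which sandbox accounts exist and which cgroup v1 controllers point at a sandbox path rather than the root cgroup. The function name summarizeIsolation and the report fields are assumptions made for this example; the sample lines are copied from the log output above, with the passwd entries cut to three.

```javascript
'use strict';

// Sample lines copied from the log output above (passwd entries cut to three).
const SAMPLE = `sbx_user1148:x:399:398::/home/sbx_user1148:/sbin/nologin
sbx_user1149:x:398:397::/home/sbx_user1149:/sbin/nologin
sbx_user1150:x:397:396::/home/sbx_user1150:/sbin/nologin
9:perf_event:/
8:memory:/sandbox-c6f787
7:hugetlb:/
6:freezer:/sandbox-e28e26
5:devices:/
4:cpuset:/
3:cpuacct:/sandbox-543103
2:cpu:/sandbox-root-LL3fkc/sandbox-052bdb
1:blkio:/`;

// cgroup v1 line: <hierarchy-id>:<controller[,controller]>:<path>
const CGROUP_RE = /^(\d+):([^:]*):(\/.*)$/;
// passwd line: name:password:uid:gid:gecos:home:shell (seven fields)
const PASSWD_RE = /^([^:\s]+):[^:]*:(\d+):(\d+):[^:]*:([^:]*):([^:]*)$/;

// Hypothetical helper: classify each line of the dump and build a report.
function summarizeIsolation(text) {
  const report = { sandboxUsers: [], confined: {}, rootCgroup: [] };
  for (const line of text.split('\n').map((l) => l.trim())) {
    let m;
    if ((m = CGROUP_RE.exec(line))) {
      // A controller whose path is "/" sits in that hierarchy's root cgroup:
      // no per-sandbox group is visible for it from inside the process.
      for (const ctrl of m[2].split(',').filter(Boolean)) {
        if (m[3] === '/') report.rootCgroup.push(ctrl);
        else report.confined[ctrl] = m[3];
      }
    } else if ((m = PASSWD_RE.exec(line)) && m[1].startsWith('sbx_user')) {
      // Truncated or malformed passwd lines fail the seven-field match and are skipped.
      report.sandboxUsers.push({ name: m[1], uid: Number(m[2]), shell: m[5] });
    }
  }
  return report;
}

console.log(JSON.stringify(summarizeIsolation(SAMPLE), null, 2));
```

On this sample the cpu, cpuacct, freezer and memory controllers map to sandbox paths, while blkio and the remaining controllers report the root path "/".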

Several exploits exist for escaping out of Docker and cgroup jails, all of which I leave to you, the reader, to discover on your own.