S3 Bucket Misconfiguration in Amazon

Description

Summary:

While trying to reach one of the contact-us pages on https://www.amazon.in, I discovered a misconfigured S3 bucket. The misconfiguration allowed any user to upload and delete any file in the S3 bucket: https://bbcomm-mgr-ui-attachments-eu.s3.amazonaws.com

While looking for a way to contact customer care, I saw a page with upload functionality, so why not try uploading a PHP shell? I turned my Burp intercept on and tried to bypass the file-upload restrictions. It allowed PNG, JPEG and GIF. Every time I tried to upload, it showed an error response, so I started the spider to find any other page linked to this one. I saw there was an S3 bucket containing the same file I had been trying to upload. After copying the link, I was able to download my file.
Woah! I had found a misconfigured Amazon bucket. It was the bucket from which customer-care executives might download the attachments sent to them: when you ask a retailer about an invoice or receipt, you can attach an image, PDF, etc., and those attachments are uploaded to this S3 bucket.

Target:

https://bbcomm-mgr-ui-attachments-eu.s3.amazonaws.com

Proof-of-concept

1) Visit url:
https://bbcomm-mgr-ui-attachments-eu.s3.amazonaws.com/login2.html

2) Try writing and deleting files in bucket:

a) Writing command:
 Using curl to write index.html (unsigned request, no AWS credentials involved):

curl -XPUT -d '<html><h1> Upload by justmorpheus</html>' 'https://bbcomm-mgr-ui-attachments-eu.s3.amazonaws.com/index.html'


b) Using the AWS CLI:
Move and copy commands (--grants makes the uploaded object readable by everyone):

  1. aws s3 mv login.html s3://bbcomm-mgr-ui-attachments-eu --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
  2. aws s3 cp login2.html s3://bbcomm-mgr-ui-attachments-eu --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers

Deleting Command:

  1. aws s3 rm s3://bbcomm-mgr-ui-attachments-eu/login.html
  2. aws s3 rm s3://bbcomm-mgr-ui-attachments-eu/index.html

Result:
 We now have full write and delete access to an Amazon.in S3 bucket (S3 has no "execute" permission; what the commands above demonstrate is PUT and DELETE of arbitrary objects).
 I also tried brute-forcing directories with DirBuster and discovered a folder,
which could be used to download confidential files and for phishing.

Solution:

Do not grant everyone (the AllUsers group) or all AWS account holders (the AuthenticatedUsers group) write or delete access to the bucket; restrict uploads and deletions to the application's own IAM identity and keep uploaded attachments private.
 See the documentation: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-overview.html
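To check a bucket for the same weakness from the owner's side, here is an added example (not code from the original report) that inspects the three places a public write path can come from: the bucket ACL (the AllUsers/AuthenticatedUsers group URIs that --grants uses above), the bucket policy, and the Block Public Access switches. The inputs are plain dicts in the shape boto3 returns from get_bucket_acl, the parsed policy document from get_bucket_policy, and the PublicAccessBlockConfiguration part of get_public_access_block; the sample configurations, bucket name and account ID are constructed for illustration. The WEAK_* values mirror the report (AllUsers holding WRITE on the ACL, plus a policy that lets anyone put and delete objects) and the FIXED_* values show the corrected form next to them.

```python
"""Audit an S3 bucket's ACL, policy and Block Public Access for public write/delete
(added example, not from the original report)."""
import json

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anonymous, i.e. curl with no credentials
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account, e.g. the aws cli above
}
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}
WRITE_ACTIONS = ("s3:putobject", "s3:deleteobject")
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_write_grants(acl):
    """Grants in a GetBucketAcl-shaped dict that give a public group WRITE or FULL_CONTROL."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUP_URIS
                and grant.get("Permission") in WRITE_PERMISSIONS):
            found.append((grantee["URI"], grant["Permission"]))
    return found


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Both "Principal": "*" and "Principal": {"AWS": "*"} mean everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _action_allows_write(action):
    """True for s3:PutObject / s3:DeleteObject and any wildcard covering them (s3:*, s3:Put*, *)."""
    action = action.lower()
    if action in ("*", "s3:*"):
        return True
    if action.endswith("*"):
        return any(w.startswith(action[:-1]) for w in WRITE_ACTIONS)
    return action in WRITE_ACTIONS


def policy_public_write_statements(policy):
    """Sids (or positions) of Allow statements giving everyone a write/delete action.

    Statements carrying a Condition are still reported, marked for manual review,
    because a weak condition (e.g. on a header anyone can set) is still public.
    """
    found = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if any(_action_allows_write(a) for a in _as_list(stmt.get("Action", []))):
            label = stmt.get("Sid", f"Statement[{i}]")
            found.append(label + (" (conditioned, review)" if stmt.get("Condition") else ""))
    return found


def public_access_block_complete(pab):
    """True only when all four Block Public Access switches are on."""
    return all(pab.get(k) is True for k in PAB_KEYS)


def audit_bucket(acl, policy, pab):
    """Combine the three checks; an empty list means no public write/delete path was found."""
    findings = [f"ACL grants {perm} to {uri}" for uri, perm in acl_public_write_grants(acl)]
    findings += [f"policy statement {sid} allows public write/delete"
                 for sid in policy_public_write_statements(policy)]
    if not public_access_block_complete(pab):
        findings.append("Block Public Access is not fully enabled")
    return findings


# Constructed samples (bucket name, canonical ID and account ID are made up).
OWNER = {"Type": "CanonicalUser", "ID": "0" * 64}
WEAK_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"},
]}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicUpload", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-attachments-bucket/*"},
]}
WEAK_PAB = {k: False for k in PAB_KEYS}

# Corrected form: owner-only ACL, uploads allowed to one application role, all BPA switches on.
FIXED_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppUploadOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-attachment-uploader"},
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-attachments-bucket/*"},
]}
FIXED_PAB = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    for name, cfg in (("weak", (WEAK_ACL, WEAK_POLICY, WEAK_PAB)),
                      ("fixed", (FIXED_ACL, FIXED_POLICY, FIXED_PAB))):
        print(name, json.dumps(audit_bucket(*cfg), indent=2))
```

The ACL check matters even when the policy is clean: the report's bucket was writable through an ACL group grant, which a policy review alone would never see, and only BlockPublicAcls/IgnorePublicAcls neutralise that class of grant.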

Reference and Thanks:

https://blog.detectify.com/2017/07/13/aws-s3-misconfiguration-explained-fix/
https://medium.com/@jonathanbouman/how-i-hacked-apple-com-unrestricted-file-upload-bcda047e27e3

Special mention @kunal_mahar — Information security Analyst

Timeline:

10/07/2018: Discovered and reported to amazon
10/07/2018: Bug confirmed and case id assigned
 03/08/2018: Bug fixed by amazon security team
12/08/2018: Published POC

PS: No hall of fame or reward from Amazon, as it operates under a coordinated disclosure policy.
@justmorpheus