S3 Bucket Misconfiguration in Amazon
While trying to access one of the contact-us pages on https://www.amazon.in, I discovered a misconfigured S3 bucket. In this scenario the misconfiguration of an S3 bucket allowed any user to upload and delete any file in the bucket: https://bbcomm-mgr-ui-attachments-eu.s3.amazonaws.com
While looking for a way to contact customer care, I saw a page with upload functionality, so why not try uploading a PHP shell? I turned my Burp intercept on and tried to bypass the file upload filter. It allowed png, jpeg and gif. Every time I tried to upload, it showed an error response, but then I started the spider to find any other pages linked to this one. I saw there was one S3 bucket containing the same file I was trying to upload. After copying the link I was able to download my file.
Woaah! I was able to find a misconfigured Amazon bucket. It was the bucket from which customer executives can download the attachments sent to them. When you ask a retailer about an invoice receipt, you can attach an image, PDF, etc. there. Those attachments are uploaded to the S3 bucket.
2) Try writing and deleting files in the bucket:
a) Using curl to write index.html:
curl -XPUT -d '<html><h1>Upload by justmorpheus</h1></html>' 'https://bbcomm-mgr-ui-attachments-eu.s3.amazonaws.com/index.html'
b) Using the AWS CLI:
Move and copy commands:
- aws s3 mv login.html s3://bbcomm-mgr-ui-attachments-eu --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
- aws s3 cp login2.html s3://bbcomm-mgr-ui-attachments-eu --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
- aws s3 rm s3://bbcomm-mgr-ui-attachments-eu/login.html
- aws s3 rm s3://bbcomm-mgr-ui-attachments-eu/index.html
We now have full write/execute access to an Amazon.in S3 bucket.
I also tried brute-forcing directories using DirBuster and discovered a folder, which could be used to download confidential files and also for phishing purposes.
Don't allow anyone full read/write/execute access.
See the documentation: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-overview.html
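To check a bucket for the condition described in this post, here is an added audit script that is not part of the original write-up: it inspects the JSON an operator would save from `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` and reports ACL grants to the global groups as well as write actions a bucket policy allows to everyone. The sample ACL and policy embedded below are constructed, not taken from the bucket in the post.

```python
import fnmatch

# ACL group URIs meaning anyone (AllUsers, the URI used on this page) or any AWS account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# Actions that let a principal add, replace or remove objects or ACLs.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl", "s3:PutBucketAcl")

def public_acl_grants(acl):
    """Return (group, permission) pairs from a GetBucketAcl response granting anything
    to a global group; Grantee Type 'Group' + URI is how --grants read=uri=... shows up."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return found

def public_writes_in_policy(policy):
    """Return the write actions a bucket policy allows to Principal '*'.
    Action may be a string or a list and may contain wildcards like s3:Put*."""
    risky = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if "*" not in (principal if isinstance(principal, list) else [principal]):
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        for target in WRITE_ACTIONS:  # IAM action names are case-insensitive
            if any(fnmatch.fnmatchcase(target.lower(), a.lower()) for a in actions):
                risky.append(target)
    return sorted(set(risky))

# Constructed samples shaped like `aws s3api get-bucket-acl` / get-bucket-policy
# output; they reproduce the anonymous-write condition described in this post.
SAMPLE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:Put*"], "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    print(public_acl_grants(SAMPLE_ACL), public_writes_in_policy(SAMPLE_POLICY))
```

A non-empty result from either function means unauthenticated callers can change the bucket's contents, which is the state the bucket above was found in.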
Reference and Thanks:
Special mention: @kunal_mahar — Information Security Analyst
10/07/2018: Discovered and reported to amazon
10/07/2018: Bug confirmed and case id assigned
03/08/2018: Bug fixed by amazon security team
12/08/2018: Published POC
PS: No hall of fame or reward from Amazon, as it works under a coordinated disclosure policy.