S3 Bucket Misconfiguration in Amazon

Description

Divyanshu Shukla
Aug 11, 2018 · 3 min read

Summary:

While trying to access one of the contact us pages on https://www.amazon.in, I discovered a misconfigured S3 bucket. In this scenario, the misconfiguration of the S3 bucket allowed any user to upload and delete any file in the bucket: https://bbcomm-mgr-ui-attachments-eu.s3.amazonaws.com

While looking for the contact customer care page, I saw a page with upload functionality, so why not try uploading some PHP shell? I turned my Burp intercept on and tried to bypass the file upload restrictions. It allowed png, jpeg and gif. Every time I tried to upload, it showed an error response, but then I started the spider to find any other page linked to this page. I saw there was one S3 bucket with the same file I was trying to upload. After copying the link I was able to download my file.
Woaah! I was able to find a misconfigured Amazon bucket. It was the bucket from which customer executives might be able to download attachments sent to them. When you ask a retailer about an invoice receipt, you can attach an image, PDF, etc. there. Those attachments are uploaded to the S3 bucket.

Target :

https://bbcomm-mgr-ui-attachments-eu.s3.amazonaws.com

Proof-of-concept

1) Visit URL:
https://bbcomm-mgr-ui-attachments-eu.s3.amazonaws.com/login2.html

2) Try writing and deleting files in the bucket:

a) Writing command:
Using curl to write index.html:

curl -XPUT -d '<html><h1> Upload by justmorpheus</html>' 'https://bbcomm-mgr-ui-attachments-eu.s3.amazonaws.com/index.html'

b) Using AWS CLI:
Move and copy commands:

  1. aws s3 mv login.html s3://bbcomm-mgr-ui-attachments-eu --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
  2. aws s3 cp login2.html s3://bbcomm-mgr-ui-attachments-eu --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers

Deleting Command:

  1. aws s3 rm s3://bbcomm-mgr-ui-attachments-eu/login.html
  2. aws s3 rm s3://bbcomm-mgr-ui-attachments-eu/index.html

Result:
We now have full write/execute access to an Amazon.in S3 bucket.
I also tried brute-forcing directories using DirBuster and discovered a folder,
which could be used to download confidential files and also for phishing purposes.

Solution:

Don't allow anyone full read/write/execute access to the bucket; restrict access to the principals that actually need it.
See the documentation: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-overview.html
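As an added example (not code from the original post), here is a small audit in Python that spots the kind of grant behind this misconfiguration: a bucket ACL entry for the global AllUsers (or AuthenticatedUsers) group with write permission. It takes the ACL in the shape boto3's get_bucket_acl() returns; the ACL below is a constructed sample, and the function and variable names are my own.

```python
# Added example: audit an S3 bucket ACL for public-group grants and produce a
# hardened copy. SAMPLE_ACL is constructed in the shape boto3's
# s3.get_bucket_acl(Bucket=...) returns; in a real audit pass that dict instead.
from typing import Dict, List, Tuple

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone (anonymous)", AUTH_USERS: "any AWS account"}
# Permissions that let an outsider add, replace or delete objects, or edit the ACL.
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Constructed sample: the owner has FULL_CONTROL, but the global AllUsers group
# also holds READ and WRITE, which is what let the PoC above upload and delete.
SAMPLE_ACL: Dict = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ],
}

def public_grants(acl: Dict) -> List[Tuple[str, str]]:
    """Return (who, permission) for every grant made to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return found

def is_publicly_writable(acl: Dict) -> bool:
    """True if an anonymous or any-AWS-account grantee can write or change the ACL."""
    return any(perm in WRITE_PERMS for _, perm in public_grants(acl))

def hardened_acl(acl: Dict) -> Dict:
    """Copy of the ACL with every public-group grant removed; the owner keeps its grant."""
    kept = [g for g in acl.get("Grants", [])
            if not (g["Grantee"].get("Type") == "Group"
                    and g["Grantee"].get("URI") in PUBLIC_GROUPS)]
    return {"Owner": acl["Owner"], "Grants": kept}

if __name__ == "__main__":
    for who, perm in public_grants(SAMPLE_ACL):
        print(f"public grant: {perm} to {who}")
    print("publicly writable:", is_publicly_writable(SAMPLE_ACL))
    print("publicly writable after fix:", is_publicly_writable(hardened_acl(SAMPLE_ACL)))
```

The dict hardened_acl() returns can be passed as AccessControlPolicy to boto3's put_bucket_acl(); enabling S3 Block Public Access on the account or bucket stops such grants from being added again.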

Reference and Thanks:

https://blog.detectify.com/2017/07/13/aws-s3-misconfiguration-explained-fix/
https://medium.com/@jonathanbouman/how-i-hacked-apple-com-unrestricted-file-upload-bcda047e27e3

Special mention @kunal_mahar — Information security Analyst.

Timeline:

10/07/2018: Discovered and reported to Amazon.
10/07/2018: Bug confirmed and case id assigned.
03/08/2018: Bug fixed by the amazon security team.
12/08/2018: Published POC.

PS: No hall of fame or reward from Amazon, as it works under a coordinated disclosure policy.
@justm0rph3u5


InfoSec Write-ups

A collection of write-ups from the best hackers in the…

Divyanshu Shukla

Written by

Security Engineer | Threat Hunter | DevSecops | Linux Administrator
