Exploiting misconfigured AWS S3 Buckets!
I found a misconfigured s3 bucket in a global customer service tech company where the misconfiguration of the S3 bucket allowed any authenticated user to upload and delete files to their s3 bucket.
I am redacting the bucket name and company name to “<xyz>” as requested by the affected company.
Bucket : https://<xyz>-uploads.s3-eu-west-1.amazonaws.com/
Proof-of-concept:
- Configure the AWS CLI on your Windows/Linux/Mac machine.
- Execute the commands below from the CLI:
  Uploading a file: aws s3 cp test.html s3://<xyz>-uploads/
  Deleting a file: aws s3 rm s3://<xyz>-uploads/test.html
  Listing the files: aws s3 ls s3://<xyz>-uploads/
I received an email from the VP of Engineering saying that they had fixed the issue; below is my confirmation to them.
Recommendation:
- Review the bucket ACLs to verify that WRITE and WRITE_ACP are only granted to specific users, never to groups such as AllUsers or AuthenticatedUsers.
- Take a look at how you are uploading objects to S3 buckets and make sure you set the proper ACLs on both buckets and objects.
Note: Newly created Amazon S3 buckets and objects are private and protected by default.
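The ACL review above can be scripted against the JSON that `aws s3api get-bucket-acl` (and `get-object-acl`, which has the same shape) returns. The following is an added example, not code from the original write-up or from the affected company; the sample ACL embedded in it is constructed to resemble the misconfiguration described (a WRITE grant to the AuthenticatedUsers group) and is not the real bucket's ACL. The group URIs and permission names are the real values AWS uses.

```python
"""Audit an S3 bucket or object ACL for write-class grants to the
predefined AllUsers / AuthenticatedUsers groups.

Added example (not part of the original write-up). Input is the JSON
printed by `aws s3api get-bucket-acl --bucket <name>`; the SAMPLE_ACL
below is constructed for demonstration only.
"""
import json

# Predefined S3 group URIs (real AWS values) that represent "everyone"
# and "every AWS account holder" respectively.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Permissions that let a grantee add/delete objects or rewrite the ACL.
# FULL_CONTROL is included because it implies both WRITE and WRITE_ACP.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def find_risky_grants(acl):
    """Return [(group_name, permission)] for every grant that gives one of
    the public groups a write-class permission."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            # CanonicalUser / AmazonCustomerByEmail grants name one principal
            continue
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if group is None:
            # e.g. the s3/LogDelivery group, which is not a public group
            continue
        if grant.get("Permission") in WRITE_PERMISSIONS:
            findings.append((group, grant["Permission"]))
    return findings


def audit_acl_json(acl_json):
    """Parse CLI JSON output and return human-readable findings (empty if clean)."""
    acl = json.loads(acl_json)
    return [f"group {group} has {perm} on the bucket"
            for group, perm in find_risky_grants(acl)]


# Constructed sample in the shape of `aws s3api get-bucket-acl` output:
# owner has FULL_CONTROL, AuthenticatedUsers has WRITE (the reported issue),
# AllUsers has READ (not a write grant, so not flagged by this check).
SAMPLE_ACL = json.dumps({
    "Owner": {"DisplayName": "bucket-owner", "ID": "0" * 64},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "DisplayName": "bucket-owner",
                     "ID": "0" * 64},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
})

if __name__ == "__main__":
    import sys
    # Usage: aws s3api get-bucket-acl --bucket <name> > acl.json
    #        python3 audit_acl.py acl.json
    # With no argument the constructed sample is audited instead.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACL
    for line in audit_acl_json(data) or ["no public write grants found"]:
        print(line)
```

Run it over each bucket's ACL and again over a sample of object ACLs, since the write-up's second recommendation is about object-level permissions set at upload time. The check deliberately limits itself to the write-class permissions the recommendation names; a READ grant to AllUsers is a separate exposure to review on its own.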
Happy Hacking!