A persistent privilege escalation approach in AWS that enables attackers with restricted permissions to execute code underneath higher-privileged execution roles on EC2 situations and SageMaker pocket book situations.
First documented by Grzelak in 2016 for EC2, the tactic exploits modifiable boot-time configurations to inject malicious payloads, bypassing customary IAM controls like PassRole.
Current evaluation from Safety researcher Daniel Grzelak confirms the sample persists throughout AWS companies, highlighting ongoing dangers in cloud compute environments.
Attackers with ec2:StartInstances, ec2:StopInstances, and ec2:ModifyInstanceAttribute permissions goal current EC2 situations connected to highly effective occasion profiles.
SageMaker Privilege Escalation
By stopping the occasion, they modify the userData attribute utilizing a #cloud-boothook directive, which triggers script execution on each reboot.
Restarting the occasion runs the injected code, similar to credential exfiltration, within the context of the occasion’s execution position, granting entry to its full permissions.
This system stays viable right now, as AWS documentation nonetheless permits userData modifications post-launch. CloudTrail logs reveal the assault by sequences like StopInstances → ModifyInstanceAttribute → StartInstances from surprising principals.
Mitigation calls for proscribing ec2:ModifyInstanceAttribute to trusted directors, treating it as equal to arbitrary code execution underneath the goal position.
Amazon SageMaker pocket book situations, powered by managed Jupyter environments, introduce a parallel vector through lifecycle configurations, shell scripts executed on begin or creation.
Permissions for sagemaker:StopNotebookInstance, sagemaker:UpdateNotebookInstance (with lifecycle-config-name), and sagemaker:StartNotebookInstance allow the escalation: halt a pocket book, create or connect a malicious lifecycle config with base64-encoded credential-stealing code, then restart.
Daniel Grzelak of Plerion offered proof-of-concept bash code demonstrating the complete chain, from config creation to exfiltration through a callback endpoint.
SageMaker’s complexity, spanning notebooks, domains, and studios, amplifies publicity, as execution roles typically carry broad knowledge science permissions like S3 entry or mannequin deployment.
Rhino Safety Labs beforehand famous comparable SageMaker abuses, however lifecycle updates signify a subtler, post-configuration modification.
The core flaw stems from PassRole checks occurring solely at useful resource creation, decoupling position task from runtime code adjustments. Comparable patterns have an effect on Lambda (through UpdateFunctionCode), CloudFormation change units, and doubtlessly SageMaker Studios.
Attackers can systematically hunt for AWS API endpoints with execution position dependencies, enabling widespread exploitation.
Detection depends on CloudTrail monitoring for Cease → Replace → Begin patterns on compute sources, primarily from non-operational identities.
Prevention includes least-privilege scoping round config-modifying actions, Service Management Insurance policies (SCPs) denying broad execution position passages, and approval workflows for restarts.
AWS classifies these as configuration points underneath the shared duty mannequin, urging groups to audit execution position assumptions rigorously.
Comply with us on Google Information, LinkedIn, and X for every day cybersecurity updates. Contact us to function your tales.
