Article by Nick Frichette.
Steal IAM Credentials and Event Data from Lambda
Technique seen in the wild
Reference: Compromised Cloud Compute Credentials: Case Studies From the Wild
In Lambda, IAM credentials are passed into the function via environment variables. The benefit for the adversary is that these credentials can be leaked via file read vulnerabilities such as XML External Entity (XXE) attacks or SSRF that allows the file:// protocol. This is because "everything is a file".
IAM credentials can be accessed via reading /proc/self/environ.
Note
In the event that /proc/self/environ is blocked by a WAF, check if you can read the environment variables of other processes. This can be done by reading /proc/#/environ where '#' is some number often between 1 and 20.
In addition to IAM credentials, Lambda functions also have event data that is passed to the function when it is started. This data is made available to the function via the runtime interface. Unlike IAM credentials, this data is accessible over standard SSRF at http://localhost:9001/2018-06-01/runtime/invocation/next.
This will include information about what invoked the Lambda function and may be valuable depending on the context.
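Both leak paths above share one application-side root cause: a user-controlled URL or entity reference reaches a fetch or file read without a check on scheme and destination. The following validator is an added example written for this article (it is not code from the original post or from AWS); it assumes an application that fetches user-supplied URLs from inside a function and shows how to refuse file:// reads and requests to the function's own loopback address, where the runtime interface listens, as well as link-local and private destinations. Hostnames, the blocked-hostname set, and the reason strings are choices made for this example.

```python
"""Refuse outbound fetch targets that could expose Lambda credentials or event data.

Added example, not part of the original article. Assumed context: a Lambda
function that fetches URLs supplied by callers (the SSRF/XXE sink the article
describes). The check rejects file:// (and any non-http(s) scheme), loopback
hosts such as localhost:9001, link-local addresses, and private ranges.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hostnames that name the function's own container (constructed list for the example).
LOCAL_HOSTNAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}


def classify_target(url: str) -> str:
    """Return 'ok', or a short reason the target must not be fetched."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable"

    scheme = (parts.scheme or "").lower()
    if scheme not in ALLOWED_SCHEMES:
        # Covers file:///proc/self/environ and bare paths such as /proc/self/environ.
        return f"scheme-not-allowed:{scheme or 'none'}"

    host = parts.hostname  # already lower-cased; IPv6 brackets stripped
    if not host:
        return "missing-host"
    if host in LOCAL_HOSTNAMES:
        return "loopback-hostname"

    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name. A production check must resolve it and re-run the address
        # tests on every resolved address (and pin the connection to that address);
        # this offline example accepts names it cannot resolve.
        return "ok"

    # Order matters: 127.0.0.0/8 is also reported as private, so test loopback first.
    if addr.is_loopback:
        return "loopback-address"          # 127.0.0.1 / ::1, where the runtime API listens
    if addr.is_link_local:
        return "link-local-address"        # 169.254.0.0/16, incl. instance metadata
    if addr.is_unspecified or addr.is_reserved or addr.is_private:
        return "private-or-reserved-address"
    if addr.is_multicast:
        return "multicast-address"
    return "ok"


def is_safe_target(url: str) -> bool:
    """Convenience wrapper for call sites that only need a yes/no answer."""
    return classify_target(url) == "ok"


if __name__ == "__main__":
    for candidate in (
        "file:///proc/self/environ",
        "http://localhost:9001/2018-06-01/runtime/invocation/next",
        "http://[::1]:9001/2018-06-01/runtime/invocation/next",
        "https://example.com/api",
    ):
        print(f"{classify_target(candidate):32s} {candidate}")
```

The literal-address checks are the part this example demonstrates; the DNS branch is the known weak spot. Decimal or hexadecimal IP spellings, shortened dotted forms, and DNS rebinding all arrive as "hostnames" here, so the resolve-then-re-check step described in the comment is required before this is a complete SSRF control. Note also that for XXE the stronger fix is to disable external entity resolution in the XML parser rather than to filter entity targets.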
Note
Unlike IAM credentials associated with EC2 instances, there is no GuardDuty alert for stolen Lambda credentials.
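Because there is no managed finding for this case, teams that want coverage have to write it themselves against CloudTrail. The detection below is an added example for this article (not code from the original post or from AWS): it flags API calls made with a Lambda execution role's session credentials from a source address outside the networks the functions are expected to call from. The CloudTrail records are constructed sample data, and the role-name set and expected CIDRs are assumptions a deployment would replace with its own values (for example the NAT gateway addresses of VPC-attached functions, or the published AWS address ranges for functions without a VPC).

```python
"""Detect Lambda execution-role credentials used from an unexpected network.

Added example, not part of the original article. Input is a list of CloudTrail
records (constructed samples below). A finding is raised when a record's
caller is an assumed-role session for one of the account's Lambda execution
roles and the sourceIPAddress is a client IP outside EXPECTED_SOURCE_CIDRS.
"""
import ipaddress
import json

# Assumed: names of the Lambda execution roles in this account.
LAMBDA_EXECUTION_ROLES = {"orders-api-lambda-role", "image-resize-lambda-role"}
# Assumed: networks the functions legitimately call AWS APIs from (documentation /
# test addresses used here; a real rule would load the deployment's own ranges).
EXPECTED_SOURCE_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),   # e.g. NAT gateway EIPs of VPC-attached functions
    ipaddress.ip_network("192.0.2.0/24"),     # e.g. a slice of the AWS ranges for non-VPC functions
]


def parse_assumed_role(arn):
    """Split 'arn:aws:sts::<acct>:assumed-role/<role>/<session>' into (role, session)."""
    resource = arn.split(":", 5)[-1]
    parts = resource.split("/")
    if len(parts) != 3 or parts[0] != "assumed-role":
        return None
    return parts[1], parts[2]


def source_is_expected(source_ip):
    """True for addresses inside the expected ranges and for AWS service principals."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        # CloudTrail records calls made by AWS services with a DNS name such as
        # 'lambda.amazonaws.com' in sourceIPAddress; those are not client IPs.
        return True
    return any(addr in net for net in EXPECTED_SOURCE_CIDRS)


def find_credential_misuse(records):
    """Return one finding dict per record that uses a Lambda role from an unexpected IP."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        parsed = parse_assumed_role(ident.get("arn", ""))
        if parsed is None:
            continue
        role, session = parsed
        if role not in LAMBDA_EXECUTION_ROLES:
            continue
        src = rec.get("sourceIPAddress", "")
        if source_is_expected(src):
            continue
        findings.append({
            "eventTime": rec.get("eventTime"),
            "eventName": rec.get("eventName"),
            "role": role,
            "session": session,          # for Lambda this is normally the function name
            "sourceIPAddress": src,
            "userAgent": rec.get("userAgent"),
        })
    return findings


# Constructed CloudTrail records for the example (account id and IPs are placeholders).
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2024-05-01T10:00:01Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "sourceIPAddress": "203.0.113.7", "userAgent": "aws-sdk-python",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/orders-api-lambda-role/orders-api"}},
 {"eventTime": "2024-05-01T10:00:02Z", "eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
  "sourceIPAddress": "lambda.amazonaws.com", "userAgent": "lambda.amazonaws.com",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/orders-api-lambda-role/orders-api"}},
 {"eventTime": "2024-05-01T10:07:44Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
  "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.15.0",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/orders-api-lambda-role/orders-api"}},
 {"eventTime": "2024-05-01T10:08:10Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
  "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.15.0",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/admin-role/alice"}}
]""")


if __name__ == "__main__":
    for finding in find_credential_misuse(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

Only the third record produces a finding: it carries the orders-api function's session credentials, but the call comes from an address outside the expected ranges and with a CLI user agent the function itself would not use. The fourth record is outside this rule's scope because admin-role is not a Lambda execution role. Two caveats for a real deployment: the expected ranges must be kept current, and functions without a VPC attachment make calls from shared AWS address space, so a narrower signal there is the combination of an unexpected user agent with a session name that matches a function name.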