
Article by Nick Frichette.

Steal IAM Credentials and Event Data from Lambda

In Lambda, the IAM credentials of the function's execution role are passed into the function via environment variables. The benefit for the adversary is that these credentials can be leaked via file read vulnerabilities such as XML External Entity (XXE) attacks, or via SSRF where the file:// scheme is allowed. This works because, on Linux, "everything is a file", including a process's environment.

IAM credentials can be accessed via reading /proc/self/environ.
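As an added example that is not part of the original article, the block below shows what a defender can do with the file just described: parse the NUL-delimited KEY=VALUE layout of /proc/self/environ, report which of the three credential variables a response body would expose, and redact them. A response-side check of this kind (in a WAF, an egress proxy, or the application's own output path) is one way to keep a file-read flaw from silently handing out the role's keys. The sample environ blob, the function name and every credential value are constructed placeholders; the variable names are the ones Lambda actually sets.

```python
"""Spot and redact Lambda credential material in a /proc/<pid>/environ blob.

Added example, not code from the original article. The environ file is a sequence of
KEY=VALUE records separated by NUL bytes; the sample below is constructed and every
credential value is a placeholder.
"""

# Variable names Lambda uses to hand the execution role's credentials to the function.
CREDENTIAL_KEYS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")

# Constructed sample of what /proc/self/environ looks like inside a Lambda sandbox.
SAMPLE_ENVIRON = (
    b"AWS_LAMBDA_FUNCTION_NAME=example-fn\0"
    b"AWS_LAMBDA_RUNTIME_API=127.0.0.1:9001\0"
    b"AWS_ACCESS_KEY_ID=ASIAPLACEHOLDER000000\0"
    b"AWS_SECRET_ACCESS_KEY=placeholder-secret-key-value\0"
    b"AWS_SESSION_TOKEN=placeholder-session-token\0"
    b"PATH=/usr/local/bin:/usr/bin:/bin\0"
)


def parse_environ(data: bytes) -> dict[str, str]:
    """Split a NUL-delimited environ blob into a dict; records without '=' are skipped."""
    env = {}
    for record in data.split(b"\0"):
        if b"=" not in record:
            continue
        key, _, value = record.partition(b"=")
        env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def leaked_credential_keys(data: bytes) -> list[str]:
    """Return which credential variables a well-formed environ dump exposes."""
    env = parse_environ(data)
    return [k for k in CREDENTIAL_KEYS if env.get(k)]


def redact_environ(data: bytes) -> bytes:
    """Rewrite the blob with credential values masked; other variables stay intact."""
    out = []
    for record in data.split(b"\0"):
        key, sep, _ = record.partition(b"=")
        if sep and key.decode("utf-8", "replace") in CREDENTIAL_KEYS:
            record = key + b"=[REDACTED]"
        out.append(record)
    return b"\0".join(out)


def contains_credential_material(body: bytes) -> bool:
    """Cheap check for any outbound body (XML, JSON, error pages), not only environ dumps."""
    return any(k.encode() + b"=" in body for k in CREDENTIAL_KEYS)


if __name__ == "__main__":
    print("exposed:", leaked_credential_keys(SAMPLE_ENVIRON))
    print(redact_environ(SAMPLE_ENVIRON).replace(b"\0", b"\n").decode())
```

The substring check in `contains_credential_material` is deliberately crude: a file-read bug usually returns the environ bytes embedded in some other format (an XML entity expansion, a JSON field), so matching the variable names is more robust than expecting a clean environ dump.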

Credentials

Note

In the event that /proc/self/environ is blocked by a WAF, check whether you can read the environment variables of other processes. This can be done by reading /proc/#/environ, where # is a process ID, often a number between 1 and 20.

In addition to IAM credentials, Lambda functions also receive event data when they are invoked. This data is made available to the function via the runtime interface over plain HTTP. Unlike the IAM credentials, it is therefore reachable through a standard SSRF (no file:// support needed) at http://localhost:9001/2018-06-01/runtime/invocation/next.

This will include information about what invoked the Lambda function and may be valuable depending on the context.
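Because the runtime interface is just an HTTP endpoint on the loopback interface, the usual SSRF defence applies: validate the destination before fetching a user-supplied URL. The block below is an added example, not code from the article, of such a check. It rejects non-HTTP schemes (so file:// reads of /proc are refused), loopback, link-local and private addresses, and the runtime API endpoint itself, and otherwise only allows an explicit host allowlist. It reads the runtime address from the AWS_LAMBDA_RUNTIME_API variable that Lambda sets, with a constructed fallback of 127.0.0.1:9001 for running outside Lambda. Hosts are compared literally; no DNS resolution is done here, which is an assumption a production version must close by resolving the name and re-checking the resulting addresses.

```python
"""Outbound-URL validation for code running inside Lambda.

Added example, not code from the original article. Decides whether a user-supplied
URL may be fetched, so that an SSRF-prone fetch routine cannot be pointed at the
Lambda runtime API or at the local filesystem.
"""
import ipaddress
import os
from urllib.parse import urlparse

# Runtime API host:port as Lambda exposes it; the default is a constructed value used
# only when the variable is absent (i.e. when this runs outside Lambda).
RUNTIME_API = os.environ.get("AWS_LAMBDA_RUNTIME_API", "127.0.0.1:9001")
RUNTIME_HOST, _, RUNTIME_PORT = RUNTIME_API.rpartition(":")
RUNTIME_HOST = RUNTIME_HOST.lower()

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def _is_internal_address(host: str) -> bool:
    """True for literal IPs that point at the sandbox itself or at non-public ranges."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # not a literal IP; name-based checks handle it instead
    # Treat ::ffff:127.0.0.1 and friends as the IPv4 address they wrap.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_loopback or addr.is_link_local or addr.is_private or addr.is_unspecified


def is_safe_fetch_target(url: str, allowed_hosts: set[str]) -> tuple[bool, str]:
    """Return (ok, reason) for a URL the application has been asked to fetch."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parsed.scheme or '<none>'}"
    host = (parsed.hostname or "").lower()
    if not host:
        return False, "missing host"
    try:
        port = parsed.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed port"
    if host in LOCAL_NAMES or _is_internal_address(host):
        return False, f"internal address: {host}"
    if host == RUNTIME_HOST and str(port) == RUNTIME_PORT:
        return False, "lambda runtime api"
    if host not in allowed_hosts:
        return False, f"host not on allowlist: {host}"
    return True, "ok"


if __name__ == "__main__":
    allow = {"api.example.com"}  # constructed allowlist
    for candidate in (
        "http://localhost:9001/2018-06-01/runtime/invocation/next",
        "file:///proc/self/environ",
        "https://api.example.com/data",
    ):
        print(candidate, "->", is_safe_fetch_target(candidate, allow))
```

The allowlist is the part doing most of the work; the explicit loopback and runtime-API checks are defence in depth for the case where an allowlisted name is later pointed at a local address.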

Note

Unlike IAM credentials associated with EC2 instances, there is no GuardDuty alert for stolen Lambda credentials.