Remote Code Execution in LocalStack 0.12.6

CVE-2022-27251

In version 0.12.6, user input supplied to the Lambda API's handler field is not sanitized when Lambda functions are created, and the Lambda Docker containers are spawned insecurely. As a result, a command injection can be delivered through the AWS CLI's --handler option and is executed by the root process that creates and spawns the Lambda Docker containers. This attack vector applies only when the host has Lambda functionality enabled and the attacker knows the Lambda endpoint that the AWS CLI connects to.

This has been patched in later versions.
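As an added illustration of the defensive side of this bug (example code, not LocalStack's own implementation; the handler regex, the _HANDLER variable name and the image name are assumptions), the following validates the handler field against an allow-list and builds the container spawn command as an argv list, so the handler value is never re-parsed by a shell on the host:

```python
import re
import subprocess

# Lambda handler strings look like "module.function" or "index.handler".
# Allow-list of safe characters; this regex is an illustrative assumption,
# not LocalStack's own validation.
HANDLER_RE = re.compile(r"^[A-Za-z0-9_./-]+$")
MAX_HANDLER_LEN = 128

# Constructed placeholder image name, not a real LocalStack runtime image.
DEFAULT_IMAGE = "example/lambda-runtime:latest"


def validate_handler(handler: str) -> str:
    """Reject anything outside the allow-list (spaces, quotes, ';', '$', ...)."""
    if not handler or len(handler) > MAX_HANDLER_LEN:
        raise ValueError("invalid Lambda handler: empty or too long")
    if not HANDLER_RE.fullmatch(handler):
        raise ValueError(f"invalid Lambda handler: {handler!r}")
    return handler


def build_docker_argv(handler: str, image: str = DEFAULT_IMAGE) -> list:
    """Build the spawn command as an argv list.

    The unsafe pattern behind this class of bug is string interpolation into
    a shell command, e.g. f"docker run -e _HANDLER={handler} {image}" run with
    shell=True: any shell metacharacter in the handler is then executed as
    root by the process spawning the container. Passing a list with shell=False
    hands the handler to Docker as one opaque argument instead.
    """
    safe_handler = validate_handler(handler)
    return ["docker", "run", "--rm", "-e", f"_HANDLER={safe_handler}", image]


def spawn_container(handler: str, image: str = DEFAULT_IMAGE) -> subprocess.CompletedProcess:
    """Spawn the container without a shell; validation happens in build_docker_argv."""
    argv = build_docker_argv(handler, image)
    return subprocess.run(argv, shell=False, check=True, capture_output=True)
```

spawn_container() needs a Docker daemon; build_docker_argv() and validate_handler() can be exercised without one.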

An example scenario is available on the HackTheBox platform, on a machine I created called Stacked.

PoCs:

See Ippsec: https://youtu.be/aWXfEDIYZu8?t=2970

See 0xdf: https://0xdf.gitlab.io/2022/03/19/htb-stacked.html#shell-as-root-on-localstack