Cloudsplaining false negatives on multi policy privesc paths
sethsec opened this issue · 1 comments
If I am not mistaken, Cloudsplaining takes a policy-centric approach to evaluating privesc paths. If a policy meets the logic that defines a privesc path, this policy is identified as allowing privesc. Any principal that has that policy applied is highlighted as well, which is great! However, a principal that has two or more policies that each contain part of the privesc conditions is not highlighted, which causes detection misses for privesc paths.
Example of successful detection:
policy_privesc3: Allows ec2:RunInstances + iam:Passrole
role_test1: has policy_privesc3 attached
Results:
policy_privesc3 will be detected as a privesc path - CORRECT
role_test1 will be detected as having a privesc path - CORRECT
Example of false negative:
policy_privesc-runInstances: Allows ec2:RunInstances only
policy_privesc-passrole: Allows iam:Passrole only
role_test2: policy_privesc-runInstances & policy_privesc-passrole attached
Results:
Neither policy will be detected as a privesc path - CORRECT
role_test2 will not be detected as having a privesc path - INCORRECT
I know adding support for this is not a small task. Also, pmapper does a great job at identifying these combo cases. However, I love the Cloudsplaining UI, how straightforward it is to use, all of the supporting documentation, and really just think Cloudsplaining should catch these cases as well.
Also, it might be a good idea to list this limitation in the documentation to make sure people know what the tool does a great job of catching, and what the current blind spots are.
This is a great point and would be super valuable. Also, I am glad you like the UI :)
If someone wants to pick this up, here are some implementation suggestions: I would suggest some kind of merge_policies function that would accept any number of PolicyDocument objects (from cloudsplaining.scan.policy_document). Then if a principal has multiple policies attached, run merge_policies, and from that result, determine if there are any new PrivEsc dict keys from PolicyDocument.allows_privilege_escalation compared to the PrivEsc dict keys from the other policies attached. If the keys are different, then it's a finding specific to that principal.