
Local user who can assume an admin role not in graph #114

Open
Kamerabuilt opened this issue Apr 7, 2022 · 6 comments
Labels
bug Something isn't working

Comments

@Kamerabuilt

I created a local IAM user, with the following policy:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::000000000000:role/Admin-Role"
        }
    ]
}
```

The "Admin-Role" has an Administrator policy attached, and the following Trust-policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::000000000000:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        }
    ]
}
```

When generating an svg with pmapper --account 000000000000 visualize, the produced image does not include any links or arrows between that local IAM user, and the Admin-Role.

If you need further info, please let me know.

@Kamerabuilt Kamerabuilt added the bug Something isn't working label Apr 7, 2022
@ncc-erik-steringer
Collaborator

Hello @Kamerabuilt ,

First look, I'm guessing it's the aws:MultiFactorAuthPresent condition that's tripping things up. The relevant source code is https://github.com/nccgroup/PMapper/blob/master/principalmapper/graphing/sts_edges.py#L84-L86 . If that's not working, then all the MFA stuff might be broken and that'd be a bigger problem.

Please confirm the following:

  • Which version of PMapper are you using?
  • Is the user able to assume the role (i.e. no misspellings in any of the policies)?
  • Does the user have an MFA device configured?
  • Is this for a live AWS account or a mock account on LocalStack?
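A simplified model of the edge check being discussed, added here as an illustration and not PMapper's own evaluator: it checks the user's identity policy and the role's trust policy against a request context and shows that an evaluation which supplies no aws:MultiFactorAuthPresent key can never satisfy a Bool/true condition, so an MFA-gated edge silently disappears from the graph, whereas feeding in the fact that the user owns an MFA device finds the edge. The user name, the helper names and the reduced set of supported policy elements are assumptions; the account id is the placeholder from the issue.

```python
"""Simplified sts:AssumeRole edge check that honours an MFA condition.

Hypothetical model for illustration only; it is not PMapper's evaluator and
supports just the elements used in this issue (Allow/Deny, Action, Resource,
an AWS Principal, and the Bool / StringEquals condition operators).
"""
from __future__ import annotations
from typing import Any, Optional

# Constructed sample data modelled on the policies quoted in the issue.
# The account id is the issue's placeholder; the user name is assumed.
ACCOUNT = "000000000000"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/local-user"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/Admin-Role"

IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}],
}

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _principal_matches(principal: Any, caller_arn: str) -> bool:
    """True if the trust policy's Principal covers the caller. The account
    root principal delegates the decision to that account's IAM policies, so
    it matches any caller from the account; the identity policy is checked
    separately."""
    if principal == "*":
        return True
    caller_account = caller_arn.split(":")[4]
    for entry in _as_list(principal.get("AWS", [])):
        if entry in ("*", caller_arn, caller_account, f"arn:aws:iam::{caller_account}:root"):
            return True
    return False


def _condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block. A missing context key never satisfies Bool
    or StringEquals, which is why an evaluator that passes an empty context
    drops every MFA-gated edge."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                return False  # unsupported operator: treat as not satisfied
    return True


def _policy_allows(policy: dict, action: str, resource: str,
                   context: dict, caller_arn: Optional[str] = None) -> bool:
    """Explicit Deny wins; otherwise any matching Allow grants the action."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if action not in _as_list(stmt.get("Action", [])):
            continue
        resources = _as_list(stmt.get("Resource", "*"))
        if "*" not in resources and resource not in resources:
            continue
        if "Principal" in stmt and not _principal_matches(stmt["Principal"], caller_arn or ""):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_assume_role(caller_arn: str, identity_policy: dict, role_arn: str,
                    trust_policy: dict, context: dict) -> bool:
    """Same-account AssumeRole needs the caller's identity policy AND the
    role's trust policy to allow it under the given request context."""
    return (_policy_allows(identity_policy, "sts:AssumeRole", role_arn, context)
            and _policy_allows(trust_policy, "sts:AssumeRole", role_arn, context, caller_arn))


def find_assume_role_edge(caller_arn: str, identity_policy: dict, role_arn: str,
                          trust_policy: dict, user_has_mfa: bool) -> bool:
    """Graph-building step: does an edge caller -> role exist? The fact the
    builder can assert up front is whether the user owns an MFA device, so the
    corrected check feeds that in as aws:MultiFactorAuthPresent rather than
    evaluating with an empty context."""
    context = {"aws:MultiFactorAuthPresent": "true"} if user_has_mfa else {}
    return can_assume_role(caller_arn, identity_policy, role_arn, trust_policy, context)


if __name__ == "__main__":
    for has_mfa in (False, True):
        edge = find_assume_role_edge(USER_ARN, IDENTITY_POLICY, ROLE_ARN, TRUST_POLICY, has_mfa)
        print(f"user_has_mfa={has_mfa}: edge to Admin-Role = {edge}")
```

Running the block prints no edge for a user without an MFA device and an edge for one with a device configured; the same evaluator also rejects a caller from another account, because the root principal in the trust policy only covers callers from 000000000000.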

@Kamerabuilt
Author

  1. I am using the latest PMapper version (I reinstalled it from scratch today). Is there a way to confirm which version exactly? I tried running -v (version), but it does not seem to be supported.
  2. Yes, the user can assume the role and execute the admin privileges associated with that role (through MFA)
  3. Yes, and it is needed to assume the role per the Trust policy
  4. It is a live AWS account (my personal account)

@ncc-erik-steringer
Collaborator

Added a fix in v1.2.0-dev with 06f1dc1 . This issue actually extends to any edge-checks that involve resource policies that can be affected by MFA. Probably gonna have to do some more fixing here before releasing v1.2.0.

@Kamerabuilt
Author

Can I test the 1.2.0-dev (if so how)?

Is there a way to display the current version of PMapper?

@ncc-erik-steringer
Collaborator

Sure can! Just clone the repo and checkout the 1.2.0-dev branch. Then do pip install . from the PMapper directory after you finish cloning. If you run pip show principalmapper it should show you the current version, and v1.2.0 will have a --version arg.

@Kamerabuilt
Author

Nice work!

Looks like it's fixed :)

wdahlenburg pushed a commit to wdahlenburg/PMapper that referenced this issue Sep 5, 2022
…dential_exfiltration

Updated EC2 credential exfiltration description for new bypass