@SpenGietz I've read https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ and also the different escalation methods listed in aws-pentest-tools/aws_escalate.py.

IMHO in the blog post, "13. Updating the code of an existing Lambda function" could allow admin privilege escalation only if the function does run as admin, because lambda:UpdateFunctionCode does not allow you to change the role with which the function runs. This means that maybe you want to remove that from the script, or make the output look different? For example: "Partial privilege escalation"?

On the other side, neither the blog post nor the code references lambda:UpdateFunctionConfiguration, which does allow you to set the role with which the function will run.

What do you think about adding these to escalation_methods: