# AWS - Route53 Privesc
{{#include ../../../../banners/hacktricks-training.md}}
For more information about Route53 check:
{{#ref}}
../../aws-services/aws-route53-enum.md
{{#endref}}
### `route53:CreateHostedZone`, `route53:ChangeResourceRecordSets`, `acm-pca:IssueCertificate`, `acm-pca:GetCertificate`

Other permissions that are recommended, but not required, for the enumeration part: `route53:GetHostedZone`, `route53:ListHostedZones`, `acm-pca:ListCertificateAuthorities`, `ec2:DescribeVpcs`
Assume an AWS VPC hosts several cloud-native applications that talk to each other and to the AWS API. Because communication between microservices is usually TLS-encrypted, a private CA is needed to issue valid certificates for those services. If ACM-PCA serves that role and an adversary gains control of both Route53 and the ACM-PCA private CA with the minimum set of permissions listed above, they can hijack the applications' calls to the AWS API and thereby take over the IAM permissions of those applications.

This is possible because:

- AWS SDKs do not perform certificate pinning, so any certificate chaining to a CA the client trusts is accepted
- Route53 allows creating a Private Hosted Zone and DNS records for the AWS API domain names, so name resolution inside the VPC can be redirected
- A private CA in ACM-PCA cannot be restricted to signing certificates only for specific Common Names

Potential Impact: Indirect privesc by intercepting sensitive information (such as the credentials carried in AWS API calls) in the traffic.
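The defensive counterpart of the three conditions above is to watch for private hosted zones, or record changes, that shadow AWS API domains. The following Python is an added example and is not code from the HackTricks page or from the linked research; it runs over constructed data embedded inline. The hosted-zone records mirror the field layout of the Route53 `ListHostedZones` response (`Id`, `Name`, `Config.PrivateZone`), and the CloudTrail records assume the usual camelCased `requestParameters` layout for `CreateHostedZone` and `ChangeResourceRecordSets`; the account id, ARNs and zone ids are placeholders. In a real deployment you would feed it the output of `boto3` `list_hosted_zones()` and your CloudTrail log stream instead.

```python
"""Detect Route53 private hosted zones and record changes that shadow AWS API domains.

Added example (not from the HackTricks page). All input below is constructed.
"""
import json

# Suffixes an attacker would need to shadow to intercept AWS SDK traffic from a VPC.
AWS_API_SUFFIXES = ("amazonaws.com", "amazonaws.com.cn")

# Constructed sample shaped like the Route53 ListHostedZones API response.
SAMPLE_HOSTED_ZONES = [
    {"Id": "/hostedzone/Z0000000000000000001", "Name": "internal.example.",
     "Config": {"PrivateZone": True}},
    {"Id": "/hostedzone/Z0000000000000000002", "Name": "sts.amazonaws.com.",
     "Config": {"PrivateZone": True}},
    {"Id": "/hostedzone/Z0000000000000000003", "Name": "example.com.",
     "Config": {"PrivateZone": False}},
    {"Id": "/hostedzone/Z0000000000000000004", "Name": "eu-west-1.amazonaws.com.",
     "Config": {"PrivateZone": True}},
]

# Constructed CloudTrail records (JSON lines); account id and ARNs are placeholders.
SAMPLE_CLOUDTRAIL = [
    json.dumps({"eventName": "CreateHostedZone", "eventSource": "route53.amazonaws.com",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
                "requestParameters": {"name": "sts.amazonaws.com.",
                                      "hostedZoneConfig": {"privateZone": True}}}),
    json.dumps({"eventName": "CreateHostedZone", "eventSource": "route53.amazonaws.com",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops"},
                "requestParameters": {"name": "internal.example.",
                                      "hostedZoneConfig": {"privateZone": True}}}),
    json.dumps({"eventName": "ChangeResourceRecordSets", "eventSource": "route53.amazonaws.com",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
                "requestParameters": {"hostedZoneId": "Z0000000000000000002",
                                      "changeBatch": {"changes": [{"action": "CREATE",
                                          "resourceRecordSet": {"name": "sts.amazonaws.com.",
                                                                "type": "A"}}]}}}),
]


def shadows_aws_api(zone_name: str) -> bool:
    """True if a DNS name equals, or falls under, one of the AWS API suffixes."""
    name = zone_name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in AWS_API_SUFFIXES)


def find_shadowing_zones(zones):
    """Return the private hosted zones whose name would override AWS API resolution."""
    return [z for z in zones
            if z.get("Config", {}).get("PrivateZone") and shadows_aws_api(z["Name"])]


def suspicious_cloudtrail_events(lines):
    """Return (eventName, actor ARN, offending names) for Route53 events touching AWS API names."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "route53.amazonaws.com":
            continue
        params = ev.get("requestParameters") or {}
        names = []
        if ev.get("eventName") == "CreateHostedZone":
            names.append(params.get("name", ""))
        elif ev.get("eventName") == "ChangeResourceRecordSets":
            for change in params.get("changeBatch", {}).get("changes", []):
                names.append(change.get("resourceRecordSet", {}).get("name", ""))
        hits = [n for n in names if shadows_aws_api(n)]
        if hits:
            findings.append((ev["eventName"], ev["userIdentity"]["arn"], hits))
    return findings


if __name__ == "__main__":
    for zone in find_shadowing_zones(SAMPLE_HOSTED_ZONES):
        print("shadowing private zone:", zone["Id"], zone["Name"])
    for event_name, actor, names in suspicious_cloudtrail_events(SAMPLE_CLOUDTRAIL):
        print("suspicious event:", event_name, "by", actor, "->", names)
```

Both checks key on the same `shadows_aws_api` predicate, so a legitimate zone such as `internal.example.` passes while `sts.amazonaws.com.` and a regional suffix like `eu-west-1.amazonaws.com.` are flagged; pairing the inventory check with the CloudTrail check catches both zones that already exist and the moment one is created or populated.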
## Exploitation
Find the exploitation steps in the original research: https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/
{{#include ../../../../banners/hacktricks-training.md}}