Improperly configured reverse proxy servers vulnerable to data leaks

A new proof-of-concept (PoC) attack enables unauthenticated hackers to steal user credentials from misconfigured reverse proxy servers. The PoC targets major cloud customers of services such as AWS, Microsoft Azure and Google Cloud. Hackers can use the stolen credentials to delete, change or extract data from websites and applications. Much like the improperly configured storage buckets that plagued businesses with leaky data, this PoC attack takes advantage of a common default configuration used by leading cloud services that website admins too often leave unchanged.

The PoC targets the APIs that expose the metadata associated with identity services such as AWS' Identity and Access Management (IAM), Microsoft's Azure Managed Service Identity, and Google's Cloud IAM. These features simplify the task of creating and distributing credentials and are popular with developers. Hackers can abuse them as well. For example, WordPress servers use such credentials to connect to other cloud services: a website might use IAM credentials to connect automatically to an AWS storage bucket to back up daily transaction data. IAM credentials rely on web server APIs to link cloud services, and a simple curl command is enough for any program on the instance to obtain the IAM role credentials.

The PoC attack recreates a typical configuration for a web server or application server: a reverse proxy running a default NGINX installation. NGINX is web server software that can also act as a reverse proxy, a server that retrieves resources on behalf of a client from one or more backend servers. The PoC rests on the observation that some reverse proxies in AWS, Azure and Google Cloud environments are set up so that anyone can set the Host header to call the instance metadata API and obtain credentials. An HTTP request to the proxy carries a Host header naming the destination; the researchers observed that the proxy reads that value, connects to that destination and fetches the page. A hacker can therefore manipulate the header to make the proxy fetch other data reachable from the proxy server, such as credential data from the metadata API endpoint.

Malware or potential hackers can use a simple curl command against a specific URL to access the IAM role credentials. That credential data can then be used to access third-party cloud services linked to the website or application, such as data stores, databases or website backups. Researchers believe the number of misconfigured servers vulnerable to this type of attack is huge, given how common reverse proxies are in public cloud environments and in organizations moving on-premises applications to the cloud.
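The two checks below are an added example written for this page, not code from the article or from the researchers it describes. They cover the two paragraphs above: an audit that flags NGINX `proxy_pass` targets built from the client's Host header (shown against a constructed weak server block and a hardened one), and a detector run over constructed access-log lines that flags requests whose Host header points at the instance metadata address. The config snippets, the `log_format`, the log lines and the `app_backend` upstream name are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample nginx server block (not from the article). It forwards to
# whatever the client put in the Host header, the misconfiguration described above.
WEAK_CONFIG = """
server {
    listen 80 default_server;
    location / {
        proxy_pass http://$host$request_uri;
        proxy_set_header Host $host;
    }
}
"""

# Hardened version: proxy_pass is pinned to a fixed upstream (assumed name
# app_backend), and a catch-all default server drops requests whose Host header
# matches no configured site instead of forwarding them anywhere.
HARDENED_CONFIG = """
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
server {
    listen 80;
    server_name app.example.com;
    location / {
        proxy_pass http://app_backend;
        proxy_set_header Host $host;
    }
}
"""

PROXY_PASS_RE = re.compile(r"proxy_pass\s+(\S+?)\s*;")


def audit_proxy_pass(config_text):
    """Return proxy_pass targets whose destination comes from client-supplied headers.

    $host and every $http_* variable are taken from the request, so a proxy_pass
    that uses them lets the client choose where the proxy connects.
    """
    return [t for t in PROXY_PASS_RE.findall(config_text)
            if "$host" in t or "$http_" in t]


# Detection side. Assumed log_format (constructed for this example):
#   '$remote_addr - [$time_local] "$host" "$request" $status'
LOG_RE = re.compile(r'^(\S+) - \[([^\]]+)\] "([^"]*)" "([^"]*)" (\d{3})$')
METADATA_HOSTNAMES = {"metadata.google.internal", "metadata"}


def host_targets_metadata(host):
    """True if a Host header value names a cloud instance metadata endpoint.

    AWS, Azure and GCP all serve instance metadata from the link-local address
    169.254.169.254; GCP additionally answers on metadata.google.internal.
    """
    name = host.strip().lower()
    if name.startswith("["):            # bracketed IPv6 literal, e.g. [fe80::1]:80
        name = name[1:name.find("]")]
    else:
        name = name.split(":", 1)[0]    # drop an optional :port
    if name in METADATA_HOSTNAMES:
        return True
    try:
        return ipaddress.ip_address(name).is_link_local
    except ValueError:
        return False                    # ordinary hostname


def scan_access_log(lines):
    """Return (client, host, request) for requests whose Host header targets metadata."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, host, request, _status = m.groups()
        if host_targets_metadata(host):
            hits.append((client, host, request))
    return hits


# Constructed access-log lines in the format above (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - [10/Oct/2023:13:55:36 +0000] "app.example.com" "GET /index.html HTTP/1.1" 200',
    '203.0.113.9 - [10/Oct/2023:13:55:40 +0000] "169.254.169.254" "GET / HTTP/1.1" 200',
    '203.0.113.9 - [10/Oct/2023:13:55:41 +0000] "metadata.google.internal" "GET / HTTP/1.1" 200',
    '198.51.100.7 - [10/Oct/2023:13:56:02 +0000] "app.example.com" "POST /login HTTP/1.1" 302',
]

if __name__ == "__main__":
    print("weak config flags:", audit_proxy_pass(WEAK_CONFIG))        # ['http://$host$request_uri']
    print("hardened config flags:", audit_proxy_pass(HARDENED_CONFIG))  # []
    for client, host, request in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {client} sent Host={host} for {request}")
```

Note that `proxy_set_header Host $host` in the hardened block is fine: passing the client's Host value on to a fixed upstream is normal, the problem is only using it to pick the upstream. The detector needs `$host` in the access log format; the default `combined` format does not record it. Either check only catches the Host-header route described here; restricting the metadata service itself (for instance AWS's session-based IMDSv2 mode) closes the same endpoint against other server-side request paths as well.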

The PoC has another, even scarier means of exploitation, which involves more social engineering and malicious Docker images. Docker is an open source tool that packages an application and its dependencies in a container that can run on any Linux server. Developers share Docker images on registries such as Docker Hub, saving time by using pre-built images for conventional tasks so they can focus on their areas of expertise. If a clever hacker creates a helpful, free-to-download Docker image and posts it on Docker Hub alongside millions of other popular resources, then after thousands of downloads the hacker can modify it and upload an updated version containing malicious code. Using the instance metadata API, every application built on the nefarious Docker image will run this new code and request IAM role credentials.
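The swap described above works because a tag such as `:latest` floats: the registry can serve different content under the same tag tomorrow. Pinning `FROM` lines to a content digest makes a replaced upload fail to match instead of being pulled silently. The following Dockerfile audit is an added example written for this page, not code from the article or from Docker; the image names and the digest value are constructed placeholders.

```python
import re

# Constructed sample Dockerfile (not from the article): the base image is
# referenced by a floating tag, so a re-uploaded image replaces it on next pull.
UNPINNED_DOCKERFILE = """
FROM helpful/base-image:latest
COPY . /app
RUN pip install -r /app/requirements.txt
"""

# A content digest names one exact image. The digest below is a constructed
# placeholder of the right shape (sha256: plus 64 hex digits), not a real digest.
PLACEHOLDER_DIGEST = "sha256:" + "0123456789abcdef" * 4
PINNED_DOCKERFILE = f"""
FROM helpful/base-image:1.4.2@{PLACEHOLDER_DIGEST} AS builder
COPY . /app
RUN pip install -r /app/requirements.txt

FROM builder
CMD ["python", "/app/main.py"]
"""

# FROM [--platform=<p>] <reference> [AS <alias>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?",
    re.IGNORECASE | re.MULTILINE,
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_base_images(dockerfile_text):
    """Return FROM references that pull from a registry without a content digest.

    References to earlier build stages (FROM <alias>) and the empty 'scratch'
    image are skipped, since neither fetches anything from a registry.
    """
    aliases = set()
    unpinned = []
    for m in FROM_RE.finditer(dockerfile_text):
        ref, alias = m.group("ref"), m.group("alias")
        if alias:
            aliases.add(alias.lower())
        if ref.lower() == "scratch" or ref.lower() in aliases:
            continue
        if not DIGEST_RE.search(ref):
            unpinned.append(ref)
    return unpinned


if __name__ == "__main__":
    for name, text in (("unpinned", UNPINNED_DOCKERFILE), ("pinned", PINNED_DOCKERFILE)):
        print(name, "->", unpinned_base_images(text) or "all base images digest-pinned")
```

Digest pinning only freezes the image you already chose; it does nothing to vet that first version, so it belongs alongside reviewing what a third-party image actually runs before adopting it.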