A security researcher said she obtained credentials for an internal AWS service by exploiting a local file read vulnerability on a Relational Database Service (RDS) EC2 instance.
Credit for the finding goes to Gafnit Amiga, director of security research at the Israeli cloud security firm Lightspin, who told The Daily Swig that the research was “important because the final payload is all SQL commands”.
AWS has declined to disclose the purpose or implementation of the compromised internal service, so the impact is unclear, though Amiga says that any misuse would not harm customer data.

Recognizing the appeal of AWS services, Amiga says, “Research has sometimes found that wrapping third-party services such as PostgreSQL and trying to provide advanced features to customers is a double-edged sword.”
According to the researcher, AWS has comprehensively addressed the vulnerability and no evidence of malicious exploitation has been found. She began the research by spinning up an RDS instance using the Amazon Aurora PostgreSQL engine and connecting to the database using psql, according to a blog post documenting the process.
Before the researcher worked through the functionality and potential of some 8-10 extensions, she examined one of the objects created in PostgreSQL: log_fdw. Using the log_fdw extension, she attempted path traversal while creating the foreign table, but this triggered an exception stating that the specified log file path is invalid.
After testing another relative path, she identified the source of the error as a validation function. AWS has created a custom foreign data wrapper for log_fdw, with handler and validator functions, that can retrieve data from external files. A potential way forward emerged when it became clear that the validator function is optional for a foreign data wrapper.
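
An audit query for the point above about optional validators, added here as an example and not taken from the researcher's blog post or from AWS: it lists every foreign data wrapper with its handler and validator and the foreign tables built on it, ranking wrappers with no validator first and flagging table options that contain `..`. It reads only the standard PostgreSQL catalogs; the column aliases are chosen for this example.

```sql
-- Inventory of foreign data wrappers and the foreign tables that depend on them.
-- A wrapper whose fdwvalidator is 0 has no validator function, so the options
-- passed to its servers and foreign tables (file paths included) are not checked
-- at definition time.
SELECT
    w.fdwname                                   AS wrapper,
    pg_get_userbyid(w.fdwowner)                 AS wrapper_owner,
    w.fdwhandler::regproc                       AS handler_function,
    CASE
        WHEN w.fdwvalidator = 0 THEN 'NONE'
        ELSE w.fdwvalidator::regproc::text
    END                                         AS validator_function,
    s.srvname                                   AS foreign_server,
    t.ftrelid::regclass                         AS foreign_table,
    t.ftoptions                                 AS table_options,
    -- Flag any table option value that contains a parent-directory sequence.
    EXISTS (
        SELECT 1
        FROM unnest(t.ftoptions) AS opt
        WHERE opt LIKE '%..%'
    )                                           AS option_has_dotdot
FROM pg_foreign_data_wrapper AS w
LEFT JOIN pg_foreign_server  AS s ON s.srvfdw   = w.oid
LEFT JOIN pg_foreign_table   AS t ON t.ftserver = s.oid
ORDER BY
    (w.fdwvalidator = 0) DESC,   -- wrappers without a validator first
    w.fdwname,
    s.srvname,
    t.ftrelid;
```

Run it in each database of the instance, since foreign data wrappers, servers and foreign tables are per-database objects.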