S3 misconfiguration


Hi, I was doing security research for an organization, and on one endpoint I got this: <Error> <Code>SignatureDoesNotMatch</Code> <Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message> and in addition to this I got

<AWSAccessKeyId>XXXXXXXXXXXXXXXXX</AWSAccessKeyId> <StringToSign>AWS4-HMAC-SHA256 20240117T095347Z 20240117/us-east-1/s3/aws4_request 1e0f232543f9e0eccb5b9154102100476546cd64fc29f59d11c61db7cb03a98a</StringToSign> <SignatureProvided>b4c5ff5b5f5dffa6fca1d1157b01a39db471d8fcafb11ce293cbf9b0c7767553</SignatureProvided> <StringToSignBytes>41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 0a 32 30 32 34 30 31 31 37 54 30 39 35 33 34 37 5a 0a 32 30 32 34 30 31 31 37 2f 75 73 2d 65 61 73 74 2d 31 2f 73 33 2f 61 77 73 34 5f 72 65 71 75 65 73 74 0a 31 65 30 66 32 33 32 35 34 33 66 39 65 30 65 63 63 62 35 62 39 31 35 34 31 30 32 31 30 30 34 37 36 35 34 36 63 64 36 34 66 63 32 39 66 35 39 64 31 31 63 36 31 64 62 37 63 62 30 33 61 39 38 61</StringToSignBytes> <CanonicalRequest>GET /assets/no_op%3Bjsessionid%3D host:prod-XXXX-assets.s3.amazonaws.com x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 x-amz-date:20240117T095347Z host;x-amz-content-sha256;x-amz-date e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</CanonicalRequest> <CanonicalRequestBytes>47 45 54 0a 2f 61 73 73 65 74 73 2f 6e 6f 5f 6f 70 25 33 42 6a 73 65 73 73 69 6f 6e 69 64 25 33 44 0a 0a 68 6f 73 74 3a 70 72 6f 64 2d 72 61 70 79 64 2d 61 73 73 65 74 73 2e 73 33 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d 0a 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35 0a 78 2d 61 6d 7a 2d 64 61 74 65 3a 32 30 32 34 30 31 31 37 54 30 39 35 33 34 37 5a 0a 0a 68 6f 73 74 3b 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3b 78 2d 61 6d 7a 2d 64 61 74 65 0a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35</CanonicalRequestBytes> <RequestId>0XVQCSCNG0HE56RX</RequestId> <HostId>hrqGvfmicnxhq/TRgTnyf/+kpYcAG9/DvLrZbifnB0OMvaS8nNy4JuP81UVapq75FPK5q7s5PGDXgMKB44zdBQ==</HostId>. What I want to know is: is this intentionally leaking the AWSAccessKeyId?

1 answer

Accepted answer

Hi,

It is not leaking anything that you don't already know as the requester: the SigV4 protocol requires you to supply the AccessKey in the HTTP header x-amz-credential. See https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-authentication-HTTPPOST.html for the HTTP frame structure.

So, the error message that you see is just returning to you something that you provided as input: it is not divulging anything additional.

To know more about the SigV4 process: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html

Best,

Didier

AWS EXPERT
answered 4 months ago
EXPERT
reviewed 2 months ago
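To make Didier's point concrete, here is an added example (my own code, not the answerer's or AWS's) that builds the SigV4 Authorization header for the same GET shown in the question and then parses an S3 error in the shape of the one quoted. It assumes a constructed access key, secret key and placeholder bucket host; the point it shows is that the AWSAccessKeyId in the error is the Credential= value the client itself sent, while the secret key only ever enters the HMAC chain locally.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed example credentials and request (not real ones); the path, date and
# header set mirror the CanonicalRequest echoed back in the post.
ACCESS_KEY = "AKIAEXAMPLEKEY000000"
SECRET_KEY = "EXAMPLEsecretKEYthatIsNeverSentOnTheWire"
REGION, SERVICE = "us-east-1", "s3"
HOST = "prod-example-assets.s3.amazonaws.com"          # placeholder for prod-XXXX-assets
PATH, AMZ_DATE = "/assets/no_op%3Bjsessionid%3D", "20240117T095347Z"
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()  # x-amz-content-sha256 of a bodyless GET

def canonical_request(method, path, host, amz_date, payload_hash=EMPTY_PAYLOAD_SHA256):
    """SigV4 canonical request: method, URI, empty query, headers, signed-header list, payload hash."""
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in sorted(headers.items()))
    return "\n".join([method, path, "", canonical_headers, ";".join(sorted(headers)), payload_hash])

def string_to_sign(canon, amz_date):
    """The StringToSign S3 echoes in its error: algorithm, timestamp, scope, SHA-256 of the canonical request."""
    scope = f"{amz_date[:8]}/{REGION}/{SERVICE}/aws4_request"
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canon.encode()).hexdigest()])

def sign(sts, secret, amz_date):
    """Derive the signing key from the secret through the HMAC chain; only the final HMAC goes on the wire."""
    key = ("AWS4" + secret).encode()
    for part in (amz_date[:8], REGION, SERVICE, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, sts.encode(), hashlib.sha256).hexdigest()

def authorization_header(access_key, secret, method="GET", path=PATH, host=HOST, amz_date=AMZ_DATE):
    """The Authorization header a client sends: the access key ID travels in clear in Credential=."""
    sts = string_to_sign(canonical_request(method, path, host, amz_date), amz_date)
    scope = sts.split("\n")[2]
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature={sign(sts, secret, amz_date)}")

def parse_s3_error(xml_text):
    """Flatten the <Error> document S3 returns into a tag -> text dict."""
    return {child.tag: (child.text or "") for child in ET.fromstring(xml_text)}

def access_key_is_echo(auth_header, error_xml):
    """True when the AWSAccessKeyId in the error is exactly the one the client put in Credential=."""
    sent = auth_header.split("Credential=")[1].split("/")[0]
    return sent == parse_s3_error(error_xml)["AWSAccessKeyId"]

# Constructed error body in the shape of the one quoted in the post, echoing the key sent above.
SAMPLE_ERROR = (f"<Error><Code>SignatureDoesNotMatch</Code><AWSAccessKeyId>{ACCESS_KEY}</AWSAccessKeyId>"
                f"<StringToSign>{string_to_sign(canonical_request('GET', PATH, HOST, AMZ_DATE), AMZ_DATE)}</StringToSign></Error>")
```

Run against a real response, `access_key_is_echo` tells you whether the key in the error is the one your client sent; if it is, the error disclosed nothing you did not already hold.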
  • Hi Martiz, you may indeed be raising an interesting question!! Are you in touch with AWS security folks to explore your point? Please reach out to me via LinkedIn at https://www.linkedin.com/in/ddurand/. I'll try to route you to the appropriate folks.

  • Sure, I really appreciate the help. My LinkedIn name is Tarun Joshi.

  • Hey, thanks for the clarification. As I said, I'm a security researcher and I found a subdomain where I saw this: <Error> <Code>AccessDenied</Code> <Message>Access Denied</Message> <RequestId>NAKC65RQYHR95FWQ</RequestId> <HostId>UEgZWwl7PyMQXMV2fgIUqEnpBKuh9lydxmpSkRtpavESWjOACCNh49RpQXRceshWCYzAB11BY2M=</HostId> </Error>, but after some content discovery I found the endpoint, which I appended to the subdomain just like this: https://icon.domain.net/... and got this in response: <AWSAccessKeyId>XXXXXXXXXXXXXXXXX</AWSAccessKeyId> <StringToSign>AWS4-HMAC-SHA256 20240117T095347Z 20240117/us-east-1/s3/aws4_request 1e0f232543f9e0eccb5b9154102100476546cd64fc29f59d11c61db7cb03a98a</StringToSign> <SignatureProvided>b4c5ff5b5f5dffa6fca1d1157b01a39db471d8fcafb11ce293cbf9b0c7767553</SignatureProvided> <StringToSignBytes>41 57 53 34 1</StringToSignBytes> <CanonicalRequest>GET /assets/no_op%3Bjsessionid%3D host:prod-XXXX-assets.s3.amazonaws.com x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 x-amz-date:20240117T095347Z host;x-amz-content-sha256;x- So I just wanted to ask: the AWS access key ID is real, right, and belongs to the organization?
