CVE-2025-5277: Command injection vulnerability in the AWS MCP server

Ots安全 2025-06-01 07:29

  • Vulnerability description: The AWS MCP server (possibly related to the Amazon Q Developer CLI) contains a command injection vulnerability that lets a client execute arbitrary commands on the host running the server by way of a CLI prompt.

  • Affected scope: The target is the AWS MCP server; AI applications or agents that use it may be affected, in particular applications built on Amazon Bedrock or the Amazon Q Developer CLI.

  • Root cause: The validate_aws_command() function does not adequately filter dangerous shell metacharacters, nor sensitive commands (for example operations involving root or admin), when it validates a command.

URL

https://github.com/advisories/GHSA-m4qw-j7mx-qv6h

Target

  • AWS MCP server

Explanation

Details of a command injection vulnerability found in the AWS MCP server project, which lets an AI execute AWS CLI commands, have been disclosed.

The vulnerability lies in validate_aws_command(), the function that validates a command (passed in from, or generated by, a client prompt) before functions such as execute_aws_command() and execute_pipe_command() execute it.

import shlex


def validate_aws_command(command: str) -> None:
    """Validate that the command is a proper AWS CLI command.

    Args:
        command: The AWS CLI command to validate

    Raises:
        CommandValidationError: If the command is invalid
    """
    cmd_parts = shlex.split(command)
    if not cmd_parts or cmd_parts[0].lower() != "aws":
        raise CommandValidationError("Commands must start with 'aws'")

    if len(cmd_parts) < 2:
        raise CommandValidationError("Command must include an AWS service (e.g., aws s3)")

    # Optional: Add a deny list for potentially dangerous commands
    dangerous_commands = ["aws iam create-user", "aws iam create-access-key", "aws ec2 terminate-instances", "aws rds delete-db-instance"]
    if any(command.startswith(dangerous_cmd) for dangerous_cmd in dangerous_commands):
        raise CommandValidationError("This command is restricted for security reasons")

The function performs the following checks:
1. cmd_parts[0].lower() != "aws": the command must start with aws
2. len(cmd_parts) < 2: there must be a second argument (the service)
3. command.startswith(dangerous_cmd): a deny-list check against a handful of specific dangerous commands
It does not check for shell metacharacters that could be used for command injection, nor for sensitive commands related to root or admin.

import asyncio
import shlex


async def execute_aws_command(command: str, timeout: int | None = None) -> CommandResult:
    """Execute an AWS CLI command and return the result.
    ...
    """
    # ...
    # Validate the command
    validate_aws_command(command)
    # ...
    try:
        # Split command safely for exec
        cmd_parts = shlex.split(command)

        # Create subprocess using exec (safer than shell=True)
        process = await asyncio.create_subprocess_exec(*cmd_parts, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE)
        # ...

Once validate_aws_command has accepted the string, shlex.split tokenizes it on whitespace and asyncio.create_subprocess_exec runs the tokens as an argv list; shell=True is not used. That part is the right choice: with *cmd_parts passed directly to exec there is no shell in the loop, so a token such as "ls;" reaches the aws binary as one literal argument. The defect is upstream of it: the validator never rejects shell metacharacters (;, |, &, $(...), backticks, redirections), so a prompt-supplied string carrying them is accepted as a "valid AWS command", and wherever such a string is later handed to a shell, for example by a pipe-handling path such as execute_pipe_command if it runs the text through one, the metacharacters are interpreted and the injected command executes. An attacker exploiting this can leak information about sensitive users such as root and admin, as well as system configuration files.
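As an added example (this is not code from the aws-mcp-server project), the following block re-implements the page's original validate_aws_command() as validate_original(), puts a hardened variant beside it, and makes the exec-versus-shell difference observable: exec_view() shows the argv that create_subprocess_exec would receive, shell_view() shows how a shell tokenizes the same text, and run_exec()/run_shell() run a harmless echo both ways. The deny-list bypass with two spaces is this author's observation on the snippet above (the deny list compares the raw string, while execution uses the whitespace-normalized tokens); the hardened validator, its metacharacter set and the helper names are assumptions, not the project's API.

```python
import shlex
import subprocess
from typing import Callable, List

# Added example, not code from the aws-mcp-server project. It re-implements the page's
# original validate_aws_command() so the behaviour described above can be checked, and
# places a hardened variant (this author's suggestion, not the project's fix) beside it.

# Characters a POSIX shell treats specially; none of them belongs in a plain AWS CLI argument.
SHELL_METACHARACTERS = set(";&|$`<>(){}\n\r\\")

# The page's deny list, unchanged.
DANGEROUS_COMMANDS = [
    "aws iam create-user",
    "aws iam create-access-key",
    "aws ec2 terminate-instances",
    "aws rds delete-db-instance",
]


class CommandValidationError(Exception):
    pass


def validate_original(command: str) -> None:
    """The page's validator: 'aws' prefix, a second token, prefix deny list on the raw string."""
    cmd_parts = shlex.split(command)
    if not cmd_parts or cmd_parts[0].lower() != "aws":
        raise CommandValidationError("Commands must start with 'aws'")
    if len(cmd_parts) < 2:
        raise CommandValidationError("Command must include an AWS service (e.g., aws s3)")
    if any(command.startswith(dangerous) for dangerous in DANGEROUS_COMMANDS):
        raise CommandValidationError("This command is restricted for security reasons")


def validate_hardened(command: str) -> List[str]:
    """Hardened variant: reject metacharacters on the raw text (a shell sink sees the raw
    text, quoted or not) and apply the deny list to the tokens that will actually run."""
    found = SHELL_METACHARACTERS.intersection(command)
    if found:
        raise CommandValidationError(f"shell metacharacters not allowed: {sorted(found)}")
    cmd_parts = shlex.split(command)
    if not cmd_parts or cmd_parts[0] != "aws":
        raise CommandValidationError("Commands must start with 'aws'")
    if len(cmd_parts) < 2:
        raise CommandValidationError("Command must include an AWS service (e.g., aws s3)")
    for dangerous in DANGEROUS_COMMANDS:
        prefix = dangerous.split()
        # Token-wise prefix match: 'aws  iam create-user' (two spaces) still matches here.
        if cmd_parts[: len(prefix)] == prefix:
            raise CommandValidationError(f"restricted command: {dangerous}")
    return cmd_parts


def accepts(validator: Callable[[str], object], command: str) -> bool:
    """True if the validator lets the command through."""
    try:
        validator(command)
        return True
    except CommandValidationError:
        return False


def exec_view(command: str) -> List[str]:
    """What create_subprocess_exec(*shlex.split(command)) receives: ';' stays glued to 'ls'."""
    return shlex.split(command)


def shell_view(command: str) -> List[str]:
    """What a shell would see: ';' becomes a separate command separator."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def run_exec(argv: List[str]) -> str:
    """Run without a shell; metacharacters in argv are literal (echo keeps it offline)."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def run_shell(command: str) -> str:
    """Run through /bin/sh; the same text becomes two commands."""
    return subprocess.run(command, shell=True, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    injected = "aws s3 ls; cat /etc/passwd"
    print("original accepts:", accepts(validate_original, injected))  # True
    print("hardened accepts:", accepts(validate_hardened, injected))  # False
    print("exec sees :", exec_view(injected))
    print("shell sees:", shell_view(injected))
    sneaky = "aws  iam create-user --user-name backdoor"  # two spaces after 'aws'
    print("original accepts deny-list bypass:", accepts(validate_original, sneaky))  # True
    print("hardened accepts deny-list bypass:", accepts(validate_hardened, sneaky))  # False
    print(repr(run_exec(["echo", "hello;", "echo", "injected"])))  # 'hello; echo injected\n'
    print(repr(run_shell("echo hello; echo injected")))            # 'hello\ninjected\n'
```

The hardened check still shares one limitation with the original: global options placed before the service name (aws --region ... iam create-user) shift the tokens and slip past a prefix-based deny list, so a production validator needs to locate the service and operation tokens rather than assume positions 1 and 2.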

import re
from typing import Optional


def validate_aws_command(command: str) -> None:
    """Validate that the command is a proper AWS CLI command.
    ...
    """
    # ...
    # Check regex rules first (these apply regardless of service)
    error_message = check_regex_rules(command, service)
    if error_message:
        raise ValueError(error_message)

    # Check against dangerous commands for this service
    if service in SECURITY_CONFIG.dangerous_commands:
        # Check each dangerous command pattern
        for dangerous_cmd in SECURITY_CONFIG.dangerous_commands[service]:
            if command.startswith(dangerous_cmd):
                # If it's a dangerous command, check if it's also in safe patterns
                if is_service_command_safe(command, service):
                    return  # Command is safe despite matching dangerous pattern

                # Command is dangerous, raise an error
                raise ValueError(
                    f"This command ({dangerous_cmd}) is restricted for security reasons. "
                    f"Please use a more specific, read-only command or add 'help' or '--help' to see available options."
                )

    logger.debug(f"Command validation successful: {command}")

# ...

def check_regex_rules(command: str, service: Optional[str] = None) -> Optional[str]:
    """Check command against regex rules.

    Args:
        command: The command to check
        service: The AWS service being used, if known

    Returns:
        Error message if command matches a regex rule, None otherwise
    """
    # Check general rules that apply to all commands
    if "general" in SECURITY_CONFIG.regex_rules:
        for rule in SECURITY_CONFIG.regex_rules["general"]:
            pattern = re.compile(rule.pattern)
            if pattern.search(command):
                logger.warning(f"Command matches regex rule: {rule.description}")
                return rule.error_message

    # Check service-specific rules if service is provided
    if service and service in SECURITY_CONFIG.regex_rules:
        for rule in SECURITY_CONFIG.regex_rules[service]:
            pattern = re.compile(rule.pattern)
            if pattern.search(command):
                logger.warning(f"Command matches service-specific regex rule for {service}: {rule.description}")
                return rule.error_message

    return None

The patch moves the dangerous_commands list that validate_aws_command() used to hold internally into a configuration file so it can be extended, adds more commands that require validation, and strengthens validation by adding a check_regex_rules function that validates commands with regular expressions. Below is the configuration file containing the regex rules and the dangerous_commands list.
– SECURITY_CONFIG (excerpt)

# ...
# Commands considered dangerous by security category
# Keys are AWS service names, values are lists of command prefixes to block
dangerous_commands:
  # Identity and Access Management - core of security
  iam:
    # User management (potential backdoor accounts)
    - "aws iam create-user"              # Creates new IAM users that could persist after compromise
    - "aws iam update-user"              # Updates existing user properties

    # Credential management (theft risk)
    - "aws iam create-access-key"        # Creates long-term credentials that can be exfiltrated
    - "aws iam update-access-key"        # Changes status of access keys (enabling/disabling)
    - "aws iam create-login-profile"     # Creates console passwords for existing users
    - "aws iam update-login-profile"     # Updates console passwords

    # Authentication controls
    - "aws iam create-virtual-mfa-device" # Creates new MFA devices
    - "aws iam deactivate-mfa-device"    # Removes MFA protection from accounts
    - "aws iam delete-virtual-mfa-device" # Deletes MFA devices
    - "aws iam enable-mfa-device"        # Enables/associates MFA devices

    # Privilege escalation via policy manipulation
    - "aws iam attach-user-policy"       # Attaches managed policies to users
    - "aws iam attach-role-policy"       # Attaches managed policies to roles
    - "aws iam attach-group-policy"      # Attaches managed policies to groups
    - "aws iam create-policy"            # Creates new managed policies
    - "aws iam create-policy-version"    # Creates new versions of managed policies
    - "aws iam set-default-policy-version" # Changes active policy version

    # Inline policy manipulation (harder to detect)
    - "aws iam put-user-policy"          # Creates/updates inline policies for users
    - "aws iam put-role-policy"          # Creates/updates inline policies for roles
    - "aws iam put-group-policy"         # Creates/updates inline policies for groups

    # Trust relationship manipulation
    - "aws iam update-assume-role-policy" # Changes who can assume a role
    - "aws iam update-role"              # Updates role properties

  # Security Token Service - temporary credentials
  sts:
    - "aws sts assume-role"              # Assumes roles with potentially higher privileges
    - "aws sts get-federation-token"     # Gets federated access tokens

  # AWS Organizations - multi-account management
  organizations:
    - "aws organizations create-account"                   # Creates new AWS accounts
    - "aws organizations invite-account-to-organization"   # Brings accounts under org control
    - "aws organizations leave-organization"               # Removes accounts from organization
    - "aws organizations remove-account-from-organization" # Removes accounts from organization
    - "aws organizations disable-policy-type"              # Disables policy enforcement
    - "aws organizations create-policy"                    # Creates organization policies
    - "aws organizations attach-policy"                    # Attaches organization policies

  # ---------------------------------------------------------------------------------
  # 🔍 Audit and Logging Security Rules
  # ---------------------------------------------------------------------------------
  # These rules prevent attackers from covering their tracks by:
  # - Disabling or deleting audit logs (CloudTrail)
  # - Turning off compliance monitoring (Config)
  # - Disabling threat detection (GuardDuty)
  # - Removing alarm systems (CloudWatch)
  # ---------------------------------------------------------------------------------

  # CloudTrail - AWS activity logging
  cloudtrail:
    - "aws cloudtrail delete-trail"           # Removes audit trail completely
    - "aws cloudtrail stop-logging"           # Stops collecting audit logs
    - "aws cloudtrail update-trail"           # Modifies logging settings (e.g., disabling logging)
    - "aws cloudtrail put-event-selectors"    # Changes what events are logged
    - "aws cloudtrail delete-event-data-store" # Deletes storage for CloudTrail events

  # AWS Config - configuration monitoring
  config:
    - "aws configservice delete-configuration-recorder"    # Removes configuration tracking
    - "aws configservice stop-configuration-recorder"      # Stops recording configuration changes
    - "aws configservice delete-delivery-channel"          # Stops delivering configuration snapshots
    - "aws configservice delete-remediation-configuration" # Removes auto-remediation

  # GuardDuty - threat detection
  guardduty:
    - "aws guardduty delete-detector"                    # Disables threat detection completely
    - "aws guardduty disable-organization-admin-account" # Disables central security
    - "aws guardduty update-detector"                    # Modifies threat detection settings

  # CloudWatch - monitoring and alerting
  cloudwatch:
    - "aws cloudwatch delete-alarms"         # Removes security alarm configurations
    - "aws cloudwatch disable-alarm-actions" # Disables alarm action triggers
    - "aws cloudwatch delete-dashboards"     # Removes monitoring dashboards

# Complex pattern matching using regular expressions
regex_rules:
  # Global security patterns (apply to all services)
  general:
    # Identity and authentication risks
    - pattern: "aws .* --profile\\s+(root|admin|administrator)"
      description: "Prevent use of sensitive profiles"
      error_message: "Using sensitive profiles (root, admin) is restricted for security reasons."

    # Protocol security risks
    - pattern: "aws .* --no-verify-ssl"
      description: "Prevent disabling SSL verification"
      error_message: "Disabling SSL verification is not allowed for security reasons."

    # Data exposure risks
    - pattern: "aws .* --output\\s+text\\s+.*--query\\s+.*Password"
      description: "Prevent password exposure in text output"
      error_message: "Outputting sensitive data like passwords in text format is restricted."

    # Debug mode risks
    - pattern: "aws .* --debug"
      description: "Prevent debug mode which shows sensitive info"
      error_message: "Debug mode is restricted as it may expose sensitive information."

  # IAM-specific security patterns
  iam:
    # Privileged user creation
    - pattern: "aws iam create-user.*--user-name\\s+(root|admin|administrator|backup|security|finance|billing)"
      description: "Prevent creation of privileged-sounding users"
      error_message: "Creating users with sensitive names is restricted for security reasons."

    # Privilege escalation via policies
    - pattern: "aws iam attach-user-policy.*--policy-arn\\s+.*Administrator"
      description: "Prevent attaching Administrator policies"
      error_message: "Attaching Administrator policies is restricted for security reasons."

    - pattern: "aws iam attach-user-policy.*--policy-arn\\s+.*FullAccess"
      description: "Prevent attaching FullAccess policies to users"
      error_message: "Attaching FullAccess policies directly to users is restricted (use roles instead)."

    # Unrestricted permissions in policies
    - pattern: "aws iam create-policy.*\"Effect\":\\s*\"Allow\".*\"Action\":\\s*\"\*\".*\"Resource\":\\s*\"\*\""
      description: "Prevent creation of policies with * permissions"
      error_message: "Creating policies with unrestricted (*) permissions is not allowed."

    # Password policy weakening
    - pattern: "aws iam create-login-profile.*--password-reset-required\\s+false"
      description: "Enforce password reset for new profiles"
      error_message: "Creating login profiles without requiring password reset is restricted."

    - pattern: "aws iam update-account-password-policy.*--require-uppercase-characters\\s+false"
      description: "Prevent weakening password policies"
      error_message: "Weakening account password policies is restricted."

  # S3 security patterns
  s3:
    # Public bucket exposure
    - pattern: "aws s3api put-bucket-policy.*\"Effect\":\\s*\"Allow\".*\"Principal\":\\s*\"\*\""
      description: "Prevent public bucket policies"
      error_message: "Creating public bucket policies is restricted for security reasons."

    # Disabling public access blocks
    - pattern: "aws s3api put-public-access-block.*--public-access-block-configuration\\s+.*\"BlockPublicAcls\":\\s*false"
      description: "Prevent disabling public access blocks"
      error_message: "Disabling S3 public access blocks is restricted for security reasons."

    # Public bucket creation outside approved regions
    - pattern: "aws s3api create-bucket.*--region\\s+(?!eu|us-east-1).*--acl\\s+public"
      description: "Prevent public buckets outside of allowed regions"
      error_message: "Creating public buckets outside allowed regions is restricted."

  # EC2 network security patterns
  ec2:
    # Open security groups for sensitive ports
    - pattern: "aws ec2 authorize-security-group-ingress.*--cidr\\s+0\\.0\\.0\\.0/0.*--port\\s+(?!80|443)[0-9]+"
      description: "Prevent open security groups for non-web ports"
      error_message: "Opening non-web ports to the entire internet (0.0.0.0/0) is restricted."

    # Unsafe user-data scripts
    - pattern: "aws ec2 run-instances.*--user-data\\s+.*curl.*\\|.*sh"
      description: "Detect potentially unsafe user-data scripts"
      error_message: "Running scripts from remote sources in user-data presents security risks."

  # CloudTrail integrity patterns
  cloudtrail:
    # Disabling global event logging
    - pattern: "aws cloudtrail update-trail.*--no-include-global-service-events"
      description: "Prevent disabling global event logging"
      error_message: "Disabling CloudTrail logging for global service events is restricted."

    # Making trails single-region
    - pattern: "aws cloudtrail update-trail.*--no-multi-region"
      description: "Prevent making trails single-region"
      error_message: "Changing CloudTrail trails from multi-region to single-region is restricted."
