Cloud Village, profile picture
Uploaded byCloud Village
101 views

Terraform Unleashed - Crafting Custom Provider Exploits for Ultimate Control

The document discusses the expertise of Rupali Dash and Alex Foley in cybersecurity, specifically focusing on Terraform and custom provider exploits in cloud environments. It elaborates on the mechanisms of Terraform workflows, potential attack vectors using custom providers with filesystem access or code execution features, and the associated risks. Additionally, it emphasizes the importance of security measures to mitigate threats from malicious Terraform providers and insider attacks.

Technologyâ—¦

Embed presentation

Download to read offline
Terraform Unleashed: Crafting custom Provider exploits for Ultimate control
Rupali Dash brings over 8 years of cybersecurity experience, specializing in penetration testing and red teaming. Currently a Lead Security Architect at Axl.net Security, she oversees cloud security and penetration testing engagements. Her credentials include notable certifications like OSCP, OSWE, AWS Security Specialist, and GCPN. She has presented at prominent conferences like Black Hat Asia, DevSecCon, and CoCon. Alex Foley is a broadly experienced security professional with over 25 years of experience in IT and cybersecurity. He is the founder and CEO of Axl.net Security. He has operated and continues to operate as the vCISO of multiple startup companies with the support of the team from Axl.net Security. Throughout his career, he's had the opportunity to wear many hats and do "all the things" within product development, operations, and security. This broad experience has enabled Alex to bring this depth of understanding to the CISO roles. Alex's skill set focuses on blue team operations, which complements Rupali's expertise in red team activities. Who Are We ??
Who Does The Talk Cater To Pen testers and Red-teamers who will be testing an cloud infrastructure. Security Architects managing the security posture of the cloud infrastructure.
Terraform Enterprise Deployment Architecture
Terraform Workflow
â–ş - In-order to provision this code the user logs in to the terraform enterprise first and provides the AWS Credentials of the account for the resource provisioning . â–ş Upon Terraform Init the TFE Spins up the worker container in the TFE AWS account and Downloads the required provides specified in the provider block. â–ş During Terraform Plan, The Terraform API zips the IAC code and the Provided authentication credentials along with the terraform binary and stores it over the worker container. â–ş It also performs a state lock using dynamo DB for that specific workspace so that no two TFE plan can run simultaneously for a specific workspace and it ques the job. â–ş It also downloads the Sentinel policies associated with the workspace on to the worker container. â–ş During the Terraform plan once the sentinel policies are validated against the TFE plan out out, Terraform generates a newer set of credentials using the provided AWS credentials in the terraform file which will be used to provision the resource in the clients AWS account. â–ş Once the Apply is completed the worker container stores the generated terraform state file over the s3 bucket and destroyes the container.
Terraform Provider â–şA terraform provider is a binary written in go that interacts with terraform binary over RPC & enables interaction with the provider API. This includes Cloud providers and Software-as-a-service providers. The providers are specified in the Terraform configuration code. They tell Terraform which services it needs to interact with.
Key-RISK Terraform binaries are executables which will be downloaded into the emphiral container during terraform init. Terraform Provider runs with the highest privilege on the worker container and hence have access to all the mounted file system as well as the AWS STS credentials. The TFE worker container needs to have the read access to the s3 and RDS instance where the TFE state file gets stored as a part of application. In a scenario where multiple providers are invoked for a specific Terraform Plan, Both the providers will have access to the TFE environment variables and the host file system.
Attack-1: Custom provider with filesystem access to gain access to the host file system ● In Golang Import os/exec and import syscall modules enables the binary to interact with the host file system. ● Create the data source to read an environment variable & register this new data source in your provider.go file. ● Use “go build” command to build the provider.
Exploit ( System File Read) Create a Terraform configuration file that uses the new data source to read the /etc/passwd file on the host.
Attack-2: Custom provider with Code Execution feature Terraform-provider-cmdexec is a custom built provider that provides command execution capability through Terraform Configuration. Below is the example of the main.tf file used to leverage the provider to execute the command. https://github.com/rung/terraform-provider-cmdexec https://alex.kaskaso.li/post/terraform-plan-rce
â–ş Execute Commands on the Terraform container â–ş Provision highly privileged roles / resources by Bypassing sentinel policies to gain persistence. â–ş Exfiltrate Vaulted secrets from the TFE container. â–ş Manipulate state files resulting in deleting resources in the existing cloud accounts. â–ş Gain access to PII data in Production accounts. â–ş Supply chain threats to organizations using the malicious providers.
Why the Terraform Provider and not the Provisioners ? â–şTerraform Provisioner has local_exec() and remote_exec() capability which helps to execute commands on the TFE infrastructure as a part of terraform apply. â–şTerraform Provisioners are called only after a successful plan and prior to the Terraform Apply. Hence usage of sentinel policy can be leveraged to block those attacks. â–şTerraform Provider block executes during the terraform plan and hence It cannot be blocked/restricted through Sentinel
Provider Security Risks ►1: Malevolence of the Binary: This is to ensure that the provider binary doesn’t contain any malware , packers or custom exploits. ►2: Impact on the TFE infrastructure: This will provide insight on the different functionalities and access level of the provider in the TFE infrastructure. ►3: Out bound Network communication: This will provide insight on the different end points/APIs embedded into the binary
Conclusions â—Ź Provider Attack Types â—‹ Third Party Providers â—‹ Insider Threat â—Ź Defense â—‹ Updated Training â—‹ Updated Detection Technology â—‹ Updated Processes
Questions? â–şrdash@axl.net â–şafoley@axl.net

More Related Content

PPTX
Hashicorp-Certified-Terraform-Associate-v3-edited.pptx
byssuser0d6c88
 
PDF
Terraform-2.pdf
byrutiksankapal21
 
PDF
Hashicorp-Terraform-Deep-Dive-with-no-Fear-Victor-Turbinsky-Texuna.pdf
byssuser705051
 
PDF
Terraform modules and some of best-practices - March 2019
byAnton Babenko
 
PDF
leboncoin DataEngineering / Terraform - beginner to advanced
byleboncoin engineering
 
PDF
Terraform AWS modules and some best-practices - May 2019
byAnton Babenko
 
PPTX
Hashicorp-Certified-Terraform-Associate_V1
bykodecloud86
 
PDF
Terraform AWS modules and some best practices - September 2019
byAnton Babenko
 
Hashicorp-Certified-Terraform-Associate-v3-edited.pptx
byssuser0d6c88
 
Terraform-2.pdf
byrutiksankapal21
 
Hashicorp-Terraform-Deep-Dive-with-no-Fear-Victor-Turbinsky-Texuna.pdf
byssuser705051
 
Terraform modules and some of best-practices - March 2019
byAnton Babenko
 
leboncoin DataEngineering / Terraform - beginner to advanced
byleboncoin engineering
 
Terraform AWS modules and some best-practices - May 2019
byAnton Babenko
 
Hashicorp-Certified-Terraform-Associate_V1
bykodecloud86
 
Terraform AWS modules and some best practices - September 2019
byAnton Babenko
 

Similar to Terraform Unleashed - Crafting Custom Provider Exploits for Ultimate Control

PPTX
Infrastructure as Code with Terraform.pptx
bySamuel862293
 
PDF
OSDC 2019 | Terraform best practices with examples and arguments by Anton Bab...
byNETWAYS
 
PDF
DevOps Braga #9: Introdução ao Terraform
byDevOps Braga
 
PPTX
Terraform - The Road to Self-Service
byRyan Boyce
 
PDF
Infrastructure as Code with Terraform
byPedro J. Molina
 
PDF
Terraform: Check Your Source
byJay Wallace
 
PDF
Terraform modules and best-practices - September 2018
byAnton Babenko
 
PDF
Managing AWS Using Terraform AWS Atlanta 2018-07-18
byDerek Ashmore
 
PDF
APIsecure 2023 - How to abuse Terraform to elevate access, Mike McCabe
byapidays
 
PDF
Managing AWS Using Terraform AWS Chicago-Suburbs 2018-01-18
byDerek Ashmore
 
PDF
Microservices with Terraform, Docker and the Cloud. JavaOne 2017 2017-10-02
byDerek Ashmore
 
PDF
Manage any AWS resources with Terraform 0.12 - April 2020
byAnton Babenko
 
PPTX
Iniciando com Terraform
byMateus Dubiela Oliveira
 
PPTX
Terraform - Shared Definitions and Variable Inheritance
byDave Rix
 
PDF
Terraform at Scale - All Day DevOps 2017
byJonathon Brouse
 
PPTX
"Continuously delivering infrastructure using Terraform and Packer" training ...
byAnton Babenko
 
PPTX
Terraform Abstractions for Safety and Power
byCalvin French-Owen
 
PDF
Microservices with Terraform, Docker and the Cloud. Chicago Coders Conference...
byDerek Ashmore
 
PPTX
Terraform infrastructure as code for mere mortals
byAnderson Carvalho
 
PPTX
Reusable, composable, battle-tested Terraform modules
byYevgeniy Brikman
 
Infrastructure as Code with Terraform.pptx
bySamuel862293
 
OSDC 2019 | Terraform best practices with examples and arguments by Anton Bab...
byNETWAYS
 
DevOps Braga #9: Introdução ao Terraform
byDevOps Braga
 
Terraform - The Road to Self-Service
byRyan Boyce
 
Infrastructure as Code with Terraform
byPedro J. Molina
 
Terraform: Check Your Source
byJay Wallace
 
Terraform modules and best-practices - September 2018
byAnton Babenko
 
Managing AWS Using Terraform AWS Atlanta 2018-07-18
byDerek Ashmore
 
APIsecure 2023 - How to abuse Terraform to elevate access, Mike McCabe
byapidays
 
Managing AWS Using Terraform AWS Chicago-Suburbs 2018-01-18
byDerek Ashmore
 
Microservices with Terraform, Docker and the Cloud. JavaOne 2017 2017-10-02
byDerek Ashmore
 
Manage any AWS resources with Terraform 0.12 - April 2020
byAnton Babenko
 
Iniciando com Terraform
byMateus Dubiela Oliveira
 
Terraform - Shared Definitions and Variable Inheritance
byDave Rix
 
Terraform at Scale - All Day DevOps 2017
byJonathon Brouse
 
"Continuously delivering infrastructure using Terraform and Packer" training ...
byAnton Babenko
 
Terraform Abstractions for Safety and Power
byCalvin French-Owen
 
Microservices with Terraform, Docker and the Cloud. Chicago Coders Conference...
byDerek Ashmore
 
Terraform infrastructure as code for mere mortals
byAnderson Carvalho
 
Reusable, composable, battle-tested Terraform modules
byYevgeniy Brikman
 

More from Cloud Village

PPTX
Unexpected Leaks in AWS Transit Gateways
byCloud Village
 
PDF
The Rise of the Planet of the Agents: LLM-based AI Agents and Cloud Security ...
byCloud Village
 
PDF
Creating Azure Policy Compliant Backdoor
byCloud Village
 
PPTX
Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities f...
byCloud Village
 
PDF
Cloud Tripwires: fighting stealth with stealth
byCloud Village
 
PPTX
Connecting the Dots - Mastering Alert Correlation for Proactive Defense in th...
byCloud Village
 
PDF
Runtime Reachability: Prioritizing Vulnerabilities with eBPF & Continuous Pro...
byCloud Village
 
PPTX
Revealing Choke Points - Practical Tactics for Boosting Cloud Security
byCloud Village
 
PDF
Finding Holes in Conditional Access Policies
byCloud Village
 
PPTX
One Click, Six Services - Abusing The Dangerous Multi-service Orchestration P...
byCloud Village
 
PPTX
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
byCloud Village
 
PDF
DC 32: Epyon - Attacking DevOps environments
byCloud Village
 
PDF
Exploit K8S via Misconfiguration .YAML in CSP environments
byCloud Village
 
PDF
Cloud Offensive Breach and Risk Assessment (COBRA)
byCloud Village
 
PDF
One Port to Serve Them All - Google GCP Cloud Shell Abuse
byCloud Village
 
PDF
The Oracle Awakens: Demystifying Privilege Escalation in the cloud
byCloud Village
 
PDF
Catch them all! Detection engineering and purple teaming in the cloud
byCloud Village
 
PDF
Gone in 60 Seconds… How Azure AD/Entra ID Tenants are Compromise
byCloud Village
 
Unexpected Leaks in AWS Transit Gateways
byCloud Village
 
The Rise of the Planet of the Agents: LLM-based AI Agents and Cloud Security ...
byCloud Village
 
Creating Azure Policy Compliant Backdoor
byCloud Village
 
Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities f...
byCloud Village
 
Cloud Tripwires: fighting stealth with stealth
byCloud Village
 
Connecting the Dots - Mastering Alert Correlation for Proactive Defense in th...
byCloud Village
 
Runtime Reachability: Prioritizing Vulnerabilities with eBPF & Continuous Pro...
byCloud Village
 
Revealing Choke Points - Practical Tactics for Boosting Cloud Security
byCloud Village
 
Finding Holes in Conditional Access Policies
byCloud Village
 
One Click, Six Services - Abusing The Dangerous Multi-service Orchestration P...
byCloud Village
 
Workshop: Hands-On Container Image Security Mastering Sigstore for Unbreachab...
byCloud Village
 
DC 32: Epyon - Attacking DevOps environments
byCloud Village
 
Exploit K8S via Misconfiguration .YAML in CSP environments
byCloud Village
 
Cloud Offensive Breach and Risk Assessment (COBRA)
byCloud Village
 
One Port to Serve Them All - Google GCP Cloud Shell Abuse
byCloud Village
 
The Oracle Awakens: Demystifying Privilege Escalation in the cloud
byCloud Village
 
Catch them all! Detection engineering and purple teaming in the cloud
byCloud Village
 
Gone in 60 Seconds… How Azure AD/Entra ID Tenants are Compromise
byCloud Village
 

Recently uploaded

PPTX
Redcentric Data Centres: vision, mission and values
byRedcentric
 
PPTX
Conserving precious peatland habitats using mobile apps - Esri UK Welsh Confe...
byEsri UK
 
PDF
Command Line Text Processing - RHCSA +.pdf
byLinuxCert Guru
 
PPTX
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
PDF
IDSECCONF2025 - Budi Rahardjo - Cyber Security and AI.pdf
byidsecconf
 
PDF
Building a Multi-Tenant OpenShift Platform with HyperShift
byTosin Akinosho
 
PDF
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
bywesley chun
 
PPTX
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
PDF
Mastering Handlers, Conditions, and Loops in Ansible Playbooks - RHCE.pdf
byLinuxCert Guru
 
PDF
Introduction to Shell Scripting - RHCSA+.pdf
byLinuxCert Guru
 
PDF
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
PDF
IDSECCONF2025 - Rama Tri Nanda - Hunting Stingray GSM on Budget.pdf
byidsecconf
 
PDF
THE THREATS OF INSTABILITY IN BRAZIL'S INTERCONNECTED ELECTRICAL SYSTEM AND H...
byFaga1939
 
PDF
How to Spot a Fraudulent Shopping Website
byAshwini Singh
 
PPTX
Neo4j Fraud GraphTalk Singapore Nov 2025
bygourisachdeva2
 
PDF
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
PPTX
Closing Plenary - Esri UK Welsh Conference 2025
byEsri UK
 
PDF
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
PDF
AWS Cloud Technical Essentials - AWS Certificate
byVICTOR MAESTRE RAMIREZ
 
PDF
Oracle MySQL HeatWave - Complete - Version 3
byLuca Bonesini
 
Redcentric Data Centres: vision, mission and values
byRedcentric
 
Conserving precious peatland habitats using mobile apps - Esri UK Welsh Confe...
byEsri UK
 
Command Line Text Processing - RHCSA +.pdf
byLinuxCert Guru
 
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
IDSECCONF2025 - Budi Rahardjo - Cyber Security and AI.pdf
byidsecconf
 
Building a Multi-Tenant OpenShift Platform with HyperShift
byTosin Akinosho
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
bywesley chun
 
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
Mastering Handlers, Conditions, and Loops in Ansible Playbooks - RHCE.pdf
byLinuxCert Guru
 
Introduction to Shell Scripting - RHCSA+.pdf
byLinuxCert Guru
 
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
IDSECCONF2025 - Rama Tri Nanda - Hunting Stingray GSM on Budget.pdf
byidsecconf
 
THE THREATS OF INSTABILITY IN BRAZIL'S INTERCONNECTED ELECTRICAL SYSTEM AND H...
byFaga1939
 
How to Spot a Fraudulent Shopping Website
byAshwini Singh
 
Neo4j Fraud GraphTalk Singapore Nov 2025
bygourisachdeva2
 
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
Closing Plenary - Esri UK Welsh Conference 2025
byEsri UK
 
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
AWS Cloud Technical Essentials - AWS Certificate
byVICTOR MAESTRE RAMIREZ
 
Oracle MySQL HeatWave - Complete - Version 3
byLuca Bonesini
 

Terraform Unleashed - Crafting Custom Provider Exploits for Ultimate Control

  • 1.
    Terraform Unleashed: Craftingcustom Provider exploits for Ultimate control
  • 2.
    Rupali Dash bringsover 8 years of cybersecurity experience, specializing in penetration testing and red teaming. Currently a Lead Security Architect at Axl.net Security, she oversees cloud security and penetration testing engagements. Her credentials include notable certifications like OSCP, OSWE, AWS Security Specialist, and GCPN. She has presented at prominent conferences like Black Hat Asia, DevSecCon, and CoCon. Alex Foley is a broadly experienced security professional with over 25 years of experience in IT and cybersecurity. He is the founder and CEO of Axl.net Security. He has operated and continues to operate as the vCISO of multiple startup companies with the support of the team from Axl.net Security. Throughout his career, he's had the opportunity to wear many hats and do "all the things" within product development, operations, and security. This broad experience has enabled Alex to bring this depth of understanding to the CISO roles. Alex's skill set focuses on blue team operations, which complements Rupali's expertise in red team activities. Who Are We ??
  • 3.
    Who Does TheTalk Cater To Pen testers and Red-teamers who will be testing an cloud infrastructure. Security Architects managing the security posture of the cloud infrastructure.
  • 4.
  • 5.
  • 6.
    â–ş - In-orderto provision this code the user logs in to the terraform enterprise first and provides the AWS Credentials of the account for the resource provisioning . â–ş Upon Terraform Init the TFE Spins up the worker container in the TFE AWS account and Downloads the required provides specified in the provider block. â–ş During Terraform Plan, The Terraform API zips the IAC code and the Provided authentication credentials along with the terraform binary and stores it over the worker container. â–ş It also performs a state lock using dynamo DB for that specific workspace so that no two TFE plan can run simultaneously for a specific workspace and it ques the job. â–ş It also downloads the Sentinel policies associated with the workspace on to the worker container. â–ş During the Terraform plan once the sentinel policies are validated against the TFE plan out out, Terraform generates a newer set of credentials using the provided AWS credentials in the terraform file which will be used to provision the resource in the clients AWS account. â–ş Once the Apply is completed the worker container stores the generated terraform state file over the s3 bucket and destroyes the container.
  • 7.
    Terraform Provider â–şA terraform provideris a binary written in go that interacts with terraform binary over RPC & enables interaction with the provider API. This includes Cloud providers and Software-as-a-service providers. The providers are specified in the Terraform configuration code. They tell Terraform which services it needs to interact with.
  • 8.
    Key-RISK Terraform binaries are executableswhich will be downloaded into the emphiral container during terraform init. Terraform Provider runs with the highest privilege on the worker container and hence have access to all the mounted file system as well as the AWS STS credentials. The TFE worker container needs to have the read access to the s3 and RDS instance where the TFE state file gets stored as a part of application. In a scenario where multiple providers are invoked for a specific Terraform Plan, Both the providers will have access to the TFE environment variables and the host file system.
  • 9.
    Attack-1: Custom providerwith filesystem access to gain access to the host file system ● In Golang Import os/exec and import syscall modules enables the binary to interact with the host file system. ● Create the data source to read an environment variable & register this new data source in your provider.go file. ● Use “go build” command to build the provider.
  • 10.
    Exploit ( SystemFile Read) Create a Terraform configuration file that uses the new data source to read the /etc/passwd file on the host.
  • 11.
    Attack-2: Custom providerwith Code Execution feature Terraform-provider-cmdexec is a custom built provider that provides command execution capability through Terraform Configuration. Below is the example of the main.tf file used to leverage the provider to execute the command. https://github.com/rung/terraform-provider-cmdexec https://alex.kaskaso.li/post/terraform-plan-rce
  • 12.
    â–ş Execute Commandson the Terraform container â–ş Provision highly privileged roles / resources by Bypassing sentinel policies to gain persistence. â–ş Exfiltrate Vaulted secrets from the TFE container. â–ş Manipulate state files resulting in deleting resources in the existing cloud accounts. â–ş Gain access to PII data in Production accounts. â–ş Supply chain threats to organizations using the malicious providers.
  • 13.
    Why the Terraform Providerand not the Provisioners ? â–şTerraform Provisioner has local_exec() and remote_exec() capability which helps to execute commands on the TFE infrastructure as a part of terraform apply. â–şTerraform Provisioners are called only after a successful plan and prior to the Terraform Apply. Hence usage of sentinel policy can be leveraged to block those attacks. â–şTerraform Provider block executes during the terraform plan and hence It cannot be blocked/restricted through Sentinel
  • 14.
    Provider Security Risks ►1: Malevolenceof the Binary: This is to ensure that the provider binary doesn’t contain any malware , packers or custom exploits. ►2: Impact on the TFE infrastructure: This will provide insight on the different functionalities and access level of the provider in the TFE infrastructure. ►3: Out bound Network communication: This will provide insight on the different end points/APIs embedded into the binary
  • 17.
    Conclusions â—Ź Provider AttackTypes â—‹ Third Party Providers â—‹ Insider Threat â—Ź Defense â—‹ Updated Training â—‹ Updated Detection Technology â—‹ Updated Processes
  • 18.