S3 misconfiguration


Hi, I was doing security research for an organization, and on one endpoint I got this:

    <Error>
      <Code>SignatureDoesNotMatch</Code>
      <Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>

and in addition to this I got:

      <AWSAccessKeyId>XXXXXXXXXXXXXXXXX</AWSAccessKeyId>
      <StringToSign>AWS4-HMAC-SHA256
    20240117T095347Z
    20240117/us-east-1/s3/aws4_request
    1e0f232543f9e0eccb5b9154102100476546cd64fc29f59d11c61db7cb03a98a</StringToSign>
      <SignatureProvided>b4c5ff5b5f5dffa6fca1d1157b01a39db471d8fcafb11ce293cbf9b0c7767553</SignatureProvided>
      <StringToSignBytes>41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 0a 32 30 32 34 30 31 31 37 54 30 39 35 33 34 37 5a 0a 32 30 32 34 30 31 31 37 2f 75 73 2d 65 61 73 74 2d 31 2f 73 33 2f 61 77 73 34 5f 72 65 71 75 65 73 74 0a 31 65 30 66 32 33 32 35 34 33 66 39 65 30 65 63 63 62 35 62 39 31 35 34 31 30 32 31 30 30 34 37 36 35 34 36 63 64 36 34 66 63 32 39 66 35 39 64 31 31 63 36 31 64 62 37 63 62 30 33 61 39 38 61</StringToSignBytes>
      <CanonicalRequest>GET
    /assets/no_op%3Bjsessionid%3D

    host:prod-XXXX-assets.s3.amazonaws.com
    x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    x-amz-date:20240117T095347Z

    host;x-amz-content-sha256;x-amz-date
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</CanonicalRequest>
      <CanonicalRequestBytes>47 45 54 0a 2f 61 73 73 65 74 73 2f 6e 6f 5f 6f 70 25 33 42 6a 73 65 73 73 69 6f 6e 69 64 25 33 44 0a 0a 68 6f 73 74 3a 70 72 6f 64 2d 72 61 70 79 64 2d 61 73 73 65 74 73 2e 73 33 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d 0a 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35 0a 78 2d 61 6d 7a 2d 64 61 74 65 3a 32 30 32 34 30 31 31 37 54 30 39 35 33 34 37 5a 0a 0a 68 6f 73 74 3b 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3b 78 2d 61 6d 7a 2d 64 61 74 65 0a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35</CanonicalRequestBytes>
      <RequestId>0XVQCSCNG0HE56RX</RequestId>
      <HostId>hrqGvfmicnxhq/TRgTnyf/+kpYcAG9/DvLrZbifnB0OMvaS8nNy4JuP81UVapq75FPK5q7s5PGDXgMKB44zdBQ==</HostId>
    </Error>

What I want to know is: is this intentionally leaking the AWSAccessKeyId?

1 Answer
Accepted Answer

Hi,

It is not leaking anything that you don't already know as the requester: the SigV4 protocol requires you to supply the AccessKey in the HTTP header x-amz-credential. See https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-authentication-HTTPPOST.html for the HTTP frame structure.

So, the error message that you see is just returning to you something that you provided as input: it is not divulging anything additional.

To know more about the SigV4 process: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html

Best,

Didier

AWS EXPERT, answered 3 months ago
EXPERT, reviewed a month ago
  • Hi Martiz, you may indeed be raising an interesting question! Are you in touch with AWS security folks to explore your point? Please reach out to me via LinkedIn at https://www.linkedin.com/in/ddurand/. I'll try to route you to the appropriate folks.

  • Sure, I really appreciate the help. My LinkedIn name is Tarun Joshi.

  • Hey, thanks for the clarification. As I said, I'm a security researcher and I found a subdomain where I saw this:

        <Error>
          <Code>AccessDenied</Code>
          <Message>Access Denied</Message>
          <RequestId>NAKC65RQYHR95FWQ</RequestId>
          <HostId>UEgZWwl7PyMQXMV2fgIUqEnpBKuh9lydxmpSkRtpavESWjOACCNh49RpQXRceshWCYzAB11BY2M=</HostId>
        </Error>

    but after some content discovery I found the endpoint, which I appended to the subdomain just like this: https://icon.domain.net/... and got this in response:

        <AWSAccessKeyId>XXXXXXXXXXXXXXXXX</AWSAccessKeyId>
        <StringToSign>AWS4-HMAC-SHA256
        20240117T095347Z
        20240117/us-east-1/s3/aws4_request
        1e0f232543f9e0eccb5b9154102100476546cd64fc29f59d11c61db7cb03a98a</StringToSign>
        <SignatureProvided>b4c5ff5b5f5dffa6fca1d1157b01a39db471d8fcafb11ce293cbf9b0c7767553</SignatureProvided>
        <StringToSignBytes>41 57 53 34 1</StringToSignBytes>
        <CanonicalRequest>GET
        /assets/no_op%3Bjsessionid%3D

        host:prod-XXXX-assets.s3.amazonaws.com
        x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
        x-amz-date:20240117T095347Z

        host;x-amz-content-sha256;x-

    So I just wanted to ask: the AWS access key id is real, right, and belongs to the organization?
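To make the accepted answer concrete, here is an added example (not code from the thread, from AWS, or from the poster) that walks through SigV4 signing for a request shaped like the one in the question. It uses a constructed placeholder key pair (`AKIAEXAMPLEPLACEHOLDER` and a made-up secret) and the redacted bucket host from the question; the functions `canonical_request`, `string_to_sign`, `signing_key`, `sign_request`, `access_key_from_authorization`, `access_key_from_error` and `secret_appears_in_headers` are all names chosen for this example. It shows that the access key ID is transmitted in clear text in the `Authorization` header, that the secret key only ever feeds an HMAC chain and never appears in anything sent, and that `x-amz-content-sha256` for a body-less GET is the SHA-256 of the empty string seen in the question, so an S3 `SignatureDoesNotMatch` body echoes only what the requester supplied.

```python
"""SigV4 signing walkthrough: where the access key ID and the secret key each end up.

Added example, not code from the thread or from AWS; the key pair below is a
constructed placeholder and the request shape mirrors the one in the question.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

ALGORITHM = "AWS4-HMAC-SHA256"
# SHA-256 of an empty body; this is the x-amz-content-sha256 value seen in the question.
EMPTY_PAYLOAD_HASH = hashlib.sha256(b"").hexdigest()

# Constructed placeholder credentials (not real AWS keys).
DEMO_ACCESS_KEY = "AKIAEXAMPLEPLACEHOLDER"
DEMO_SECRET_KEY = "placeholder-secret-not-a-real-key"


def canonical_request(method, canonical_uri, canonical_query, headers, payload_hash):
    """Build the SigV4 canonical request. canonical_uri is passed already
    URI-encoded, as S3 expects. Returns (text, signed_headers)."""
    lowered = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(lowered)
    signed_headers = ";".join(names)
    canonical_headers = "".join(f"{n}:{lowered[n]}\n" for n in names)
    text = "\n".join([method, canonical_uri, canonical_query,
                      canonical_headers, signed_headers, payload_hash])
    return text, signed_headers


def string_to_sign(amz_date, scope, canonical):
    """Algorithm, timestamp, credential scope and the hex SHA-256 of the canonical request."""
    digest = hashlib.sha256(canonical.encode()).hexdigest()
    return "\n".join([ALGORITHM, amz_date, scope, digest])


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key, date_stamp, region, service):
    """Derive the per-day signing key; the raw secret never leaves this function."""
    key = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    key = _hmac(key, region)
    key = _hmac(key, service)
    return _hmac(key, "aws4_request")


def sign_request(access_key, secret_key, method, host, canonical_uri, amz_date,
                 region="us-east-1", service="s3", canonical_query="",
                 payload_hash=EMPTY_PAYLOAD_HASH):
    """Return the headers a client sends, including the Authorization header."""
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    canonical, signed = canonical_request(method, canonical_uri, canonical_query,
                                          headers, payload_hash)
    sts = string_to_sign(amz_date, scope, canonical)
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         sts.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers


def access_key_from_authorization(value):
    """The key ID is sent in clear text: Credential=<key id>/<scope>."""
    parts = value.split(" ", 1)[1].split(", ")
    cred = next(p for p in parts if p.startswith("Credential="))
    return cred[len("Credential="):].split("/")[0]


def access_key_from_error(xml_text):
    """Read AWSAccessKeyId out of an S3 SignatureDoesNotMatch error body."""
    el = ET.fromstring(xml_text).find("AWSAccessKeyId")
    return el.text if el is not None else None


def secret_appears_in_headers(headers, secret_key):
    """True if the raw secret shows up in anything the client transmits."""
    return any(secret_key in v for v in headers.values())


if __name__ == "__main__":
    sent = sign_request(DEMO_ACCESS_KEY, DEMO_SECRET_KEY, "GET",
                        "prod-XXXX-assets.s3.amazonaws.com",
                        "/assets/no_op%3Bjsessionid%3D", "20240117T095347Z")
    print(sent["Authorization"])
    # Constructed error body in the shape S3 returns; it echoes the key ID we sent.
    body = (f"<Error><Code>SignatureDoesNotMatch</Code>"
            f"<AWSAccessKeyId>{access_key_from_authorization(sent['Authorization'])}"
            f"</AWSAccessKeyId></Error>")
    print("echoed key id:", access_key_from_error(body))
    print("secret in request:", secret_appears_in_headers(sent, DEMO_SECRET_KEY))
```

Run as a script it prints the Authorization header, the key ID parsed back out of a constructed error body, and `False` for the secret appearing anywhere in the request. From a defender's point of view the useful check is the last one: a key ID in an error body is an identifier the client already sent, whereas the secret key is consumed only by the HMAC chain in `signing_key`, so the value to protect (and to rotate if it ever does show up in logs or responses) is the secret, not the ID.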
