Is persistency on serverless even possible?!

Author: Paweł Kusiński

In addition to being a common option in cloud environments, serverless computing is also a suggested method for creating plenty of things! Have you ever considered its mechanics? Is serverless truly server-less? How does the execution environment function? In this event-driven compute service, is persistency even conceivable?

I will not lie – Remote Code Executions and Command Injections are uncommon, but what if one occurs in your function? Additionally, it may be brought in by an attacker through dependency injection. I will demonstrate how to use it to obtain persistency and exfiltrate more data than the function role gives. 

Let us figure out: 

  • How serverless infrastructure functions.
  • Why persistency is possible in this semi-volatile environment.
  • How to use pseudo shell over HTTP for serverless environment research.
  • An exploitation demo – how we can make use of an RCE vulnerability to obtain persistency.
  • Possible mitigations.

Let us hijack the data in real time from the AWS Lambdas and GCP Cloud Functions!

Presented at: Confidence 2022, AlligatorCon 2022, Secops Polska Meetup #32, DevSecCon Poland 2022, AWS Community Day Warsaw 2022. 

Paweł Kusiński, Senior IT Security Consultant