Researchers Uncover ECScape Flaw in Amazon ECS Enabling Cross-Task Credential Theft
Briefly

Cybersecurity researchers demonstrated an end-to-end privilege escalation chain in Amazon Elastic Container Service (ECS) that attackers can exploit for lateral movement and sensitive data access. Named ECScape, this vulnerability allows a low-privileged IAM role task to hijack credentials from a higher-privileged container on the same EC2 instance. This occurs via an undocumented internal protocol and a metadata service that exposes the temporary credentials associated with tasks, enabling malicious containers to assume more privileged roles and impersonate the ECS agent.
We identified a way to abuse an undocumented ECS internal protocol to grab AWS credentials belonging to other ECS tasks on the same EC2 instance. A malicious container with a low‑privileged IAM role can obtain the permissions of a higher‑privileged container running on the same host.
The vulnerability identified by Sweet Security is essentially a privilege escalation: a low-privileged task running on an ECS instance hijacks the IAM privileges of a higher-privileged container on the same EC2 machine by stealing its credentials.
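The precondition the article describes is co-location: a low-privileged task and a higher-privileged task on the same EC2 instance. The following audit script is an added example, not code from the article, from The Hacker News, or from Sweet Security. It groups running tasks by container instance and flags instances that host more than one distinct IAM task role, which is the placement a defender would want to review. The record layout (`taskArn`, `containerInstanceArn`, `taskRoleArn`) is an assumption loosely modelled on ECS task descriptions, and the sample records are constructed.

```python
"""Audit ECS task placement for mixed-privilege co-location.

Added example (not from the article or from Sweet Security). ECScape, as the
article describes it, lets a task obtain the credentials of another task on the
same EC2 instance, so an instance hosting tasks with different IAM task roles is
the condition worth surfacing. The record shape is an assumption loosely
modelled on ECS task descriptions; all data below is constructed.
"""
from collections import defaultdict

# Constructed sample: three tasks. Two share instance i-1 but run under
# different task roles, which is the situation the article warns about.
SAMPLE_TASKS = [
    {
        "taskArn": "arn:aws:ecs:us-east-1:123456789012:task/prod/aaa",
        "containerInstanceArn": "arn:aws:ecs:us-east-1:123456789012:container-instance/prod/i-1",
        "taskRoleArn": "arn:aws:iam::123456789012:role/admin-task-role",
    },
    {
        "taskArn": "arn:aws:ecs:us-east-1:123456789012:task/prod/bbb",
        "containerInstanceArn": "arn:aws:ecs:us-east-1:123456789012:container-instance/prod/i-1",
        "taskRoleArn": "arn:aws:iam::123456789012:role/web-task-role",
    },
    {
        "taskArn": "arn:aws:ecs:us-east-1:123456789012:task/prod/ccc",
        "containerInstanceArn": "arn:aws:ecs:us-east-1:123456789012:container-instance/prod/i-2",
        "taskRoleArn": "arn:aws:iam::123456789012:role/web-task-role",
    },
]


def roles_per_instance(tasks):
    """Map each container instance ARN to the set of distinct task roles it hosts.

    A task without a task role is recorded under a placeholder so it still
    counts as a distinct privilege level on that host.
    """
    hosted = defaultdict(set)
    for task in tasks:
        role = task.get("taskRoleArn") or "<no task role>"
        hosted[task["containerInstanceArn"]].add(role)
    return dict(hosted)


def mixed_privilege_instances(tasks):
    """Return {instance ARN: sorted role list} for instances hosting >1 distinct task role."""
    return {
        instance: sorted(roles)
        for instance, roles in roles_per_instance(tasks).items()
        if len(roles) > 1
    }


if __name__ == "__main__":
    for instance, roles in mixed_privilege_instances(SAMPLE_TASKS).items():
        print(f"{instance} hosts {len(roles)} distinct task roles:")
        for role in roles:
            print(f"  - {role}")
```

In a real environment the task list would come from the ECS API rather than the constructed sample; the script deliberately treats "more than one distinct role per host" as the only signal, since the article ties the issue to same-instance co-location rather than to any particular role.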
Read at The Hacker News