AWS RDS Arbitrary File Read Leaks Internal Service Credentials
Great oversight spotted by the Lightspin team in Amazon Relational Database Service's (RDS) PostgreSQL offering, allowing arbitrary file reads and ultimately the disclosure of internal service credentials.
Effectively, with RDS you can spin up one of several different database systems and have Amazon worry about scaling and the rest. With that you get access to the database system, but access to the underlying host is restricted.
There is some limited extension support, effectively only for the extensions that Amazon trusts. The Lightspin team found that the log_fdw extension was allowed. This extension exposes log files through a SQL interface, presenting a log as a table with its columns.
There was a bit of security around this, as Amazon provides a custom foreign data wrapper for accessing the log files. These wrappers have two components: the mandatory handler, which does the actual fetching of the foreign data, and the validator, which checks the options. The validator is optional, since the same validation could equally happen in the handler. What they found was that the handler did no validation of its own, so by altering the foreign data wrapper to disable the validator they could import arbitrary files and read them through the log_fdw extension.
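The lesson of the handler/validator split is that an optional validator is not a security boundary: whatever the handler opens must be confined by the handler itself. The following is an added example, not Lightspin's or Amazon's code and not the real log_fdw implementation, that models a handler-side confinement check for a log-file wrapper's filename option. The log directory, the option names and the sample option sets are all assumptions constructed for the illustration. The audit helper runs each option set with and without the validator so you can see that dropping the validator no longer changes the outcome.

```python
"""Handler-side confinement check for a log_fdw-style foreign data wrapper.

Added example, not Lightspin's or Amazon's code. It models the check the
handler of a log-file wrapper should perform on the 'filename' option itself,
so that removing or bypassing the (optional) validator changes nothing.
LOG_DIR is an assumed location, not the real RDS layout.
"""
import os

# Assumption: the only directory the wrapper is allowed to serve files from.
LOG_DIR = "/var/lib/postgresql/log"


class ForeignTableOptionError(ValueError):
    """Raised when a foreign table option would escape the log directory."""


def resolve_log_path(filename: str, log_dir: str = LOG_DIR) -> str:
    """Return the canonical path for `filename` if it lies inside `log_dir`.

    The option is treated as a name relative to the log directory. It is
    joined to that directory, canonicalised (which also follows any symlinks
    that exist on disk), and then required to still sit under the canonical
    log directory. Absolute paths, '..' traversal and symlinks that point
    elsewhere are all rejected.
    """
    if not filename or "\x00" in filename:
        raise ForeignTableOptionError("filename option is empty or contains NUL")
    if os.path.isabs(filename):
        raise ForeignTableOptionError("filename must be relative to the log directory")
    base = os.path.realpath(log_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    # Both paths are absolute and canonical; the candidate is inside the log
    # directory only if their common prefix is the log directory itself.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ForeignTableOptionError(f"{filename!r} resolves outside {base}")
    return candidate


def validator(options: dict) -> None:
    """The optional validator callback: checks options when the table is defined."""
    resolve_log_path(options.get("filename", ""))


def handler_open(options: dict, run_validator: bool = True) -> str:
    """The mandatory handler: the code path that actually opens a file at query time.

    `run_validator=False` stands in for a wrapper whose validator has been
    removed. The handler derives and checks the path itself, so the decision
    is the same either way.
    """
    if run_validator:
        validator(options)
    return resolve_log_path(options["filename"])  # independent re-check


def audit_options(option_sets):
    """Classify constructed option sets as accepted or rejected, with and
    without the validator, and return the decisions as a list of dicts."""
    results = []
    for opts in option_sets:
        row = {"filename": opts.get("filename")}
        for label, flag in (("with_validator", True), ("without_validator", False)):
            try:
                handler_open(opts, run_validator=flag)
                row[label] = "accepted"
            except (ForeignTableOptionError, KeyError):
                row[label] = "rejected"
        results.append(row)
    return results


# Constructed sample option sets for the demonstration (not from the research).
SAMPLE_OPTIONS = [
    {"filename": "postgresql.log"},
    {"filename": "archive/postgresql-2023-01-01.log"},
    {"filename": "../../tmp/secret.json"},
    {"filename": "/etc/passwd"},
    {},
]

if __name__ == "__main__":
    for row in audit_options(SAMPLE_OPTIONS):
        print(row)
```

The realpath step only resolves symlinks that exist when the check runs, so a production handler would additionally open the file with flags that refuse to follow symlinks and verify the opened descriptor, closing the window between check and use.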
With the ability to read arbitrary files, they worked their way through some configuration layers to /tmp/csd-grover-credentials.json, which contained the credentials for an internal AWS service account.