Graham Sutherland / PolynomialMay 20
fun trick: if someone gives a hosted LLM a skill that lets it fetch web pages (directly, not through some third party scraper service) and it's hosted on AWS, you can often trick it into fetching data from the AWS instance metadata server (IMDS) at 169.254.169.254 / [fd00:ec2::254]. the higher end models tend to refuse if you give the IP, but you can just spin up a domain with A/AAAA records pointing at that IP and request that instead. if IMDSv1 isn't disabled you can get secrets out of it.
Show threadPhil Ashby  🍵
@gsuberland
Deeply suspecting this trick will work on Azure for the managed identity token service endpoint too (and thus onward to key vaults etc. that the leaked identity is authorised for)... I'm retiring in 6 weeks and my current employer is all Azure based and diving into AI stuff 🙃
May 20 at 10:47pmWeb
Show threadGraham Sutherland / PolynomialMay 21
@phlash yeah it's a fundamental problem of mixing any kind of SSRF-as-a-service with any kind of source-based identity check.
Show threadGraham Sutherland / PolynomialMay 21
@phlash I checked for Azure and GCP. neither are vulnerable to the most basic case because they require a specific custom HTTP header on all requests. AWS IMDSv1 is the only one that doesn't require it, so it's vulnerable.