"RE: Hacking Terraform State for Privilege Escalation" was originally published on kevingimbel.de.

RE: Hacking Terraform State for Privilege Escalation

An interesting attack vector which uses empty terraform providers and a modified state file to execute code!

There’s lots to be excited about as a red teamer and scared of as a blue teamer, but at the top of the list is that the attack does not require a “terraform apply”. Even if the human reviewing this plan doesn’t approve it, the code has already executed.

— Daniel Grzelak

Read the full article on https://blog.plerion.com/hacking-terraform-state-privilege-escalation/