Summary
ExAws.SNS.verify_message/1 fetches the signing certificate from the SigningCertURL field of the incoming SNS message without validating that the URL uses HTTPS or that its host is an AWS-owned SNS certificate domain. An unauthenticated attacker who can POST to any endpoint that calls verify_message/1 can supply an attacker-controlled SigningCertURL, sign a forged SNS message with their own RSA key, and cause the function to return :ok, completely bypassing SNS signature verification.
Details
In lib/ex_aws/sns.ex (lines 475–483), verify_message/1 performs three checks: validate_message_params/1 (confirms required fields are present), validate_signature_version/1 (confirms SignatureVersion == "1"), then signature verification. The signature step calls ExAws.SNS.PublicKeyCache.get(message["SigningCertURL"]) and passes the result to :public_key.verify/4.
Neither validate_message_params/1 nor any other step checks that SigningCertURL is an HTTPS URL or that the hostname matches the expected pattern (e.g. sns.<region>.amazonaws.com). PublicKeyCache.get/1 in lib/ex_aws/sns/public_key_cache.ex fetches whatever URL is provided and caches the certificate. The RSA signature then verifies against the attacker's own public key, and verify_message/1 returns :ok.
PoC
- Generate an RSA keypair and host the DER/PEM public certificate at any URL reachable from the target server (e.g.
http://attacker.example/cert.pem).
- Build a forged
Notification payload with an arbitrary TopicArn and Message, compute the canonical string-to-sign per the SNS spec, and sign it with the attacker private key.
- Set
SigningCertURL to the attacker URL and Signature to the base64-encoded signature.
- POST the forged payload to any SNS webhook endpoint that calls
ExAws.SNS.verify_message/1.
- The function returns
:ok; the application treats the message as authentic.
Configurations
The application must expose an HTTP endpoint that calls ExAws.SNS.verify_message/1 on incoming request bodies (the standard SNS webhook pattern).
Impact
Complete SNS signature authentication bypass. Affects ex_aws_sns from 2.0.1 through 2.3.4. Consequences include spoofing arbitrary Notification payloads, auto-confirming attacker-controlled SubscribeURL values to hijack topic delivery, and spoofing UnsubscribeConfirmation to disrupt legitimate subscriptions. No authentication or special configuration on the attacker side is required. CVSS v4.0: 8.7 (HIGH).
Resources
References
Summary
ExAws.SNS.verify_message/1fetches the signing certificate from theSigningCertURLfield of the incoming SNS message without validating that the URL uses HTTPS or that its host is an AWS-owned SNS certificate domain. An unauthenticated attacker who can POST to any endpoint that callsverify_message/1can supply an attacker-controlledSigningCertURL, sign a forged SNS message with their own RSA key, and cause the function to return:ok, completely bypassing SNS signature verification.Details
In
lib/ex_aws/sns.ex(lines 475–483),verify_message/1performs three checks:validate_message_params/1(confirms required fields are present),validate_signature_version/1(confirmsSignatureVersion == "1"), then signature verification. The signature step callsExAws.SNS.PublicKeyCache.get(message["SigningCertURL"])and passes the result to:public_key.verify/4.Neither
validate_message_params/1nor any other step checks thatSigningCertURLis an HTTPS URL or that the hostname matches the expected pattern (e.g.sns.<region>.amazonaws.com).PublicKeyCache.get/1inlib/ex_aws/sns/public_key_cache.exfetches whatever URL is provided and caches the certificate. The RSA signature then verifies against the attacker's own public key, andverify_message/1returns:ok.PoC
http://attacker.example/cert.pem).Notificationpayload with an arbitraryTopicArnandMessage, compute the canonical string-to-sign per the SNS spec, and sign it with the attacker private key.SigningCertURLto the attacker URL andSignatureto the base64-encoded signature.ExAws.SNS.verify_message/1.:ok; the application treats the message as authentic.Configurations
The application must expose an HTTP endpoint that calls
ExAws.SNS.verify_message/1on incoming request bodies (the standard SNS webhook pattern).Impact
Complete SNS signature authentication bypass. Affects
ex_aws_snsfrom 2.0.1 through 2.3.4. Consequences include spoofing arbitraryNotificationpayloads, auto-confirming attacker-controlledSubscribeURLvalues to hijack topic delivery, and spoofingUnsubscribeConfirmationto disrupt legitimate subscriptions. No authentication or special configuration on the attacker side is required. CVSS v4.0: 8.7 (HIGH).Resources
References