{"id":5178,"date":"2020-11-20T13:06:32","date_gmt":"2020-11-20T07:36:32","guid":{"rendered":"https:\/\/www.varutra.com\/?p=5178"},"modified":"2022-12-02T14:56:47","modified_gmt":"2022-12-02T09:26:47","slug":"subdomain-takeovers-cnames-and-cloud-services","status":"publish","type":"post","link":"https:\/\/www.varutra.com\/varutravrt3\/subdomain-takeovers-cnames-and-cloud-services\/","title":{"rendered":"Subdomain Takeovers – CNAMEs And Cloud Services"},"content":{"rendered":"

<\/p>\n

Introduction A Subdomain Takeovers
\n<\/strong><\/h3>\n

A hostile takeover of a subdomain by an attacker is known as a subdomain takeover. This issue mostly arises when organizations are integrating with either third-party hosting services or cloud service providers. The DNS records referring to these service providers remain while they have stopped their services. Subdomain takeovers are considered to be an acute threat to an organization that regularly activates and deactivates resources that depend on cloud computing service providers. It is an emerging threat especially when an organization\u2019s DNS record points are discontinued or non-existent. These DNS records are referred to as dangling DNS or stale DNS. Dangling CNAME records are quite vulnerable to these threats.<\/p>\n

 <\/p>\n

Common Scenario leading to subdomain takeovers<\/strong><\/h3>\n
    \n
  1. The CNAME record is used by domain names like greatapp.contoso.com for a different domain. Example: greatapp.contoso.com CNAME great app.third-party.hosting.<\/li>\n
  2. Due to any circumstances, when domain name (great app.third-party.hosting) expires, then it will be available to others for registration by the hosting service providers.<\/li>\n
  3. As the CNAME record does not get deleted from the hosting website i.e., costono.com, anyone can easily register for your previous selected domain name (great app.third-party.hosting).<\/li>\n<\/ol>\n

     <\/p>\n

    Note that HTTP redirects (301 or 302) could be also be used instead of CNAMEs to redirect from http:\/\/www.battlinjack.buzz<\/em> to http:\/\/aws.battlinjack.buzz.s3-website.ap-south-1.amazonaws.com.<\/em><\/p>\n

    \"\"<\/em><\/p>\n

    It is a method that is not used so frequently. It replaces the domain name from the browser\u2019s URL bar while the CNAME record will not change the domain in the URL bar of your browser as DNS resolution takes place in the backend.<\/p>\n

     <\/p>\n

    What\u2019s in a CNAME?<\/strong><\/h3>\n

    \"\"<\/p>\n

    CNAME or Canonical Name is a category in DNS record that means alternate name to canonical domain name. For example, a CNAME record is used by domain name (greatapp.contoso.com) for a different domain (sub.example.com CNAME great app.third-party.hosting).<\/p>\n

    Hosting service providers assign a particular subdomain for the organization on the hosting provider\u2019s domain. It is represented as organizationname.hostname.com. It is followed by a CNAME to redirect towards the customer\u2019s domain, i.e.,\u00a0www.organizationname.com<\/a>.<\/p>\n

     <\/p>\n

    Looking up the CNAME of a subdomain<\/strong><\/h3>\n

    \"\"<\/p>\n

    Various tools and applications are available on internet to look for a CNAME if it is available. You can use nlookup to find out whether a CNAME for a particular subdomain exists or not. The result will indicate that is the hosting provider is in use or not. In this case, you can see that the CNAME record for source domain (aws.battlinjack.buzz) is directed to the resource (aws.battlinjack.buzz.s3-website.ap-south-1.amazonaws.com) which is hosted on the AWS S3 bucket.<\/p>\n

     <\/p>\n

    Is there a dangling DNS record (CNAME) for the subdomain?<\/strong><\/h3>\n

    \"\"<\/p>\n

    In the example here, while browsing aws.battlinjack.buzz (source subdomain), you can see an error message getting displayed by the AWS S3 (cloud service provider). This message means that the resource (bucket) does not exist.<\/p>\n

    It is a dangling DNS record issue. It means the CNAME record is directed towards the AWS S3 bucket (resource), however, aws.battlinjack.buzz.s3-website.ap-south-1.amazonaws.com (resource) no longer exists. This instance is a scenario for subdomain takeover.<\/p>\n

     <\/p>\n

    Exploitation of Subdomain takeovers<\/strong><\/h3>\n

    The exploitation of subdomain takeover is different as the service provider that was earlier present and used to host the current resource (non-existing) that was existing in the earlier case.<\/p>\n

     <\/p>\n

    Taking over an AWS S3 bucket<\/strong><\/h3>\n

    Here in AWS S3, the website hosting format for subdomain identifying the unique cloud resource (bucket) is bucket-name.s3-website.region-name.amazonaws.com. The CNAME record aws.battlinjack.buzz\u00a0<\/em>(source subdomain) redirects to aws.battlinjack.buzz.s3-website.ap-south-1.amazonaws.com (resource).\u00a0<\/em>The part before \u201c.s3\u201d<\/em>\u00a0is known as the bucket name. To carry out a successful attack, the hacker only needs to create a bucket with the name aws.battlinjack.buzz. It is done as there is already a CNAME record for this subdomain.<\/p>\n

    \"Bucket<\/p>\n

    This subdomain take-over is complete if the bucket is successfully created.<\/p>\n

    Note: In case when aws.battlinjack.buzz (bucket name) is already in existence then AWS will show an error and exploitation will not be possible.<\/p>\n

     <\/p>\n

    Taking over a github pages website<\/strong><\/h3>\n

    GitHub is mostly used for technical blogs, project documentation, or assisting in webpages for open-source projects as it provides free web hosting services using their GitHub Pages. It will assist the default domain name as well as a custom domain name that is registered in github.io. The subdomain format for the GitHub page for a user is username.github.io.<\/p>\n

    The appearance of the CNAME record for a source subdomain that is hosted on GitHub.<\/p>\n

    \"\"<\/p>\n

    Verifying the existence of GitHub pages site on github.battlinjack.buzz.<\/p>\n

    \"\"<\/p>\n

    In exploitation, to complete the take-over a hacker needs to insert the custom domain name (github.battlinjack.buzz) into their GitHub pages repository (battlinjack.github.io).<\/p>\n

    \"\"<\/p>\n

    Note:<\/p>\n