Closed Bug 1305450 Opened 8 years ago Closed 8 years ago

Subdomain takeover of telemetry-analysis-output.dev.mozaws.net

Categories

(Websites :: Other, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: arneswinnen, Unassigned)

References

()

Details

(Keywords: wsec-takeover, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(3 files)

Note: Highly similar to earlier report https://bugzilla.mozilla.org/show_bug.cgi?id=1304736

Your online asset telemetry-analysis-output.dev.mozaws.net still had a DNS CNAME entry pointing to an Amazon Cloudfront CDN server, but it was not registered there anymore. This allowed anyone (and luckily in this case, me :-) to claim this domain and start serving content for it via Cloudfront. It is currently serving one of my S3 buckets, e.g. http://subdomaintakeover.s3.amazonaws.com/index.html is equal to http://telemetry-analysis-output.dev.mozaws.net/index.html . The impact is two-fold:

- The subdomain takeover of the HTTP version allows me to acquire a valid SSL certificate for it, and thus upgrade it to an HTTPS subdomain takeover. Many Certificate Authorities support automated domain verification through hosting a specific HTML file in the root directory of a (sub)domain (e.g. Let's Encrypt, GoDaddy, Comodo, ...). Since the subdomain takeover yields the attacker complete control over the webserver serving the subdomain, this would be trivial. This was not actually performed as a PoC to not upset you by generating a malicious SSL certificate for your domain, but feel free to give me a heads up if you are not convinced and would like me to actually proceed with this attack scenario. I have done this before, it's only 1 command with Let's Encrypt. The certificate could be used in Man-in-the-Middle attacks, and to contribute to the point below.

- Stealthy impersonation of Firefox. An attacker could start hosting convincing phishing pages asking for sensitive information of customers, such as credentials. Due to the mozaws.net Top-level domain and the https:// in the URL bar (see point above), this would most likely be very effective against existing Mozilla users. An attacker can leverage the usual web technologies to convince victims: HTML, JavaScript, Plugins, ..., so one could also see it as a Cross-site Scripting issue on a Mozilla-owned asset. Additionally, an attacker could also use it to negatively affect Mozilla's reputation, e.g. by hosting questionable content and spreading this on the internet (e.g. malware) or going directly to the press.

The subdomain "telemetry-analysis-output.dev.mozaws.net" was (and still is) a CNAME pointing to a Cloudfront CDN server (depending on your location, the latter will resolve differently):

# nslookup telemetry-analysis-output.dev.mozaws.net 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
telemetry-analysis-output.dev.mozaws.net        canonical name = dmqyazg2oui7p.cloudfront.net.
Name:   dmqyazg2oui7p.cloudfront.net
Address: 54.192.217.104

However, the hostname "telemetry-analysis-output.dev.mozaws.net" was not claimed anymore on Cloudfront, resulting in a Cloudfront error page when visiting the subdomain before the takeover (see screenshot "1. Before takeover.png"). Subsequently, a new Amazon Cloudfront CDN endpoint was created and linked to an attacker-controlled origin server (http://subdomaintakeover.s3.amazonaws.com). For the new Cloudfront CDN endpoint, "telemetry-analysis-output.dev.mozaws.net" was designated as hostname successfully ("2. CNAME takeover.png"). This concluded the subdomain takeover (see screenshot "3. After takeover.png").

The root cause of the vulnerability is the dangling CNAME pointer to Cloudfront from the affected subdomain. It is advised to remove the DNS CNAME pointer from telemetry-analysis-output.dev.mozaws.net to the Cloudfront CDN server. This will mitigate the root cause vulnerability. If you are interested in keeping the subdomain on the Cloudfront CDN, I'll have to release it first before you can reclaim it. In that case, just let me know.
 
Regards,

Arne Swinnen
https://www.arneswinnen.net
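The root cause described in the report (a zone CNAME still aliasing a CloudFront hostname that no distribution of ours claims any more) can be audited from a defender's side. The following is an added example, not the reporter's or Mozilla's own tooling: it parses CNAME records out of nslookup-style output like the one above and flags those whose target is a takeover-prone CDN suffix and whose owner name is absent from our own inventory of claimed aliases. The nslookup text, the second and third records and the alias inventory are constructed; in practice the inventory would come from the CDN provider's account (for CloudFront, the Aliases configured on each distribution).

```python
"""Audit DNS CNAMEs for dangling pointers to a CDN that no longer claims them."""
import re

# CDN suffixes where an unclaimed alias can be registered by anyone.
# CloudFront is the case in this report; add others as needed.
TAKEOVER_PRONE_SUFFIXES = (".cloudfront.net",)

# Matches the 'canonical name =' lines nslookup prints for CNAME records.
CNAME_RE = re.compile(r"^(\S+)\s+canonical name = (\S+)$", re.MULTILINE)

# Constructed sample: the first record mirrors the report, the other two are
# made up (one claimed CloudFront alias, one internal CNAME that is not
# takeover-prone and must not be flagged).
SAMPLE_NSLOOKUP = """
Non-authoritative answer:
telemetry-analysis-output.dev.mozaws.net        canonical name = dmqyazg2oui7p.cloudfront.net.
Name:   dmqyazg2oui7p.cloudfront.net
Address: 54.192.217.104
example-claimed.dev.mozaws.net    canonical name = dexampleclaimed.cloudfront.net.
internal-app.dev.mozaws.net       canonical name = web01.internal.example.
"""

# Constructed inventory: alias hostnames configured on distributions we own.
CLAIMED_ALIASES = {"example-claimed.dev.mozaws.net"}


def parse_nslookup_cnames(text):
    """Return {owner: target} for every CNAME line, normalised (no trailing dot, lowercase)."""
    return {m.group(1).rstrip(".").lower(): m.group(2).rstrip(".").lower()
            for m in CNAME_RE.finditer(text)}


def is_takeover_prone(target):
    """True when the CNAME target lives on a CDN where aliases are first-come, first-served."""
    return any(target.endswith(suffix) for suffix in TAKEOVER_PRONE_SUFFIXES)


def find_dangling(cnames, claimed_aliases):
    """Records whose target is takeover-prone and whose owner no distribution of ours claims."""
    claimed = {a.rstrip(".").lower() for a in claimed_aliases}
    return sorted((owner, target) for owner, target in cnames.items()
                  if is_takeover_prone(target) and owner not in claimed)


if __name__ == "__main__":
    for owner, target in find_dangling(parse_nslookup_cnames(SAMPLE_NSLOOKUP), CLAIMED_ALIASES):
        print(f"DANGLING: {owner} -> {target} (remove the record or reclaim the alias)")
```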
Flags: sec-bounty?
Attached image 1. Before takeover.png
Attached image 2. CNAME takeover.png
Attached image 3. After takeover.png
Flags: sec-bounty?
Flags: sec-bounty-
Flags: needinfo?(jclaudius)
See Also: → 1304736
This bug is part of an aggregate of bugs that were awarded in bug 1304785.  Thank you!
Flags: needinfo?(jclaudius)
:digi - could I get your assistance with resolving this one too?
Flags: needinfo?(bhourigan)
:claudijd, no problem. The domain belongs to cloud services, NI'ing :jason
Flags: needinfo?(bhourigan) → needinfo?(jthomas)
Flags: needinfo?(jthomas)
I need to look into why this domain is not in use. AFAIK it is supposed to be, but I will confer with :rvitillo and :mreid to determine how to proceed.
I figured out the issue. The DNS record for telemetry-analysis-output.dev.mozaws.net existed only to CNAME to analysis-output.telemetry.mozilla.org, which is claimed. This was done for administrative convenience. I have fixed this by removing the entry for telemetry-analysis-output.dev.mozaws.net and setting up a direct CNAME in inventory (actually :ckolos did, thanks :ckolos).
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Flags: sec-bounty- → sec-bounty?
Flags: sec-bounty? → sec-bounty-
Group: websites-security