Closed Bug 1727707 Opened 4 years ago Closed 4 years ago

Subdomain takeover of content-signature-2.cdn.mozilla.net

Categories: Websites :: Other, defect

Tracking: Not tracked

Status: RESOLVED INVALID

People: Reporter: onkarsonawane313, Unassigned

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0

Steps to reproduce:

Your online asset content-signature-2.cdn.mozilla.net still had a DNS CNAME entry pointing to an Amazon Cloudfront CDN server, but it was not registered there anymore. This allowed anyone (and luckily in this case, me :-) to claim this domain and start serving content for it via Cloudfront. It is currently serving one of my S3 buckets, e.g. http://d2nxq2uap88usk.cloudfront.net/index.html is equal to https://content-signature-2.cdn.mozilla.net/ . The impact is two-fold:

The subdomain takeover of the HTTP version allows me to acquire a valid SSL certificate for it, and thus upgrade it to an HTTPS subdomain takeover. Many Certificate Authorities support automated domain verification through hosting a specific HTML file in the root directory of a (sub)domain (e.g. Let's Encrypt, GoDaddy, Comodo, ...). Since the subdomain takeover yields the attacker complete control over the webserver serving the subdomain, this would be trivial. This was not actually performed as a PoC, to not upset you by generating a malicious SSL certificate for your domain, but feel free to give me a heads-up if you are not convinced and would like me to actually proceed with this attack scenario. I have done this before; it's only one command with Let's Encrypt. The certificate could be used in Man-in-the-Middle attacks, and to contribute to the point below.

Stealthy impersonation of Firefox. An attacker could start hosting convincing phishing pages asking for sensitive information of customers, such as credentials. Due to the mozaws.net top-level domain and the https:// in the URL bar (see point above), this would most likely be very effective against existing Mozilla users. An attacker can leverage the usual web technologies to convince victims: HTML, JavaScript, plugins, ..., so one could also see it as a Cross-site Scripting issue on a Mozilla-owned asset. Additionally, an attacker could also use it to negatively affect Mozilla's reputation, e.g. by hosting questionable content and spreading this on the internet (e.g. malware) or going directly to the press.

The subdomain "content-signature-2.cdn.mozilla.net" was (and still is) a CNAME pointing to a Cloudfront CDN server (depending on your location, the latter will resolve differently):

content-signature-2.cdn.mozilla.net. 59 IN CNAME d2nxq2uap88usk.cloudfront.net.

However, the hostname "content-signature-2.cdn.mozilla.net" was not claimed anymore on Cloudfront, resulting in a Cloudfront error page when visiting the subdomain before the takeover. Subsequently, a new Amazon Cloudfront CDN endpoint was created and linked to an attacker-controlled origin server (http://d2nxq2uap88usk.cloudfront.net). For the new Cloudfront CDN endpoint, "content-signature.cdn.mozilla.net" was designated as hostname successfully. This concluded the subdomain takeover.

The root cause of the vulnerability is the dangling CNAME pointer to Cloudfront from the affected subdomain. It is advised to remove the DNS CNAME pointer from content-signature-2.cdn.mozilla.net to the Cloudfront CDN server. This will mitigate the root cause vulnerability. If you are interested in keeping the subdomain on the Cloudfront CDN, I'll have to release it first before you can reclaim it. In that case, just let me know.

Can you give me permission so I can claim this domain?

Regards,

Onkar Sonawane
https://www.linkedin.com/in/onkar-sonawane-40a59118a/
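The report above describes a dangling CNAME to CloudFront; the bug was later closed because the target distribution turned out to be in Mozilla's own inventory. The following is an added defender-side check, not code from the report or from Mozilla: it follows the CNAME chain, treats a distribution found in your own inventory as safe, and only then falls back to the HTTP error-page fingerprint. The CloudFront error-page text, the stub HTTP client and the second sample host are assumptions.

```python
import re
from typing import Callable, Dict, NamedTuple, Optional, Set, Tuple

CLOUDFRONT_RE = re.compile(r"\.cloudfront\.net$", re.IGNORECASE)
# Assumption: text CloudFront returns when no distribution claims the hostname.
UNCLAIMED_MARKER = "The request could not be satisfied"
class Finding(NamedTuple):
    hostname: str
    target: Optional[str]
    status: str  # no-cname | not-cloudfront | owned | dangling | unknown-owner

def resolve_cname(records: Dict[str, str], name: str, max_hops: int = 8) -> Optional[str]:
    """Follow a CNAME chain in a name->target map; return the final target."""
    cur, target, seen = name.rstrip(".").lower(), None, set()
    for _ in range(max_hops):
        nxt = records.get(cur)
        if nxt is None:
            return target
        nxt = nxt.rstrip(".").lower()
        if nxt in seen:
            return None  # CNAME loop: treat as unresolvable
        seen.add(nxt)
        cur = target = nxt
    return target

def check_cloudfront_host(hostname: str, records: Dict[str, str], owned: Set[str],
                          fetch: Callable[[str], Tuple[int, str]]) -> Finding:
    """Classify a host by its CNAME target and your CloudFront inventory (owned =
    distribution domains in your own accounts). fetch(host) -> (status, body) is
    injected so the check runs offline; inventory, not HTTP, is authoritative."""
    target = resolve_cname(records, hostname)
    if target is None:
        return Finding(hostname, None, "no-cname")
    if not CLOUDFRONT_RE.search(target):
        return Finding(hostname, target, "not-cloudfront")
    if target in owned:
        return Finding(hostname, target, "owned")
    code, body = fetch(hostname)
    if code == 403 and UNCLAIMED_MARKER in body:
        return Finding(hostname, target, "dangling")  # nobody serves it yet
    return Finding(hostname, target, "unknown-owner")  # served, but not by you
# Constructed sample data (not real DNS answers): the record quoted in this bug
# plus a hypothetical stale host; the stub client returns CloudFront's error page.
SAMPLE_RECORDS = {
    "content-signature-2.cdn.mozilla.net": "d2nxq2uap88usk.cloudfront.net.",
    "old-static.example.net": "d111111abcdef8.cloudfront.net."}
SAMPLE_OWNED = {"d2nxq2uap88usk.cloudfront.net"}
def sample_fetch(hostname: str) -> Tuple[int, str]:
    return 403, "<h1>ERROR</h1><h2>The request could not be satisfied.</h2>"
```

A host that already serves content but whose distribution is not in inventory is reported as unknown-owner rather than safe, since that is exactly what a completed takeover looks like from the outside.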

The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Security: PSM
Product: Firefox → Core

Any update?

Component: Security: PSM → Other
Flags: needinfo?(jclaudius)
Product: Core → Websites
Version: Firefox 91 → unspecified

Thank you

I am looking to find the right owner for this, will NI them once I figure out who.

Flags: needinfo?(jclaudius)

Onkar: can you claim or upload a PoC to the domain? Or since you mentioned your AWS account was suspended in another bug provide directions on how to take the domain over from another AWS account?

This is an autograph content signature domain. :jbuck and :wezhou are primary and secondary ops respectively.

Flags: needinfo?(onkarsonawane313)

Okay

My two accounts are suspended; that's why I can't claim this domain. I hope you understand. Thank you

Flags: needinfo?(onkarsonawane313)

(In reply to Onkar Sonawane from comment #7)

> My two accounts are suspended; that's why I can't claim this domain. I hope you understand. Thank you

Can you provide steps on how to claim the domain or CDN over from another AWS account instead? We can run through your steps from one of our test accounts.

Flags: needinfo?(onkarsonawane313)

Hello, any update?

Any update?

Mozilla owns the R53 record for content-signature-2.cdn.mozilla.net and the d2nxq2uap88usk.cloudfront.net Cloudfront distribution it points to. You can see our content at URLs like https://content-signature-2.cdn.mozilla.net/chains/normandy.content-signature.mozilla.org-2020-05-05-15-04-19.chain

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID

I'm eligible for a bounty