Closed Bug 1753005 Opened 3 years ago Closed 3 years ago

Hosted Zone Takeover of mozit.net via Namecheap

Categories

(Infrastructure & Operations :: DNS and Domain Registration, defect)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: aidan, Unassigned)

Details

(Keywords: reporter-external, sec-low, wsec-takeover, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Title: Hosted Zone Takeover of mozit.net via Namecheap

Summary:
Good Afternoon Team,

I was recently enumerating all domains with your own name in the Registrar field via WHOIS and discovered that the root domain mozit.net. had authoritative nameservers pointing to Namecheap's DNS hosting service which were available to be claimed, thus I could hijack the zone file by purchasing their DNS hosting service for $10.

Initial enumeration displayed that all domains were responding with a SERVFAIL for all DNS queries; secondly, tracing the nameservers displayed the below.

mozit.net.
Name Server: dns1.registrar-servers.com
Name Server: dns2.registrar-servers.com

You can also verify the takeover by visiting the following URL http://mozit.net./takeover.html

Mitigation

Remove all authoritative DNS records configured for the aforementioned domains.

I look forward to hearing from you and once again, I apologize if this is out of scope & I will happily self-close :)

~ @m0chan

Utilizing this, an attacker could easily carry out the below:

  • Host & deploy a mail service on *.mozit.net. domains
  • Issue SSL certificates
  • Create arbitrary domains within the *.mozit.net. domain space
  • Steal any cookies scoped to *.mozit.net. domains
Flags: sec-bounty?
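The check the reporter describes (a delegation whose NS records point at a third-party DNS host, with those servers answering SERVFAIL for the zone because nobody has configured it there) can be automated. The following is an added example, not code from the bug report or from Mozilla: a minimal stdlib-only DNS SOA probe plus the classification rule. The provider table contains only the Namecheap mapping named in the report (dns1/dns2.registrar-servers.com); any other entries you add are your own assumptions. The offline demo substitutes a constructed stub for the real answers, so it runs without network access.

```python
import random
import socket
import struct

# Nameserver suffix -> hosting provider. Only the mapping named in this report is
# included; extend it with providers you have verified yourself.
THIRD_PARTY_DNS = {
    "registrar-servers.com.": "Namecheap",
}

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_SOA = 6


def build_query(qname: str, qtype: int = QTYPE_SOA) -> tuple[int, bytes]:
    """Build a single-question DNS query (RD=0: we ask the delegated server directly)."""
    txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return txid, header + question


def parse_rcode(response: bytes, expected_txid: int) -> int:
    """Return the RCODE from a DNS response header, checking the transaction id."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("packet is not a response (QR bit clear)")
    return flags & 0x000F


def fake_response(txid: int, rcode: int) -> bytes:
    """Constructed response header used only by the offline demo and tests."""
    return struct.pack("!HHHHHH", txid, 0x8000 | rcode, 0, 0, 0, 0)


def query_rcode(server_ip: str, qname: str, timeout: float = 3.0) -> int:
    """Live probe: send a SOA query for qname to server_ip over UDP and return the RCODE."""
    txid, packet = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_rcode(data, txid)


def provider_of(ns_name: str):
    """Map a nameserver hostname to a known third-party DNS host, or None."""
    ns = ns_name.lower().rstrip(".") + "."
    for suffix, provider in THIRD_PARTY_DNS.items():
        if ns == suffix or ns.endswith("." + suffix):
            return provider
    return None


def classify(domain: str, ns_records: list, rcode_of) -> dict:
    """Flag a delegation as claimable when every NS belongs to one known third-party
    host and every one of them refuses to serve the zone (SERVFAIL or REFUSED).
    rcode_of(ns_name, domain) supplies the RCODE; inject query_rcode-based
    lookups for live use or a stub for offline testing."""
    providers = {provider_of(ns) for ns in ns_records}
    rcodes = {ns: rcode_of(ns, domain) for ns in ns_records}
    unserved = bool(rcodes) and all(rc in (2, 5) for rc in rcodes.values())
    single_third_party = len(providers) == 1 and None not in providers
    return {
        "domain": domain,
        "provider": next(iter(providers)) if single_third_party else None,
        "rcodes": {ns: RCODE_NAMES.get(rc, str(rc)) for ns, rc in rcodes.items()},
        "claimable": single_third_party and unserved,
    }


def demo() -> dict:
    """Offline reproduction of the report: both Namecheap servers answer SERVFAIL."""
    def stub(ns_name, domain):  # constructed stand-in for a live query_rcode call
        return 2  # SERVFAIL
    return classify(
        "mozit.net.",
        ["dns1.registrar-servers.com.", "dns2.registrar-servers.com."],
        stub,
    )


if __name__ == "__main__":
    print(demo())
```

A SERVFAIL from a delegated server is only a signal: an organisation's own nameservers returning SERVFAIL is a broken zone, not a claimable one, which is why `classify` also requires every NS to belong to a recognised third-party host. Providers also differ in what an unconfigured zone returns (some answer REFUSED rather than SERVFAIL), so both codes are treated as "not served". The definitive confirmation is the one the reporter used: attempt to add the zone at the provider, and the fix is the one applied later in this bug, re-pointing or removing the NS delegation.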

Hello m0chan,

Thank you so much for your report and bringing this to our attention.

I can confirm the takeover:

% curl http://mozit.net/takeover.html 
m0chan

It seems like we do own this domain, I need to track down the team responsible for it though to help resolve the issue.

Please note that this domain might not be eligible for bounty based on our guidelines: https://www.mozilla.org/en-US/security/web-bug-bounty/

Thanks,
Frida

Type: task → defect
Assignee: nobody → infra
Group: mozilla-employee-confidential
Status: UNCONFIRMED → NEW
Component: Other → DNS and Domain Registration
Ever confirmed: true
Product: Websites → Infrastructure & Operations
Version: unspecified → ---

I wonder if we ever used this, or if we simply claimed it because someone was hosting a Mozilla scam on them? Then again, having a companion tizom.net domain does look like our style for a staging site.

(In reply to Daniel Veditz [:dveditz] from comment #2)

I wonder if we ever used this, or if we simply claimed it because someone was hosting a Mozilla scam on them?
Then again, having a companion tizom.net domain does look like our style for a staging site.

I have no proof, but I have speculative oral history.

In bug 1456292, 2018-04-23, we got mozit.cloud and tizom.cloud, with them being purchased directly in MarkMonitor. These were used by the webops team of the time, and they have grown in usage.

The 'reuse' of mozit lines up with a couple of things. The webops team of the time (notably one Scott Idler), was doing some development around NameCheap for a project called 'autocert', which is long decom'ed. I recall there being a notion of having autocert start out in the datacenter as a mozit-named project, and then transfer off to the cloud. This never happened; it stayed branded as DC-named hosts until it died.

I have no reason to believe that we ever used this domain for anything. It was likely purchased as a land-rush / I-want-a-domain-tooooo! by someone who had access to namecheap but not to markmonitor, then it got moved over later.

Is there something we need to do regarding the takeover?

Hello m0chan,

I am reading your report again and curious about one of the steps in the takeover, do you mean that the registrar-servers.com domain was available and you were able to purchase it?

Thanks,
Frida

No, registrar-servers.com was the nameserver it was pointing to; in this case it is Namecheap.com's. From there I was able to register a hosting package and connect the respective domain.

Aidan

Group: mozilla-employee-confidential

I just moved the NS records back to MarkMonitor

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Flags: sec-bounty?
Flags: sec-bounty-hof+
Flags: sec-bounty-

Hello,

Based on our web bounty guidelines, https://www.mozilla.org/en-US/security/web-bug-bounty/, this particular domain is not eligible for bounty award, but we decided to add you to our hall of fame. Please let us know how you would like to be mentioned and whether you have a social account or website you would like us to reference.

Thanks again for your report.

Regards,
Frida

Group: websites-security