DIVD-2022-00007 - Subdomain Takeovers
Our reference | DIVD-2022-00007 |
Case lead | Martin van Wingerden |
Researcher(s) | |
CVE(s) | |
Product | Azure, AWS, GitHub, etc |
Versions | n/a |
Recommendation | Cleanup unused DNS records |
Workaround | n/a |
Status | Closed |
Last modified | 26 May 2023 13:27 CEST |
Summary
Subdomain takeovers not only allow an attacker to publish content on the target's website; in some cases they also allow reading (session) cookies, performing other attacks such as cross-site scripting, or even tricking password managers.
Subdomain takeovers typically occur when a CNAME still points to a service that is no longer active, or in some cases because a typo was made while creating the CNAME. Note, however, that even when using A / AAAA records you could, in certain cases, still be vulnerable to subdomain takeovers.
Since 2014 subdomain takeovers have been a growing problem. Due to the increased adoption of cloud services this is not an issue that will go away easily.
What you can do
- Clean up unused/dangling DNS records
- First and foremost, removal of the DNS records should be done in tandem with the removal of the service.
- Secondly, whenever a vendor offers security measures against subdomain takeovers, you should apply them.
What we are doing
We are scanning the internet for vulnerable subdomains, and will attempt to notify system owners via the listed abuse contacts, info@ and security@.
We will continue scanning for potential subdomain takeovers in the future and whenever needed start a new case to track them.
Further details
The vulnerability does not work exactly the same way for each service, and most services offer some sort of security option.
AWS S3
By creating a bucket named after a domain, e.g. www.example-bucket.com, and setting up a CNAME pointing to the correct region, you can easily host a website. However, when this bucket no longer exists, anyone can take over the website by creating a bucket with that name in the correct region. This is especially risky when using wildcard DNS records.
AWS Elastic Beanstalk
One form of Elastic Beanstalk URL is vulnerable to subdomain takeover: the case where a single label exists before the region, e.g. example.eu-central-1.elasticbeanstalk.com. In other cases (such as recent ones, where a hash occurs before the region) no vulnerability arises, for example: example.eu-central-1.hjklfshj.elasticbeanstalk.com
GitHub
CNAMES pointing to any username.github.io are vulnerable if that username is not registered and the domain is not protected.
Please be aware that the username to which the CNAME points provides NO security; the way to protect your (sub)domain is by verifying your custom domain at GitHub.
Azure - App Services
(Sub)domains pointing to Azure App Services (CNAMES pointing to something.azurewebsites.net) can be vulnerable to subdomain takeover.
However, a protection is available, although unfortunately it is not commonly used: you can configure a domain verification ID in a DNS TXT record.
Azure - Other services
Most other services don't provide additional security measures. If the service is completely removed from Azure while the CNAME is still there, subdomain takeover is possible.
Unregistered Domains
A special case of subdomain takeover does not involve cloud providers at all: a CNAME has been created pointing to another domain name which is not, or is no longer, registered. By registering that domain, one could perform a takeover.
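The per-service rules above can be turned into a routine audit of your own zones. The following is an added example, not DIVD's scanner or any vendor's code: it classifies each CNAME in a constructed zone export against a constructed resolver table so it runs offline (swap `resolve` for a real resolver to audit a live zone). The `asuid.<name>` TXT record name is assumed to be Azure's domain-verification convention, and taking the last two labels as the registrable domain is a simplification.

```python
import re
# Hostname shapes this case singles out; for Elastic Beanstalk, group(1) is the
# extra hash label that makes the newer hostnames unclaimable.
S3_SITE = re.compile(r"^s3-website[.-]([a-z]{2}-[a-z]+-\d)\.amazonaws\.com$")
EB_HOST = re.compile(r"^[^.]+\.[a-z]{2}-[a-z]+-\d(\.[^.]+)?\.elasticbeanstalk\.com$")

# Constructed zone export (owner, CNAME target) and constructed resolver view:
# name -> {rrtype: [values]}, or None when the name returns NXDOMAIN.
ZONE = [
    ("www.example-bucket.com", "s3-website.eu-central-1.amazonaws.com"),
    ("app.example.com", "example.eu-central-1.elasticbeanstalk.com"),
    ("api.example.com", "example.eu-central-1.hjklfshj.elasticbeanstalk.com"),
    ("docs.example.com", "someuser.github.io"),
    ("portal.example.com", "something.azurewebsites.net"),
    ("shop.example.com", "shop-example.azurewebsites.net"),
    ("old.example.com", "cdn.expired-vendor.example"),
]
RESOLVER = {
    "s3-website.eu-central-1.amazonaws.com": {"A": ["203.0.113.10"]},
    "elasticbeanstalk.com": {"NS": ["ns.example"]},
    "example.eu-central-1.elasticbeanstalk.com": None,  # environment deleted
    "azurewebsites.net": {"NS": ["ns.example"]},
    "something.azurewebsites.net": None,  # app removed, CNAME left behind
    "shop-example.azurewebsites.net": {"A": ["203.0.113.30"]},
    "asuid.shop.example.com": {"TXT": ["<constructed-verification-id>"]},
}

def resolve(name, rrtype):
    """Simulated lookup: None for NXDOMAIN, else the records of that type."""
    rrs = RESOLVER.get(name.rstrip(".").lower())
    return None if rrs is None else rrs.get(rrtype, [])
def assess(owner, target):
    """Classify one CNAME record as (risk, note)."""
    t = target.rstrip(".").lower()
    if t.endswith(".github.io"):
        return ("review", "verify the custom domain at GitHub; the username alone is no protection")
    if m := S3_SITE.match(t):
        return ("review", f"confirm a bucket named '{owner}' exists in {m.group(1)}")
    if (m := EB_HOST.match(t)) and m.group(1):
        return ("ok", "hashed Elastic Beanstalk hostname, not claimable")
    if resolve(t, "A") is None:
        # Last two labels as the registrable domain; real audits need the Public Suffix List.
        if resolve(".".join(t.split(".")[-2:]), "NS") is None:
            return ("high", "target's domain is not registered")
        return ("high", "target no longer exists: service removed, CNAME left behind")
    if t.endswith(".azurewebsites.net") and not resolve("asuid." + owner, "TXT"):
        return ("medium", "App Service without asuid TXT verification record")
    return ("ok", "target resolves")
def audit(zone):
    return {owner: assess(owner, target) for owner, target in zone}
```

Records rated `high` are the ones this case is about: the name still points somewhere, but nothing you control answers there any more.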
Timeline
Date | Description |
---|---|
04 Feb 2022 | First DIVD scan of CNAMES of .NL domains pointing to unregistered domains |
09 Feb 2022 | First scan of CNAMES of .BE domains |
13 Feb 2022 | DIVD sends out a first batch of notifications to NL domain owners. |
13 Feb 2022 | DIVD sends out a first batch of notifications to BE domain owners. |
13 Feb 2022 - 18 Feb 2022 | First scan & notify of CNAMES of .DE domains |
12 Feb 2022 - 18 Feb 2022 | First scan & notify of CNAMES of .EU domains |
13 Feb 2022 - 18 Feb 2022 | First scan & notify of CNAMES of .EDU domains |
15 Feb 2022 - 03 Mar 2022 | First scan & notify of CNAMES of .UK domains |
14 Feb 2022 - 01 Mar 2022 | First scan & notify of CNAMES of .ORG domains |
18 Feb 2022 - 01 Mar 2022 | First scan & notify of CNAMES of .IO domains |
18 Feb 2022 - 01 Mar 2022 | First scan & notify of CNAMES of .CO domains |
18 Feb 2022 - 01 Mar 2022 | First scan & notify of CNAMES of .FR domains |
01 Mar 2022 - 02 Mar 2022 | Second scan & notify of CNAMES of .NL domains |
01 Mar 2022 - 02 Mar 2022 | First scan & notify of CNAMES of .DK domains |
01 Mar 2022 - 02 Mar 2022 | First scan & notify of CNAMES of .SE domains |
01 Mar 2022 - 02 Mar 2022 | First scan & notify of CNAMES of .FI domains |
01 Mar 2022 - 02 Mar 2022 | First scan & notify of CNAMES of .NO domains |
02 Mar 2022 - 03 Mar 2022 | First scan & notify of CNAMES of .INT, .HR, .AERO, .TRAVEL, .NGO, .ONG domains |
02 Mar 2022 - 03 Mar 2022 | First scan & notify of CNAMES of .IT domains |
02 Mar 2022 - 03 Mar 2022 | First scan & notify of CNAMES of .US domains |
03 Mar 2022 - 04 Mar 2022 | First scan & notify of CNAMES of .LU domains |
03 Mar 2022 - 04 Mar 2022 | First scan & notify of CNAMES of .IE domains |
03 Mar 2022 - 04 Mar 2022 | First scan & notify of CNAMES of .PT domains |
17 Mar 2022 - 17 Mar 2022 | First scan & notify of CNAMES of .EE domains |
03 Mar 2022 - 01 Apr 2022 | First scan & notify of CNAMES of .NET domains |
03 Mar 2022 - 01 May 2022 | First scan & notify of CNAMES of .APP domains |
04 Apr 2022 - 01 May 2022 | First scan & notify of CNAMES of .COM domains |
01 May 2022 - 01 May 2022 | First scan & notify of CNAMES of .ONLINE domains |
28 Oct 2022 | Handed out scan result for Belgium to Centre for Cyber Security Belgium (CCB) |