cloudfront takeover is not possible anymore

[Avileox]

AWS finally started mitigating subdomain takeovers on CloudFront. When you try to register Alias (CNAME) for your CloudFront distribution, it refuses to do so if the DNS zone file has CNAME to different CloudFront domain.
This is a type of verification from cloudfront that you can't takeover any subdomain even both (http OR https) port (80 and 443) shows error.
If the DNS zone file has CNAME to different CloudFront domain.

so,from cloudfront bye bye bug bounty

When you try to takeover subdomain you will get this as a further alert!

[BlackFan]

It is still possible to takeover in cases:
www.cf.example.com CNAME cf.example.com
cf.example.com CNAME d1234567890abc.cloudfront.net

But this is a rare case.

[ghost]

It seems like CloudFront, when creating the distribution, resolves the subdomain and checks the CNAME record for .cloudfront.net.
If such record exist - subdomain takeover isn't possible.
But If there is no *.cloudfront.net CNAME record set for the subdomain (like in the case above), or we have CNAME chains (like a.com->b.com->c.com->...->*.cloudfront.net, where a.com doesn't have direct CF CNAME) or no CNAME record at all (domain pointed to the CF by IP for example) - subdomain takeover is possible.

[MuhammadKhizerJaved]

Okey! so i found a sub that's giving the save bad request error on both http & https and have a CNAME as site.com tried takeover successfully added to cloudflare dist but the error remains the same so i guess it's indeed fixed

[ghost]

It won't work in this case, agree (this scenatio is fixed), but there are edge cases when it will still work. I had two such edge CF takeover cases (Jan 2019) in the IBM program

[MuhammadKhizerJaved]

@Sp1d3r Indeed i was wrong i played a little and was able to takeover the subdomain successfully!

[ghost]

Gotcha, congrats with the vuln!

[t1t4nm33r]

@MuhammadKhizerJaved What was your solution, How did you manage to takeover it

[El-t0ro]

@MuhammadKhizerJaved hey can you please tell us how you manage to takeover it?

[Ninja-Pandit]

It won't work in this case, agree (this scenatio is fixed), but there are edge cases when it will still work. I had two such edge CF takeover cases (Jan 2019) in the IBM program

hello @Sp1d3r @MuhammadKhizerJaved can you please explain , how you able to takeover ..?

[BlackFan]

It seems that CloudFront is no longer vulnerable to a subdomain takeover.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements

To add an alternate domain name (CNAME) to use with a CloudFront distribution, you must attach to your distribution a trusted, valid SSL/TLS certificate that covers the alternate domain name. This ensures that only people with access to your domain's certificate can associate with CloudFront a CNAME related to your domain.

[Avileox]

Goodbye to CloudFront subdomain takeover.
https://aws.amazon.com/blogs/networking-and-content-delivery/continually-enhancing-domain-security-on-amazon-cloudfront/

[riramar]

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-certificate-issuer

If you want to use an alternate domain name with your CloudFront distribution, you must verify to CloudFront that you have authorized rights to use the alternate domain name. To do this, you must attach a valid certificate to your distribution, and make sure that the certificate comes from a trusted CA that is listed on the Mozilla Included CA Certificate List. CloudFront does not allow you to use a self-signed certificate to verify your authorized rights to use an alternate domain name.

If somehow an attacker can issue a valid certificate using any CA defined on Mozilla trusted store so I think it'd be possible. Didn't get any case that I could try.

[Avileox]

@riramar If it's possible, It will be a bypass for takeover and probably a bug on Amazon Cloudfront itself rather then misconfiguration on Cloudfront lead to a takeover.

[eranshmuely]

someone recently tookover a subdomain via cloudfront:
https://hackerone.com/reports/317005

[codingo]

@eranshmuely this report is from two years ago (from when this was possible), it's just that it has only been disclosed in the past 15 hours.

[eranshmuely]

Oh, right, sorry about that

[mujtabashamas]

It won't work in this case, agree (this scenatio is fixed), but there are edge cases when it will still work. I had two such edge CF takeover cases (Jan 2019) in the IBM program

Brother, I have the same edge case but still getting that ssl error, is aws entirely fixed it? or I am doing something wrong?

[shubham4500]

i have found an ip pointing to cloudfront both http and https shows same error.

direct ip to cloudfront subdomain . is it possible to takeover ?

[melardev]

@shubham4500 The first message of this issue explicitly explains the VERY SAME THING you are talking about ...

[shubham4500]

it didnt showed the way :( do you encountered issue like this anytime ? @melardev

[shubham4500]

i have found an ip pointing to cloudfront both http and https shows same error.

direct ip to cloudfront subdomain . is it possible to takeover ?

@Sp1d3r direct ip to cloudfront....

[melardev]

Again, the first message clearly states we can not anymore, there are hundreds of these out there, if takeover is possible i would be rich now. Unless you find a bypass on AWS itself there is no way.

[shubham4500]

(domain pointed to the CF by IP for example) - subdomain takeover is possible.

@Sp1d3r

[marcelo321]

I just tried 2 subdomains and i coudln't because it requested a valid ACM certificate.

[marcelo321]

@Sp1d3r

It seems like CloudFront, when creating the distribution, resolves the subdomain and checks the CNAME record for .cloudfront.net.
If such record exist - subdomain takeover isn't possible.
But If there is no *.cloudfront.net CNAME record set for the subdomain (like in the case above), or we have CNAME chains (like a.com->b.com->c.com->...->*.cloudfront.net, where a.com doesn't have direct CF CNAME) or no CNAME record at all (domain pointed to the CF by IP for example) - subdomain takeover is possible.

i have found a subdomain with a CNAME like *.ubnt.com and that one has a CNAME to something.cloudfront.net but i still can't register the main subdomain... do you really thing it is possible?

[ghost]

@marcelo321 I think no, since the certificate feature stuff.
Theoretically now you need to find also leaked cert of organization's root domain somewhere to be able to takeover. Seems very unlikely (but not impossible).

[marcelo321]

@Sp1d3r i also just found a subdomain with a CNAME pointing to example.awsdns-hostmaster.amazon.com
with a 404 response "No page available" but couldn't find any documentation if this is vulnerable or not... for any reason do you know if it is vulnerable?

[danielanonymous]

It is still possible to takeover in cases:
www.cf.example.com CNAME cf.example.com
cf.example.com CNAME d1234567890abc.cloudfront.net

But this is a rare case.

Hey There, Now i had found a site with CNAME dxxxxxxx.cloudfrount.net, but my account is asw haven't fully activated yet. Could i take over this domain ? thanks !

[piechowiakmichal]

@danielanonymous Hi, did you succeed or is it still impossible?

[ghost]

If this is mitigated by aws then how it can be possible? see the report below of subdomain takeover on cloudfront in 2019 and fix was pushed in 2018.
https://hackerone.com/reports/317005

[tolidano]

Report is from 2018, 2 years ago, and was already discussed in this issue above. It was DISCLOSED in 2019. Please review carefully.

[abd-4fg]

Hello ,
Is it possible to takeover a website with only one following CNAME , e.g,
CNAME : xxxxxxxxxx.cloudfront.net

Consider that the website as well as CNAME , both returns 'DNS_PROBE_FINISHED_NXDOMAIN' error !
Is takeover possible ?steps ?

[R0h1t3]

It seems like CloudFront, when creating the distribution, resolves the subdomain and checks the CNAME record for .cloudfront.net. If such record exist - subdomain takeover isn't possible. But If there is no *.cloudfront.net CNAME record set for the subdomain (like in the case above), or we have CNAME chains (like a.com->b.com->c.com->...->*.cloudfront.net, where a.com doesn't have direct CF CNAME) or no CNAME record at all (domain pointed to the CF by IP for example) - subdomain takeover is possible.

How to exploit this kind of bug?