cloudfront takeover is not possible anymore #29

Closed
Avileox opened this issue Aug 30, 2018 · 33 comments
Labels
edge case An edge case was discovered where it is possible to hijack a subdomain on this service.

Comments

@Avileox
Contributor

Avileox commented Aug 30, 2018

AWS finally started mitigating subdomain takeovers on CloudFront. When you try to register an Alias (CNAME) for your CloudFront distribution, it refuses to do so if the DNS zone file has a CNAME to a different CloudFront domain.
This is a type of verification from CloudFront that you can't take over any subdomain, even if both ports (80 and 443, HTTP or HTTPS) show an error,
if the DNS zone file has a CNAME to a different CloudFront domain.

So, from CloudFront: bye bye bug bounty.

When you try to take over a subdomain you will get this as a further alert!


@BlackFan

It is still possible to take over in cases like:
www.cf.example.com CNAME cf.example.com
cf.example.com CNAME d1234567890abc.cloudfront.net

But this is a rare case.

@EdOverflow EdOverflow added the edge case An edge case was discovered where it is possible to hijack a subdomain on this service. label Sep 9, 2018
@ghost

ghost commented Oct 1, 2018

It seems like CloudFront, when creating the distribution, resolves the subdomain and checks the CNAME record for .cloudfront.net.
If such a record exists, subdomain takeover isn't possible.
But if there is no *.cloudfront.net CNAME record set for the subdomain (as in the case above), or there are CNAME chains (like a.com -> b.com -> c.com -> ... -> *.cloudfront.net, where a.com doesn't have a direct CF CNAME), or there is no CNAME record at all (domain pointed to CF by IP, for example), subdomain takeover is possible.
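
The resolution check described in the comment above, turned into a small offline classifier. This is an added example written for this thread, not code from the issue or from AWS. ZONE is a constructed stand-in for live DNS answers so it runs without network access (swap in real lookups, e.g. with dnspython, to point it at a target). The labels only describe the DNS shape the thread discusses: "direct-cf-cname" is the shape the opening comment says CloudFront now refuses as an alias for a different distribution, while "indirect-cf-chain" and "a-record-only" are the shapes this comment says were still exploitable at the time. Whether an A record actually belongs to a CloudFront edge would need a check against AWS's published ip-ranges.json, which this example does not attempt; and, as later comments in the thread point out, the certificate requirement added in 2019 closes these shapes too.

```python
"""Offline classifier for the DNS shapes discussed in this thread.

Added example, not code from the issue or from AWS. ZONE is a constructed
stand-in for live DNS answers so the script runs without network access.
"""

CF_SUFFIX = ".cloudfront.net"

# Constructed zone data: name -> ("CNAME", target) or ("A", address).
# Names absent from the map are treated as NXDOMAIN.
ZONE = {
    # Direct CNAME to a distribution: the shape the opening comment says
    # CloudFront refuses as an alias for a different distribution.
    "static.example.com": ("CNAME", "d1234567890abc.cloudfront.net"),
    # The edge case from the thread: an in-zone hop before CloudFront.
    "www.cf.example.com": ("CNAME", "cf.example.com"),
    "cf.example.com": ("CNAME", "d1234567890abc.cloudfront.net"),
    # A longer chain through a second zone.
    "cdn.example.com": ("CNAME", "edge.example.net"),
    "edge.example.net": ("CNAME", "assets.example.net"),
    "assets.example.net": ("CNAME", "dabcdef1234567.cloudfront.net"),
    # Pointed by address only: nothing for a CNAME check to inspect.
    "img.example.com": ("A", "198.51.100.10"),
    # Dangling CNAME whose target is not CloudFront at all.
    "old.example.com": ("CNAME", "gone.example.org"),
}


def normalize(name):
    return name.strip().rstrip(".").lower()


def follow_cnames(name, zone, limit=10):
    """Return the CNAME chain starting at name (name included), stopping at
    the first non-CNAME record, an unresolvable target, a loop, or limit."""
    chain = [normalize(name)]
    seen = set(chain)
    while len(chain) <= limit:
        record = zone.get(chain[-1])
        if record is None or record[0] != "CNAME":
            break
        target = normalize(record[1])
        if target in seen:      # CNAME loop: stop rather than spin
            break
        seen.add(target)
        chain.append(target)
    return chain


def is_cloudfront(name):
    return normalize(name).endswith(CF_SUFFIX)


def classify(name, zone):
    """Return (label, chain) describing how name reaches, or fails to reach,
    a cloudfront.net domain."""
    chain = follow_cnames(name, zone)
    if zone.get(chain[0]) is None:
        return "nxdomain", chain
    hops = chain[1:]
    if hops and is_cloudfront(hops[0]):
        return "direct-cf-cname", chain
    if any(is_cloudfront(hop) for hop in hops):
        return "indirect-cf-chain", chain
    if not hops:
        # No CNAME at all (an A record), or a CNAME that loops on itself.
        label = "a-record-only" if zone[chain[0]][0] == "A" else "no-cf-link"
        return label, chain
    if zone.get(chain[-1]) is None:
        return "dangling-non-cf", chain
    return "no-cf-link", chain


if __name__ == "__main__":
    for host in ZONE:
        label, chain = classify(host, ZONE)
        print("%-22s %-18s %s" % (host, label, " -> ".join(chain)))
```

Run it as-is to see each constructed name classified with its full chain; for triage of a real target, replace ZONE lookups with live queries and treat only the first hop of the chain as what CloudFront's CNAME check would see.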

@MuhammadKhizerJaved

Okay! So I found a sub that's giving the same bad request error on both HTTP & HTTPS and has a CNAME to site.com. I tried the takeover and successfully added it to the Cloudflare dist, but the error remains the same, so I guess it's indeed fixed.

@ghost

ghost commented Feb 21, 2019

It won't work in this case, agreed (this scenario is fixed), but there are edge cases where it will still work. I had two such edge-case CF takeovers (Jan 2019) in the IBM program.

@MuhammadKhizerJaved

@Sp1d3r Indeed I was wrong; I played a little and was able to take over the subdomain successfully!
[screenshot: 2019-02-21 at 11:24:37 pm]

@ghost

ghost commented Feb 21, 2019

Gotcha, congrats on the vuln!

@t1t4nm33r

@MuhammadKhizerJaved What was your solution? How did you manage to take it over?

@El-t0ro

El-t0ro commented Mar 1, 2019

@MuhammadKhizerJaved Hey, can you please tell us how you managed to take it over?

@Ninja-Pandit

It won't work in this case, agreed (this scenario is fixed), but there are edge cases where it will still work. I had two such edge-case CF takeovers (Jan 2019) in the IBM program.

Hello @Sp1d3r @MuhammadKhizerJaved, can you please explain how you were able to take it over?

@BlackFan

It seems that CloudFront is no longer vulnerable to a subdomain takeover.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-requirements

To add an alternate domain name (CNAME) to use with a CloudFront distribution, you must attach to your distribution a trusted, valid SSL/TLS certificate that covers the alternate domain name. This ensures that only people with access to your domain's certificate can associate with CloudFront a CNAME related to your domain.

@Avileox
Contributor Author

Avileox commented Apr 25, 2019

Goodbye to CloudFront subdomain takeover.
https://aws.amazon.com/blogs/networking-and-content-delivery/continually-enhancing-domain-security-on-amazon-cloudfront/

@Avileox Avileox closed this as completed Apr 25, 2019
@riramar

riramar commented Jul 21, 2019

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-certificate-issuer

If you want to use an alternate domain name with your CloudFront distribution, you must verify to CloudFront that you have authorized rights to use the alternate domain name. To do this, you must attach a valid certificate to your distribution, and make sure that the certificate comes from a trusted CA that is listed on the Mozilla Included CA Certificate List. CloudFront does not allow you to use a self-signed certificate to verify your authorized rights to use an alternate domain name.

If somehow an attacker can issue a valid certificate using any CA in the Mozilla trusted store, then I think it'd be possible. I didn't get any case where I could try it.
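
Both documentation quotes above (in the comment linking CNAMEs.html and in this one) come down to a hostname-matching rule: the certificate attached to the distribution must come from a CA in the Mozilla trust store and carry a SAN that covers the alias. The added example below is mine, not CloudFront's code; the thread does not spell out AWS's exact matching rules, so it assumes the standard RFC 6125 rule that a wildcard stands for exactly one left-most label. It shows what the requirement means for the www.cf.example.com edge case discussed earlier in the thread: an organization's *.example.com wildcard covers cf.example.com but not www.cf.example.com, and a self-signed certificate for the alias is rejected outright, so an attacker would need a CA-issued certificate for the exact name. The certificate records are constructed dictionaries, not parsed X.509 objects.

```python
"""SAN coverage check modelling the alias requirement quoted above.

Added example, not CloudFront's code. Wildcard handling follows the usual
RFC 6125 rule (one left-most label only); the thread does not state AWS's
exact rule, so that is an assumption. Certificates are constructed dicts.
"""


def normalize(name):
    return name.strip().rstrip(".").lower()


def san_matches(pattern, hostname):
    """Match one SAN dNSName pattern against a hostname.

    A wildcard is accepted only as the whole left-most label and stands for
    exactly one label: '*.example.com' covers 'cf.example.com' but neither
    'example.com' nor 'www.cf.example.com'.
    """
    pattern, hostname = normalize(pattern), normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False                # partial or non-left-most wildcards
    if len(p_labels) < 3:
        return False                # refuse '*.com'-style wildcards
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covering_sans(hostname, sans):
    """All SAN entries that cover hostname."""
    return [san for san in sans if san_matches(san, hostname)]


def can_attach_alias(hostname, cert):
    """Decide whether cert satisfies the quoted requirement for hostname.

    cert is a constructed dict: {"sans": [...], "ca_trusted": bool}, where
    ca_trusted stands for "issued by a CA in the Mozilla trust store".
    Returns (allowed, reason)."""
    if not cert.get("ca_trusted", False):
        return False, "certificate is self-signed or from an untrusted CA"
    matched = covering_sans(hostname, cert.get("sans", []))
    if not matched:
        return False, "no SAN covers " + normalize(hostname)
    return True, "covered by " + matched[0]


# Constructed certificates for the www.cf.example.com edge case.
ORG_WILDCARD_CERT = {"sans": ["example.com", "*.example.com"], "ca_trusted": True}
ATTACKER_SELF_SIGNED = {"sans": ["www.cf.example.com"], "ca_trusted": False}


if __name__ == "__main__":
    for host in ("example.com", "cf.example.com", "www.cf.example.com"):
        print(host, can_attach_alias(host, ORG_WILDCARD_CERT))
    print("www.cf.example.com", can_attach_alias("www.cf.example.com", ATTACKER_SELF_SIGNED))
```

The point for triage: finding a hostname in one of the DNS shapes from earlier in the thread is no longer enough on its own; the alias also has to be covered by a certificate the attacker can legitimately obtain, which for a name under someone else's zone means domain control they do not have.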

@Avileox
Contributor Author

Avileox commented Jul 21, 2019

@riramar If it's possible, it would be a bypass for the takeover, and probably a bug in Amazon CloudFront itself rather than a misconfiguration on CloudFront leading to a takeover.

@eranshmuely

Someone recently took over a subdomain via CloudFront:
https://hackerone.com/reports/317005

@codingo
Collaborator

codingo commented Aug 27, 2019

@eranshmuely this report is from two years ago (from when this was possible); it's just that it has only been disclosed in the past 15 hours.

@eranshmuely

Oh, right, sorry about that

@mujtabashamas

It won't work in this case, agreed (this scenario is fixed), but there are edge cases where it will still work. I had two such edge-case CF takeovers (Jan 2019) in the IBM program.

Brother, I have the same edge case but still get that SSL error. Has AWS entirely fixed it, or am I doing something wrong?

@shubham4500

I have found an IP pointing to CloudFront; both HTTP and HTTPS show the same error.

Direct IP to CloudFront subdomain. Is it possible to take over?

@melardev

@shubham4500 The first message of this issue explicitly explains the VERY SAME THING you are talking about...

@shubham4500

It didn't show the way :( Have you encountered an issue like this at any time? @melardev

@shubham4500

I have found an IP pointing to CloudFront; both HTTP and HTTPS show the same error.

Direct IP to CloudFront subdomain. Is it possible to take over?

@Sp1d3r Direct IP to CloudFront....

@melardev

Again, the first message clearly states we cannot anymore; there are hundreds of these out there. If takeover were possible I would be rich by now. Unless you find a bypass in AWS itself, there is no way.

@shubham4500

(domain pointed to the CF by IP for example) - subdomain takeover is possible.

@Sp1d3r

@marcelo321

I just tried 2 subdomains and I couldn't, because it requested a valid ACM certificate.

@marcelo321

marcelo321 commented Dec 26, 2019

@Sp1d3r

It seems like CloudFront, when creating the distribution, resolves the subdomain and checks the CNAME record for .cloudfront.net.
If such a record exists, subdomain takeover isn't possible.
But if there is no *.cloudfront.net CNAME record set for the subdomain (as in the case above), or there are CNAME chains (like a.com -> b.com -> c.com -> ... -> *.cloudfront.net, where a.com doesn't have a direct CF CNAME), or there is no CNAME record at all (domain pointed to CF by IP, for example), subdomain takeover is possible.

I have found a subdomain with a CNAME like *.ubnt.com, and that one has a CNAME to something.cloudfront.net, but I still can't register the main subdomain... do you really think it is possible?

@ghost

ghost commented Dec 26, 2019

@marcelo321 I think no, because of the certificate feature.
Theoretically you now also need to find a leaked cert for the organization's root domain somewhere to be able to take over. Seems very unlikely (but not impossible).

@marcelo321

@Sp1d3r I also just found a subdomain with a CNAME pointing to example.awsdns-hostmaster.amazon.com
with a 404 response "No page available", but couldn't find any documentation on whether this is vulnerable or not... do you by any chance know if it is vulnerable?

@danielanonymous

It is still possible to take over in cases like:
www.cf.example.com CNAME cf.example.com
cf.example.com CNAME d1234567890abc.cloudfront.net

But this is a rare case.

Hey there, I have now found a site with CNAME dxxxxxxx.cloudfront.net, but my AWS account hasn't been fully activated yet. Could I take over this domain? Thanks!

@piechowiakmichal

@danielanonymous Hi, did you succeed, or is it still impossible?

@ghost

ghost commented Jun 12, 2020

If this is mitigated by AWS, then how can it be possible? See the report below of a subdomain takeover on CloudFront in 2019, while the fix was pushed in 2018.
https://hackerone.com/reports/317005

@tolidano

tolidano commented Sep 21, 2020

Report is from 2018, 2 years ago, and was already discussed in this issue above. It was DISCLOSED in 2019. Please review carefully.

@abd-4fg

abd-4fg commented Jan 27, 2022

Hello,
Is it possible to take over a website with only the following CNAME, e.g.
CNAME: xxxxxxxxxx.cloudfront.net

Consider that the website as well as the CNAME both return a 'DNS_PROBE_FINISHED_NXDOMAIN' error!
Is takeover possible? Steps?

@R0h1t3

R0h1t3 commented Aug 30, 2023

It seems like CloudFront, when creating the distribution, resolves the subdomain and checks the CNAME record for .cloudfront.net. If such a record exists, subdomain takeover isn't possible. But if there is no *.cloudfront.net CNAME record set for the subdomain (as in the case above), or there are CNAME chains (like a.com -> b.com -> c.com -> ... -> *.cloudfront.net, where a.com doesn't have a direct CF CNAME), or there is no CNAME record at all (domain pointed to CF by IP, for example), subdomain takeover is possible.

How to exploit this kind of bug?
