A few years ago I managed to take over subdomains of Microsoft websites and gain access to the mail and files of Outlook and OneDrive users, as well as profile data on Xbox.com. I will describe exactly what that took, and along the way we will see what such an attack might look like today, in 2020.
There are two interesting kinds of subdomain manipulation; one complements the other. We will look at both.
Takeover through a forgotten CNAME
Modern companies use a large number of cloud services. For convenience, such a service is attached to a subdomain of the organization's main domain, and the content is served directly by the cloud service. All the company's administrators need to do is add a DNS record of type CNAME (canonical name, or more simply an alias) pointing at the cloud service.
For example, a GitHub Pages setup for the wiki.company.com domain might look like this:
$ dig wiki.company.com +nostats +nocomments +nocmd
wiki.company.com 1728 IN CNAME company-wiki.github.io.
company-wiki.github.io. 3529 IN A 184.108.40.206
But what happens if the repository is deleted together with its binding to the wiki.company.com domain? Most likely the DNS record stays in place: an administrator usually adds such records, and there is usually no one whose job it is to remove them promptly. This is where the human factor comes in.
In that case an attacker can create a repository of their own and bind it to wiki.company.com. Since the CNAME for wiki.company.com already points to company-wiki.github.io, from that moment on the content of wiki.company.com is controlled by the attacker.
A hijacked company subdomain can be used to steal session cookies, for phishing, and to bypass CORS and CSP.
Takeover via external links
It is also possible to take over domains that do not belong to the organization but are referenced by it to load external scripts. Imagine that the application page looks like this:
If subdomain.3rdparty.com can be taken over using the CNAME scheme, the attacker will be able to control its content and execute arbitrary code in the context of app.company.com. And if the 3rdparty.com domain itself has expired and been deleted, an attacker can re-register it and control all of its subdomains.
Hijacking Outlook and OneDrive sessions
A few years ago I managed to take over many Microsoft subdomains, including some under Live.com. This made it possible to intercept the sessions of Outlook and OneDrive users without their noticing. How did it happen? I'll tell you now.
When registering any Azure service (for example, a virtual machine or shared hosting), you specify a name, which can then be reached directly or through a CNAME. For example, a web application becomes available at XYZ.azurewebsites.net, where XYZ is the application name.
Azure uses a set of different domains for its various services; they may also differ slightly and carry a prefix for the region where the resource is located:
Microsoft uses this mechanism for its own applications too, in the same namespaces as other users. Analysis easily shows that many Microsoft.com subdomains use Azure services and point to the set of domains given above.
What happens after Microsoft stops using such a service and deletes it? We can register an Azure service on our own account, but with the same name. The existing CNAME record will then point to a service we created and fully control.
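The defensive counterpart to both the GitHub Pages case and the Azure case above is a periodic audit of your own zone for CNAME records whose target no longer resolves. The following is an added example, not code from the article: it walks CNAME chains over a constructed in-memory zone (the lookup function, the sample records and the suffix list are assumptions; in production the lookup would call a real resolver) and reports dangling records, flagging those that point into services where anyone can claim a free name.

```python
"""Audit a zone for dangling CNAME records that could be taken over."""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Cloud suffixes mentioned in the article where a deleted name can be re-registered
# by any account. Assumed starting list; extend it for the services you use.
TAKEOVER_PRONE_SUFFIXES = ("github.io", "azurewebsites.net")

Record = Tuple[str, str]  # (rtype, value)

# Constructed sample zone for offline use. A name missing from the map is NXDOMAIN.
SAMPLE_ZONE: Dict[str, Record] = {
    "wiki.company.com.": ("CNAME", "company-wiki.github.io."),
    "company-wiki.github.io.": ("A", "184.108.40.206"),   # still live: fine
    "old-app.company.com.": ("CNAME", "old-app.azurewebsites.net."),
    # old-app.azurewebsites.net. is deliberately absent: the Azure app was deleted
    "www.company.com.": ("A", "203.0.113.10"),
    "loop.company.com.": ("CNAME", "loop2.company.com."),
    "loop2.company.com.": ("CNAME", "loop.company.com."),  # misconfigured loop
}


def lookup_sample(name: str) -> Optional[Record]:
    """Stand-in for a DNS query; swap in a real resolver call here."""
    return SAMPLE_ZONE.get(name)


def follow_cname(name: str, lookup: Callable[[str], Optional[Record]],
                 max_hops: int = 8) -> Tuple[List[str], str]:
    """Walk the CNAME chain from name. Returns (chain, status) with status
    'resolves' (chain ends in a non-CNAME record), 'nxdomain' (target missing)
    or 'loop' (cycle or too many hops)."""
    chain, seen, current = [name], {name}, name
    for _ in range(max_hops):
        rec = lookup(current)
        if rec is None:
            return chain, "nxdomain"
        rtype, value = rec
        if rtype != "CNAME":
            return chain, "resolves"
        if value in seen:
            return chain + [value], "loop"
        seen.add(value)
        chain.append(value)
        current = value
    return chain, "loop"


def audit_zone(names: Iterable[str], lookup: Callable[[str], Optional[Record]]
               ) -> Dict[str, Tuple[str, str, bool]]:
    """Return name -> (status, final target, takeover_prone) for every CNAME
    in names that does not resolve. Only CNAMEs can dangle in this sense."""
    findings = {}
    for name in names:
        rec = lookup(name)
        if rec is None or rec[0] != "CNAME":
            continue
        chain, status = follow_cname(name, lookup)
        target = chain[-1]
        prone = target.rstrip(".").endswith(TAKEOVER_PRONE_SUFFIXES)
        if status != "resolves":
            findings[name] = (status, target, prone)
    return findings
```

Run the audit against every name in your zone file export; a finding with status nxdomain and takeover_prone True is the exact situation the article describes and should be removed or re-pointed immediately.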
The continuation is available only to members.