High-Impact Subdomain Takeover

[hiddeco]

Report

⚠️ reported via [email protected] on January 18...

Describe

High-Impact Subdomain Takeover

FQDN: wkp.weave.works
IP address: 13.49.241.153

Overview of the Vulnerability

A subdomain takeover is when a misconfigured Domain Name System (DNS) record is re-registered to an endpoint owned by an attacker. An attacker is then able to redirect users to the endpoint and capture data such as cookies and credentials, perform Cross-Site Scripting (XSS) attacks, and potentially take over accounts in the legitimate application.

A high-impact subdomain takeover vulnerability was identified which could impact the reputation and brand of the business. An attacker can register a subdomain on behalf of the target domain and use it to create a HTML document with JavaScript payload that triggers a Cross-Site Scripting (XSS) attack. The target domain can also be used to create a scenario where an attacker can harvest user credentials by phishing users who then visit and login on a cloned version of a legitimate website.

You could imagine an attacker creating any sort of website using this subdomain, including phishing sites, ransomware attacks, hosting malware, distributing porn or illegal content such as copyrighted materials. You could also imagine an attacker creating any number of other NFT or DeFi scam web pages, all under your company banner.

Business Impact

High-Impact subdomain takeover could lead to data theft and indirect financial loss through the attacker’s ability to interact with legitimate users. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust.

Steps to Reproduce

    Browse to the URL https://wkp.weave.works/proof.txt
    You will see my name
    Browse to the URL https://weave.works/ and login
    Browse to the URL https://wkp.weave.works/cookie-thief.php
    You will see the cookies an attacker could steal, and possibly use to compromise an account
    Click the COOKIE BOMB button
    Browse to the URL https://weave.works/
    You will receive an error and not be able to access this site or anything related until you clear your cookies, resulting in DoS

References

• https://groups.google.com/a/weave.works/g/security/c/x3mMxh_nEhk

Handling

If you are reporting a potential vulnerability, you could ignore this section. It is intended to be managed by
a Vulnerability Manager

• Reporter notifies Weaveworks team (Receiver) about a potential vulnerability via any of the Security Vulnerability Sources. Receiver acknowledges it. If likely to be a legitimate request, Receiver creates a private issue of type CVE in https://github.com/weaveworks/weave-gitops-private to start the formal intake.
• Vulnerability Manager triages the request to either accept or rejects it:
• In case of accepted, Vulnerability Manager starts the coordination of the vulnerability based on the created issue. The vulnerability is treated as highest priority and directed to the respective Product Team.
• In case of rejected, if needed, a response to Reporter is provided about the rejection and the process terminates.
• Product Team evaluates the vulnerability with help from Vulnerability Manager. The evaluation should include which products and versions are affected.
• If the vulnerability does not pose a threat to the product or service, Vulnerability Manager responds back to the Reporter with proper reasoning.
• If the reported request is considered a vulnerability, Vulnerability Manager responds back to the Reporter, accepting the issue. Vulnerability Manager communicates and coordinates to the rest of internal stakeholders. Vulnerability Manager engages with CX to start the discovery of customers being affected.
• Product team provides a workaround, Vulnerability Manager makes it available to the Reporter and notifies CX. CX manages with customers the workaround.
• Product Team works to identify a fix and produce a time estimation (ETA) to create the fix for the product or service.
• Vulnerability Manager adds a 4 weeks buffer to the ETA. This date becomes the public announcement date.
• Vulnerability Manager e notifies the Reporter of the public announcement date. Vulnerability Manager asks the Reporter if they want to be credited. A Public Security Advisory will be issued accordingly.
• Vulnerability Manager creates a Private Security Advisory for the vulnerability, including the impact, and any available mitigations. It would be created using this template. An example of a Security Advisory is CVE-1126.
• CX would announce with customers the vulnerability sharing the Security Advisory.
• Product Team delivers the fix and communicates to Vulnerability Manager. Vulnerability Manager provides it to the Reporter and all affected customers via CX. CX manages the application of the fix on the customer side.
• A Public Security Advisory will be issued after all the fixes are issued to the customers and the public announcement date has been reached.

[lizwarner-weave]

@morancj is investigating

[bigkevmcd]

We should also do weaveworks/weave-gitops#3409

[morancj]

For context, this zone was created and delegated in https://github.com/weaveworks/corp/issues/495#issuecomment-558233088

[morancj]

Old config

dig wkp.weave.works.                                                                  

; <<>> DiG 9.18.11 <<>> wkp.weave.works.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53040
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;wkp.weave.works.		IN	A

;; ANSWER SECTION:
wkp.weave.works.	157	IN	A	13.49.241.153

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Wed Feb 15 15:11:44 GMT 2023
;; MSG SIZE  rcvd: 60

dig NS wkp.weave.works.

; <<>> DiG 9.18.11 <<>> NS wkp.weave.works.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38032
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;wkp.weave.works.		IN	NS

;; ANSWER SECTION:
wkp.weave.works.	819	IN	NS	ns-1597.awsdns-07.co.uk.
wkp.weave.works.	819	IN	NS	ns-1523.awsdns-62.org.
wkp.weave.works.	819	IN	NS	ns-380.awsdns-47.com.
wkp.weave.works.	819	IN	NS	ns-757.awsdns-30.net.

;; Query time: 70 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Wed Feb 15 15:16:55 GMT 2023
;; MSG SIZE  rcvd: 184

[morancj]

A record and TXT record both removed.

[morancj]

They kindly also set X-Subdomain-Takeover: true in the headers

curl -IL http://13.49.241.153/cookie-thief.php 
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 15 Feb 2023 15:55:41 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: PHPSESSID=lh80709tfvjpnh8rv6b6tch2b6; expires=Mon, 14-Feb-2033 15:55:41 GMT; Max-Age=315532800; path=/; domain=.241.153
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Pragma: no-cache
X-Subdomain-Takeover: true

[lizwarner-weave]

how civilised of them

[morancj]

We have likely junk in wkp.weave.works. Using r53export.sh:

$ r53export.sh wkp.weave.works

; Using AWS profile sts
; Hosted zone ID: Z1TBOQ0594AGJ9

wkp.weave.works.	172800	IN	NS	ns-380.awsdns-47.com.
wkp.weave.works.	172800	IN	NS	ns-757.awsdns-30.net.
wkp.weave.works.	172800	IN	NS	ns-1523.awsdns-62.org.
wkp.weave.works.	172800	IN	NS	ns-1597.awsdns-07.co.uk.
wkp.weave.works.	900	IN	SOA	ns-380.awsdns-47.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
_c6b2ec19a73ea2206fc67b80ae577bda.wkp.weave.works.	300	IN	CNAME	_56468c26ed5f4cda97fe302815a675c7.mzlfeqexyx.acm-validations.aws.
demo.wkp.weave.works.		IN	ALIAS	dualstack.d89b23d5-wkpui-wkpuialbing-603e-1976046370.eu-west-2.elb.amazonaws.com. ; HostedZoneId: ZHURV8PSTC4K8
dev.wkp.weave.works.	300	IN	NS	ns-1195.awsdns-21.org.
dev.wkp.weave.works.	300	IN	NS	ns-249.awsdns-31.com.
dev.wkp.weave.works.	300	IN	NS	ns-823.awsdns-38.net.
dev.wkp.weave.works.	300	IN	NS	ns-1712.awsdns-22.co.uk.
_acme-challenge.dev.wkp.weave.works.	300	IN	TXT	"jw2wful_5Cec4dBTLVPQZ6gxeD7uKvJr4hIF6vbvmtc"
docs.wkp.weave.works.	60	IN	CNAME	weaveworks.github.io.
_fa5b04d7b39c0d26cd2ac47ebf429f5b.mccp.wkp.weave.works.	300	IN	CNAME	_93ebb99073f87e1f41df0640795887d1.hkmpvcwbzw.acm-validations.aws.
wk-simon-2.wkp.weave.works.	300	IN	CNAME	1172b3a1-wkpoauth-wkpoauth-1624-778069029.eu-north-1.elb.amazonaws.com
wkp-wk-simon-2.wkp.weave.works.	300	IN	TXT	"heritage=external-dns,external-dns/owner=default,external-dns/resource=ingress/wkp-oauth/wkp-oauth-alb-ingress"

dev.wkp.weave.works only appears to host charts.dev.wkp.weave.works.

$ r53export.sh dev.wkp.weave.works

; Using AWS profile sts
; Hosted zone ID: Z06887422P2J81C9U51JB

dev.wkp.weave.works.	172800	IN	NS	ns-1195.awsdns-21.org.
dev.wkp.weave.works.	172800	IN	NS	ns-249.awsdns-31.com.
dev.wkp.weave.works.	172800	IN	NS	ns-823.awsdns-38.net.
dev.wkp.weave.works.	172800	IN	NS	ns-1712.awsdns-22.co.uk.
dev.wkp.weave.works.	900	IN	SOA	ns-1195.awsdns-21.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
charts.dev.wkp.weave.works.		IN	ALIAS	d1ksdw3ce0kn9v.cloudfront.net. ; HostedZoneId: Z2FDTNDATAQYW2
_ac93eefa0e75933bfe529aa5ea0e8a47.charts.dev.wkp.weave.works.	300	IN	CNAME	_7e55bbcd784d138f0179448945f6b8c2.bcsdcprczz.acm-validations.aws.

[morancj]

@foot might know if we need any of these, otherwise we have to do some extra work

[morancj]

Intestingly, MSFT have a tool for Azure to detect dangling DNS entries here.

[morancj]

Stuff from my temp. repo's README, before I forget

DNS hijacking enumeration

Prerequisites

nuclei-templates
nuclei
subfinder

Search

subfinder -d weave.works -recursive -output subfinder-recursive-weave.works.out

Check

Broad

nuclei -project -project-path nuclei -tags 'dns' \
  -list subfinder-recursive-weave.works.out

Focussed

nuclei -project -project-path nuclei \
  -list subfinder-recursive-weave.works.out \
  -templates nuclei-templates/dns/detect-dangling-cname.yaml

References

https://dhiyaneshgeek.github.io/bug/bounty/2020/02/06/recon-with-me/
https://github.com/crunchprank/dig-dug
https://nominetcyber.com/dangling-dns-is-no-laughing-matter/
https://www.hackerone.com/application-security/guide-subdomain-takeovers
r53export.sh
Sublist3r (alternative to subfinder)

[foot]

dev.wkp.weave.works only appears to host charts.dev.wkp.weave.works.

Yeah this is the important one

Others like simon, demo can all go I think