Introduction

I have recently signed up to HackerOne and went through all the checks required in order to have a qualifying account for Bug Bounty, below are the steps required by HackerOne.

  1. Bookmark 5 programs on the Directory
  2. Upvote 5 items on Hacktivity
  3. Earn at least 26 points on the Hacker101 Capture the Flag
  4. Submit your first valid report. Learn more about submitting reports.

Before we move on please see /disclaimer/


While I was performing my usual Recon and Subdomain Enumeration I came across numerous subdomains for D.o.D that had CNAMES resolving to Azure CDN Profiles.

A brief explanation on CNAME (Canonical Name Record) subdomain takeover method:
A domain name is using a CNAME record to another domain
(e.g. subdomain.company.com CNAME anothercompany.com).

At some point, anothercompany.com expired and will be available for registration by anyone.

Since the CNAME record is not been updated from company.com DNS zone, anyone who registers anothercompany.com has full control over subdomain.company.com until the DNS record is set.

Enumeration


For my enumeration I use a kali VM where I have subfinder  from projectdiscovery, with this fantastic tool I am able to find subdomains.

After half an hour of scanning I had a list of nearly 200k subdomains which I was able to enumerate in greater detail with tools such as subjack and massdns.

potential subdomain vulnerable to takeover found by subjack

Soon after I discovered multiple domains that had CNAMES resolving to Azure domains that responded with NXDOMAIN. (An NXDOMAIN error message means that the domain does not exist.)

dig output from the vulnerable subdomain.

There are a few types of subdomain takeovers. In this article the CNAME method was used, I will briefly explain the other methods.

1. Name Server (NS) subdomain takeover
Same method from CNAME can be carried to NS subdomain takeover,
If the base domain of the CNAME of a NS record is available to register, the source domain name is potentially vulnerable to subdomain takeover.

2. MX subdomain takeover
Unlike the CNAME and NS subdomain takeovers, Mail Exchange (MS) subdomain takeover poses the least security severity and that is because mail exchange records are only used to receive e-mails. Gaining access over one would allow an attacker to receive e-mails designated to the domain source. This is commonly used in spear phishing attacks.

Exploiting / PoC

So far there is a potentially vulnerable CNAME that is registered with Microsoft Azure, so I quickly registered a free tier account. Luckily for me Microsoft credited my account with £150 worth of credit to spend for the month. However I didn't need any credits in order to perform the takeover.
Once registered I was able to browse the Azure services to create a CDN endpoint, Configure the new CDN profile to route to a location of my choice, within the cdn profile I had to set a custom domain, this will be the 'vulnerable' subdomain. Note: Cdn might need purging due to caching, everytime I made a new  change to the web server content.


These are a few common vulnerable services under Microsoft Azure:

*.trafficmanager.net
*.azurewebsites.net
*.azureapp.com
*.azureedge.net

Next stage was to check and see if the I could register the CNAME in question and to my surprise it was free to register. Once that was done I was able to deploy a PoC to the server and check if I was in control.

Picture from Azure with example of cname vulnerable for takeover.
Proof of Concept on the vulnerable subdomain.

Reporting

Next step is pretty straight forward, I went back on HackerOne and clicked to submit a report for the U.S. Dept Of Defense.

I wrote to them in easy steps how I performed all this and where to check for my PoC, they quickly confirmed and fixed the issue.

HackerOne agent

This Vulnerability Disclosure Program (VDP) is active on H1 by the D.o.D, it is not eligible for bug bounty however for me it's a learning curve and I'm glad I assisted them in solving this critical vulnerability. In exchange I received a 'thank you' on HackerOne!

If you would like to see the report:

U.S. Dept Of Defense disclosed on HackerOne: Subdomain takeover of...
**Summary:**I was able to claim the subdomain: ████ using Microsoft Azure ( CDN profiles) **Description:** ## ImpactPlatform(s) Affected:SubdomainAzure CDN ## Step-by-step Reproduction...

Thank you for reading my article, Until next time!

Read more about Other Vulnerable Cloud Providers

Your friendly neighbourhood Hacker.

You've successfully subscribed to Flaviu Popescu
Welcome back! You've successfully signed in.
Great! You've successfully signed up.
Success! Your account is fully activated, you now have access to all content.