Neglected DNS records exploited to take over subdomains
In this write-up I will be talking about a security issue identified in the Redbooth platform, which « is a communication and collaboration platform that provides a single place for shared tasks, discussions, file sharing, and more. » – Read more at: https://www.crunchbase.com/organization/redbooth
As the title says, exploiting the issue allowed me to take over two of their subdomains. So what is this about? While checking the website's DNS records I noticed a CNAME pointing the subdomain blog.redbooth.com to teambox-redirect-to-new-blog.herokuapp.com, but when I visited the blog subdomain I found that it was not set up correctly: nobody had registered teambox-redirect-to-new-blog as a Heroku app name yet, so the CNAME was dangling. See the screenshot below:
So my next step was to sign up for the service at Heroku.com and claim that app name as mine. This works because Heroku did not perform any kind of verification that you are the legitimate owner of the domain whose CNAME points at the app.
Now that the DNS record was already in place and the subdomain was linked to my Heroku app, all I needed to complete a full proof of concept was to upload a test web page, as you can see below:
Following the same steps I was also able to take over another subdomain, https://support.redbooth.com/, exploiting the fact that the developers had neglected their DNS records.
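The check described above (find a CNAME pointing at a claimable provider, then see whether the target name is still registered) is easy to automate. The following Python checker is an added example, not code from the original write-up and not Redbooth's or Heroku's code. DNS and HTTP access are passed in as functions so the logic runs offline over constructed sample records: the blog.redbooth.com CNAME is the record reported above, while the other hostnames, the page bodies and the "No such app" fingerprint are assumptions (the fingerprint is based on the error page Heroku serves for an unregistered app name; confirm it against a live response before relying on a scan). A `dig`-based resolver and a urllib fetcher are included for live use against zones you are authorised to test.

```python
"""Dangling-CNAME check for subdomains pointed at claimable hosting providers.

Added example; network access is injected so the logic can run offline.
"""
import subprocess
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Providers whose CNAME targets can be re-registered by anyone once the
# original app is deleted, mapped to the body text that marks an unclaimed
# name (matched case-insensitively). The Heroku fingerprint is an assumption
# based on Heroku's error page for unknown app names.
TAKEOVER_FINGERPRINTS: Dict[str, str] = {
    "herokuapp.com": "no such app",
}

Resolver = Callable[[str], Optional[str]]  # hostname -> CNAME target or None
Fetcher = Callable[[str], Optional[str]]   # hostname -> HTTP body or None


def classify(name: str, cname_of: Resolver, fetch_body: Fetcher) -> str:
    """Classify one hostname as 'no-cname', 'unknown-provider',
    'unreachable', 'claimed' or 'dangling'."""
    target = cname_of(name)
    if not target:
        return "no-cname"
    target = target.rstrip(".").lower()
    for suffix, fingerprint in TAKEOVER_FINGERPRINTS.items():
        if target == suffix or target.endswith("." + suffix):
            # The CNAME alone is not proof: only an unclaimed target is a finding.
            body = fetch_body(name)
            if body is None:
                return "unreachable"
            return "dangling" if fingerprint in body.lower() else "claimed"
    return "unknown-provider"


def audit(names: List[str], cname_of: Resolver,
          fetch_body: Fetcher) -> List[Tuple[str, str]]:
    """Return (hostname, verdict) for every name, dangling ones first."""
    results = [(n, classify(n, cname_of, fetch_body)) for n in names]
    return sorted(results, key=lambda r: r[1] != "dangling")


# --- Constructed sample data ------------------------------------------------
# blog.redbooth.com -> teambox-redirect-to-new-blog.herokuapp.com is the record
# the write-up reports; the example.com names and all page bodies are made up.
SAMPLE_CNAMES: Dict[str, str] = {
    "blog.redbooth.com": "teambox-redirect-to-new-blog.herokuapp.com.",
    "app.example.com": "live-example-app.herokuapp.com.",
    "cdn.example.com": "d123.cloudfront.net.",
}
SAMPLE_BODIES: Dict[str, str] = {
    "blog.redbooth.com": "<title>No such app</title><p>There's nothing here, yet.</p>",
    "app.example.com": "<title>Example App</title><p>Welcome back.</p>",
}


def live_cname_of(name: str) -> Optional[str]:
    """Real resolver using `dig +short CNAME`; None when the name has no CNAME."""
    out = subprocess.run(["dig", "+short", "CNAME", name],
                         capture_output=True, text=True, check=False).stdout
    return out.strip().splitlines()[0] if out.strip() else None


def live_fetch_body(name: str) -> Optional[str]:
    """Fetch the page over HTTP. Error bodies are kept on purpose: the
    provider's 'unclaimed' page is typically itself a 404."""
    try:
        with urllib.request.urlopen(f"http://{name}/", timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None


if __name__ == "__main__":
    # Offline run over the constructed sample. Swap in live_cname_of and
    # live_fetch_body to scan a real zone.
    hosts = list(SAMPLE_CNAMES) + ["mail.example.com"]
    for host, verdict in audit(hosts, SAMPLE_CNAMES.get, SAMPLE_BODIES.get):
        print(f"{verdict:17} {host}")
```

The important design point is the two-step verdict: a CNAME into herokuapp.com is only a lead, and the name becomes a finding only when the provider answers with its "unclaimed" page. Treating an unreachable host as dangling would produce false positives whenever the provider is simply down.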
I just want to point out that this vulnerability is not a code bug but the result of neglect. The company had probably used the service for a while and then stopped, but forgot to remove the CNAME from their DNS records, which, by the way, are publicly visible. Because the attacker's content is then served under a trusted hostname of the company, the vulnerability could be exploited in many ways, including, for instance:
– Creating a fake login page similar to the original one.
– Redirecting users to malicious web pages.
– Injecting malicious code, for example to steal cookies scoped to the parent domain (Domain=.redbooth.com), which browsers also send to the hijacked subdomain.
– Defacing the page and damaging the company's credibility.
The security issues were forwarded to their engineering team on 02/09/2015 and were fixed by 02/11/2015. Although their response was not much appreciated, I did get a small token of thanks, and overall I am glad to have contributed to the security of their web service.
If you want to read further about this attack vector, I recommend this great article: https://labs.detectify.com/post/109964122636/hostile-subdomain-takeover-using
Thank you for reading!