The 2016 American elections were overshadowed by cybersecurity concerns, accusations and, in some cases, actual attacks. After an election season in which the current U.S. president accused his opponent of “treasonously” weak cybersecurity, one of his own domains, associated with his fundraising efforts, has been hacked and defaced by way of a subdomain takeover.
On February 20th, hackers acting under the pseudonym “Pro_Mast3r” defaced one of Donald Trump’s official websites, which is used for fundraising. Checkmarx’s Security Research Team wrote a detailed brief which explains the vulnerability that the malicious party used, gives an example by way of a proof of concept, and lists tools which can be used to prevent such attacks in the future.
What is a Subdomain Takeover?
A subdomain takeover is a vulnerability that results from DNS misconfiguration. The ability to point a subdomain at an external domain is what exposes a DNS zone to this attack. A subdomain is vulnerable if its DNS answer is an alias to an external domain (or external name) that an attacker can claim.
A possible attack vector is a subdomain (e.g. git.companysite.com) that points to github.com by means of a CNAME DNS record. GitHub offers free repository hosting and its contents are available at URLs of the form “github.com/username/”. In this scenario, it doesn’t matter whether the company has a GitHub account or not.
An attacker can, for instance, launch a phishing campaign to spread malware using GitHub as a repository and a link to “git.companysite.com/companysite-promotions.” This link will appear legitimate to the victims.
Another possible scenario is the configuration of a subdomain like “blog.companysite.com” that points to “companyblog.herokuapp.com”. Heroku is a cloud platform that allows the hosting of web applications at URLs in the form of webappname.herokuapp.com.
If the “companyblog” Heroku subdomain is available for claiming, an attacker can register it and associate it with a web page that enables several attacks, such as credential theft, defacement or malware distribution. Keep in mind that this malicious web page would be served at the “legitimate” URL blog.companysite.com.
Finally, if a subdomain (api.companysite.com) points to an unregistered (expired) domain, it is exposed to even more attacks. By claiming the expired domain, an attacker can configure and provide several services, including email, that will be reachable through the subdomain api.companysite.com. This happens because a CNAME record redirects every query for that name, including MX lookups, to the canonical domain, so mail for the subdomain is answered by whoever controls the CNAME target.
Aliases to unregistered domains usually result from old projects that were discontinued while their DNS record remained configured, or from misspelling the external domain (e.g. “mycompany.org”). A well-known case of this was discovered by Szymon Gruszecki, an independent security researcher, in 2014. He found that the subdomain racing.msn.com had a CNAME record pointing to msnbrickyardsweeps.com. This domain had expired and he was able to register it for himself.
To read about a different example of this, with the subdomain blog.snapchat.com, click here.
How to Prevent Subdomain Takeovers via DNS Misconfiguration
To mitigate this vulnerability, organizations must review their DNS configuration and ensure that all aliases and delegations of subdomains to external domains (CNAME, DNAME and NS records) do not expose those subdomains to takeover.
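The review described above, and the three dangling-alias scenarios explained earlier (a claimable provider name, an unclaimed platform subdomain, and an expired external domain), can be reduced to a small audit over the CNAME records in a zone. The following is an added example written for this post, not Checkmarx’s own tooling. It resolves names against a constructed in-memory view of DNS so it runs offline; in a real run the `zone` dictionary would be replaced by live lookups through a DNS library. The provider suffix list is an assumption built from the platforms named on this page and should be extended for your own estate.

```python
"""Audit a zone's CNAME records for takeover-prone aliases (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hosting platforms whose names can be claimed by any account holder. This is
# an assumed fingerprint list built from the providers the article names; the
# suffixes are illustrative, not an exhaustive or authoritative set.
CLAIMABLE_SUFFIXES = (
    "github.com", "github.io", "herokuapp.com", "amazonaws.com",
    "myshopify.com", "tumblr.com", "wpengine.com", "squarespace.com",
)

# Simplified resolver view: name -> {"A": ..., "CNAME": ...}. A name absent
# from the mapping is treated as NXDOMAIN.
Zone = Dict[str, Dict[str, str]]


@dataclass
class Finding:
    subdomain: str
    target: Optional[str]
    risk: str   # ok | internal | external | provider | claimable | unregistered
    note: str


def registrable_domain(name: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for .com/.org style names."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def on_claimable_provider(target: str) -> bool:
    """True when the CNAME target lives on one of the shared platforms."""
    t = target.lower()
    return any(t == s or t.endswith("." + s) for s in CLAIMABLE_SUFFIXES)


def classify(subdomain: str, zone: Zone) -> Finding:
    """Classify one subdomain by where its CNAME (if any) leads."""
    rr = zone.get(subdomain.lower(), {})
    target = rr.get("CNAME")
    if target is None:
        return Finding(subdomain, None, "ok", "not an alias")
    target = target.lower()
    if registrable_domain(target) == registrable_domain(subdomain):
        return Finding(subdomain, target, "internal", "alias stays inside our zone")
    target_exists = target in zone
    apex_exists = registrable_domain(target) in zone
    if not apex_exists:
        # Whoever registers the expired apex answers every query routed through
        # this CNAME, MX included, so mail for the subdomain is exposed as well.
        return Finding(subdomain, target, "unregistered",
                       "target domain does not resolve; re-register it or remove the record")
    if on_claimable_provider(target):
        if not target_exists:
            return Finding(subdomain, target, "claimable",
                           "provider name is unclaimed; claim it under our account or remove the record")
        return Finding(subdomain, target, "provider",
                       "hosted on a shared platform; confirm the name belongs to our account")
    return Finding(subdomain, target, "external",
                   "alias to a third party; confirm the arrangement and re-check before it lapses")


def audit(zone: Zone) -> List[Finding]:
    """Classify every aliased name in the zone, worst risk first."""
    order = {"unregistered": 0, "claimable": 1, "provider": 2,
             "external": 3, "internal": 4, "ok": 5}
    findings = [classify(name, zone) for name, rr in zone.items() if "CNAME" in rr]
    return sorted(findings, key=lambda f: order[f.risk])


# Constructed sample data mirroring the article's scenarios. Names under
# companysite.com are ours; the rest stand in for what public DNS would return.
SAMPLE_ZONE: Zone = {
    "www.companysite.com":       {"A": "192.0.2.10"},
    "git.companysite.com":       {"CNAME": "github.com"},
    "blog.companysite.com":      {"CNAME": "companyblog.herokuapp.com"},
    "api.companysite.com":       {"CNAME": "old-partner-api.example"},
    "cdn.companysite.com":       {"CNAME": "assets.partnercdn.example"},
    "static.companysite.com":    {"CNAME": "www.companysite.com"},
    "github.com":                {"A": "192.0.2.20"},
    "herokuapp.com":             {"A": "192.0.2.21"},
    "partnercdn.example":        {"A": "192.0.2.30"},
    "assets.partnercdn.example": {"A": "192.0.2.31"},
    # companyblog.herokuapp.com and old-partner-api.example are deliberately
    # absent: one is an unclaimed provider name, the other an expired domain.
}

if __name__ == "__main__":
    for f in audit(SAMPLE_ZONE):
        print(f"{f.risk:12} {f.subdomain:24} -> {f.target}  ({f.note})")
```

On the sample data the audit ranks api.companysite.com (expired target) above blog.companysite.com (unclaimed Heroku name), then git.companysite.com (platform-hosted, account ownership to confirm) and cdn.companysite.com (ordinary third-party alias to re-check periodically). The apex-versus-name distinction is the point: a missing `companyblog.herokuapp.com` under a live `herokuapp.com` is a claimable platform name, whereas a missing `old-partner-api.example` apex means the whole domain, mail included, is up for registration.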
Tools on the market
Here are some useful tools to perform enumeration of subdomains:
HostileSubBruteforcer has the particularity of highlighting those subdomains of the tested domain that point to AWS, Github, Heroku, Shopify, Tumblr, WP Engine and Squarespace.