@TheBinitGhimire
Last active October 27, 2024 19:26
Dangling DNS Records leading to Sub-domain Takeover on api.techprep.fb.com!

Dangling DNS Records on api.techprep.fb.com - $500!

Read proper write-up here: https://publish.whoisbinit.me/subdomain-takeover-on-api-techprep-fb-com-through-aws-elastic-beanstalk

I have included my script in another file (main.sh), which I used in discovering this vulnerability.

I didn't do any form of manual work in finding this vulnerability, and my workflow was fully automated with Bash scripting.

I have shortened my actual script, and only included the part which helped me in finding this vulnerability in the main.sh file.

#!/usr/bin/env bash
## Working directory for the raw enumeration output (created if missing)
mkdir -p ~/results/fb.com/subs;
## Subdomain Enumeration
echo "Checking with Assetfinder!";
assetfinder -subs-only fb.com >> ~/results/fb.com/subs/assetfinder.txt;
echo "Checking with Subfinder!";
subfinder -d fb.com -recursive -silent -all -t 500 -o ~/results/fb.com/subs/subfinder.txt;
echo "Checking with Sublist3r!";
sublist3r -d fb.com -n -t 500 -o ~/results/fb.com/subs/sublist3r.txt;
echo "Checking with Amass!";
amass enum -passive -norecursive -noalts -d fb.com -o ~/results/fb.com/subs/amass.txt;
## Subdomain Concatenation
cat ~/results/fb.com/subs/*.txt > ~/results/fb.com/subs.txt;
## Subdomain Enumeration Cleanup
rm -rf ~/results/fb.com/subs;
## Subdomain Enumeration Results (deduplicated in place)
sort -u ~/results/fb.com/subs.txt -o ~/results/fb.com/subs.txt
## Elastic Beanstalk Checker
## Flags every sub-domain whose dig +short answer mentions elasticbeanstalk
## (grep -q keeps the matched record out of the output; only the name is logged)
while IFS= read -r domain; do
  if dig +short "$domain" | grep -q elasticbeanstalk; then echo "$domain" | tee -a ~/results/fb.com/elasticbeanstalk.txt; fi;
done < ~/results/fb.com/subs.txt
@madneal

madneal commented Feb 17, 2021

Is there any open report for this bug vulnerability? Thanks

@TheBinitGhimire
Author

Hi @madneal,

There isn't an open report for this vulnerability since Facebook's bug bounty reports are always hidden, but you can go through: https://www.dotsec.com/2020/09/17/dns-records-part-2/ to find out more information about this kind of attack vector.


Also, I am providing a part of my vulnerability report to Facebook in this response.

Complete Details

api.techprep.fb.com is pointed to techprep-backend.us-east-1.elasticbeanstalk.com via CNAME records. This Elastic Beanstalk URL in the us-east-1 region of AWS appears to be removed now, and anyone having an AWS account with privileges to create Elastic Beanstalk instances in the North Virginia region can create one with techprep-backend.us-east-1.elasticbeanstalk.com as the URL. Therefore, there are dangling CNAME records at api.techprep.fb.com.

Impact

As a result of dangling CNAME records, whenever techprep-backend.us-east-1.elasticbeanstalk.com (which has been removed now) is claimed by an AWS user, he/she will gain access over api.techprep.fb.com as well.


Setup

Users: N/A

Environment: N/A

Browser: Any web browser!

App version: N/A

OS: Debian 10 (Buster)

Description: fb.com is in scope of the Facebook's Bug Bounty Program.

Steps

  1. Perform DNS lookup on api.techprep.fb.com, and you will find out that it is pointed to techprep-backend.us-east-1.elasticbeanstalk.com through CNAME records.
  2. Scan for all of the open ports, and also check whether techprep-backend.us-east-1.elasticbeanstalk.com resolves or not. You will find out that it doesn't resolve.

Reference for Step 2:

  • Command: nmap -sV -O techprep-backend.us-east-1.elasticbeanstalk.com -Pn
  • Output:
Starting Nmap 7.91SVN ( https://nmap.org/ ) at 2020-12-20 00:08 +0545
Failed to resolve "techprep-backend.us-east-1.elasticbeanstalk.com".
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 20.34 seconds

This shows that there are dangling DNS Records at this sub-domain.

Mitigation/Remediation Actions

To mitigate this issue, one simple step that can be taken would be to change or remove the CNAME records from the target sub-domain.

References


My Further Response to Facebook:

"This is a Dangling DNS Records issue. Previously, Facebook had done the following things:

  1. Pointing api.techprep.fb.com to the respective Elastic Beanstalk URL; i.e. techprep-backend.us-east-1.elasticbeanstalk.com, and
  2. Creating an Elastic Beanstalk instance named "techprep-backend" in the US-East-1 region!

But now, Facebook appears to have reverted the #2 point; i.e. deleting the Elastic Beanstalk instance.

Therefore, an attacker can create an Elastic Beanstalk instance in the same AWS Region with the same name, and hence claim the instance URL, and along with that, host his/her contents there, which means the same contents would appear in the FB.com's vulnerable sub-domain; i.e. api.techprep.fb.com.

To resolve this issue, Facebook needs to do one of the following:

  1. Change the CNAME records of api.techprep.fb.com to the Elastic Beanstalk instance URL that they currently own,
  2. Delete the CNAME records,
  3. Re-claim the respective Elastic Beanstalk instance URL before anyone else does in the US-East-1 region!"

I hope this much information is enough to answer your queries, and yes, this Dangling DNS vulnerability could have been escalated to a Sub-domain Takeover vulnerability by registering a techprep-backend Elastic Beanstalk instance in the us-east-1 region in Amazon AWS.

Thanks,
Binit Ghimire
@TheBinitGhimire
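
The main.sh checker above stops at "the CNAME answer mentions elasticbeanstalk", and the report's Step 2 then verifies by hand that the target no longer resolves. The script below is an added example, not the gist's own main.sh nor any code from the report: it joins both steps into one classification (no CNAME, CNAME elsewhere, Beanstalk target that still resolves, Beanstalk target with no address), which is what a defender auditing their own zone wants to see before deciding to delete or repoint a record, as the mitigation section suggests. Lookups go through one function so the logic runs offline against a constructed answer table; with ZONE_DATA unset it falls back to dig, which is assumed to be installed. The example.com / example.net rows and the 192.0.2.x addresses are made up; only api.techprep.fb.com and its target come from the report.

```shell
#!/usr/bin/env bash
# Added example: classify CNAME targets on elasticbeanstalk.com as dangling
# when the target name returns no address record.

# Constructed sample answers (not real DNS data), one "<name> <type> <value>" per line.
SAMPLE_ZONE='api.techprep.fb.com CNAME techprep-backend.us-east-1.elasticbeanstalk.com.
alive.example.com CNAME alive-env.us-east-1.elasticbeanstalk.com.
alive-env.us-east-1.elasticbeanstalk.com A 192.0.2.10
www.example.com CNAME cdn.example.net.
cdn.example.net A 192.0.2.20
static.example.com A 192.0.2.30'

# lookup_rr TYPE NAME: print the answer values for NAME/TYPE.
# Uses the ZONE_DATA table when set (offline mode), otherwise dig +short.
lookup_rr() {
  if [ -n "${ZONE_DATA:-}" ]; then
    printf '%s\n' "$ZONE_DATA" | awk -v t="$1" -v n="$2" '$1 == n && $2 == t { print $3 }'
  else
    dig +short "$1" "$2"
  fi
}

# classify_host NAME: print one of
#   no-cname           no CNAME record, nothing to dangle
#   cname-other        CNAME to a non-Elastic-Beanstalk target (out of scope here)
#   beanstalk-ok       CNAME to an elasticbeanstalk.com name that still has an A record
#   beanstalk-dangling CNAME to an elasticbeanstalk.com name with no A record
classify_host() {
  name=$1
  target=$(lookup_rr CNAME "$name" | head -n 1)
  target=${target%.}            # drop the trailing dot of the canonical name
  if [ -z "$target" ]; then echo "no-cname"; return; fi
  case "$target" in
    *.elasticbeanstalk.com) ;;
    *) echo "cname-other"; return ;;
  esac
  if [ -n "$(lookup_rr A "$target")" ]; then
    echo "beanstalk-ok"
  else
    echo "beanstalk-dangling"
  fi
}

# report_dangling: read host names from stdin, print only the dangling ones.
report_dangling() {
  while IFS= read -r host; do
    [ -n "$host" ] || continue
    if [ "$(classify_host "$host")" = "beanstalk-dangling" ]; then
      printf '%s\n' "$host"
    fi
  done
}

# Offline demo against the constructed table: ./check.sh --demo
if [ "${1:-}" = "--demo" ]; then
  ZONE_DATA=$SAMPLE_ZONE
  printf '%s\n' api.techprep.fb.com alive.example.com www.example.com static.example.com | report_dangling
fi
```

For a live audit, feed the deduplicated subs.txt from main.sh to report_dangling with ZONE_DATA unset. An empty A answer can also be a transient resolver failure rather than a removed environment, so a name should be re-checked (ideally from a second resolver) before its record is deleted or repointed.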

@madneal

madneal commented Feb 17, 2021

@TheBinitGhimire thanks a lot

@am6539

am6539 commented Feb 17, 2021

thanks for writeup. Can you tell me your timeline :D

@TheBinitGhimire
Author

Hello @am6539,

The timeline of this vulnerability report is provided here:

  • Report Submitted: Sunday, December 20, 2020 at 12:11 AM
  • First Response from the team: Tuesday, December 22, 2020 at 2:07 AM
  • My Response back to the team: Tuesday, December 22, 2020 at 2:28 AM
  • Triaged (the team sent it to the appropriate product team): Monday, January 11, 2021 at 10:28 PM
  • My Response: Monday, January 11, 2021 at 10:29 PM
  • Patched Response: Tuesday, January 12, 2021 at 9:05 PM
  • My Patch Confirmation: Tuesday, January 12, 2021 at 9:29 PM
  • My Response: Thursday, January 21, 2021 at 10:18 PM
  • My Response: Sunday, February 14, 2021 at 8:33 AM
  • Rewarded $500: Yesterday at 9:43 PM
  • My Response: Yesterday at 10:36 PM

Thank You for your concern!

Thanks,
Binit Ghimire
@TheBinitGhimire

@nukats

nukats commented Feb 18, 2021

Why did they only pay 500$ what was their reason?

@TheBinitGhimire
Author

Hello @nukats,

I am not sure about why they paid only $500 for this, and I have questioned them about it, and looking forward to hearing their response.

One thing that they had said while rewarding the bounty amount is, "The payout amount reflects the fact that fb.com domain is predominantly used for microsites and static content."

I hope this clears your question, and I will let you know again if I hear back from the team with more information.

Thanks,
Binit Ghimire
@TheBinitGhimire

@pdelteil

Hello,

I think it is no longer possible to perform this takeover? I can't create a custom env. URL.

Can you confirm?

@TheBinitGhimire
Author

Hello @pdelteil,

I think you tried to create an application at Elastic Beanstalk, so you weren't able to define a custom URL. Can you once try creating an environment?

I just tried, and I'm still able to define custom URLs without any random strings added to the URL.

Creating an environment!

Here is an image showing what I did to verify just now!

If you have any further queries, please let me know!

Thanks,
Binit

@pdelteil

Thank you for your quick answer. There's something odd, that dialog appeared when I created the second environment and not while creating the first.
