Read proper write-up here: https://publish.whoisbinit.me/subdomain-takeover-on-api-techprep-fb-com-through-aws-elastic-beanstalk
I have included my script in another file (main.sh), which I used in discovering this vulnerability.
I didn't do any form of manual work in finding this vulnerability, and my workflow was fully automated with Bash scripting.
I have shortened my actual script, and only included the part which helped me in finding this vulnerability in the main.sh file.
| ## Subdomain Enumeration | |
| echo "Checking with Assetfinder!"; | |
| assetfinder -subs-only fb.com >> ~/results/fb.com/subs/assetfinder.txt; | |
| echo "Checking with Subfinder!"; | |
| subfinder -d fb.com -recursive -silent -all -t 500 -o ~/results/fb.com/subs/subfinder.txt; | |
| echo "Checking with Sublist3r!"; | |
| sublist3r -d fb.com -n -t 500 -o ~/results/fb.com/subs/sublist3r.txt; | |
| echo "Checking with Amass!"; | |
| amass enum -passive -norecursive -noalts -d fb.com -o ~/results/fb.com/subs/amass.txt; | |
| ## Subdomain Concatenation | |
| cat ~/results/fb.com/subs/*.txt > ~/results/fb.com/subs.txt; | |
| ## Subdomain Enumeration Cleanup | |
| rm -rf ~/results/fb.com/subs; | |
| ## Subdomain Enumeration Results | |
| sort -u ~/results/fb.com/subs.txt -o ~/results/fb.com/subs.txt | |
| ## Elastic Beanstalk Checker | |
| while IFS= read -r domain; do | |
| if dig +short $domain | grep elasticbeanstalk; then echo $domain | tee -a ~/results/fb.com/elasticbeanstalk.txt; fi; | |
| done < ~/results/fb.com/subs.txt |
Hi @madneal,
There isn't an open report for this vulnerability since Facebook's bug bounty reports are always hidden, but you can go through: https://www.dotsec.com/2020/09/17/dns-records-part-2/ to find out more information about this kind of attack vector.
Also, I am providing a part of my vulnerability report to Facebook in this response.
api.techprep.fb.com is pointed to techprep-backend.us-east-1.elasticbeanstalk.com via CNAME records. This Elastic Beanstalk URL in the us-east-1 region of AWS appears to be removed now, and anyone having an AWS account with privileges to create Elastic Beanstalk instances in the North Virginia region can create one with techprep-backend.us-east-1.elasticbeanstalk.com as the URL. Therefore, there are dangling CNAME records at api.techprep.fb.com.
As a result of dangling CNAME records, whenever techprep-backend.us-east-1.elasticbeanstalk.com (which has been removed now) is claimed by an AWS user, he/she will gain access over api.techprep.fb.com as well.
Users: N/A
Environment: N/A
Browser: Any web browser!
App version: N/A
OS: Debian 10 (Buster)
Description: fb.com is in scope of the Facebook's Bug Bounty Program.
nmap -sV -O techprep-backend.us-east-1.elasticbeanstalk.com -PnStarting Nmap 7.91SVN ( https://nmap.org/ ) at 2020-12-20 00:08 +0545
Failed to resolve "techprep-backend.us-east-1.elasticbeanstalk.com".
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 20.34 seconds
This shows that there are dangling DNS Records at this sub-domain.
To mitigate this issue, one simple step that can be taken would be to change or remove the CNAME records from the target sub-domain.
"This is a Dangling DNS Records issue. Previously, Facebook had done the following things:
But now, Facebook appears to have reverted the #2 point; i.e. deleting the Elastic Beanstalk instance.
Therefore, an attacker can create an Elastic Beanstalk instance in the same AWS Region with the same name, and hence claim the instance URL, and along with that, host his/her contents there, which means the same contents would appear in the FB.com's vulnerable sub-domain; i.e. api.techprep.fb.com.
To resolve this issue, Facebook needs to do one of the following:
I hope this much information is enough to answer your queries, and yes, this Dangling DNS vulnerability could have been escalated to a Sub-domain Takeover vulnerability by registering a techprep-backend Elastic Beanstalk instance in the us-east-1 region in Amazon AWS.
Thanks,
Binit Ghimire
@TheBinitGhimire
@TheBinitGhimire thanks a lot
thanks for writeup. Can you tell me your timeline :D
Hello @am6539,
The timeline of this vulnerability report is provided here:
Thank You for your concern!
Thanks,
Binit Ghimire
@TheBinitGhimire
Why did they only pay 500$ what was their reason?
Hello @nukats,
I am not sure about why they paid only $500 for this, and I have questioned them about it, and looking forward to hearing their response.
One thing that they had said while rewarding the bounty amount is, "The payout amount reflects the fact that fb.com domain is predominantly used for microsites and static content."
I hope this clears your question, and I will let you know again if I hear back from the team with more information.
Thanks,
Binit Ghimire
@TheBinitGhimire
Hello,
I think is no longer possible to perform this take over? I can't create a custom env. URL.
Can you confirm?
Hello @pdelteil,
I think you tried to create an application at Elastic Beanstalk, so you weren't able to define a custom URL. Can you once try creating an environment?
I just tried, and I'm still able to define custom URLs without any random strings added to the URL.
Here is an image showing what I did to verify just now!
If you have any further queries, please let me know!
Thanks,
Binit
Thank you for your quick answer. There's something odd, that dialog appeared when I created the second environment and not while creating the first.
Is there any open report for this bug vulnerability? Thanks