Subdomain hijacking presents significant security risks to organizations. Everything from credential theft to phishing can be made possible with a few keystrokes and click of a mouse. This talk focuses on how these risks materialize within an AWS cloud environment, how to enumerate their existence, and options to quickly mitigate them.
1.
Cloud Jacking™
Exploiting AWS Route53, CloudFront, and S3
2.
Agenda
• Who are you?
• What is subdomain hijacking?
• What is Route53, CloudFront, and S3?
• How can I exploit these services?
• Is there a live demo?
6.
Subdomain Hijacking
• Acme, Inc.
• Sells explosive bird seed on e-commerce site
• Chooses shop.acme.com for DNS resolution
• Outsources e-commerce functionality to service provider
• Magento, Shopify, YoKart, Volusion, et al.
• Provider’s store URL
• Acme chooses acme.ecommerce.provider.com
• UX implementation options
• 301/302 HTTP redirect
• DNS CNAME record
7.
Subdomain Hijacking
root@unknown$ dig shop.acme.com
…
;;QUESTION SECTION:
;shop.acme.com. IN A
;;ANSWER SECTION:
shop.acme.com. 1234 IN CNAME acme.ecommerce.provider.com.
acme.ecommerce.provider.com. 86 IN A 12.34.56.78    (Acme controlled)
8.
Subdomain Hijacking
• Explosive bird seed was a bad product idea
• Who knew?!?
• Acme cancels their service provider subscription…
• …but doesn’t delete the CNAME for shop.acme.com
• Attacker creates account with provider
• Registers acme.ecommerce.provider.com as site URL
• All content rendered at shop.acme.com now under attacker’s control
9.
Subdomain Hijacking
root@unknown$ dig shop.acme.com
…
;;QUESTION SECTION:
;shop.acme.com. IN A
;;ANSWER SECTION:
shop.acme.com. 1234 IN CNAME acme.ecommerce.provider.com.
acme.ecommerce.provider.com. 86 IN A 12.34.56.78    (Attacker controlled)
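The two dig outputs above are identical: the CNAME still resolves, and nothing in DNS says who owns the target account. An added example (not from the talk) of the check a defender can run over a zone's records: parse dig-style answer lines, then classify each CNAME as in-house, a third-party target still in the organization's vendor inventory, a target that resolves but is not in the inventory (the Acme case, which needs a human to verify), or a target that no longer resolves at all. The zone, the resolver answers and the inventory are constructed sample data, and `lookup()` is a stand-in for a real DNS query so the check runs offline.

```python
"""Dangling-CNAME triage over dig-style answer sections (added example).

The resolver is simulated with a constructed dict so this runs offline;
replace lookup() with a real DNS query (e.g. dnspython) in practice.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the organization's own zone, formatted as dig prints it.
ZONE_ANSWERS = """\
shop.acme.com.        1234 IN CNAME acme.ecommerce.provider.com.
docs.acme.com.        300  IN CNAME acme.hosted.example.
blog.acme.com.        300  IN CNAME acme.github.io.
www.acme.com.         300  IN CNAME lb.acme.com.
lb.acme.com.          60   IN A     203.0.113.10
"""

# Constructed simulation of public resolver answers for the CNAME targets.
# None models NXDOMAIN (nobody currently serves the name).
SIMULATED_DNS: Dict[str, Optional[str]] = {
    "acme.ecommerce.provider.com.": "12.34.56.78",  # still resolves, as on the slide
    "acme.hosted.example.": None,                    # vendor tore the name down
    "acme.github.io.": "185.199.108.153",
    "lb.acme.com.": "203.0.113.10",
}

# Constructed inventory of third-party assets the organization still controls.
# shop.acme.com's target is deliberately absent: the subscription was cancelled.
ACTIVE_VENDOR_ASSETS = {"acme.github.io."}

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)\s*$")


def parse_answers(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'name TTL IN TYPE value' lines into (name, type, value) tuples."""
    out = []
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            name, _ttl, rtype, value = m.groups()
            out.append((name, rtype, value))
    return out


def lookup(name: str) -> Optional[str]:
    """Stand-in for a DNS query; returns the A record or None for NXDOMAIN."""
    return SIMULATED_DNS.get(name)


def classify_cnames(zone_text: str, own_zone: str = "acme.com.") -> Dict[str, str]:
    """Return {record_name: status} for every CNAME in the zone text."""
    result: Dict[str, str] = {}
    for name, rtype, target in parse_answers(zone_text):
        if rtype != "CNAME":
            continue
        if target == own_zone or target.endswith("." + own_zone):
            result[name] = "in-house"
        elif lookup(target) is None:
            result[name] = "dangling: target NXDOMAIN, claimable by anyone"
        elif target in ACTIVE_VENDOR_ASSETS:
            result[name] = "third-party: claimed by us"
        else:
            # Resolves, but nothing proves we own the account behind it.
            result[name] = "third-party: resolves but not in inventory, verify ownership"
    return result


if __name__ == "__main__":
    for record, status in classify_cnames(ZONE_ANSWERS).items():
        print(f"{record:<24} {status}")
```

The point of the last branch is that an NXDOMAIN check alone misses the scenario on the slide: the provider keeps serving the name for whoever registers it next, so the CNAME has to be reconciled against an inventory of vendor accounts you still pay for, not just against DNS.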
12.
Route53, CloudFront, and S3
• Route 53
• AWS managed DNS service
• Scalable, distributed, highly resilient
• Supports traffic routing policies
• CloudFront
• AWS managed CDN service
• Minimizes latency of static and dynamic web content
• Delivery via worldwide network of data centers
• S3
• AWS object storage managed service
• Highly scalable, fast, inexpensive
• Tiered redundancy model
13.
Route53 Features
• Alias Records
• Similar to an A record with CNAME functionality
• Visible as Alias only through R53 console or API
• Appears as A record when publicly resolved
• Resource Targets
• Elastic Beanstalk
• Application / Elastic Load Balancer (ALB/ELB)
• Simple Storage Service (S3)
• Route53
• CloudFront
14.
CloudFront Features
• CNAMES
• Similar to HTTP name-based virtual hosts
• Distribution domain names not very user friendly
• Ex., d22kkcjurirtnq.cloudfront.net — look familiar?
• Global namespaces!
• Supports apex and subdomain wildcards
• Wait… what?!?
• No 1:1 mapping between distribution and content origin
• Wait… what?!?
• Content Origins
• S3 and Elastic Load Balancers
• Supports web and RTMP distributions
• Object access controlled via Origin Access Identity (OAI)
15.
S3 Features
• Objects and Buckets
• Data/metadata in logical storage unit
• Both support ACLs and IAM policy enforcement
• Data-at-rest (DAR) encryption using S3-C, S3-SSE, S3-KMS
17.
CloudFront Distributions
root@unknown$ dig cname.lab.prevade.com
…
;; QUESTION SECTION:
;test.lab.prevade.com. IN A
;; ANSWER SECTION:
test.lab.prevade.com. 41 IN A 52.84.31.189
test.lab.prevade.com. 41 IN A 52.84.31.233
test.lab.prevade.com. 41 IN A 52.84.31.154
24.
Exploitation
• Squatting
• Enumerate AWS customers through OSINT
• Create S3 bucket names for apex and vanity subdomains
• Create CloudFront CNAMEs for apex and vanity subdomains
• Risks
• Inability to use apex, subdomains, bucket within AWS
• Development pipeline disruption
• Legal precedents and recourse for recovery
25.
Mitigation and Remediation
• Squat your own S3 buckets and CloudFront CNAMEs
• Global namespace = race condition
• Apex » wildcard » subdomain
• Fix Decoupled CloudFront/S3 and Route53/CloudFront
• Delete or modify
• Validate CI/CD dependencies!
• Enumerate decoupled Route53 and CloudFront (S3 coming soon!)
• CloudJack — https://github.com/prevade/cloudjack
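An added example of the "enumerate decoupled Route53 and CloudFront" step, written for this page and not taken from the CloudJack tool. It walks Route 53 record sets, finds CNAME and Alias records whose target is a cloudfront.net domain, and flags two failure modes: the distribution no longer exists in the account, or it exists but does not list the record's name as an alternate domain name (so anyone could attach that CNAME to their own distribution). A second pass checks CloudFront origins against the account's bucket list. The three inputs follow the field names of boto3's `route53.list_resource_record_sets`, `cloudfront.list_distributions` and `s3.list_buckets` responses, but are constructed sample data so the audit runs offline; wildcard handling assumes a `*.` alias covers one additional label.

```python
"""Audit for decoupled Route 53 -> CloudFront and CloudFront -> S3 links
(added example; constructed data shaped like the boto3 responses)."""
from typing import Dict, Iterator, List, Tuple


def _norm(name: str) -> str:
    """Lower-case and drop the trailing dot so DNS names compare cleanly."""
    return name.lower().rstrip(".")


# --- constructed sample account state -------------------------------------
RECORDS: List[dict] = [  # Route 53 record sets for hosted zone acme.com.
    {"Name": "www.acme.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "d111111abcdef8.cloudfront.net"}]},
    {"Name": "acme.com.", "Type": "A",
     "AliasTarget": {"DNSName": "d111111abcdef8.cloudfront.net."}},
    {"Name": "old.acme.com.", "Type": "CNAME",          # distribution deleted
     "ResourceRecords": [{"Value": "d222222abcdef8.cloudfront.net"}]},
    {"Name": "img.acme.com.", "Type": "CNAME",          # never added as alias
     "ResourceRecords": [{"Value": "d111111abcdef8.cloudfront.net"}]},
    {"Name": "mail.acme.com.", "Type": "MX",
     "ResourceRecords": [{"Value": "10 mx.acme.com"}]},
]
DISTRIBUTIONS: List[dict] = [
    {"Id": "E1EXAMPLE", "DomainName": "d111111abcdef8.cloudfront.net",
     "Aliases": {"Items": ["www.acme.com", "acme.com"]},
     "Origins": {"Items": [{"DomainName": "acme-static.s3.amazonaws.com"}]}},
    {"Id": "E2EXAMPLE", "DomainName": "d333333abcdef8.cloudfront.net",
     "Aliases": {"Items": ["*.dev.acme.com"]},          # origin bucket is gone
     "Origins": {"Items": [{"DomainName": "acme-dev-assets.s3.amazonaws.com"}]}},
]
BUCKETS: List[str] = ["acme-static", "acme-logs"]      # s3.list_buckets names


def cloudfront_targets(records: List[dict]) -> Iterator[Tuple[str, str]]:
    """Yield (record_name, cloudfront_fqdn) for CNAME and Alias records."""
    for rr in records:
        name = _norm(rr["Name"])
        alias = rr.get("AliasTarget", {}).get("DNSName")
        values = [alias] if alias else [r["Value"] for r in rr.get("ResourceRecords", [])]
        for value in values:
            value = _norm(value)
            if value.endswith(".cloudfront.net"):
                yield name, value


def alias_covers(alias: str, name: str) -> bool:
    """True if a CloudFront alternate domain name (possibly '*.x') covers name."""
    alias, name = _norm(alias), _norm(name)
    if alias.startswith("*."):
        parts = name.split(".", 1)
        return len(parts) == 2 and parts[1] == alias[2:]
    return alias == name


def find_decoupled_route53(records: List[dict], distributions: List[dict]) -> Dict[str, str]:
    """Records pointing at CloudFront that no owned distribution actually serves."""
    by_domain = {_norm(d["DomainName"]): d for d in distributions}
    findings: Dict[str, str] = {}
    for name, target in cloudfront_targets(records):
        dist = by_domain.get(target)
        if dist is None:
            findings[name] = f"points at {target}, owned by no distribution in this account"
        elif not any(alias_covers(a, name) for a in dist["Aliases"].get("Items", [])):
            findings[name] = f"{dist['Id']} exists but does not list {name} as an alias"
    return findings


def find_decoupled_cloudfront(distributions: List[dict], buckets: List[str]) -> Dict[str, str]:
    """Distributions whose S3 origin bucket is not in this account's bucket list."""
    owned = set(buckets)
    findings: Dict[str, str] = {}
    for dist in distributions:
        for origin in dist["Origins"]["Items"]:
            host = _norm(origin["DomainName"])
            if ".s3" in host and host.endswith(".amazonaws.com"):
                bucket = host.split(".s3", 1)[0]   # covers REST and website endpoints
                if bucket not in owned:
                    findings[dist["Id"]] = f"origin bucket '{bucket}' is not in this account"
    return findings


if __name__ == "__main__":
    for k, v in find_decoupled_route53(RECORDS, DISTRIBUTIONS).items():
        print(f"ROUTE53  {k}: {v}")
    for k, v in find_decoupled_cloudfront(DISTRIBUTIONS, BUCKETS).items():
        print(f"CLOUDFRONT {k}: {v}")
```

In a multi-account organization a bucket or distribution missing from one account may legitimately live in another, so treat each finding as "verify", and re-run the audit from CI/CD after every deploy, which is where the slide's "validate CI/CD dependencies" point lands: a pipeline that deletes a distribution or bucket without touching the DNS record creates exactly these findings.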