
Cloud Jacking™

Subdomain hijacking presents significant security risks to organizations. Everything from credential theft to phishing can be made possible with a few keystrokes and a click of a mouse. This talk focuses on how these risks materialize within an AWS cloud environment, how to enumerate their existence, and options to quickly mitigate them.


  1. Cloud Jacking™: Exploiting AWS Route53, CloudFront, and S3
  2. Agenda
     • Who are you?
     • What is subdomain hijacking?
     • What are Route53, CloudFront, and S3?
     • How can I exploit these services?
     • Is there a live demo?
  3. Who are you?
  4. Whoami
     • Bryan McAninch, a.k.a. aph3x
       • https://twitter.com/bryanmcaninch
       • https://www.linkedin.com/in/bryanmcaninch/
     • Prevade Cybersecurity
       • Founder & Executive Director
       • https://twitter.com/prevadellc
     • Research focus
       • Cloud
       • Containerization
       • FaaS ("serverless")
  5. What is subdomain hijacking?
  6. Subdomain Hijacking
     • Acme, Inc.
       • Sells explosive bird seed on an e-commerce site
       • Chooses shop.acme.com for DNS resolution
       • Outsources e-commerce functionality to a service provider
         • Magento, Shopify, YoKart, Volusion, et al.
     • Provider's store URL
       • Acme chooses acme.ecommerce.provider.com
     • UX implementation options
       • 301/302 HTTP redirect
       • DNS CNAME record
  7. Subdomain Hijacking (Acme controlled)
       root@unknown$ dig shop.acme.com
       …
       ;; QUESTION SECTION:
       ;shop.acme.com.                     IN  A
       ;; ANSWER SECTION:
       shop.acme.com.                 1234 IN  CNAME  acme.ecommerce.provider.com.
       acme.ecommerce.provider.com.   86   IN  A      12.34.56.78
  8. Subdomain Hijacking
     • Explosive bird seed was a bad product idea
       • Who knew?!?
     • Acme cancels their service provider subscription…
       • …but doesn't delete the CNAME for shop.acme.com
     • Attacker creates an account with the provider
       • Registers acme.ecommerce.provider.com as the site URL
       • All content rendered at shop.acme.com is now under the attacker's control
  9. Subdomain Hijacking (Attacker controlled)
       root@unknown$ dig shop.acme.com
       …
       ;; QUESTION SECTION:
       ;shop.acme.com.                     IN  A
       ;; ANSWER SECTION:
       shop.acme.com.                 1234 IN  CNAME  acme.ecommerce.provider.com.
       acme.ecommerce.provider.com.   86   IN  A      12.34.56.78
  10. Subdomain Hijacking
  11. What are R53, CF, and S3?
  12. Route53, CloudFront, and S3
     • Route 53
       • AWS managed DNS service
       • Scalable, distributed, highly resilient
       • Supports traffic routing policies
     • CloudFront
       • AWS managed CDN service
       • Minimizes latency of static and dynamic web content
       • Delivery via a worldwide network of data centers
     • S3
       • AWS managed object storage service
       • Highly scalable, fast, inexpensive
       • Tiered redundancy model
  13. Route53 Features
     • Alias records
       • Similar to an A record with CNAME functionality
       • Visible as an Alias only through the R53 console or API
       • Appears as an A record when publicly resolved
     • Resource targets
       • Elastic Beanstalk
       • Application / Elastic Load Balancer (ALB/ELB)
       • Simple Storage Service (S3)
       • Route53
       • CloudFront
  14. CloudFront Features
     • CNAMEs
       • Similar to HTTP name-based virtual hosts
       • Distribution domain names are not very user friendly
         • e.g., d22kkcjurirtnq.cloudfront.net (look familiar?)
       • Global namespace!
       • Supports apex and subdomain wildcards
         • Wait… what?!?
       • No 1:1 mapping between distribution and content origin
         • Wait… what?!?
     • Content origins
       • S3 and Elastic Load Balancers
       • Supports web and RTMP distributions
       • Object access controlled via Origin Access Identity (OAI)
  15. S3 Features
     • Objects and buckets
       • Data/metadata in a logical storage unit
       • Both support ACLs and IAM policy enforcement
       • DAR encryption using S3-C, S3-SSE, S3-KMS
  16. CloudFront Distributions
       root@unknown$ nslookup d22kkcjurirtnq.cloudfront.net
       Server:   8.8.8.8
       Address:  8.8.8.8#53
       Non-authoritative answer:
       Name:    d22kkcjurirtnq.cloudfront.net
       Address: 52.84.31.189
       Name:    d22kkcjurirtnq.cloudfront.net
       Address: 52.84.31.233
       Name:    d22kkcjurirtnq.cloudfront.net
       Address: 52.84.31.154
       …
  17. CloudFront Distributions
       root@unknown$ dig cname.lab.prevade.com
       …
       ;; QUESTION SECTION:
       ;test.lab.prevade.com.         IN  A
       ;; ANSWER SECTION:
       test.lab.prevade.com.     41   IN  A  52.84.31.189
       test.lab.prevade.com.     41   IN  A  52.84.31.233
       test.lab.prevade.com.     41   IN  A  52.84.31.154
  18. How can I exploit this?
  19. Enumeration
     • Decoupled CloudFront and S3
       • CloudFront origins pointing to a deleted Origin Domain Name
     • Decoupled Route53 and CloudFront
       • Route53 alias records pointing to deleted CloudFront distributions
       • Active CloudFront distributions with deleted CloudFront CNAMEs
     • Automated reconnaissance
       • DNSRecon, DNSDumpster, censys.io and shodan.io APIs
       • Reverse lookup error indicates the CloudFront distribution/CNAME doesn't exist
       • CloudFront error indicates the distribution exists but is misconfigured
       • HTTP 404 or 503 indicates the S3 bucket doesn't exist
  20. Exploitation
     • Hijacking
       • Create a replica of the target site content in a replica S3 bucket
       • Create a replica S3 bucket and/or CloudFront distribution
       • Create a CloudFront CNAME matching the target's decoupled Route53 alias
     • Risks
       • Target masquerading (CYOA!)
       • Phishing, credential theft, session hijacking, XSS, etc.
       • Reputational, legal, regulatory
  21. Exploitation
       Diagram: Route53 → CloudFront → S3 chain (CNAME cname.lab.prevade.com, alias d22kkcjurirtnq.cloudfront.net., origin origin.lab.prevade.com, content index.html)
  22. Exploitation (S3)
       Diagram: Route53 → CloudFront → S3 chain (CNAME cname.lab.prevade.com, alias d22kkcjurirtnq.cloudfront.net., origin origin.lab.prevade.com, content index.html)
  23. Exploitation (CloudFront)
       Diagram: Route53 → CloudFront → S3 chain (CNAME cname.lab.prevade.com, alias d22kkcjurirtnq.cloudfront.net., origin origin.lab.prevade, content index.html)
  24. Exploitation
     • Squatting
       • Enumerate AWS customers through OSINT
       • Create S3 bucket names for apex and vanity subdomains
       • Create CloudFront CNAMEs for apex and vanity subdomains
     • Risks
       • Inability to use the apex, subdomains, or bucket within AWS
       • Development pipeline disruption
       • Legal precedents and recourse for recovery
  25. Mitigation and Remediation
     • Squat your own S3 buckets and CloudFront CNAMEs
       • Global namespace = race condition
       • Apex » wildcard » subdomain
     • Fix decoupled CloudFront/S3 and Route53/CloudFront
       • Delete or modify
       • Validate CI/CD dependencies!
     • Enumerate decoupled Route53 and CloudFront (S3 coming soon!)
       • CloudJack: https://github.com/prevade/cloudjack
  26. Is there a live demo?
  27. References
     • https://hackerone.com/reports/32825
     • https://hackerone.com/reports/38007
     • https://hackerone.com/reports/175070
     • https://hackerone.com/reports/195350
     • https://hackerone.com/reports/193056
     • https://hackerone.com/reports/186766
     • https://hackerone.com/reports/172024
     • https://hackerone.com/reports/171942
     • http://boto3.readthedocs.io/en/latest/reference/services/cloudfront.html
     • http://boto3.readthedocs.io/en/latest/reference/services/route53.html
     • http://boto3.readthedocs.io/en/latest/reference/services/s3.html
     • https://aws.amazon.com/route53/
     • https://aws.amazon.com/cloudfront/
     • https://aws.amazon.com/s3/
     • https://github.com/prevade/cloudjack
     • https://www.youtube.com/watch?v=5USpvBAxBzM
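The enumeration slide (19) and the mitigation slide (25) both come down to the same inventory check: walk your own Route53 records, CloudFront distributions and S3 buckets and flag every link in the Route53 → CloudFront → S3 chain whose target no longer exists or no longer claims the name. The script below is an added example written for this page; it is not the CloudJack tool's code. It works on constructed inventory data that mimics the response shapes of boto3's `route53.list_resource_record_sets()`, `cloudfront.list_distributions()` and `s3.list_buckets()` (the example domain names, distribution IDs and bucket names are made up), so it runs offline; the `fetch_live()` helper at the end shows where those real boto3 calls would plug in and is an assumption about how you would wire it to an account.

```python
"""Find decoupled Route53 -> CloudFront -> S3 links in an AWS inventory.

Added example for this page, not the CloudJack tool's own code. The sample
inventory below is constructed; its shapes follow the boto3 responses named
in the slides' references (route53, cloudfront, s3).
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

CLOUDFRONT_SUFFIX = ".cloudfront.net"

# --- constructed sample inventory ------------------------------------------
ROUTE53_RECORDS: List[Dict] = [
    # Healthy: alias -> distribution we own, and the distribution lists the name
    {"Name": "cname.lab.example.com.", "Type": "A",
     "AliasTarget": {"DNSName": "d22kkcjurirtnq.cloudfront.net."}},
    # Decoupled: alias -> distribution that no longer exists in the account
    {"Name": "old.lab.example.com.", "Type": "A",
     "AliasTarget": {"DNSName": "dabcdefgh12345.cloudfront.net."}},
    # Decoupled: CNAME -> our distribution, but the name was removed from its CNAMEs
    {"Name": "api.lab.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "d22kkcjurirtnq.cloudfront.net"}]},
    # Unrelated: plain A record, not CloudFront
    {"Name": "www.lab.example.com.", "Type": "A",
     "ResourceRecords": [{"Value": "203.0.113.10"}]},
]

CLOUDFRONT_DISTRIBUTIONS: List[Dict] = [
    {"Id": "E1EXAMPLE", "DomainName": "d22kkcjurirtnq.cloudfront.net",
     "Aliases": {"Items": ["cname.lab.example.com"]},
     "Origins": {"Items": [{"DomainName": "origin-bucket.s3.amazonaws.com"}]}},
    # Decoupled: distribution still serves, but its S3 origin bucket is gone
    {"Id": "E2EXAMPLE", "DomainName": "dzzzzzzzzzzzzz.cloudfront.net",
     "Aliases": {"Items": []},
     "Origins": {"Items": [{"DomainName": "deleted-bucket.s3.amazonaws.com"}]}},
]

S3_BUCKETS: Set[str] = {"origin-bucket"}  # names only, as from list_buckets()


def _norm(name: str) -> str:
    """DNS names compare case-insensitively and with or without the trailing dot."""
    return name.rstrip(".").lower()


def record_target(rec: Dict) -> Optional[str]:
    """The DNS name a Route53 record points at (alias target or CNAME), or None."""
    if "AliasTarget" in rec:
        return _norm(rec["AliasTarget"]["DNSName"])
    if rec.get("Type") == "CNAME":
        return _norm(rec["ResourceRecords"][0]["Value"])
    return None


def alias_covers(name: str, aliases: Iterable[str]) -> bool:
    """True if a distribution's CNAME list claims `name`, including wildcard entries."""
    for alias in aliases:
        alias = _norm(alias)
        if alias == name:
            return True
        if alias.startswith("*.") and name.endswith(alias[1:]):  # "*.lab.example.com"
            return True
    return False


def find_decoupled_route53(records: List[Dict], distributions: List[Dict]) -> List[Tuple[str, str, str]]:
    """Route53 records pointing at CloudFront whose distribution is missing from the
    account, or exists but no longer lists the record name as a CNAME."""
    dist_by_domain = {_norm(d["DomainName"]): d for d in distributions}
    findings = []
    for rec in records:
        target = record_target(rec)
        if not target or not target.endswith(CLOUDFRONT_SUFFIX):
            continue
        name = _norm(rec["Name"])
        dist = dist_by_domain.get(target)
        if dist is None:
            findings.append((name, target, "distribution not found in account"))
        elif not alias_covers(name, dist["Aliases"]["Items"]):
            findings.append((name, target, "record name not a CNAME on distribution"))
    return findings


def s3_bucket_from_origin(host: str) -> Optional[str]:
    """Bucket name from an S3 origin hostname (REST or website endpoint), else None."""
    host = _norm(host)
    if not host.endswith(".amazonaws.com"):
        return None
    parts = host.split(".")
    for i, part in enumerate(parts):           # first label that is "s3" or "s3-..."
        if part == "s3" or part.startswith("s3-"):
            return ".".join(parts[:i]) or None  # keeps dotted bucket names intact
    return None


def find_decoupled_cloudfront(distributions: List[Dict], buckets: Set[str]) -> List[Tuple[str, str, str]]:
    """Distributions whose S3 origin names a bucket that no longer exists."""
    findings = []
    for dist in distributions:
        for origin in dist["Origins"]["Items"]:
            bucket = s3_bucket_from_origin(origin["DomainName"])
            if bucket and bucket not in buckets:
                findings.append((dist["Id"], _norm(origin["DomainName"]), "origin bucket does not exist"))
    return findings


def fetch_live():
    """Assumed wiring to a real account (needs boto3 and credentials; pagination omitted)."""
    import boto3  # imported lazily so the offline sample above runs without it
    r53, cf, s3 = boto3.client("route53"), boto3.client("cloudfront"), boto3.client("s3")
    records = []
    for zone in r53.list_hosted_zones()["HostedZones"]:
        records += r53.list_resource_record_sets(HostedZoneId=zone["Id"])["ResourceRecordSets"]
    dists = cf.list_distributions()["DistributionList"].get("Items", [])
    buckets = {b["Name"] for b in s3.list_buckets()["Buckets"]}
    return records, dists, buckets


if __name__ == "__main__":
    for f in find_decoupled_route53(ROUTE53_RECORDS, CLOUDFRONT_DISTRIBUTIONS):
        print("ROUTE53->CLOUDFRONT", *f)
    for f in find_decoupled_cloudfront(CLOUDFRONT_DISTRIBUTIONS, S3_BUCKETS):
        print("CLOUDFRONT->S3", *f)
```

Run against the sample it reports `old.lab.example.com` (distribution gone), `api.lab.example.com` (name dropped from the distribution's CNAMEs) and `E2EXAMPLE` (origin bucket deleted); `cname.lab.example.com` is healthy. These are exactly the three "delete or modify" cases from the mitigation slide, and because the CloudFront CNAME and S3 bucket namespaces are global, a finding should be treated as a race to either delete the dangling record or re-create the missing resource under your own account.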
