Cloud Jacking™
Exploiting AWS Route53, CloudFront, and S3
Agenda
• Who are you?
• What is subdomain hijacking?
• What is Route53, CloudFront, and S3?
• How can I exploit these services?
• Is there a live demo?
Who are you?
Whoami
• Bryan McAninch, a.k.a aph3x
• https://twitter.com/bryanmcaninch
• https://www.linkedin.com/in/bryanmcaninch/
• Prevade Cybersecurity
• Founder & Executive Director
• https://twitter.com/prevadellc
• Research Focus
• Cloud
• Containerization
• FaaS “serverless”
What is subdomain hijacking?
Subdomain Hijacking
• Acme, Inc.
• Sells explosive bird seed on e-commerce site
• Chooses shop.acme.com for DNS resolution
• Outsources e-commerce functionality to service provider
• Magento, Shopify, YoKart, Volusion, et al.
• Provider’s store URL
• Acme chooses acme.ecommerce.provider.com
• UX implementation options
• 301/302 HTTP redirect
• DNS CNAME record
Subdomain Hijacking
root@unknown$ dig shop.acme.com
…
;; QUESTION SECTION:
;shop.acme.com.                        IN  A
;; ANSWER SECTION:
shop.acme.com.                1234     IN  CNAME  acme.ecommerce.provider.com.
acme.ecommerce.provider.com.  86       IN  A      12.34.56.78        <- Acme controlled
Subdomain Hijacking
• Explosive bird seed was a bad product idea
• Who knew?!?
• Acme cancels their service provider subscription…
• …but doesn’t delete the CNAME for shop.acme.com
• Attacker creates account with provider
• Registers acme.ecommerce.provider.com as site URL
• All content rendered at shop.acme.com now under attacker’s control
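As an added example (not from the talk or its tooling), here is a small outside-in checker for the situation just described: it follows a name's CNAME chain and flags the case where the chain ends at a target that no longer resolves, which is the dangling record an attacker would look for. The zone data in FAKE_DNS is constructed to mirror the Acme story; real use would replace `lookup` with a resolver library such as dnspython.

```python
# Outside-in dangling-CNAME check. Example code added to this write-up, not the
# talk's own tooling. FAKE_DNS is a constructed in-memory stand-in for real
# resolution so the example runs offline; swap `lookup` for dnspython or dig.
from dataclasses import dataclass, field

# Constructed zone data mirroring the Acme story: the CNAME for shop.acme.com
# survives, but the provider no longer answers for acme.ecommerce.provider.com.
FAKE_DNS = {
    "shop.acme.com.": {"CNAME": ["acme.ecommerce.provider.com."]},
    "www.acme.com.": {"CNAME": ["web.acme.com."]},
    "web.acme.com.": {"A": ["192.0.2.10"]},
    "loop1.acme.com.": {"CNAME": ["loop2.acme.com."]},
    "loop2.acme.com.": {"CNAME": ["loop1.acme.com."]},
}

MAX_CHAIN = 8  # stop runaway chains; real resolvers cap these too


@dataclass
class ChainResult:
    name: str
    chain: list = field(default_factory=list)       # CNAME targets followed, in order
    addresses: list = field(default_factory=list)   # A records at the end of the chain
    status: str = "ok"   # ok | dangling | nxdomain | loop | too_long


def fqdn(name):
    return name if name.endswith(".") else name + "."


def lookup(name, rtype, dns=FAKE_DNS):
    """Records of one type for a name; None means the name does not exist (NXDOMAIN)."""
    rrsets = dns.get(fqdn(name))
    if rrsets is None:
        return None
    return rrsets.get(rtype, [])


def follow_cname_chain(name, dns=FAKE_DNS):
    """Walk the CNAME chain from name and classify where it ends."""
    result = ChainResult(name=fqdn(name))
    seen = set()
    current = result.name
    while True:
        if current in seen:
            result.status = "loop"
            return result
        seen.add(current)
        if len(result.chain) > MAX_CHAIN:
            result.status = "too_long"
            return result
        cnames = lookup(current, "CNAME", dns)
        if cnames is None:
            # NXDOMAIN: either the queried name itself is gone (nxdomain) or a
            # target we were pointed at is gone (dangling, the takeover case)
            result.status = "dangling" if result.chain else "nxdomain"
            return result
        if cnames:
            result.chain.append(cnames[0])
            current = cnames[0]
            continue
        result.addresses = lookup(current, "A", dns) or []
        if result.chain and not result.addresses:
            # target exists but serves no address: still not under your control
            result.status = "dangling"
        return result


def audit_zone(names, dns=FAKE_DNS):
    """Return {fqdn: status} for every name whose chain is not healthy."""
    findings = {}
    for n in names:
        r = follow_cname_chain(n, dns)
        if r.status != "ok":
            findings[r.name] = r.status
    return findings


if __name__ == "__main__":
    for n in FAKE_DNS:
        r = follow_cname_chain(n)
        print(f"{r.name:<22} {r.status:<9} via {' -> '.join(r.chain) or '-'}")
```

A "dangling" result is only the first signal: whether it is actually claimable depends on whether the target's provider lets anyone register that name, which is a manual review step after the scan.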
Subdomain Hijacking
root@unknown$ dig shop.acme.com
…
;; QUESTION SECTION:
;shop.acme.com.                        IN  A
;; ANSWER SECTION:
shop.acme.com.                1234     IN  CNAME  acme.ecommerce.provider.com.
acme.ecommerce.provider.com.  86       IN  A      12.34.56.78        <- Attacker controlled
Subdomain Hijacking
What are R53, CF, and S3?
Route53, CloudFront, and S3
• Route 53
• AWS managed DNS service
• Scalable, distributed, highly resilient
• Supports traffic routing policies
• CloudFront
• AWS managed CDN service
• Minimizes latency of static and dynamic web content
• Delivery via worldwide network of data centers
• S3
• AWS object storage managed service
• Highly scalable, fast, inexpensive
• Tiered redundancy model
Route53 Features
• Alias Records
• Similar to an A record with CNAME functionality
• Visible as Alias only through R53 console or API
• Appears as A record when publicly resolved
• Resource Targets
• Elastic Beanstalk
• Application / Elastic Load Balancer (ALB/ELB)
• Simple Storage Service (S3)
• Route53
• CloudFront
CloudFront Features
• CNAMEs
• Similar to HTTP name-based virtual hosts
• Distribution domain names not very user friendly
• Ex., d22kkcjurirtnq.cloudfront.net — look familiar?
• Global namespaces!
• Supports apex and subdomain wildcards
• Wait… what?!?
• No 1:1 mapping between distribution and content origin
• Wait… what?!?
• Content Origins
• S3 and Elastic Load Balancers
• Supports web and RTMP distributions
• Object access controlled via Origin Access Identity (OAI)
S3 Features
• Objects and Buckets
• Data/metadata in logical storage unit
• Both support ACLs and IAM policy enforcement
• Data-at-rest (DAR) encryption using S3-C, S3-SSE, S3-KMS
CloudFront Distributions
root@unknown$ nslookup d22kkcjurirtnq.cloudfront.net
Server:    8.8.8.8
Address:   8.8.8.8#53
Non-authoritative answer:
Name:      d22kkcjurirtnq.cloudfront.net
Address:   52.84.31.189
Name:      d22kkcjurirtnq.cloudfront.net
Address:   52.84.31.233
Name:      d22kkcjurirtnq.cloudfront.net
Address:   52.84.31.154
…
CloudFront Distributions
root@unknown$ dig cname.lab.prevade.com
…
;; QUESTION SECTION:
;test.lab.prevade.com.          IN  A
;; ANSWER SECTION:
test.lab.prevade.com.    41     IN  A   52.84.31.189
test.lab.prevade.com.    41     IN  A   52.84.31.233
test.lab.prevade.com.    41     IN  A   52.84.31.154
How can I exploit this?
Enumeration
• Decoupled CloudFront and S3
• CloudFront origins pointing to deleted Origin Domain Name
• Decoupled Route53 and CloudFront
• Route53 alias records pointing to deleted CloudFront distributions
• Active CloudFront distributions with deleted CloudFront CNAMEs
• Automated Reconnaissance
• DNSRecon, DNSDumpster, censys.io and shodan.io APIs
• Reverse lookup error indicates CloudFront distribution/CNAME doesn’t exist
• CloudFront error indicates distribution exists but is misconfigured
• HTTP 404 or 503 indicates S3 bucket doesn’t exist
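Added example (not the talk's or CloudJack's code) showing the inside-out version of the three decoupling checks above, run against an account's own inventory rather than from the outside: it cross-references Route53 records that target CloudFront (alias records, recognised by the fixed CloudFront hosted zone id, as well as plain CNAMEs), the account's CloudFront distributions with their CNAME aliases, and the account's S3 buckets. All inputs are constructed dicts shaped like the boto3 responses for list_resource_record_sets, list_distributions and list_buckets (example.com names, made-up distribution ids), so it runs offline; the wildcard handling assumes a CloudFront wildcard alias stands for exactly one label.

```python
# Inside-out audit for decoupled Route53 / CloudFront / S3 configuration.
# Example code added to this write-up; it is not the talk's or CloudJack's code.
# It takes response dicts shaped like boto3's route53.list_resource_record_sets,
# cloudfront.list_distributions and s3.list_buckets, so it runs offline on the
# constructed sample below; feeding it live boto3 responses is the reader's job.
import re

# Fixed hosted zone id that Route53 alias records use for CloudFront targets.
CLOUDFRONT_ZONE_ID = "Z2FDTNDATAQYW2"
# Bucket part of S3 origin domains such as b.s3.amazonaws.com,
# b.s3.us-east-1.amazonaws.com or b.s3-website-us-east-1.amazonaws.com
S3_ORIGIN_RE = re.compile(r"^(?P<bucket>.+?)\.s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com$")

# --- constructed sample inventory (example.com names, made-up distribution ids) ---
SAMPLE_RECORD_SETS = {"ResourceRecordSets": [
    {"Name": "www.lab.example.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": CLOUDFRONT_ZONE_ID,
                     "DNSName": "d111111abcdef8.cloudfront.net.", "EvaluateTargetHealth": False}},
    {"Name": "old.lab.example.com.", "Type": "A",          # distribution was deleted
     "AliasTarget": {"HostedZoneId": CLOUDFRONT_ZONE_ID,
                     "DNSName": "d222222abcdef8.cloudfront.net.", "EvaluateTargetHealth": False}},
    {"Name": "staging.lab.example.com.", "Type": "CNAME", "TTL": 300,  # CNAME dropped from dist
     "ResourceRecords": [{"Value": "d111111abcdef8.cloudfront.net"}]},
    {"Name": "any.lab.example.com.", "Type": "A",          # covered by a wildcard alias
     "AliasTarget": {"HostedZoneId": CLOUDFRONT_ZONE_ID,
                     "DNSName": "d333333abcdef8.cloudfront.net.", "EvaluateTargetHealth": False}},
]}
SAMPLE_DISTRIBUTIONS = {"DistributionList": {"Items": [
    {"Id": "E1EXAMPLE", "DomainName": "d111111abcdef8.cloudfront.net",
     "Aliases": {"Quantity": 1, "Items": ["www.lab.example.com"]},
     "Origins": {"Quantity": 1, "Items": [
         {"Id": "s3-origin", "DomainName": "origin.lab.example.com.s3.amazonaws.com"}]}},
    {"Id": "E3EXAMPLE", "DomainName": "d333333abcdef8.cloudfront.net",
     "Aliases": {"Quantity": 1, "Items": ["*.lab.example.com"]},
     "Origins": {"Quantity": 1, "Items": [                      # bucket no longer in account
         {"Id": "s3-website", "DomainName": "assets.lab.example.com.s3-website-us-east-1.amazonaws.com"}]}},
]}}
SAMPLE_BUCKETS = {"Buckets": [{"Name": "origin.lab.example.com"}, {"Name": "logs-example"}]}


def cloudfront_targets(record_sets):
    """Yield (record_name, distribution_domain) for records that point at CloudFront,
    whether as an R53 alias (invisible as such from outside) or a plain CNAME."""
    for rr in record_sets["ResourceRecordSets"]:
        name = rr["Name"].rstrip(".").lower()
        alias = rr.get("AliasTarget")
        if alias and alias.get("HostedZoneId") == CLOUDFRONT_ZONE_ID:
            yield name, alias["DNSName"].rstrip(".").lower()
        elif rr.get("Type") == "CNAME":
            for v in rr.get("ResourceRecords", []):
                value = v["Value"].rstrip(".").lower()
                if value.endswith(".cloudfront.net"):
                    yield name, value


def wildcard_covers(name, aliases):
    """True if a wildcard alias such as *.lab.example.com covers name.
    Assumption (simplification): the wildcard stands for exactly one label."""
    for alias in aliases:
        if alias.startswith("*."):
            suffix = alias[1:]                       # ".lab.example.com"
            if name.endswith(suffix) and "." not in name[:-len(suffix)]:
                return True
    return False


def audit(record_sets, distributions, buckets):
    """Return (subject, finding, detail) tuples, one per decoupling found."""
    dists = {d["DomainName"].lower(): d for d in distributions["DistributionList"]["Items"]}
    owned = {b["Name"] for b in buckets["Buckets"]}
    findings = []
    for name, target in cloudfront_targets(record_sets):
        dist = dists.get(target)
        if dist is None:
            # Route53 still points at a distribution that no longer exists; any
            # distribution that claims this name as its CNAME would answer for it
            findings.append((name, "route53-alias-to-missing-distribution", target))
            continue
        aliases = {a.lower() for a in dist["Aliases"].get("Items", [])}
        if name not in aliases and not wildcard_covers(name, aliases):
            # distribution is alive but no longer claims this CNAME
            findings.append((name, "distribution-missing-cname", target))
    for domain, dist in dists.items():
        for origin in dist["Origins"]["Items"]:
            m = S3_ORIGIN_RE.match(origin["DomainName"].lower())
            if m and m.group("bucket") not in owned:
                # distribution fronts a bucket this account does not hold
                findings.append((domain, "origin-bucket-missing", m.group("bucket")))
    return findings


if __name__ == "__main__":
    for subject, finding, detail in audit(SAMPLE_RECORD_SETS, SAMPLE_DISTRIBUTIONS, SAMPLE_BUCKETS):
        print(f"{finding:<40} {subject} -> {detail}")
```

Two caveats for live use: list_buckets only shows the calling account, so a bucket legitimately held in a second account you control shows up as "missing" until you merge inventories, and a "missing" bucket cannot be distinguished from one already taken by someone else without a separate HEAD request against the bucket name. Route53 aliases that point straight at S3 website endpoints are out of scope here, matching the talk's "S3 coming soon".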
Exploitation
• Hijacking
• Create replica of target site content in replica S3 bucket
• Create replica S3 bucket and/or CloudFront distribution
• Create CloudFront CNAME matching target’s decoupled Route53 alias
• Risks
• Target masquerading — CYOA!
• Phishing, credential theft, session hijacking, XSS, etc.
• Reputational, legal, regulatory
Exploitation
[Diagram: Route53 / CloudFront / S3 chain]
CNAME: cname.lab.prevade.com
Alias: d22kkcjurirtnq.cloudfront.net.
Origin: origin.lab.prevade.com
Content: index.html
Exploitation (S3)
[Diagram: Route53 / CloudFront / S3 chain]
CNAME: cname.lab.prevade.com
Alias: d22kkcjurirtnq.cloudfront.net.
Origin: origin.lab.prevade.com
Content: index.html
Exploitation (CloudFront)
[Diagram: Route53 / CloudFront / S3 chain]
CNAME: cname.lab.prevade.com
Alias: d22kkcjurirtnq.cloudfront.net.
Origin: origin.lab.prevade
Content: index.html
Exploitation
• Squatting
• Enumerate AWS customers through OSINT
• Create S3 bucket names for apex and vanity subdomains
• Create CloudFront CNAMEs for apex and vanity subdomains
• Risks
• Inability to use the apex, subdomains, or bucket names within AWS
• Development pipeline disruption
• Legal precedents and recourse for recovery
Mitigation and Remediation
• Squat your own S3 buckets and CloudFront CNAMEs
• Global namespace = race condition
• Apex » wildcard » subdomain
• Fix Decoupled CloudFront/S3 and Route53/CloudFront
• Delete or modify
• Validate CI/CD dependencies!
• Enumerate decoupled Route53 and CloudFront (S3 coming soon!)
• CloudJack — https://github.com/prevade/cloudjack
Is there a live demo?
References
https://hackerone.com/reports/32825
https://hackerone.com/reports/38007
https://hackerone.com/reports/175070
https://hackerone.com/reports/195350
https://hackerone.com/reports/193056
https://hackerone.com/reports/186766
https://hackerone.com/reports/172024
https://hackerone.com/reports/171942
http://boto3.readthedocs.io/en/latest/reference/services/cloudfront.html
http://boto3.readthedocs.io/en/latest/reference/services/route53.html
http://boto3.readthedocs.io/en/latest/reference/services/s3.html
https://aws.amazon.com/route53/
https://aws.amazon.com/cloudfront/
https://aws.amazon.com/s3/
https://github.com/prevade/cloudjack
https://www.youtube.com/watch?v=5USpvBAxBzM