Cloud Jacking™

1. Cloud Jacking™ Exploiting AWS Route53, CloudFront, and S3

2. Agenda • Who are you? • What is subdomain hijacking? • What is Route53, CloudFront, and S3? • How I can exploit these services? • Is there a live demo?

3. Who are you?

4. Whoami • Bryan McAninch, a.k.a aph3x • https://twitter.com/bryanmcaninch • https://www.linkedin.com/in/bryanmcaninch/ • Prevade Cybersecurity • Founder & Executive Director • https://twitter.com/prevadellc • Research Focus • Cloud • Containerization • FaaS “serverless”

5. What is subdomain hijacking?

6. Subdomain Hijacking • Acme, Inc. • Sells explosive bird seed on e-commerce site • Chooses shop.acme.com for DNS resolution • Outsources e-commerce functionality to service provider • Magento, Shopify, YoKart, Volusion, et. al. • Provider’s store URL • Acme chooses acme.ecommerce.provider.com • UX implementation options • 301/302 HTTP redirect • DNS CNAME record

7. Subdomain Hijacking root@unknown$ dig shop.acme.com … ;;QUESTION SECTION: ;shop.acme.com. IN A ;;ANSWER SECTION: shop.acme.com. 1234 IN CNAME acme.ecommerce.provider.com. 86 acme.ecommerce.provider.com. IN A 12.34.56.78 Acme Controlled

8. Subdomain Hijacking • Explosive bird seed was a bad product idea • Who knew?!? • Acme cancels their service provider subscription… • …but doesn’t delete the CNAME for shop.acme.com • Attacker creates account with provider • Registers acme.ecommerce.provider.com as site URL • All content rendered at shop.acme.com now under attacker’s control

9. Subdomain Hijacking root@unknown$ dig shop.acme.com … ;;QUESTION SECTION: ;shop.acme.com. IN A ;;ANSWER SECTION: shop.acme.com. 1234 IN CNAME acme.ecommerce.provider.com. 86 acme.ecommerce.provider.com. IN A 12.34.56.78 Attacker Controlled

10. Subdomain Hijacking

11. What are R53, CF, and S3?

12. Route53, CloudFront, and S3 • Route 53 • AWS managed DNS service • Scalable, distributed, highly resilient • Supports traffic routing policies • CloudFront • AWS managed CDN service • Minimizes latency of static and dynamic web content • Delivery via worldwide network of data centers • S3 • AWS object storage managed service • Highly scalable, fast, inexpensive • Tiered redundancy model

13. Route53 Features • Alias Records • Similar to an A record with CNAME functionality • Visible as Alias only through R53 console or API • Appears as A record when publicly resolved • Resource Targets • Elastic Beanstalk • Application / Elastic Load Balancer (ALB/ELB) • Simple Storage Service (S3) • Route53 • CloudFront

14. CloudFront Features • CNAMES • Similar to HTTP name-based virtual hosts • Distribution domain names not very user friendly • Ex., d22kkcjurirtnq.cloudfront.net — look familiar? • Global namespaces! • Supports apex and subdomain wildcards • Wait… what?!? • No 1:1 mapping between distribution and content origin • Wait… what?!? • Content Origins • S3 and Elastic Load Balancers • Supports web and RTMP distributions • Object access controlled via Origin Access Identity (OAI)

15. S3 Features • Objects and Buckets • Data/metadata in logical storage unit • Both support ACL’s and IAM policy enforcement • DAR encryption using S3-C, S3-SSE, S3-KMS

16. CloudFront Distributions root@unknown$ nslookup d22kkcjurirtnq.cloudfront.net Server: 8.8.88 Address: 8.8.8.8#53 Non-authoritative answer: Name:d22kkcjurirtnq.cloudfront.netAddress: 52.84.31.189 Name:d22kkcjurirtnq.cloudfront.netAddress: 52.84.31.233 Name:d22kkcjurirtnq.cloudfront.netAddress: 52.84.31.154 …

17. CloudFront Distributions root@unknown$ dig cname.lab.prevade.com … ;; QUESTION SECTION: ;test.lab.prevade.com. IN A ;; ANSWER SECTION: test.lab.prevade.com. 41 IN A 52.84.31.189 test.lab.prevade.com. 41 IN A 52.84.31.233 test.lab.prevade.com. 41 IN A 52.84.31.154

18. How I can exploit this?

19. Enumeration • Decoupled CloudFront and S3 • CloudFront origins pointing to deleted Origin Domain Name • Decoupled Route53 and CloudFront • Route53 alias records pointing to deleted CloudFront distributions • Active CloudFront distributions with deleted CloudFront CNAMES • Automated Reconnaissance • DNSRecon, DNSDumpster, censys.io and shodan.io API’s • Reverse lookup error indicates CloudFront distribution/CNAME doesn’t exist • CloudFront error indicates distribution exists and but is misconfigured • HTTP 404 or 503 indicates S3 bucket doesn’t exist

20. Exploitation • Hijacking • Create replica of target site content in replica S3 bucket • Create replica S3 bucket and/or CloudFront distribution • Create CloudFront CNAME matching target’s decoupled Route53 alias • Risks • Target masquerading — CYOA! • Phishing, credential theft, session hijacking, XSS, etc. • Reputational, legal, regulatory

21. Exploitation CNAME: cname.lab.prevade.com Alias: d22kkcjurirtnq.cloudfront.net. Origin origin.lab.prevade.com S3CloudFrontRoute53 Content index.html

22. Exploitation (S3) CNAME: cname.lab.prevade.com Alias: d22kkcjurirtnq.cloudfront.net. Origin origin.lab.prevade.com S3CloudFrontRoute53 Content index.html

23. Exploitation (CloudFront) CNAME: cname.lab.prevade.com Alias: d22kkcjurirtnq.cloudfront.net. Origin origin.lab.prevade S3CloudFrontRoute53 Content index.html

24. Exploitation • Squatting • Enumerate AWS customers through OSINT • Create S3 bucket names for apex and vanity subdomains • Create CloudFront CNAME’s for apex and vanity subdomains • Risks • Inability to use apex, subdomains, bucket within AWS • Development pipeline disruption • Legal precedents and recourse for recovery

25. Mitigation and Remediation • Squat Your Own S3 buckets and CloudFront CNAME’s • Global namespace = race condition • Apex » wildcard » subdomain • Fix Decoupled CloudFront/S3 and Route53/CloudFront • Delete or modify • Validate CI/CD dependencies! • Enumerate decoupled Route53 and CloudFront (S3 coming soon!) • CloudJack — https://github.com/prevade/cloudjack

26. Is there a live demo?

27. References https://hackerone.com/reports/32825 https://hackerone.com/reports/38007 https://hackerone.com/reports/175070 https://hackerone.com/reports/195350 https://hackerone.com/reports/193056 https://hackerone.com/reports/186766 https://hackerone.com/reports/172024 https://hackerone.com/reports/171942 http://boto3.readthedocs.io/en/latest/reference/services/cloudfront.html http://boto3.readthedocs.io/en/latest/reference/services/route53.html http://boto3.readthedocs.io/en/latest/reference/services/s3.html https://aws.amazon.com/route53/ https://aws.amazon.com/cloudfront/ https://aws.amazon.com/s3/ https://github.com/prevade/cloudjack https://www.youtube.com/watch?v=5USpvBAxBzM

Cloud Jacking™

Cloud Jacking™

Recommended

More Related Content

Similar to Cloud Jacking™

Similar to Cloud Jacking™(20)

Recently uploaded

Recently uploaded(20)

Cloud Jacking™