![](http://img.youtube.com/vi/["tMMpK0kd5H8"]/1.jpg)
Just for you: FREE 60-day trial to the world’s largest digital library.
The SlideShare family just got bigger. Enjoy access to millions of ebooks, audiobooks, magazines, and more from Scribd.
Cancel anytime.
- 1. Cloud Jacking™ Exploiting AWS Route53, CloudFront, and S3
- 2. Agenda • Who are you? • What is subdomain hijacking? • What is Route53, CloudFront, and S3? • How I can exploit these services? • Is there a live demo?
- 3. Who are you?
- 4. Whoami • Bryan McAninch, a.k.a aph3x • https://twitter.com/bryanmcaninch • https://www.linkedin.com/in/bryanmcaninch/ • Prevade Cybersecurity • Founder & Executive Director • https://twitter.com/prevadellc • Research Focus • Cloud • Containerization • FaaS “serverless”
- 5. What is subdomain hijacking?
- 6. Subdomain Hijacking • Acme, Inc. • Sells explosive bird seed on e-commerce site • Chooses shop.acme.com for DNS resolution • Outsources e-commerce functionality to service provider • Magento, Shopify, YoKart, Volusion, et. al. • Provider’s store URL • Acme chooses acme.ecommerce.provider.com • UX implementation options • 301/302 HTTP redirect • DNS CNAME record
- 7. Subdomain Hijacking root@unknown$ dig shop.acme.com … ;;QUESTION SECTION: ;shop.acme.com. IN A ;;ANSWER SECTION: shop.acme.com. 1234 IN CNAME acme.ecommerce.provider.com. 86 acme.ecommerce.provider.com. IN A 12.34.56.78 Acme Controlled
- 8. Subdomain Hijacking • Explosive bird seed was a bad product idea • Who knew?!? • Acme cancels their service provider subscription… • …but doesn’t delete the CNAME for shop.acme.com • Attacker creates account with provider • Registers acme.ecommerce.provider.com as site URL • All content rendered at shop.acme.com now under attacker’s control
- 9. Subdomain Hijacking root@unknown$ dig shop.acme.com … ;;QUESTION SECTION: ;shop.acme.com. IN A ;;ANSWER SECTION: shop.acme.com. 1234 IN CNAME acme.ecommerce.provider.com. 86 acme.ecommerce.provider.com. IN A 12.34.56.78 Attacker Controlled
- 10. Subdomain Hijacking
- 11. What are R53, CF, and S3?
- 12. Route53, CloudFront, and S3 • Route 53 • AWS managed DNS service • Scalable, distributed, highly resilient • Supports traffic routing policies • CloudFront • AWS managed CDN service • Minimizes latency of static and dynamic web content • Delivery via worldwide network of data centers • S3 • AWS object storage managed service • Highly scalable, fast, inexpensive • Tiered redundancy model
- 13. Route53 Features • Alias Records • Similar to an A record with CNAME functionality • Visible as Alias only through R53 console or API • Appears as A record when publicly resolved • Resource Targets • Elastic Beanstalk • Application / Elastic Load Balancer (ALB/ELB) • Simple Storage Service (S3) • Route53 • CloudFront
- 14. CloudFront Features • CNAMES • Similar to HTTP name-based virtual hosts • Distribution domain names not very user friendly • Ex., d22kkcjurirtnq.cloudfront.net — look familiar? • Global namespaces! • Supports apex and subdomain wildcards • Wait… what?!? • No 1:1 mapping between distribution and content origin • Wait… what?!? • Content Origins • S3 and Elastic Load Balancers • Supports web and RTMP distributions • Object access controlled via Origin Access Identity (OAI)
- 15. S3 Features • Objects and Buckets • Data/metadata in logical storage unit • Both support ACL’s and IAM policy enforcement • DAR encryption using S3-C, S3-SSE, S3-KMS
- 16. CloudFront Distributions root@unknown$ nslookup d22kkcjurirtnq.cloudfront.net Server: 8.8.88 Address: 8.8.8.8#53 Non-authoritative answer: Name:d22kkcjurirtnq.cloudfront.netAddress: 52.84.31.189 Name:d22kkcjurirtnq.cloudfront.netAddress: 52.84.31.233 Name:d22kkcjurirtnq.cloudfront.netAddress: 52.84.31.154 …
- 17. CloudFront Distributions root@unknown$ dig cname.lab.prevade.com … ;; QUESTION SECTION: ;test.lab.prevade.com. IN A ;; ANSWER SECTION: test.lab.prevade.com. 41 IN A 52.84.31.189 test.lab.prevade.com. 41 IN A 52.84.31.233 test.lab.prevade.com. 41 IN A 52.84.31.154
- 18. How I can exploit this?
- 19. Enumeration • Decoupled CloudFront and S3 • CloudFront origins pointing to deleted Origin Domain Name • Decoupled Route53 and CloudFront • Route53 alias records pointing to deleted CloudFront distributions • Active CloudFront distributions with deleted CloudFront CNAMES • Automated Reconnaissance • DNSRecon, DNSDumpster, censys.io and shodan.io API’s • Reverse lookup error indicates CloudFront distribution/CNAME doesn’t exist • CloudFront error indicates distribution exists and but is misconfigured • HTTP 404 or 503 indicates S3 bucket doesn’t exist
- 20. Exploitation • Hijacking • Create replica of target site content in replica S3 bucket • Create replica S3 bucket and/or CloudFront distribution • Create CloudFront CNAME matching target’s decoupled Route53 alias • Risks • Target masquerading — CYOA! • Phishing, credential theft, session hijacking, XSS, etc. • Reputational, legal, regulatory
- 21. Exploitation CNAME: cname.lab.prevade.com Alias: d22kkcjurirtnq.cloudfront.net. Origin origin.lab.prevade.com S3CloudFrontRoute53 Content index.html
- 22. Exploitation (S3) CNAME: cname.lab.prevade.com Alias: d22kkcjurirtnq.cloudfront.net. Origin origin.lab.prevade.com S3CloudFrontRoute53 Content index.html
- 23. Exploitation (CloudFront) CNAME: cname.lab.prevade.com Alias: d22kkcjurirtnq.cloudfront.net. Origin origin.lab.prevade S3CloudFrontRoute53 Content index.html
- 24. Exploitation • Squatting • Enumerate AWS customers through OSINT • Create S3 bucket names for apex and vanity subdomains • Create CloudFront CNAME’s for apex and vanity subdomains • Risks • Inability to use apex, subdomains, bucket within AWS • Development pipeline disruption • Legal precedents and recourse for recovery
- 25. Mitigation and Remediation • Squat Your Own S3 buckets and CloudFront CNAME’s • Global namespace = race condition • Apex » wildcard » subdomain • Fix Decoupled CloudFront/S3 and Route53/CloudFront • Delete or modify • Validate CI/CD dependencies! • Enumerate decoupled Route53 and CloudFront (S3 coming soon!) • CloudJack — https://github.com/prevade/cloudjack
- 26. Is there a live demo?
- 27. References https://hackerone.com/reports/32825 https://hackerone.com/reports/38007 https://hackerone.com/reports/175070 https://hackerone.com/reports/195350 https://hackerone.com/reports/193056 https://hackerone.com/reports/186766 https://hackerone.com/reports/172024 https://hackerone.com/reports/171942 http://boto3.readthedocs.io/en/latest/reference/services/cloudfront.html http://boto3.readthedocs.io/en/latest/reference/services/route53.html http://boto3.readthedocs.io/en/latest/reference/services/s3.html https://aws.amazon.com/route53/ https://aws.amazon.com/cloudfront/ https://aws.amazon.com/s3/ https://github.com/prevade/cloudjack https://www.youtube.com/watch?v=5USpvBAxBzM
Recommended
More Related Content
Related Books
Free with a 30 day trial from Scribd