Cloud Jacking™
•
3 likes•4,471 views
Subdomain hijacking presents significant security risks to organizations. Everything from credential theft to phishing can be made possible with a few keystrokes and click of a mouse. This talk focuses on how these risks materialize within an AWS cloud environment, how to enumerate their existence, and options to quickly mitigate them.
Recommended
Recommended
More Related Content
Similar to Cloud Jacking™
Similar to Cloud Jacking™ (20)
Recently uploaded
Recently uploaded (20)
Cloud Jacking™
- 1. Cloud Jacking™ Exploiting AWS Route53, CloudFront, and S3
- 2. Agenda • Who are you? • What is subdomain hijacking? • What is Route53, CloudFront, and S3? • How I can exploit these services? • Is there a live demo?
- 3. Who are you?
- 4. Whoami • Bryan McAninch, a.k.a aph3x • https://twitter.com/bryanmcaninch • https://www.linkedin.com/in/bryanmcaninch/ • Prevade Cybersecurity • Founder & Executive Director • https://twitter.com/prevadellc • Research Focus • Cloud • Containerization • FaaS “serverless”
- 5. What is subdomain hijacking?
- 6. Subdomain Hijacking • Acme, Inc. • Sells explosive bird seed on e-commerce site • Chooses shop.acme.com for DNS resolution • Outsources e-commerce functionality to service provider • Magento, Shopify, YoKart, Volusion, et. al. • Provider’s store URL • Acme chooses acme.ecommerce.provider.com • UX implementation options • 301/302 HTTP redirect • DNS CNAME record
- 7. Subdomain Hijacking root@unknown$ dig shop.acme.com … ;;QUESTION SECTION: ;shop.acme.com. IN A ;;ANSWER SECTION: shop.acme.com. 1234 IN CNAME acme.ecommerce.provider.com. 86 acme.ecommerce.provider.com. IN A 12.34.56.78 Acme Controlled
- 8. Subdomain Hijacking • Explosive bird seed was a bad product idea • Who knew?!? • Acme cancels their service provider subscription… • …but doesn’t delete the CNAME for shop.acme.com • Attacker creates account with provider • Registers acme.ecommerce.provider.com as site URL • All content rendered at shop.acme.com now under attacker’s control
- 9. Subdomain Hijacking root@unknown$ dig shop.acme.com … ;;QUESTION SECTION: ;shop.acme.com. IN A ;;ANSWER SECTION: shop.acme.com. 1234 IN CNAME acme.ecommerce.provider.com. 86 acme.ecommerce.provider.com. IN A 12.34.56.78 Attacker Controlled
- 11. What are R53, CF, and S3?
- 12. Route53, CloudFront, and S3 • Route 53 • AWS managed DNS service • Scalable, distributed, highly resilient • Supports traffic routing policies • CloudFront • AWS managed CDN service • Minimizes latency of static and dynamic web content • Delivery via worldwide network of data centers • S3 • AWS object storage managed service • Highly scalable, fast, inexpensive • Tiered redundancy model
- 13. Route53 Features • Alias Records • Similar to an A record with CNAME functionality • Visible as Alias only through R53 console or API • Appears as A record when publicly resolved • Resource Targets • Elastic Beanstalk • Application / Elastic Load Balancer (ALB/ELB) • Simple Storage Service (S3) • Route53 • CloudFront
- 14. CloudFront Features • CNAMES • Similar to HTTP name-based virtual hosts • Distribution domain names not very user friendly • Ex., d22kkcjurirtnq.cloudfront.net — look familiar? • Global namespaces! • Supports apex and subdomain wildcards • Wait… what?!? • No 1:1 mapping between distribution and content origin • Wait… what?!? • Content Origins • S3 and Elastic Load Balancers • Supports web and RTMP distributions • Object access controlled via Origin Access Identity (OAI)
- 15. S3 Features • Objects and Buckets • Data/metadata in logical storage unit • Both support ACL’s and IAM policy enforcement • DAR encryption using S3-C, S3-SSE, S3-KMS
- 16. CloudFront Distributions root@unknown$ nslookup d22kkcjurirtnq.cloudfront.net Server: 8.8.88 Address: 8.8.8.8#53 Non-authoritative answer: Name:d22kkcjurirtnq.cloudfront.netAddress: 52.84.31.189 Name:d22kkcjurirtnq.cloudfront.netAddress: 52.84.31.233 Name:d22kkcjurirtnq.cloudfront.netAddress: 52.84.31.154 …
- 17. CloudFront Distributions root@unknown$ dig cname.lab.prevade.com … ;; QUESTION SECTION: ;test.lab.prevade.com. IN A ;; ANSWER SECTION: test.lab.prevade.com. 41 IN A 52.84.31.189 test.lab.prevade.com. 41 IN A 52.84.31.233 test.lab.prevade.com. 41 IN A 52.84.31.154
- 18. How I can exploit this?
- 19. Enumeration • Decoupled CloudFront and S3 • CloudFront origins pointing to deleted Origin Domain Name • Decoupled Route53 and CloudFront • Route53 alias records pointing to deleted CloudFront distributions • Active CloudFront distributions with deleted CloudFront CNAMES • Automated Reconnaissance • DNSRecon, DNSDumpster, censys.io and shodan.io API’s • Reverse lookup error indicates CloudFront distribution/CNAME doesn’t exist • CloudFront error indicates distribution exists and but is misconfigured • HTTP 404 or 503 indicates S3 bucket doesn’t exist
- 20. Exploitation • Hijacking • Create replica of target site content in replica S3 bucket • Create replica S3 bucket and/or CloudFront distribution • Create CloudFront CNAME matching target’s decoupled Route53 alias • Risks • Target masquerading — CYOA! • Phishing, credential theft, session hijacking, XSS, etc. • Reputational, legal, regulatory
- 24. Exploitation • Squatting • Enumerate AWS customers through OSINT • Create S3 bucket names for apex and vanity subdomains • Create CloudFront CNAME’s for apex and vanity subdomains • Risks • Inability to use apex, subdomains, bucket within AWS • Development pipeline disruption • Legal precedents and recourse for recovery
- 25. Mitigation and Remediation • Squat Your Own S3 buckets and CloudFront CNAME’s • Global namespace = race condition • Apex » wildcard » subdomain • Fix Decoupled CloudFront/S3 and Route53/CloudFront • Delete or modify • Validate CI/CD dependencies! • Enumerate decoupled Route53 and CloudFront (S3 coming soon!) • CloudJack — https://github.com/prevade/cloudjack
- 26. Is there a live demo?