
Zendesk no more possible? #23

Closed
energiatel opened this issue Jul 12, 2018 · 31 comments
Labels
vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service.

Comments

@energiatel

As reported here https://support.zendesk.com/hc/en-us/articles/203664356-Changing-the-address-of-your-Help-Center-subdomain-host-mapping- Zendesk subdomain takeover requires making the subdomain an alias of the default address. So it shouldn't be possible to get a subdomain takeover without getting access to the domain registrar's control panel.

Am I wrong?

@codingo

codingo commented Jul 27, 2018

This takeover is possible when a Zendesk account has been deleted, but still remains available in the host domains DNS record.

When you dig the record you will see the CNAME; this corresponds to the name of the Zendesk account you need to (re)create. Once you've done so you'll have claimed Zendesk on this host domain.

This is a much less valuable takeover than other scenarios, as you aren't hosting content on the domain like you are in other takeovers (removing XSS/CORS possibilities) and you're instead hosting a new support (Zendesk) instance. It's useful for red teaming and social engineering, but I wouldn't expect the bounty payments to be as much as in other scenarios where you can demonstrate more relevant risk.

@codingo codingo closed this as completed Jul 27, 2018
@codingo codingo self-assigned this Jul 27, 2018
@codingo codingo added the question Further information is requested label Jul 27, 2018
@EdOverflow EdOverflow added edge case An edge case was discovered where it is possible to hijack a subdomain on this service. and removed question Further information is requested labels Sep 9, 2018
@EdOverflow EdOverflow reopened this Sep 9, 2018
@JesseClarkND

My experience with a Zendesk takeover attempt this morning.
(attached screenshot: no_luck)

@codingo codingo added the not vulnerable Someone has made it very clear that this service is not vulnerable to subdomain takeovers. label Oct 14, 2018
@codingo

codingo commented Oct 14, 2018

Thank you @JesseClarkND, I was also familiar with this one through a recent attempt. I've made a change to the repo in line with your proofs and will now close this issue (see: #51).

Appreciate your efforts!

@codingo codingo closed this as completed Oct 14, 2018
@m7mdharoun

Zendesk is still vulnerable. Just check all the site's subdomains: if one subdomain is added to a Zendesk account and another is added too (only one will be the CNAME and the other one will redirect you to the fingerprint that gives you the error).

Example: if I add my subdomain (support.example.com) to my Zendesk account with my CNAME and add my other subdomain (help.example.com) to the same CNAME...

My first subdomain support.example.com will show me my Zendesk site, but when I go to help.example.com I will find myself redirected to the fingerprint error.

So you can take over a subdomain that already exists?
Sure you can't!

Only if the company has only one subdomain listed in Zendesk and the subdomain redirects you to the fingerprint error. Then sure, you can take over!

@bgxdoc

bgxdoc commented Mar 14, 2019

I tried taking over an expired Zendesk subdomain and it worked, but after I activated the help center in the Zendesk settings menu, it should appear on the subdomain but it is still redirecting to the previous error. Can anybody tell me if it takes time to get published on the main subdomain after activation?

Update: I have only a trial account, is that why Zendesk is not showing it on the subdomain?

Update: it worked.

@JLLeitschuh

JLLeitschuh commented Mar 15, 2019

@bgxdoc If you could describe your steps to achieve it so that it worked, that would be awesome.

@Cillian-Collins

I just got a successful takeover today.

Simply located a domain which was redirecting to a Zendesk page saying "This help center has been deleted".

Found the CNAME. Registered that on Zendesk as my account. Now it's pointing to mine. Set up an SSL cert so that it stops redirecting to my Zendesk, and instead it actually hosts it on the real subdomain.

Need to figure out a way to get stored XSS via zendesk admin so that I can improve on the impact...

@JLLeitschuh

JLLeitschuh commented Apr 20, 2019

Double dipping there? Get a bounty from ZenDesk and the company?

@Cillian-Collins See if you can use the Zendesk name to also generate emails from that domain; you can leverage that email to pivot into internal Slack/Jira instances.

Read:
https://medium.com/intigriti/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c

If it works, I totally accept tips to my PayPal account. 🤣

@ym500

ym500 commented Apr 21, 2019

If the domain name is not taken you can take it over. You need to enable the SSL certificate in the security settings and enable the Host Mapping option in the account settings and it will work.

@GDATTACKER-RESEARCHER

I tried taking over an expired Zendesk subdomain and it worked, but after I activated the help center in the Zendesk settings menu, it should appear on the subdomain but it is still redirecting to the previous error. Can anybody tell me if it takes time to get published on the main subdomain after activation?

Update: I have only a trial account, is that why Zendesk is not showing it on the subdomain?

Update: it worked.

How did it work? What did you change?

@bgxdoc

bgxdoc commented Jul 23, 2019

@gauravdrago:
In the comment above, @YosefMahmoud has already described the solution. It's the same thing I did to make it work.

"If the domain name is not taken you can take it over. You need to enable the SSL certificate in the security settings and enable the Host Mapping option in the account settings and it will work."

@GDATTACKER-RESEARCHER

GDATTACKER-RESEARCHER commented Jul 23, 2019 via email

@bgxdoc

bgxdoc commented Jul 23, 2019

@gauravdrago
I believe Zendesk has a free trial option; use that. In case you have used the trial account before, then simply create a new account and then use the free trial.

@GDATTACKER-RESEARCHER

GDATTACKER-RESEARCHER commented Jul 23, 2019 via email

@bgxdoc

bgxdoc commented Jul 23, 2019

@gauravdrago
It worked for me back then, but why not now, I don't know; I guess they might have disabled it for trial accounts.
I will look into this once I get free time from my work.

@GDATTACKER-RESEARCHER

GDATTACKER-RESEARCHER commented Jul 23, 2019 via email

@ym500

ym500 commented Jul 23, 2019

@bgxdoc @gauravdrago
Not sure about the free trial and premium. To solve this: Zendesk has three cases when you see the help desk is closed:

1- Deleted help desk: you can take it over
2- Inactive: you can't take it over until 90 days have passed
3- Sometimes companies use only the chat widget from Zendesk without a help center; it will respond with the same message but you can't take it over

Not sure if there are any other cases; if someone has already faced another case he can post it to help solve this issue.

@fl0ydsg

fl0ydsg commented Aug 30, 2019

still possible

@maxicrisp

@roblox1488 Did you have a specific method that you used that is separate from the above comments?

@fl0ydsg

fl0ydsg commented Sep 29, 2019

@roblox1488 Did you have a specific method that you used that is separate from the above comments?

You have to wait a while after the subdomain stops being in use, then you can just register it normally like you would.

@bugbaba

bugbaba commented Jan 15, 2020

Looks like it is vulnerable in some cases. This person was able to take over the Zendesk portal.

https://hackerone.com/reports/759454

@EdOverflow EdOverflow removed the not vulnerable Someone has made it very clear that this service is not vulnerable to subdomain takeovers. label Jan 16, 2020
@JvdHout1011

There are two possibilities when dealing with a closed Zendesk help center, as far as I've encountered so far.

Possibility 1: The domain the Zendesk domain is pointing towards is in use. However, the host mapping has not been done correctly, which makes the domain display a 'help center closed' notice. This case is not vulnerable, because the Zendesk domain (i.e. the CNAME reference (*.zendesk.com)) is occupied.

Possibility 2: The Zendesk domain is not in use and the target's domain name is displaying a 'help center closed' notice. Here, takeover is possible.

For a successful takeover, follow these steps:

  1. Go to zendesk.com and register for a free trial. You will be asked what name you want the Zendesk domain to have (foo.zendesk.com); if it is available for takeover, it will display a green checkmark.
  2. After registering, go to Settings > Account > Host mapping. Fill in the domain this Zendesk domain is pointing to.
  3. Enable SSL on the domain to stop the redirect when you browse to your target's domain (if SSL is not enabled, when browsing to the vulnerable domain (foo.vulnerable.com), Zendesk will redirect to your Zendesk subdomain).
  4. Start up a guide and enable unsafe content in Admin settings.
  5. In an article, add an extra line of source code (f.e. <script>alert("stored XSS for PoC")</script>)
  6. ???
  7. Profit.

@m0ns7er

m0ns7er commented Apr 26, 2020

There are two possibilities when dealing with a closed Zendesk helpcenter as far as I've encountered so far.

..............

Thanks @JvdHout1011 for the good write-up. Yes, it is still possible to hijack/take over a subdomain through the Zendesk portal. I took over the subdomain support.*******.com and I'm receiving their help desk emails on the Zendesk dashboard.

POC : https://drive.google.com/file/d/1h4QomND3n7O5dRCzyGmHQ78qdFcpK51L/view?usp=sharing

@Mouja0412

Thank you @JvdHout1011
I can confirm the takeover is still working; I took over a subdomain through the Zendesk portal a few minutes ago.
POC here:
https://prnt.sc/s80l2i
https://prntscr.com/s80mhi

@Mouja0412

Update: There's something wrong with the trial period ending just after confirming my email. Happened 5 times in 5 subdomains I was trying to take over.
Is it because I was using the same IP? (will try from another IP)
Can anyone confirm this issue please?

@Superngorksky

@JvdHout1011 I can confirm the takeover still works.

@EdOverflow Please update this. Using @JvdHout1011's method, the takeover is still possible.

@soareswallace

There is already a report about this takeover on H1. I believe it is possible.

https://hackerone.com/reports/810807

@Mouja0412

@soareswallace I confirm, I already took over 10 subdomains in the last 3 days. I sent reports to HackerOne but most of them are "ineligible" and they said "We do in fact consider bounty payment on a case by case basis for bounty".

@riramar

riramar commented Sep 4, 2020

Seems it is still vulnerable.
https://www.youtube.com/watch?v=sBTVWKeh7xY

@Mouja0412

Mouja0412 commented Sep 4, 2020

Seems it is still vulnerable.
https://www.youtube.com/watch?v=sBTVWKeh7xY

Hello, I didn't test whether it's still vulnerable or not (it's been 4 months since my last report, as shown in the video); I will check that tomorrow and will keep you updated.

(The POC video is mine, from my report here: https://hackerone.com/reports/869605, but someone downloaded it and posted it on YouTube, so the YouTube channel is not mine.)

@jub0bs

jub0bs commented Oct 28, 2020

Not sure why this is marked as "Not vulnerable"... As others have reported above, Zendesk is still vulnerable, although the necessary conditions may have changed over time. Let's take zendesk.example.com as an example in what follows.

Regarding impact:

  • Such a subdomain takeover is a phisher's wet dream. I've even seen cases in which emails sent to support@example.com automatically created a ticket in Zendesk; not bad for phishing users asking for help.
  • You can achieve stored XSS in the context of the subdomain, which may have implications for other subdomains of the target (e.g. if they have sensitive cookies improperly scoped to a common parent domain).

Signature

In my experience, there are two necessary conditions for a host to be vulnerable. First, zendesk.example.com must have a CNAME record targeting some zendesk.com subdomain corresponding to a Help Center. Second, zendesk.example.com must be available as a custom domain name on the platform. You can check that programmatically by sending a request of the following form (which the Zendesk frontend sends to the backend when you sign up for a free trial):

$ target="zendesk.example.org"
$ curl -s 'https://www.zendesk.com/wp-content/themes/zendesk-twentyeleven/lib/domain-check.php' \
      -H 'authority: www.zendesk.com' \
      -H 'pragma: no-cache' \
      -H 'cache-control: no-cache' \
      -H 'accept: */*' \
      -H 'x-requested-with: XMLHttpRequest' \
      -H 'user-agent: REDACTED' \
      -H 'content-type: application/x-www-form-urlencoded; charset=UTF-8' \
      -H 'origin: https://www.zendesk.com' \
      -H 'sec-fetch-site: same-origin' \
      -H 'sec-fetch-mode: cors' \
      -H 'sec-fetch-dest: empty' \
      -H 'referer: https://www.zendesk.com/register/' \
      -H 'accept-language: en-GB,en-US;q=0.9,en;q=0.8,fr;q=0.7' \
      --data-raw "domain=$target" \
      --compressed

Inspect the JSON response. You can safely ignore the value of the available field, which I have found to be misleading. What truly matters is the presence of a suggestion field in the response; if that field is present, the custom domain name is unavailable; otherwise, the custom domain name is available.

Be mindful that Zendesk sits behind Cloudflare, and if you hammer it with such requests, you'll likely get a temporary IP ban from Cloudflare.

A subtlety regarding cert provisioning

Zendesk offers to provision a TLS cert (using Let's Encrypt) for your custom domain, but this provisioning can fail. Be aware that cert provisioning may fail multiple times at first, for no good reason, really; be patient but persistent: retry a few times.

However, one remarkable reason for cert-provisioning failure is when the root domain of your custom domain name features on Let's Encrypt's deny list; in that case, provisioning of the cert will fail, but the error message shown in Zendesk's frontend will be indistinguishable from that of a transitory cert-provisioning failure. You simply won't be able to tell that it's due to a problem with Let's Encrypt, unless, perhaps, you ask Zendesk's support nicely.

If you cannot obtain a certificate for your custom domain, visiting it will simply redirect you to the associated Zendesk subdomain, which greatly reduces the impact of the subdomain takeover :(

Tip: disable email notifications

As soon as you get a foothold and before notifying the target, I recommend disabling all email notifications in the Zendesk settings. Why? Once the target removes the offending CNAME record, you won't be able to access the Zendesk account; as a result, you won't be able to disable email notifications, and you'll keep receiving emails (marketing, etc.) until your free trial expires, which can be annoying.
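A defender-side check for the dangling-record condition this thread describes, as an added example (not code from the can-i-take-over-xyz repository or from any commenter): it scans a BIND-style zone export for CNAMEs pointing at *.zendesk.com and flags hosts whose response carries the "help center closed" / "This help center has been deleted" fingerprint quoted above. The zone file and the response bodies are constructed, and the fetch function is injected so the audit runs offline.

```python
"""Audit a DNS zone export for CNAMEs that point at Zendesk and flag the 'help center
closed' fingerprint described in this thread.  Added example; all inputs are constructed."""
from dataclasses import dataclass

ZENDESK_SUFFIX = ".zendesk.com"
# Response text seen on dangling Zendesk hosts, as quoted by commenters above.
FINGERPRINTS = ("help center closed", "this help center has been deleted")

@dataclass
class Finding:
    host: str
    cname: str
    status: str  # "dangling", "in-use" or "unknown"

def zendesk_cnames(zone_text):
    """Return (host, target) pairs for BIND-style CNAME records targeting *.zendesk.com."""
    pairs = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2:4] == ["IN", "CNAME"]:
            host, target = fields[0].rstrip("."), fields[4].rstrip(".")
            if target.lower().endswith(ZENDESK_SUFFIX):
                pairs.append((host, target))
    return pairs

def classify(host, cname, body):
    """A fingerprint match means the CNAME target no longer serves a live Help Center
    and the record should be removed or re-pointed before someone else claims it."""
    text = body.lower()
    if any(fp in text for fp in FINGERPRINTS):
        return Finding(host, cname, "dangling")
    return Finding(host, cname, "in-use" if text.strip() else "unknown")

def audit(zone_text, fetch):
    """fetch(host) returns the HTTP body; injected so the example runs offline."""
    return [classify(h, c, fetch(h)) for h, c in zendesk_cnames(zone_text)]

# Constructed zone export and constructed response bodies for a stand-alone run.
SAMPLE_ZONE = """\
support.example.com. 300 IN CNAME acme.zendesk.com.
help.example.com.    300 IN CNAME acme-old.zendesk.com.
www.example.com.     300 IN A     192.0.2.10
"""
SAMPLE_BODIES = {
    "support.example.com": "<html><title>Acme Support</title></html>",
    "help.example.com": "<html>Help Center Closed. This help center has been deleted.</html>",
}

if __name__ == "__main__":
    print(*audit(SAMPLE_ZONE, SAMPLE_BODIES.__getitem__), sep="\n")
```

In a real deployment, `fetch` would issue an HTTPS GET to each host and the "dangling" findings would feed a ticket to remove the CNAME, which is the fix the thread's participants describe the target applying.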

@EdOverflow EdOverflow added vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service. and removed edge case An edge case was discovered where it is possible to hijack a subdomain on this service. labels Feb 7, 2021
c53martin added a commit to c53martin/can-i-take-over-xyz that referenced this issue May 16, 2022
just confirmed that its still possible via zendesk see EdOverflow#23 (comment)