Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Microsoft Azure proofs #35

Open
PatrikHudak opened this issue Sep 12, 2018 · 171 comments
Open

Microsoft Azure proofs #35

PatrikHudak opened this issue Sep 12, 2018 · 171 comments
Labels
vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service.

Comments

@PatrikHudak
Copy link

PatrikHudak commented Sep 12, 2018

Service name

Microsoft Azure

Proof

There is no general approach for PoC. Microsoft Azure offers multiple services (CloudApp, Azure Websites, etc.) that use different domain names.

General approach in verifying subdomain takeover is to check, whether the Azure domain responds with NXDOMAIN DNS status. This is (to my knowledge) the necessary condition of the domain, however it is not sufficient. In other words, not all Azure domains which are used in some CNAME and respond with NXDOMAIN are vulnerable to subdomain takeover. I personally got a case where Azure portal refused to create a domain even though it responded with NXDOMAIN.

Some H1 reports to prove this point:

As mentioned before, the PoC creation depends on the service in question, however, they generally tend to have similar workflows.

Documentation

These are the domains that are identified as vulnerable. Each of these is used for particular Azure service:

  • *.cloudapp.net
  • *.cloudapp.azure.com
  • *.azurewebsites.net
  • *.blob.core.windows.net
  • *.cloudapp.azure.com
  • *.azure-api.net
  • *.azurehdinsight.net
  • *.azureedge.net
  • *.azurecontainer.io
  • *.database.windows.net
  • *.azuredatalakestore.net
  • *.search.windows.net
  • *.azurecr.io
  • *.redis.cache.windows.net
  • *.azurehdinsight.net
  • *.servicebus.windows.net
  • *.visualstudio.com
@EdOverflow EdOverflow added the vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service. label Sep 13, 2018
@Sechunt3r
Copy link

Hi All,
Hope you are good!

if a Azure Domain not Respond with NXDOMAIN that means it is not Vulnerable.
But if it shows this ;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR,

Then what would be the answer is it vulnerable or not!

Hope you understand my points

Regards
Shivam

@codingo
Copy link
Collaborator

codingo commented Oct 21, 2018

Linked back on the main repository, closing this as @Sechunt3r's comment is already addressed in @PatrikHudak's summary.

@codingo codingo closed this as completed Oct 21, 2018
@ghsec
Copy link

ghsec commented Feb 27, 2019

if subdomain return public IP is possible subdomain takeover?

@sumgr0
Copy link

sumgr0 commented Mar 3, 2019

If the sub-domain points to traffic manager service for Azure, is the takeover possible? When attempting to create a traffic manager profile using the same name as in the CNAME, getting error which mentions "Domain name xyz.trafficmanager.net already exists. Please choose a different DNS prefix".

Has Microsoft patched the service or am I doing something wrong?

Thanks

@PatrikHudak
Copy link
Author

@sumgro Microsoft haven't patched the service and you are doing everything ok.

You are getting a error message because the Traffic Manager profile actually EXIST, so you are unable to claim it. When you make a DNS request to *.trafficmanager.net and get NXDOMAIN there are two possible outcomes:

  1. The Traffic Manager with requested name really don't exist - you can go ahead and register it. In this context it is likely that the Subdomain Takeover is possible.
  2. (From my own testing) Traffic Manager profile can be created, however there is no requirement to assign it any endpoints by default. Traffic Manager (as the name) implies is trying to distribute network traffic using different settings and acts just as a middleman. This means that in order it to work, you need to set up endpoints (a.k.a. FQDN) where the traffic will be forwarded once the user reaches to something.trafficmanager.net. Now to the core of the problem: When there is no endpoint assigned in the profile, you will get the same NXDOMAIN response as you would get with non-existing TM profile. In this case, you won't be able to take in over because the TM profile with the name in CNAME record actually exist, it just seems that the profile does not exist.

It is pretty easy to setup a automation for that using Azure API. You would need to test a creation of particular TM profile and not rely only on DNS request as some external indicator of TM profile existence.

Hope it helps.

@sumgr0
Copy link

sumgr0 commented Mar 3, 2019

Thank you for the revert @PatrikHudak, really appreciate the detailed reply.

I'm fairly new to the subdomain takeover subject. When testing for the subdomain in question, the dig <subdomain.domain.com> confirmed the error NXDOMAIN (thereby bringing a smile) and then the CNAME pointed to xyz.trafficmanager.net.

From your reply, I understand that the profile already exists with the same name as the CNAME, even when the end-point may not have been setup, this results in the error message both when visiting the link and through the dig command. Hence, the takeover for in this situation may not be successful.

Not able to get the pointers on the Azure API for automation, kindly point in the direction to be able to research more on the topic to get an understand for future hunting.

Thanks

@sumgr0
Copy link

sumgr0 commented Mar 21, 2019

I've come across a sub-domain, pointing to an azure web app service. This CNAME itself has 3 levels like xyz.abc.m.azurewebsites.net. It shows the NXDOMAIN error when checking with dig.

However, when I try to create the App on the Azure Portal as xyz.abc.m to takeover, it does not allow periods in the same. Anyone aware of how can such scenario be handled for sub-domain takeover?

Thanks

@nikokosm
Copy link

nikokosm commented Mar 28, 2019

I also faced this. I found a subdomain that resolved to xyz.easteurope.cloudapp.azure.com and could not use the . character. Anyone else got around this?

Edit: turns out you could take over this by registering an Azure VM in the easteurope region ;)

@sumgr0
Copy link

sumgr0 commented Mar 28, 2019

found this in relation to the above, but haven't been able to go through in details to understand:
https://docs.microsoft.com/en-us/azure/app-service/environment/using-an-ase

@AdmiralGaust
Copy link

I found a subdomain pointing to 104.211.97.138. The ip certificate is issued to *.azurewebsites.net and the subdomain does not contain txt record.

Is it vulnerable to subdomain takeover?

@codingo codingo mentioned this issue Sep 5, 2019
@marcelo321
Copy link

marcelo321 commented Dec 26, 2019

I think it is a Edge case too.

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2616
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

"Domain name redacted.trafficmanager.net already exists. Please choose a different DNS prefix."

@marcelo321
Copy link

Can anyone confirm if this isn't possible or im just stupid?

when tryin to claim a CNAME with multiple levels like abc.aaa.azurewebsite.net i get

. is an invalid character

this means it is only possible to claim 1 level subdomains like abc.azurewebsite.net?

@hamzaavvan
Copy link

Which azure service gives us mysubdomain.windows.net ?
Any help would be appreciated.

@chiko360
Copy link

how can i claim this *.cloudapp.azure.com ?

@davisfreimanis
Copy link

how can i claim this *.cloudapp.azure.com ?

You can simply create a Virtual Machine in the specific region and then in the left menu select "Configure" and set a desired DNS name label.

The format of the URL will be:
<dnsname>.<region>.cloudapp.azure.com

@stark0de
Copy link

Does anyone know if it is possible to claim *.azurewebsites.us domains?

@adityathebe
Copy link

adityathebe commented May 16, 2020

Is this still vulnerable ? Because Azure requires a unique Custom Domain Verification ID to be put as a TXT record in the DNS.

image

Until the TXT record is configured the following error will show up

image

I have only tried this for Web Apps (.azurewebsites.net)

Repository owner deleted a comment May 20, 2020
@EdOverflow
Copy link
Owner

@EdOverflow EdOverflow added not vulnerable Someone has made it very clear that this service is not vulnerable to subdomain takeovers. and removed vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service. labels May 20, 2020
@EdOverflow EdOverflow reopened this May 20, 2020
@EdOverflow
Copy link
Owner

Never mind, it’s still vulnerable. Just observed one get snatched live. 😂

@EdOverflow EdOverflow removed the not vulnerable Someone has made it very clear that this service is not vulnerable to subdomain takeovers. label May 20, 2020
@4nibhal
Copy link

4nibhal commented Oct 8, 2023

In *azurewebsites.net, there is also a verification of DNS records.
Still try it always, and if you find something different you could share it with the community :D

@mohamed-faris
Copy link

image
what about this

@4nibhal
Copy link

4nibhal commented Oct 14, 2023

@PH-Apolonio hey hey could you climb that?
have you been able to takeover?

@pdelteil
Copy link
Contributor

Guys, traffic manager is not vulnerable since at least 2 years.

@devbertram
Copy link

devbertram commented Oct 31, 2023

Hi everyone. is *.azureedge.net still vulnerable? Tried some approach via CDN Profile and not working.
Screenshot 2023-10-31 230502
Screenshot 2023-10-31 232233

@xMrEhAcKeR
Copy link

Hello Guys, hope you're all good!.
I found *.southafricanorth.cloudapp.azure.com and the server status is showing NXDOMAIN, I wonder if this is sill available to takeover. i spent 2 days trying =_=l

@jan-call
Copy link

In *azurewebsites.net, Subdomain takeover fail:
Website with given name xxx already exists
image

@xElkomy
Copy link

xElkomy commented Dec 25, 2023

If I have a subdomain point to third azurewebsites like example.example.azurewebsites.net
can I take over it?

@ceylanb
Copy link

ceylanb commented Jan 2, 2024

Hi everyone. is *.azureedge.net still vulnerable? Tried some approach via CDN Profile and not working. Screenshot 2023-10-31 230502 Screenshot 2023-10-31 232233

Yes, it is still vulnerable. However, the number of vulnerable assets will decrease daily due to the following protection mechanism. Additionally, be careful if you have already taken over the target subdomain because you can't release/delete it if you can't change its CNAME record :)

image

In order to delete the CDN endpoint, you first need to delete the Custom Domain. To prevent dangling DNS entries and the security risks they create, starting from April 9th 2021, Azure CDN requires removal of the CNAME records to Azure CDN endpoints before the resources can be deleted. - Azure

@YusukeJustinNakajima
Copy link

Hi

I have a question about the subdomain takeover regarding azure-api.net. I currently have a domain A pointing to xxx.azure-api.net in CNAME, and I have an Azure API Management to xxx.azure-api.net. Originally, it was failing to resolve the name of domain A, but now it can resolve the name, but when I access to domain A, I get a 404 Not Found error and cannot route to the API I prepared for xxx.azure-api.net. Can anyone tell me how to make the routing work or how to create a PoC ?

@Memmedyar
Copy link

Hi

I have a question about the subdomain takeover regarding azure-api.net. I currently have a domain A pointing to xxx.azure-api.net in CNAME, and I have an Azure API Management to xxx.azure-api.net. Originally, it was failing to resolve the name of domain A, but now it can resolve the name, but when I access to domain A, I get a 404 Not Found error and cannot route to the API I prepared for xxx.azure-api.net. Can anyone tell me how to make the routing work or how to create a PoC ?

same here

@Phoenix1112
Copy link

@zy9ard3

It's true that on some occasions a mandatory TXT verification is needed to perform the Subdomain Takeover. However, there are still some situations in which this is not the case and the takeover can be done without this verification.

I cannot add a custom domain for azurewebsites.net because it requires TXT verification. please can you help me. How will we get past this situation?

@pdelteil
Copy link
Contributor

pdelteil commented Apr 1, 2024

@zy9ard3
It's true that on some occasions a mandatory TXT verification is needed to perform the Subdomain Takeover. However, there are still some situations in which this is not the case and the takeover can be done without this verification.

I cannot add a custom domain for azurewebsites.net because it requires TXT verification. please can you help me. How will we get past this situation?

If you're being asked for a TXT verification it means you can't take it over, the domain is not vulnerable. If you can bypass the TXT verification you can takeover all domains pointing to azurewebsites, therefore making you rich.

@nakib85
Copy link

nakib85 commented Apr 21, 2024

is it still vulnerable?
Screenshot_55

@sainath-reddiee
Copy link

Hi @PatrikHudak

I successfully claimed cname for the *cloudapp.net service takeover but got struck to create real poc to showcase to traigers.
I’m unable to create required files Can anyone help me in creating cscfg & cspkg files ?
IMG_1295

@sainath-reddiee
Copy link

Hi, I have various *.cloudapp.net subdomains registered but I cannot seem to deploy a proof.

Does anyone have any up to date instructions on creating PoC code for cloud services?

This method in this article is out of date and the code no longer works https://godiego.co/posts/STO-Azure/

Hey hi , did you find any real working poc ?

I’m looking to create sample poc

@marcelo321
Copy link

@sainath-reddiee if you took over the subdomain but are unable to upload the files (and the subdomains belong to a bbp and not a vdp), hit me up in twitter https://twitter.com/zonduu1 and I should be able to help get a PoC. Some accounts can, some can't create the poc, no idea why

@sainath-reddiee
Copy link

@sainath-reddiee if you took over the subdomain but are unable to upload the files (and the subdomains belong to a bbp and not a vdp), hit me up in twitter https://twitter.com/zonduu1 and I should be able to help get a PoC. Some accounts can, some can't create the poc, no idea why

Hi @marcelo321 unable to ping you in twitter
My handle @sainath29 (twitter)

@Harsh-Navgale
Copy link

Note : *.cloudapp.net no longer vulnerable as the Azure Cloud Services (Classic) are deprecated.

@sainath-reddiee
Copy link

No I claimed 3 takeovers :)

@Harsh-Navgale
Copy link

@sainath-reddiee can you pls tell process here?

@mcipekci
Copy link

mcipekci commented Jul 6, 2024 via email

@HackerSSG
Copy link

HackerSSG commented Jul 10, 2024

I also faced this. I found a subdomain that resolved to xyz.easteurope.cloudapp.azure.com and could not use the . character. Anyone else got around this?

Edit: turns out you could take over this by registering an Azure VM in the easteurope region ;)

brother please help me any body can help me i found a subdomain like ---> subdomain.company.com

which cname point to ---> subdomain.westus2.cloudapp.azure.com

i can create service on azure portal like the name before westus2 (means subdomain name) but when adding custom domain azure want to verify through adding records like CNAME and TXT records so how can i takeover it please any one guide me or tell me

@PatrikHudak @codingo @davisfreimanis @ceylanb @CalfCrusher please help

and one thing also that i can create resource or service in east region i have created free account in which i have 200 usd credit

@k0ns0l
Copy link

k0ns0l commented Sep 17, 2024

@usmanzahid123999

Go through this blogpost -> https://godiego.co/posts/STO-Azure/

@med0101z
Copy link

med0101z commented Oct 7, 2024

enterpriseregistration.test.net. 300 IN CNAME enterpriseregistration.windows.net.
enterpriseregistration.windows.net. 300 IN CNAME na.privatelink.msidentity.com.
na.privatelink.msidentity.com. 300 IN CNAME prdf.aadg.msidentity.com.
prdf.aadg.msidentity.com. 300 IN CNAME www.tm.f.prd.aadg.akadns.net.

is ther any subdomain takeover for enterpriseregistration.test.net ? please reply guys ?

@Tarun5139
Copy link

Tarun5139 commented Oct 24, 2024

@pdelteil @codingo @davisfreimanis
What is this error could you explain this to me
Screenshot 2024-10-24 at 7 01 43 PM

@pdelteil
Copy link
Contributor

pdelteil commented Oct 24, 2024 via email

@sh3rl0ckpggp
Copy link

Is the Azure fixed the issue ? Needs to add dns record .
I have followed the POC technique but failed
https://godiego.co/posts/STO-Azure/
image

@pdelteil
Copy link
Contributor

This is still an edge case.

Stop tagging people for answers that are easily searchable. The error message means the resource is not vulnerable.

On Thu, Oct 24, 2024, 08:32 SHROUD @.> wrote: @pdelteil https://github.com/pdelteil @codingo https://github.com/codingo @davisfreimanis https://github.com/davisfreimanis What is this error could you explain this to me Screenshot.2024-10-24.at.7.01.43.PM.png (view on web) https://github.com/user-attachments/assets/d8a73cbd-2d28-4a80-b4e1-71861162c4f6 — Reply to this email directly, view it on GitHub <#35 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AE2OS74RTPOZZ6WZ3GACNK3Z5DZHLAVCNFSM4FUUY4J2U5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TENBTGUZTCMBUGY2Q . You are receiving this because you were mentioned.Message ID: @.>

@ceylanb
Copy link

ceylanb commented Nov 27, 2024

Hi

I have a question about the subdomain takeover regarding azure-api.net. I currently have a domain A pointing to xxx.azure-api.net in CNAME, and I have an Azure API Management to xxx.azure-api.net. Originally, it was failing to resolve the name of domain A, but now it can resolve the name, but when I access to domain A, I get a 404 Not Found error and cannot route to the API I prepared for xxx.azure-api.net. Can anyone tell me how to make the routing work or how to create a PoC ?

@YusukeJustinNakajima @Memmedyar check custom domains. don't forget to add the custom domain.

Additionally, I just took over a subdomain (*.azure-api.net) through Azure API Management, so it is still vulnerable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service.
Projects
None yet
Development

No branches or pull requests