Sourav Sahana

@pocdork

Sourav Sahana Uncategorized Create N number of Subdomains | AWS CloudFront Misconfiguration

Create N number of Subdomains | AWS CloudFront Misconfiguration

Summary:

Security issues could be anywhere, either for a loophole in services or by developers due to the complexity of the service.

AWS is used for many purposes. In this post, I’ll tell you how dangerous it could be if it is not configured properly. Let’s discuss some terms first.

What is Wildcard domain:

WildCard subdomains (same as WildCard DNS) allow you to point all the subdomains (existing and non-existing) to a specific domain.

It means that if you enter any subdomain in your browser (for example, test.domain1.com – which does not existing, or forum.domain1.com – existing) it will show the same content that you uploaded to the file folder for the WildCard subdomain.

How to Set Wildcard Domain in AWS:

We can use a AWS S3 bucket as wildcard endpoint. All existing and non existing sub domain will redirect to that bucket.

Suppose you bought a domain example.com and want to create a wildcard record for this domain with AWS. So first you created a wildcard endpoint: www.example.com.s3.amazonaws.com . All non existence and existence sub domain will redirect to this bucket.

Then You must create a cloudfront distribution for your bucket (www.example.com.s3.amazonaws.com). cloudfront url will look like this: 64sder41bg112.cloudfront.net.

Now you can add this cloudfront endpoint in your domain CNAME record like this:

*.example.com. CNAME  64sder41bg112.cloudfront.net 

Feeling boring !..? Let’s discuss my story. I was testing web asset of a company. As I told before Reverse Whois is your VIP friend. Sometimes company create a domain for a specific purposes and further they don’t delete that domain, just set a redirect to their main domain.

I found a domain (example.com) using reverse whois search. This domain don’t have any sub domain. When I’m trying to visit this domain it simple redirect me to a s3 bucket (www.example.com.s3.amazonaws.com) and further redirecting to their main public domain. (company.com). They created below DNS record [I got to know because further they sent me a screenshot of DNS record] :

example.comCNAMEwww.example.com.s3.amazonaws.com
www.example.comCNAMEwww.example.com.s3.amazonaws.com
*.example.comCNAMEwww.example.com.s3.amazonaws.com
@.example.comCNAMEwww.example.com.s3.amazonaws.com

See the 3 and 4 no record. They are trying to create a wildcard record but this is not the right way in AWS.

As a result if I visit any non existence sub domain like: sahana.example.com, evil.example.com, etc . It will show same error: No Such Bucket, The specific bucket does not exist.

Now I can create a bucket named: sahana.example.com.s3.amazonaws.com or evil.example.com.s3.amazonaws.com and will take over the domain.

The Fact is:

If you see CNAME record of any of these non existence sub domains using dig or host command it will show the same CNAME record (www.example.com.s3.amazonaws.com).

Owner of the domain (example.com) can not see any of the sub domains created by hacker in the DNS record.

.

.

Thank you. Hope you have enjoyed this story …

2 thoughts on “Create N number of Subdomains | AWS CloudFront Misconfiguration”

Leave a Reply to cybrog Cancel reply

Your email address will not be published. Required fields are marked *

TopBack to Top