Hostile Subdomain Takeover using Pantheon
Hi Hackers,
In this blog post I’ll talk about how I found a very interesting Subdomain Takeover issue in Pantheon which affects but not limited to Tor Project Blog, Donald J Trump domain, Harvard University and many more. Hackers (regardless of the hat color) can claim and withdraw those subdomains hence cause a business harm (in case of black-hat ones).
First lets know what is “Pantheon”?
Pantheon one of the best world’s website management platform one that gives web teams all of the developer tools, hosting, scaling, performance, workflow and the automation they need to build the best websites in the world, pantheon powers 100,000 sites and involves WordPress and Drupal Hosting along with other services related to building, launching and managing service for those websites.
Lets dive into the details!
Back in time, I found an subdomain takeover issue affecting Donald J Trump’s website domain along with some other companies and responsibly reported them under the bug bounty responsible disclosure for sure (this is how white-hats acts).
I will take “Donald J Trump’s website” as an example for this blog-post , I’m usually playing with the big websites when I was wearing my black-hat long time ago then I decided pick and play with Donald J Trump’s website a little bit.
I discovered that Donald J Trump’s website was using CloudFlare service so I used services/tools like “censys.io” and “dnsdumpster” to find and check the IPs and subdomains pointing to external services.
Hours and hours, I failed to find a single external service so i had idea to use a tool developed by a friend to harvest all the publicly known subdomains from search engines after finishing the scan process i found one of the domains which is abandoned but still pointing to “Pantheon service”. That subdomain was “secure2.donaldjtrump.com”.
The above screenshot indicates *for sure* that anyone can claim this subdomain and deface/create any kind of scripts served and affects the visitors of this subdomain.
And here what i simply did:
1. Signed up as client in Pantheon service.
2. Created a Sandboxed domain as Wordpress or Drupal.
3. Added a credit card, then subscribed as ‘Professional’ to setup the sandboxed domain.
4. Used a feature called “custom domains” to add the vulnerable subdomain to my account.
5. Waited for the verification and building process to be finish.
6. Boom I started to administrate the subdomain.
Want to dive more in the details with me?
Ok, so you’ve reached that far, Lets use nmap to extract the IP addresses of the service and check reverse DNS for other domains which are pointing to Pantheon:
Let’s check the reverse DNS of “23.185.0.XXX” from 1 : 1000
As an example of a DNS-entry that could be used for this attack we found this: http://cdn3.computersupport.com/
To mitigate such attacks here are some recommendations from “Detectify” which is the original author of this attack type:
1. Check your DNS-configuration for subdomains pointing to services not in use.
2. Set up your external service so it fully listens to your wildcard DNS.
3. The best advice to this is to keep your DNS-entries constantly vetted and restricted.
Resources
- https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/
- https://labs.detectify.com/2014/12/08/hijacking-of-abandoned-subdomains-part-2/
Done!
Thanks for reading. Let me know what you think about what you’ve just read, Tweet me @hussain_0x3c
Big Thanks to @SymbianSyMoh for help
