Telecom Italia (TIM) - Azure subdomain takeover

Subdomain takeover is a well-known technique that has become popular in recent years with the rise of cloud providers. At the end of April I was able to take over the timcafe.tim.it subdomain, which belongs to the Telecom Italia network.

What is subdomain takeover?

Basically, subdomain takeover is the process of hijacking someone else's subdomain. Let's make an example. When a company, say contoso.com, hosts a web application on a cloud provider, it creates a cloud application that has a unique DNS name, for example myapp.cloudprovider.com.

Then contoso.com wants to reach the web application from one of its own subdomains, so it creates a Canonical Name (CNAME) record on its DNS servers for myapp.contoso.com. A CNAME record maps one domain name (an alias) to another (the canonical name); in this case myapp.contoso.com is mapped to myapp.cloudprovider.com.

Now if you resolve the domain name, this will be the output:

    myapp.contoso.com          CNAME   myapp.cloudprovider.com
    myapp.cloudprovider.com    A       1.1.1.1

After some time, Contoso decides to remove the web application from the cloud provider, so it deletes the instance but does not update its DNS records. This is where the subdomain takeover happens: since the cloud app has been deleted, anyone can create another cloud app with the same name and hijack Contoso's subdomain. When someone visits myapp.contoso.com, the request still ends up at myapp.cloudprovider.com, but that name is now under someone else's control.
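The dangling-record condition described above is something a domain owner can audit in their own zone: a record is dangerous when its CNAME chain ends at a cloud hostname that no longer resolves. The following script is an added example (not the author's tooling and not subjack); the provider suffix list, the dig-style sample records and the fake resolver are constructed for the demonstration, and the real `socket`-based resolver is used only when no resolver is injected.

```python
"""Dangling-CNAME audit over dig-style records (added example, not from the post)."""
import socket
from typing import Callable, Dict, List, Tuple

# Assumption: illustrative suffixes where deleting an app frees its hostname
# for anyone to re-register; extend with the providers your zone actually uses.
TAKEOVER_PRONE_SUFFIXES = (".azurewebsites.net", ".cloudapp.net", ".cloudprovider.com")

def parse_records(text: str) -> Dict[str, str]:
    """Parse 'name [ttl IN] CNAME target' lines as printed by dig's answer section."""
    cnames: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[-2].upper() == "CNAME":
            cnames[parts[0].rstrip(".").lower()] = parts[-1].rstrip(".").lower()
    return cnames

def resolves(host: str) -> bool:
    """Real resolver: True if the host still has an address record."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(cnames: Dict[str, str],
                  resolver: Callable[[str], bool] = resolves) -> List[Tuple[str, str]]:
    """Return (subdomain, final_target) pairs whose alias chain ends at a
    takeover-prone cloud hostname that no longer resolves."""
    findings = []
    for name, target in cnames.items():
        seen = {name}
        while target in cnames and target not in seen:  # follow chained aliases, no loops
            seen.add(target)
            target = cnames[target]
        if target.endswith(TAKEOVER_PRONE_SUFFIXES) and not resolver(target):
            findings.append((name, target))
    return findings

# Constructed sample zone: the post's contoso example plus two healthy records.
SAMPLE = """\
myapp.contoso.com.   300 IN CNAME myapp.cloudprovider.com.
www.contoso.com.     300 IN CNAME contoso-www.cloudprovider.com.
blog.contoso.com.    300 IN CNAME www.contoso.com.
"""
# Constructed resolver state: only the www app still exists at the provider.
_LIVE = {"contoso-www.cloudprovider.com"}
def fake_resolver(host: str) -> bool:
    return host in _LIVE

if __name__ == "__main__":
    for sub, tgt in find_dangling(parse_records(SAMPLE), fake_resolver):
        print(f"DANGLING {sub} -> {tgt}")
```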

An in-depth explanation can be found at the following links:

Long story short

Since Telecom Italia has a responsible disclosure program, I decided to check whether any of the tim.it subdomains were vulnerable, so after an enumeration phase I used subjack, which identified that timcafe.tim.it could be vulnerable to hijacking.

Looking at the DNS record with dig highlighted that the subdomain returned a CNAME record pointing to an Azure web application, timcafe.azurewebsite.net, that wasn't registered anymore.

Since Microsoft Azure allows anyone with a valid account to create a web application, I created a new web application named timcafe; after that, the timcafe.tim.it DNS record pointed to the application I had just created.


Oh, that was easy. Hold on, because if you visit the website a nice "HTTP 404 website not found" message will appear. That happens because, after resolving the DNS name, the client performs an HTTP GET request to 52.173.149.254 with the HTTP Host header set to timcafe.tim.it, and the Azure web server doesn't know which web application that name is mapped to, so it returns an error.

To fix this error, you need to go to "App Service > Settings > Custom domains" and add a custom domain, as shown in the screenshot below, that maps the incoming name to the web application.


After that, timcafe.tim.it shows the content that I uploaded to my instance.

Now what?

Okay, cool, now I have complete control over a subdomain. What can I do next? Here is a list of potential attacks that could be performed:
  • Steal all cookies with *.tim.it scope that were set without the Secure flag from users' browsers;
  • Check if the timcafe.tim.it subdomain is still referenced from another domain. For example, if tim.it loads a JavaScript file from timcafe.tim.it, it is possible to upload a script and potentially execute arbitrary JavaScript code for tim.it visitors;
  • Perform cross-domain requests to API endpoints which use cookies to keep track of the user session;
  • Upload a self-signed SSL certificate and, if a user accepts the browser warnings, steal also cookies set with the Secure flag;
  • Phishing and spreading malware on behalf of Telecom Italia;
  • Bypass Content-Security-Policy (CSP).
After hijacking the subdomain I contacted TIM through their responsible disclosure program to inform them about the misconfiguration, and after two days the issue was fixed.

Useful links:
