Subdomain Takeover using a dangling Cloudfront

Introduction

AWS S3 is a storage service by Amazon that can hold any kind of file. Permissions can then be granted per object and per bucket. More often than not, AWS S3 buckets have been discovered with weak permissions on individual objects or on the entire bucket itself: files and folders which should not be public are made world readable and available to anyone for inspection.

Organisations often use this property of S3 to host their static websites and attach them to CloudFront. Amazon CloudFront is a web service that works as a content delivery network (CDN); it speeds up distribution of static and dynamic web content, such as HTML, JavaScript, CSS, PHP, and image files. Many sites and organisations use it to distribute their content faster from servers close to their users.

What are we going to cover?

This chapter covers hijacking of a subdomain after the deletion of an S3 bucket that is the origin of a CloudFront distribution.

Steps to setup

  • There are mainly 2 services involved in the lab:

    • AWS S3

    • AWS CloudFront

The user flow of the lab begins with creating a bucket and using this bucket to host the static web application. A CloudFront distribution is then created and attached to the static web application served from the S3 bucket.

  1. Navigate to your AWS console and open the S3 section.

  2. Create a bucket named www.unique-name.com and, under bucket ownership, enable ACLs.

  3. Disable "Block all public access" while creating the bucket.

  4. Once the bucket is created, navigate to its properties.

  5. Go to the bottom of the page, where the Static website hosting option is. Click Edit and enable it to host the web page.

  6. Now let's host the website with a simple HTML file. Get the files with the following command:

    aws s3 cp s3://aws-training-modules/subdomain-takeover-files/ . --recursive

  7. After getting the files, upload index.html to the bucket configured for static website hosting.

  8. Now go to the bucket's Permissions tab and add the following bucket policy. This policy makes the data public.

  9. Make sure that you replace the resource with your own bucket ARN.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Principal": "*",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::www.unique-name.com/*",
                    "arn:aws:s3:::www.unique-name.com"
                ]
            }
        ]
    }

If you get an error while pasting the policy, run it through a JSON beautifier to fix the formatting.

  1. We have successfully created the bucket; now configure the S3 bucket as the origin within CloudFront.

  2. Navigate to the CloudFront section and create a distribution.

  3. Enable the redirect from HTTP to HTTPS, then click Create distribution.

  4. Under Cache key and origin requests, select the CachingDisabled policy.

  5. Wait for some time until you get the CloudFront domain, then open that domain in your browser.

We are done with the lab setup. Now follow the steps to attack.

Steps to attack

  • Once the environment is ready, open your browser and paste the domain name shown in your AWS account under CloudFront.

  • In another tab, open your static website; you can get its URL from S3 > bucket properties. You should see a welcome page on the website.

  • Navigate to the CloudFront domain and you will see the same welcome message.

  • Delete the bucket with the unique name that you created in the setup process. To do that, navigate to S3 > Buckets, empty the bucket and then delete it.


Now, how an attacker can use this?


How to Claim sub-domain via dangling CloudFront

  • We can see that the error page is disclosing the S3 bucket name. Now wait for a minute and create a new bucket with the same name.

  • Once the bucket is created, the attacker changes its permissions and properties to host a static website and adds the following custom bucket policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME-HERE/*"
    }
  ]
}
  • Now enable static website hosting and set index.html as the index document. Once you are done with the basic setup on the Cloudfront side, the next step is creating your takeover page. This can effectively be anything you want to host, either in the S3 bucket or on your own web server. Use the following code to do that.

<!DOCTYPE html>
<html>
<head>
    <title>Sub-domain Takeover</title>
</head>
<body>
    <h1>Sub-domain Hijack/Takeover Proof of Concept</h1>
    <script>
    document.write("Sub-domain Hijack/Takeover Proof of Concept " + document.domain + " by student")
    </script>
</body>
</html>
  • Once you upload the index file to the bucket, navigate to the bucket properties and enable static website hosting.

  • Now upload your files to the bucket and make sure index.html is among them. Then navigate to the CloudFront domain.

  • It is a static page with a little JavaScript that highlights the domain that is being taken over/hijacked. We have successfully hijacked the subdomain.
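From the defender's side, the condition the lab creates is visible in two places: a CloudFront distribution whose S3 origin bucket no longer exists in the account, and the S3 error page that discloses the missing bucket name. The following Python is an added example, not part of this lab or any AWS tool; it runs offline on a constructed sample shaped like the output of `aws cloudfront list-distributions` and `aws s3 ls`, and the XML error parser assumes the REST-endpoint error format (the website endpoint returns an HTML variant that is not handled here).

```python
import re
import xml.etree.ElementTree as ET
from typing import Iterable, Optional

# Constructed sample shaped like the "Origins" entries that
# `aws cloudfront list-distributions` returns for each distribution.
SAMPLE_DISTRIBUTIONS = [
    {"Id": "EXAMPLE1", "DomainName": "d111111abcdef8.cloudfront.net",
     "Origins": [{"DomainName": "www.unique-name.com.s3-website-us-east-1.amazonaws.com"}]},
    {"Id": "EXAMPLE2", "DomainName": "d222222abcdef8.cloudfront.net",
     "Origins": [{"DomainName": "assets-prod.s3.eu-west-1.amazonaws.com"}]},
    {"Id": "EXAMPLE3", "DomainName": "d333333abcdef8.cloudfront.net",
     "Origins": [{"DomainName": "origin.example.org"}]},
]
# Buckets still present in the account (constructed). www.unique-name.com is
# absent, which is exactly the state the lab creates by deleting the bucket.
SAMPLE_BUCKETS = {"assets-prod"}

# S3 REST and website endpoint forms that CloudFront accepts as an origin.
_S3_ORIGIN = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"
)

def s3_bucket_from_origin(domain: str) -> Optional[str]:
    """Return the bucket name if the origin is an S3 endpoint, else None."""
    m = _S3_ORIGIN.match(domain.lower())
    return m.group("bucket") if m else None

def find_dangling_origins(distributions, existing_buckets: Iterable[str]):
    """(distribution id, CloudFront domain, bucket) for every S3 origin whose
    bucket is missing from the account: a takeover candidate to fix now."""
    existing = set(existing_buckets)
    return [
        (d["Id"], d["DomainName"], b)
        for d in distributions
        for o in d["Origins"]
        if (b := s3_bucket_from_origin(o["DomainName"])) and b not in existing
    ]

def missing_bucket_from_error(body: str) -> Optional[str]:
    """Parse the S3 NoSuchBucket error served through CloudFront for a deleted
    origin and return the disclosed bucket name, or None for other responses."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "Error" or root.findtext("Code") != "NoSuchBucket":
        return None
    return root.findtext("BucketName")
```

Any distribution reported by find_dangling_origins should have its origin removed or the bucket recreated by the owning account before the DNS record is left pointing at it.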
