Amazon Route 53

Public Subdomain Takeover: Missing Origin IP Address

Risk Level: Medium

Description:

This plugin detects A records in public Route 53 hosted zones that point to IP addresses the account no longer owns, that is, addresses that are neither attached to any network interface nor allocated as an Elastic IP. Such a dangling record can lead to a subdomain takeover: a released public IP address returns to the shared AWS pool, so an attacker can allocate Elastic IP addresses in another AWS account until one matches the record, attach it to their own instance, and serve arbitrary content under the organization's DNS name. The attacker can then make the taken-over subdomain look like an internal employee portal and lure employees into submitting confidential information.

About the Service :

Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service. It is intended to provide developers and businesses with a reliable and cost-effective method of routing end users to Internet applications.

Amazon Route 53 connects user requests to AWS infrastructure such as Amazon EC2 instances, Elastic Load Balancing load balancers, and Amazon S3 buckets, as well as equipment outside of AWS. 

Impact: 

A subdomain takeover can occur if an attacker in another AWS account obtains the IP address that the dangling record still points to and serves their own content from it. Because the hostname belongs to the organization's own zone, the attacker can disguise the hijacked subdomain as an internal employee site and trick employees into submitting sensitive information such as credentials.

Steps to reproduce :

  1. Log in to the AWS Management Console.
  2. Navigate to the Route 53 dashboard. (https://console.aws.amazon.com/route53/ )
  3. Next, open “Hosted zones” in the left navigation panel under Route 53.
  4. Select the hosted zone to examine.
  5. Expand the hosted zone details. Proceed with the next steps only if the Type is set to “Public hosted zone”; private hosted zones are not reachable from the Internet and are out of scope for this check.
  6. Next, check each record with Type set to “A” that routes traffic to an IP address (alias records point to an AWS resource by name and are not covered by this check). Copy the IP address values shown under “Value/Route traffic to”.
  7. Navigate to the EC2 dashboard at: https://console.aws.amazon.com/ec2/
  8. Open Network Interfaces in the Network & Security section.
  9. Paste the copied IP address into the search bar. Repeat the search under Elastic IPs, since an Elastic IP that is allocated but not attached to any interface is still owned by the account. Both views are per region, so repeat the search in every region the account uses.
  10. If neither search returns a result, the account no longer owns that IP address and the record is vulnerable to takeover.
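The same check, scripted with the Route 53 and EC2 APIs. This is an added example and not the plugin's own source; the detection functions run on the constructed sample data below, and only fetch_from_aws() needs boto3 and an AWS profile with route53:List* and ec2:Describe* permissions (assumed). The zone IDs and IP addresses in the sample are made up. Beyond the console steps above, the example also distinguishes a dangling globally routable address, which an attacker can reclaim by allocating Elastic IPs, from a stale RFC 1918 address, which is a misconfiguration but not a takeover.

```python
"""Flag A records in public Route 53 zones whose IPs the account no longer owns."""
import ipaddress

# Constructed sample data shaped like the list_hosted_zones /
# list_resource_record_sets responses (zone IDs and IPs are invented).
SAMPLE_ZONES = [
    {"Id": "/hostedzone/ZPUBLICEXAMPLE", "Name": "example.com.",
     "Config": {"PrivateZone": False}},
    {"Id": "/hostedzone/ZPRIVATEEXAMPLE", "Name": "corp.internal.",
     "Config": {"PrivateZone": True}},
]
SAMPLE_RECORDS = {
    "/hostedzone/ZPUBLICEXAMPLE": [
        {"Name": "www.example.com.", "Type": "A", "TTL": 300,
         "ResourceRecords": [{"Value": "52.94.12.34"}]},
        {"Name": "old.example.com.", "Type": "A", "TTL": 300,
         "ResourceRecords": [{"Value": "52.94.12.35"}]},
        {"Name": "intranet.example.com.", "Type": "A", "TTL": 300,
         "ResourceRecords": [{"Value": "10.0.9.9"}]},
        # Alias record: routes by resource name, carries no IP, so it is skipped.
        {"Name": "lb.example.com.", "Type": "A",
         "AliasTarget": {"DNSName": "my-lb.elb.amazonaws.com.",
                         "HostedZoneId": "ZEXAMPLEELB", "EvaluateTargetHealth": False}},
        {"Name": "example.com.", "Type": "MX", "TTL": 300,
         "ResourceRecords": [{"Value": "10 mail.example.com."}]},
    ],
    "/hostedzone/ZPRIVATEEXAMPLE": [
        {"Name": "db.corp.internal.", "Type": "A", "TTL": 300,
         "ResourceRecords": [{"Value": "10.0.0.5"}]},
    ],
}
# IPs attached to network interfaces or allocated as Elastic IPs (constructed).
SAMPLE_OWNED_IPS = {"52.94.12.34", "10.0.1.5", "10.0.0.5"}


def public_zones(zones):
    """Keep only public hosted zones; private zones are not reachable from the Internet."""
    return [z for z in zones if not z.get("Config", {}).get("PrivateZone", False)]


def a_record_targets(records):
    """Yield (record name, IP) for plain A records; alias records have no IP and are skipped."""
    for r in records:
        if r.get("Type") != "A" or "AliasTarget" in r:
            continue
        for rr in r.get("ResourceRecords", []):
            yield r["Name"], rr["Value"]


def find_dangling_records(zones, records_by_zone, owned_ips):
    """Return records in public zones whose target IP is not owned by the account.

    takeover_possible is True only for globally routable addresses: those return to
    the shared AWS pool when released and can be re-allocated in another account.
    """
    findings = []
    for zone in public_zones(zones):
        for name, ip in a_record_targets(records_by_zone.get(zone["Id"], [])):
            if ip in owned_ips:
                continue
            findings.append({
                "zone": zone["Name"],
                "record": name,
                "ip": ip,
                "takeover_possible": ipaddress.ip_address(ip).is_global,
            })
    return findings


def fetch_from_aws():
    """Pull live zones, records and owned IPs with boto3 (assumed installed and credentialed).

    Network interfaces and Elastic IPs are regional: run this once per region in use.
    """
    import boto3
    r53, ec2 = boto3.client("route53"), boto3.client("ec2")
    zones = [z for page in r53.get_paginator("list_hosted_zones").paginate()
             for z in page["HostedZones"]]
    records = {
        z["Id"]: [rs for page in r53.get_paginator("list_resource_record_sets")
                  .paginate(HostedZoneId=z["Id"]) for rs in page["ResourceRecordSets"]]
        for z in zones
    }
    owned = set()
    for page in ec2.get_paginator("describe_network_interfaces").paginate():
        for eni in page["NetworkInterfaces"]:
            for pip in eni.get("PrivateIpAddresses", []):
                owned.add(pip["PrivateIpAddress"])
                if "Association" in pip:
                    owned.add(pip["Association"]["PublicIp"])
    for addr in ec2.describe_addresses()["Addresses"]:
        if addr.get("PublicIp"):          # an unattached Elastic IP is still ours
            owned.add(addr["PublicIp"])
    return zones, records, owned


if __name__ == "__main__":
    for finding in find_dangling_records(SAMPLE_ZONES, SAMPLE_RECORDS, SAMPLE_OWNED_IPS):
        print(finding)
```

On the sample data this reports old.example.com. (takeover possible) and intranet.example.com. (stale private target, no takeover) and is silent on the alias, MX and private-zone records. To run it against an account, replace the three SAMPLE_* arguments with the tuple returned by fetch_from_aws().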


Steps for remediation :

Ensure that all such Route 53 records are removed, or updated to point only to IP addresses the account still owns.

  1. Log in to the AWS Management Console.
  2. Navigate to the Route 53 dashboard. (https://console.aws.amazon.com/route53/ )
  3. Next, open “Hosted zones” in the left navigation panel under Route 53.
  4. Select the hosted zone to examine.
  5. Select the vulnerable record by clicking on the checkbox next to it.
  6. Click on Delete record to delete it. If the record lists several IP addresses and only some of them are dangling, edit the record and remove just those values instead of deleting the whole record.
  7. Repeat the steps for the other vulnerable records as well.
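The same remediation through the Route 53 API, as an added example that is not part of the plugin. Route 53 applies a DELETE change only when the submitted record matches the existing one exactly (name, type, TTL and every value), so the change is built from the record set exactly as list_resource_record_sets returned it; when other, still-owned IP addresses share the record, an UPSERT that keeps them is submitted instead. The sample records and zone ID are constructed, and apply_remediation() assumes boto3 and route53:ChangeResourceRecordSets permission.

```python
"""Build and submit the Route 53 change that removes dangling IPs from an A record."""
import copy

# Constructed sample records, in the shape list_resource_record_sets returns them.
SAMPLE_ZONE_ID = "/hostedzone/ZPUBLICEXAMPLE"
SAMPLE_SINGLE = {
    "Name": "old.example.com.", "Type": "A", "TTL": 300,
    "ResourceRecords": [{"Value": "52.94.12.35"}],
}
SAMPLE_MULTI = {
    "Name": "api.example.com.", "Type": "A", "TTL": 60,
    "ResourceRecords": [{"Value": "52.94.12.34"}, {"Value": "52.94.12.36"}],
}


def remediation_change(record_set, dangling_ips):
    """Return the single Change that removes the dangling IPs from this A record.

    All values dangling -> DELETE the record, submitting it unchanged so it matches
    exactly. Some values still owned -> UPSERT the record with only those values.
    """
    if record_set.get("Type") != "A" or "AliasTarget" in record_set:
        raise ValueError("only non-alias A records are handled by this check")
    remaining = [rr for rr in record_set["ResourceRecords"]
                 if rr["Value"] not in dangling_ips]
    if len(remaining) == len(record_set["ResourceRecords"]):
        raise ValueError("record has no dangling values; nothing to change")
    if not remaining:
        return {"Action": "DELETE", "ResourceRecordSet": copy.deepcopy(record_set)}
    updated = copy.deepcopy(record_set)
    updated["ResourceRecords"] = remaining
    return {"Action": "UPSERT", "ResourceRecordSet": updated}


def build_change_batch(record_sets_with_dangling, comment="Remove dangling A record targets"):
    """Combine several (record_set, dangling_ips) pairs into one atomic ChangeBatch."""
    changes = [remediation_change(rs, ips) for rs, ips in record_sets_with_dangling]
    return {"Comment": comment, "Changes": changes}


def apply_remediation(zone_id, record_sets_with_dangling):
    """Submit the batch with boto3 (assumed) and return the change ID for status polling."""
    import boto3
    resp = boto3.client("route53").change_resource_record_sets(
        HostedZoneId=zone_id,
        ChangeBatch=build_change_batch(record_sets_with_dangling),
    )
    return resp["ChangeInfo"]["Id"]


if __name__ == "__main__":
    batch = build_change_batch([(SAMPLE_SINGLE, {"52.94.12.35"}),
                                (SAMPLE_MULTI, {"52.94.12.36"})])
    for change in batch["Changes"]:
        print(change["Action"], change["ResourceRecordSet"]["Name"],
              [rr["Value"] for rr in change["ResourceRecordSet"]["ResourceRecords"]])
```

Because the batch is applied atomically, a mismatch in any one DELETE (for example, a TTL edited in the console after the record was listed) rejects the whole batch; re-list the records and rebuild the batch rather than hand-editing the values.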