Register Now

Login

Lost Password

Lost your password? Please enter your email address. You will receive a link and will create a new password via email.

Login

Register Now

Canyoupwn.me ~

EN | Sony Subdomain Takeover

Home/ EN | Sony Subdomain Takeover

EN | Sony Subdomain Takeover

Mart 28 , 2017 Bug Bounty 0 Comments 1540 views

Summary

Subdomain takeover was possible in some of the subdomains.  The CNAME entry in the subdomain is pointing to an external page service (fanfootballsony.s3-us-west-2.amazonaws.com).

Description

 

$ nslookup fan.football.sony.net 8.8.8.8
Server:     8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
Name:   fanfootballsony.s3-us-west-2.amazonaws.com
Address: 173.255.201.227

fan.football.sony.net
 -> fan.football.sony.net is an alias for fanfootballsony.s3-us-west-2.amazonaws.com.

The bucket name must be the same as the CNAME. So fan.football.sony.net/filename would be the same as fanfootballsony.s3-us-west-2.amazonaws.com/filename if a CNAME were created to map fan.football.sony.net to fanfootballsony.s3-us-west-2.amazonaws.com.

PoC:

http://fanfootballsony.s3-us-west-2.amazonaws.com/subdomaintakeover/index.html

Risk

  • Fake website
  • Malicious code injection
  • Users tricking
  • Company impersonation

Since the vulnerable subdomain is called signup , it’s a perfect place to create a fake login/subscribe page to steal users credentials. An attacker would post links on forums or send emails and then wait for people to signup on the site he owns.

Fix

You should immediately remove the DNS-entry for this domain or point it elsewhere if you don’t use that service.

Berk İMRAN

About Berk İMRAN

Cyber security researcher

Follow Me