Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Amazon S3 proofs #36

Open
PatrikHudak opened this issue Sep 12, 2018 · 74 comments
Open

Amazon S3 proofs #36

PatrikHudak opened this issue Sep 12, 2018 · 74 comments
Labels
vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service.

Comments

@PatrikHudak
Copy link

PatrikHudak commented Sep 12, 2018

Service name

Amazon (AWS) S3

Proof

Amazon S3 service is indeed vulnerable. Amazon S3 follows pretty much the same concept of virtual hosting as other cloud providers. S3 buckets might be configured as website hosting to serve static content as web servers. If the canonical domain name has website in it, the S3 bucket is specified as Website hosting. I suspect that non-website and website configured buckets are handled by separate load balancers, and therefore they don't work with each other. The only difference will be in the bucket creation where correct website flag needs to be set if necessary. Step-by-step process:

  1. Go to S3 panel
  2. Click Create Bucket
  3. Set Bucket name to source domain name (i.e., the domain you want to take over)
  4. Click Next multiple times to finish
  5. Open the created bucket
  6. Click Upload
  7. Select the file which will be used for PoC (HTML or TXT file). I recommend naming it differently than index.html; you can use poc (without extension)
  8. In Permissions tab select Grant public read access to this object(s)
  9. After upload, select the file and click More -> Change metadata
  10. Click Add metadata, select Content-Type and value should reflect the type of document. If HTML, choose text/html, etc.
  11. (Optional) If the bucket was configured as a website
    1. Switch to Properties tab
    2. Click Static website hosting
    3. Select Use this bucket to host a website
    4. As an index, choose the file that you uploaded
    5. Click Save

To verify the domain, I run:

http -b GET http://{SOURCE DOMAIN NAME} | grep -E -q '<Code>NoSuchBucket</Code>|<li>Code: NoSuchBucket</li>' && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"

Note that there are two possible error pages depending on the bucket settings (set as website hosting or not).

Some reports on H1, claiming S3 buckets:

Documentation

There are several formats of domains that Amazon uses for S3 (RegExp):

  • ^[a-z0-9\.\-]{0,63}\.?s3.amazonaws\.com$
  • ^[a-z0-9\.\-]{0,63}\.?s3-website[\.-](eu|ap|us|ca|sa|cn)-\w{2,14}-\d{1,2}\.amazonaws.com(\.cn)?$
  • ^[a-z0-9\.\-]{0,63}\.?s3[\.-](eu|ap|us|ca|sa)-\w{2,14}-\d{1,2}\.amazonaws.com$
  • ^[a-z0-9\.\-]{0,63}\.?s3.dualstack\.(eu|ap|us|ca|sa)-\w{2,14}-\d{1,2}\.amazonaws.com$

Note that there are cases where only raw domain (e.g. s3.amazon.com) is included in CNAME and takeover is still possible.

(Documentation taken from https://0xpatrik.com/takeover-proofs/)

@EdOverflow EdOverflow added the vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service. label Sep 13, 2018
@PatrikHudak
Copy link
Author

Official documentation link: https://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html

@sumgr0
Copy link

sumgr0 commented Mar 14, 2019

I've come across a sub-domain which confirms the error message:

NoSuchBucket
The specified bucket does not exist
randombucket-assets

When use the dig command, the CNAME points to a random.cloudfront.net URL.

On trying to follow the above steps, getting below message while creating the S3 bucket with same name:
"Bucket name already exists"

I'm entering the full sub-domain name in the bucket name. Am I missing something to check?

Update: I've been able to find the S3 bucket URL: subdomain.s3.amazonaws.com

@soynek
Copy link

soynek commented Jul 9, 2019

id 64053
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
girishsarwal.me. IN CNAME
;ANSWER
;AUTHORITY
something.me. 899 IN SOA ns-732.awsdns-27.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
;ADDITIONAL

in s3 bucket, i'm facing this problem. What's solution for this ?
Screenshot_1

@codingo
Copy link
Collaborator

codingo commented Jul 9, 2019

@soynek You're going to need to dig into the documentation for this one, we've had to draw the line at this repository being treated like a support desk. This is here to outline the work people have contributed back, and to outline vulnerable areas, but if you have a specific subdomain takeover question then the documentation for that service is where you should be looking.

@soynek
Copy link

soynek commented Jul 9, 2019

@codingo
I want to takeover a subdomain and i face that problem as in picture showing. Any solution for this?

@yoursquad13
Copy link

Hi
I found a domain with CNAME *.cloudfront.net
When I access it from browser it returned empty. I tried to add it to bucket by steps above and was successfully added. But when I access it, it's still empty, I tried other subdomains from same domain but they say 'Bucket name already exist'.
Please explain me this

@PatrikHudak
Copy link
Author

@yoursquad13 Because *.cloudfront.net is not a subdomain for S3

@nynuz
Copy link

nynuz commented Feb 26, 2020

Hi, during a bug bounty activity I have found a subdomain vulnerable to takeover, the dig command returns this information:
sub.example.com CNAME [bucket_name].s3.amazonaws.com
and then:
[bucket_name].s3.amazonaws.com CNAME s3-1-w.amazonaws.com
I haven't the region information from dig command.

Also if I visit the page, I get an XML error. Below is the screenshot:
Screenshot_2020-02-26_15-59-34

The subdomain would seem vulnerable to takeover, but when I go to create the bucket from my AWS console, I get the following error:
Bucket name already exists

Anyone can help me?
Thank You!

@OGoodness
Copy link

@webliqui
Any news on this issue? I am running into the same thing

@soareswallace
Copy link

soareswallace commented May 4, 2020

Have you guys ran the AWS CLI like aws s3 ls <bucket_name>? I think this command search in all regions for a bucket name.

@theinfosecguy
Copy link

@webliqui You found something?
I'm facing the same issue.
@codingo Do you have some solution for this?

@Zachswan1
Copy link

same issue as @webliqui. @codingo?

@soareswallace
Copy link

I believe, as I mentioned above, this issue is related to the region. This bucket may not be created on the region that you are testing on. But if you use the AWS CLI (aws s3 ls <bucket_name>) I believe you would find the bucket. I suggest you to test using the AWS CLI.

@Mik317
Copy link

Mik317 commented Jul 5, 2020

Hi @soareswallace :),
I got the same error and when I execute the command you suggested in the latest reply, I get this error: An error occurred (AllAccessDisabled) when calling the ListObjectsV2 operation: All access to this object has been disabled ... any tip to make possible the take over ?

Regards,
Mik

@soareswallace
Copy link

I believe when we get this message @Mik317 , the take over is not possible. This message show that the bucket does exist and has an owner.

Stay safe,

Wallace

@Mik317
Copy link

Mik317 commented Jul 9, 2020

Hi @soareswallace :).
Thanks for the reply. I'll be lucky the next time ;)

Until that, stay safe and hack the world ;)

Regards,
Mik

@FaizanNehal
Copy link

Hi @soareswallace
I discovered a subdomain whose CNAME is point to *.elb.amazonaws.com.
How can I takeover this subdomain? Is the process same as creating a s3 bucket?

@soareswallace
Copy link

Hi @FaizanNehal,

I tried once, but never found out how to do it. I also would like to know how we can takeover. Let us know if you discover anything.

Wallace

@vemoa
Copy link

vemoa commented Jul 21, 2020

Anyone knows about amazon route 53???? Is it vulnerable?

@PxHunt3r
Copy link

PxHunt3r commented Aug 4, 2020

I found a subdomain.domain.com that is vulnerable, and confirmed with dig that CNAME was for s3 bucket in Verginia
When I tried creating the bucket with the same name it worked but the endpoint for the bucket was like so:
^[a-z0-9\.\-]{0,63}\.?s3-website[\.-](eu|ap|us|ca|sa|cn)-\w{2,14}-\d{1,2}\.amazonaws.com(\.cn)?$
Which is mentioned in the documentation. OR
^[a-z0-9\.\-]{0,63}\.?s3.amazonaws\.com$/subdomain.domain.com/
Which is not.

my question is since it is not mentioned in the steps above how to make those regexes point to subdomain.domain.com?

@GDATTACKER-RESEARCHER
Copy link

is this service still vulnerable?

@pdelteil
Copy link
Contributor

Hi @soareswallace
I discovered a subdomain whose CNAME is point to *.elb.amazonaws.com.
How can I takeover this subdomain? Is the process same as creating a s3 bucket?

Not really, usually before the elb there's a random number.

@anantupadhya
Copy link

Hi,
I have found "The specified bucket does not exist" for few subdomains. But when I do a dig, the subdomains fail to give a CNAME record. So does it mean that they are not vulnerable. Or am I missing something here?

@empty00
Copy link

empty00 commented Mar 18, 2021

Hi @soareswallace
I discovered a subdomain whose CNAME is point to *.elb.amazonaws.com.
How can I takeover this subdomain? Is the process same as creating a s3 bucket?

did u find any info about it?

@soareswallace
Copy link

So far, from what I could search about it, is not possibly to take over amazon's load balance.

@soareswallace
Copy link

And as @pdelteil replied above:

Not really, usually before the elb there's a random number.

@empty00
Copy link

empty00 commented Mar 18, 2021

okey , thanks

@GDATTACKER-RESEARCHER
Copy link

id 64053
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
girishsarwal.me. IN CNAME
;ANSWER
;AUTHORITY
something.me. 899 IN SOA ns-732.awsdns-27.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
;ADDITIONAL

in s3 bucket, i'm facing this problem. What's solution for this ?
Screenshot_1

in this case i try to create bucket by deleteing at recreating it ofcourse it take time but work it.

@4nibhal
Copy link

4nibhal commented Sep 16, 2023

Hi guys, is this still vulnerable?
I get an error that the bucket name is already taken.🤔

@six2dez
Copy link

six2dez commented Nov 2, 2023

Hi guys I found the following scenario:

  1. subdomain.example.com returning NoSuchBucket

  2. dig cname subdomain.example.com returns:

> dig cname subdomain.example.com                                                                   

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> cname subdomain.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43658
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;subdomain.example.com.	IN	CNAME

;; ANSWER SECTION:
subdomain.example.com. 3600 IN	CNAME	RANDOM_NAME_SEQUENCE.s3.amazonaws.com.

;; Query time: 31 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu Nov 02 10:55:24 CET 2023
;; MSG SIZE  rcvd: 131
  1. Checked bucket region by curl -sI RANDOM_NAME_SEQUENCE.s3.amazonaws.com | grep bucket-region

  2. Claimed and created an S3 bucket with the name RANDOM_NAME_SEQUENCE.s3.amazonaws.com on the region from the previous step and uploaded a poc to RANDOM_NAME_SEQUENCE.s3.amazonaws.com/poc, made it public, both the bucket and the poc file.

  3. Navigated to https://RANDOM_NAME_SEQUENCE.s3.amazonaws.com/poc and the file shows properly.

  4. subdomain.example.com/poc still shows NoSuchBucket.

Also tried the to create the bucket as static website hosting. Does anyone found this scenario or know what's happening here?

@C0oki3s
Copy link

C0oki3s commented Nov 2, 2023

@six2dez please refer to this issue #361 I have faced similar kind of scenario hope it will be useful

@cyberduck404
Copy link

Bucket with the same name already exists

Is this edge case now?

@GDATTACKER-RESEARCHER
Copy link

Bucket with the same name already exists

Is this edge case now?

No

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service.
Projects
None yet
Development

No branches or pull requests