Dangling DNS zone a danger for cloud security
Security researchers have earned a $11,756 bug bounty after discovering a mechanism to takeover Microsoft Azure DevOps accounts using just one click.
Sean Yeoh, engineering lead at Assetnote, a platform for continuous security monitoring, writes that his team uncovered the problem after first discovering that the subdomain project-cascade.visualstudio.com was vulnerable to an Azure Zone DNS takeover.
The security weakness — identified through automated scanning — was found in what is known technically as a “dangling DNS zone”, opening the door to exploitation.
“The NS [Name Server] records for project-cascade.visualstudio.com were pointing to Azure DNS, however they were no longer registered on Azure DNS,” Yeoh explains in a technical write up.
“As the lookups were being refused, we were able to to register the subdomain under an Azure account that we owned. By doing so, we were able to create arbitrary DNS records for the subdomain project-cascade.visualstudio.com.”
Hacking the authentication flow
After overwriting the DNS records for the domain, Yeoh and his colleagues began exploring the impact of this hack. This turned out to be quite considerable as there were subdomains underneath visualstudio.com that facilitated an authentication flow through login.microsoftonline.com.
Worse yet, this path wasn’t tied down and so any domain under *.visualstudio.com could receive authentication tokens.
The combined security weaknesses created a mechanism for hackers to steal authentication tokens before abusing these credentials to gain deeper access.
“We found that we could exchange the stolen authentication token for a Bearer token through app.vsaex.visualstudio.com,” Yeoh explains. “This Bearer token could then be used to authenticate to vsaex.visualstudio.com, dev.azure.com and vssps.dev.azure.com.”
Read more of the latest cloud security news
The researchers were able to ultimately abuse the compromised tokens on dev.azure.com to access resources.
“A malicious attacker could perform a one click drive attack on an unsuspecting user by directing them to a URL that would result in their app.vsaex.visualstudio.com tokens being disclosed,” Yeoh explains.
“From this point, the attacker would have full control over the user’s Azure DevOps account,” he added.
The fundamental security weakness in DNS record setups exposed by the security researchers also created a means to change MX records in order to capture emails.
The possibility of capturing emails in itself opened up the possibility of obtaining rogue SSL certificates.
Fortunately, the problem was addressed by Microsoft Azure just a couple of days after it was reported. Assetnote earned a $11,756 bounty for its research.
Kicks on Route53
In response to questions from The Daily Swig, Assetnote said it had discovered vulnerabilities of the same type in many organizations.
“We’ve found dangling zone takeovers for a lot of large companies, especially when they are using Route53,” it explained.
Such takeovers can often be escalated so that it’s possible to register SSL certs and receive email, as in the Azure case. The latest case therefore offers plenty of generally applicable lessons.
Assetnote advised: “Clean up your DNS records frequently, ensure there is a change control process that ensures you delete your DNS records first before deleting the hosted zone on your cloud provider. Scan for hosted zone takeovers frequently on your attack surface.”
The Daily Swig also approached Microsoft for comment. We’ll update this story as and when more information comes to hand.