AWS Route 53 no longer vulnerable #122
Comments
Hi, I did a Route53 takeover for a demo at BSIDES Newcastle just a couple of weeks ago. What makes you think you can't take it over? I've noted sometimes it doesn't work, but for me most of the time it does. Linky to the recording: https://youtu.be/GGfQlPZSRk4?t=712

My theory is that sometimes it doesn't work because the domain is actually configured, but as a private hosted zone and not public. This means it is installed on the nameservers but only resolves when queried from the same AWS account. Unfortunately, you cannot tell if it's not configured at all or configured as a private zone.

In my case, a domain with NS records but not in a hosted zone is not vulnerable. It failed with 7 domains tested yesterday which have the signature 'aws_ns'.
Some references from googling:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/protection-from-dangling-dns.html
indianajson/can-i-take-over-dns#1

Hmmm, it's a fair point. It's a bit of an edge case. This takeover is definitely possible in some cases, but there are some protections (which you have linked). I'll add a comment to the information we return for this signature to state that it's a bit of an edge case.

* fix: add note to r53 takover #122
* feat: add more_info_url to signatures
* feat: add more_info_url to finding
* fix: check the str rep
* fix: handle NS record checks gracefully
* feat: add aws ns more info url
* fix: url is on the test not the signature
* fix: cant provide multiple resolvers

AWS Route 53 no longer vulnerable to takeover domains with dangling delegation records
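
The thread notes that, from outside, an unconfigured domain and a private hosted zone cannot be told apart. A domain owner can separate the cases by comparing the NS delegations they publish against their own hosted-zone inventory. The sketch below is an added example, not code from this project; the function names, status labels, zone records and name-server values are constructed for illustration.

```python
import re
# Route 53 name servers look like ns-<n>.awsdns-<nn>.<com|net|org|co.uk>
R53_NS = re.compile(r"^ns-\d+\.awsdns-\d+\.(com|net|org|co\.uk)$")

def norm(name):
    return name.strip().rstrip(".").lower()

def audit_delegations(delegations, hosted_zones):
    """Map each delegated domain to a status, using your own zone inventory."""
    public, private = {}, set()
    for zone in hosted_zones:
        name = norm(zone["name"])
        if zone["private"]:
            private.add(name)
        else:
            servers = {norm(n) for n in zone["name_servers"]}
            public.setdefault(name, []).append(servers)
    report = {}
    for domain, targets in delegations.items():
        d = norm(domain)
        r53 = {norm(t) for t in targets if R53_NS.match(norm(t))}
        if not r53:
            report[d] = "not-route53"
        elif any(r53 <= servers for servers in public.get(d, [])):
            report[d] = "ok"                 # delegation matches a public zone you own
        elif d in public:
            report[d] = "ns-mismatch"        # zone exists, parent points at other servers
        elif d in private:
            report[d] = "private-zone-only"  # only a private zone exists for this name
        else:
            report[d] = "dangling"           # delegated to Route 53, no zone at all
    return report

# Constructed inventory and delegations (not real data)
ZONES = [
    {"name": "shop.example.com.", "private": False,
     "name_servers": ["ns-101.awsdns-12.com", "ns-1500.awsdns-59.org"]},
    {"name": "api.example.com.", "private": False,
     "name_servers": ["ns-300.awsdns-37.com", "ns-1100.awsdns-09.org"]},
    {"name": "intranet.example.com.", "private": True, "name_servers": []},
]
DELEGATIONS = {
    "shop.example.com": ["ns-101.awsdns-12.com.", "ns-1500.awsdns-59.org."],
    "api.example.com": ["ns-777.awsdns-33.net.", "ns-1100.awsdns-09.org."],
    "intranet.example.com": ["ns-45.awsdns-05.com."],
    "old.example.com": ["ns-202.awsdns-25.com.", "ns-900.awsdns-48.net."],
    "mail.example.com": ["ns1.example.net."],
}
print(audit_delegations(DELEGATIONS, ZONES))
```

Any domain reported as `dangling`, `ns-mismatch` or `private-zone-only` has NS records in the parent zone that should be removed or corrected.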