Dangling DNS: Amazon EC2

Inspired by Matt Bryant research on AWS dangling domains in 2015, I was able to revisit the research and apply the technique to bug bounty programs during my bug bounty journey

Timeline

Oct 3rd, 2019 - First Clue

Asset: Private Program [fig.example.com]

Report:

Details:

I began with enumerating subdomains using Sublist3r when I stumbled upon interesting subdomain fig.example.com(I have no idea why it was interesting but it was).

I opened http://fig.example.com/ on the browser It showed nothing but a blank page with empty HTML code, So I decided to brute force directories using Dirsearch. when I found http://fig.example.com/includes/directory with directory listing enabled.

Response:

Then I decided to look for similar issues with affecting other subdomains. Soon after, I found two other subdomains github.example.com and goose.example.com with the same issue. How did I figured it out? It’s simple it was redirecting to a totally different site.

GET request for https://github.example.com/

Then I checked DNS records for github.example.com maybe it will help me identify other subdomains with same issue.

dig command result for github.example.com

When I realized what they all have in common “Amazon Web Service”.

At this point I decided to filter subdomains based on CNAME records, I used this tool which I have created with Python. Now let’s check for similar issue, After spending some time, I had no luck. I had to take some timeout. Then I realized what I have missed, Port scanning dah!

Nov 24th, 2019 - Second Clue

Asset: Private Program [emu.example.com]

Report:

Respond:

Now I know that this program has serious issue with dangling DNS records.

Nov 26th, 2019 - Third Clue

Asset: Private Program [rev.example.com]

Report:

Dec 26th, 2019 - Dangling Record

Now I have a list of subdomain with possible dangling DNS records with no way to make sure it’s really is. What can we do?

  1. Let’s check SSL certificate data for pilot.example.com And this turned out very helpful as I found SSL certificate issued for totally different Org.

SSL certificate data for pilot.example.com

2. Let’s check Shodan for archived data (SSL certificates - HTML) for henry.example.com, And again SSL certificate issued for totally different Org.

Shodan Query: net:54.161.231.55

SSL certificate for henry.example.com subdomain

3. Let’s use Google or Bing dorks ip:54.161.231.55 And check for crawled data.

4. Maybe all you have to do is asking.

E-mail from [email protected]

Jun 16th, 2020 - Payment Day

Asset: Private Program [ipa01.example.com]

Report:

Details:

After monitor subdomains and confirming that every subdomain has a dangling DNS record before reporting, Program asked me to supply every possible dangling record and they will confirm it all at once.

list of subdomains send in report

Turned out they all had a dangling DNS records, Yay!!

Jul 10th, 2020 - Underlying Issue

It’s all started on Oct 7, 2015 when Matt Bryant blogged "Fishing the AWS IP Pool for Dangling Domains" about AWS IP pool.

“What happened to that IP tied to that EC2 instance that you just killed? Well, when you terminate an instance, that IP address isn’t put to waste. Instead, it’s reused by other AWS customers. There is a massive pool of IP addresses that are constantly being recycled and trusted by various organizations and people.”

The issue happens when company use EC2 instance public DNS as CNAMEor A record, without using elastic IP. If the EC2 instance is killed or terminated and the DNS not updated this will lead to creating a dangling DNS record for the subdomain. Then EC2 IP will be released to AWS IP pool, This mean it’s possible to assign the IP to new EC2 instance.

How to find this kind of issues?

Check for compute.amazonaws.com or compute-1.amazonaws.com in CNAME record.

Ensure that subdomain has dangling DNS before reporting to avoid N/A, As mentioned before. Avoid managed bug bounty programs as they required a PoC file.

Case Studies

  • Asset: Amazon (Ironically, Amazon had a similar issue)

  • Asset: Private Programs

Private Program #2
Private Program #3

A piece of advice

  • Don’t ignore old researches, It might be old but not dead.

  • Building trust with security teams is great and it’s a two-way street.