Read proper write-up here: https://publish.whoisbinit.me/subdomain-takeover-on-api-techprep-fb-com-through-aws-elastic-beanstalk
I have included my script in another file (main.sh), which I used in discovering this vulnerability.
I didn't do any form of manual work in finding this vulnerability, and my workflow was fully automated with Bash scripting.
I have shortened my actual script, and only included the part which helped me in finding this vulnerability in the main.sh file.
Hi @madneal,
There isn't an open report for this vulnerability since Facebook's bug bounty reports are always hidden, but you can go through: https://www.dotsec.com/2020/09/17/dns-records-part-2/ to find out more information about this kind of attack vector.
Also, I am providing a part of my vulnerability report to Facebook in this response.
Complete Details
api.techprep.fb.com points to techprep-backend.us-east-1.elasticbeanstalk.com via a CNAME record. This Elastic Beanstalk URL in the us-east-1 region of AWS appears to have been removed now, and anyone with an AWS account that has privileges to create Elastic Beanstalk instances in the North Virginia region can create one with techprep-backend.us-east-1.elasticbeanstalk.com as the URL. Therefore, there is a dangling CNAME record at api.techprep.fb.com.
Impact
As a result of dangling CNAME records, whenever techprep-backend.us-east-1.elasticbeanstalk.com (which has been removed now) is claimed by an AWS user, he/she will gain access over api.techprep.fb.com as well.
Setup
Users: N/A
Environment: N/A
Browser: Any web browser!
App version: N/A
OS: Debian 10 (Buster)
Description: fb.com is in scope of the Facebook's Bug Bounty Program.
Steps
Reference for Step 2:
nmap -sV -O techprep-backend.us-east-1.elasticbeanstalk.com -Pn
This shows that there are dangling DNS Records at this sub-domain.
Mitigation/Remediation Actions
To mitigate this issue, one simple step that can be taken would be to change or remove the CNAME records from the target sub-domain.
References
My Further Response to Facebook:
"This is a Dangling DNS Records issue. Previously, Facebook had done the following things:
But now, Facebook appears to have reverted point #2, i.e. deleted the Elastic Beanstalk instance.
Therefore, an attacker can create an Elastic Beanstalk instance in the same AWS Region with the same name, and hence claim the instance URL, and along with that, host his/her contents there, which means the same contents would appear in the FB.com's vulnerable sub-domain; i.e. api.techprep.fb.com.
To resolve this issue, Facebook needs to do one of the following:
I hope this much information is enough to answer your queries, and yes, this Dangling DNS vulnerability could have been escalated to a Sub-domain Takeover vulnerability by registering a techprep-backend Elastic Beanstalk instance in the us-east-1 region in Amazon AWS.
Thanks,
Binit Ghimire
@TheBinitGhimire
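The check the report describes (a subdomain whose CNAME target is an Elastic Beanstalk environment URL that no longer resolves) can be automated in a few lines of Bash. The script below is an added example, not the author's main.sh and not anything from Facebook or AWS: it assumes the claimable-hostname shape <environment>.<region>.elasticbeanstalk.com and treats an NXDOMAIN answer for that target as the dangling signal, exactly the condition the nmap step above exposed. The sample records are constructed so the script runs offline; the two dig-based helpers are the only part that touches the network and are not called by the demo.

```bash
#!/usr/bin/env bash
# Added example (not the author's main.sh): flag hosts whose CNAME points at an
# AWS Elastic Beanstalk environment hostname that no longer resolves.
set -eu

# Does the CNAME target look like an Elastic Beanstalk environment URL?
# Assumed shape: <environment>.<region>.elasticbeanstalk.com (trailing dot allowed,
# since `dig +short CNAME` prints targets with one).
is_beanstalk_target() {
  case "$1" in
    *.*.elasticbeanstalk.com|*.*.elasticbeanstalk.com.) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify one record.
# Args: subdomain, CNAME target, resolver status for the TARGET (the word after
# "status:" in dig's ";; ->>HEADER<<-" line: NOERROR, NXDOMAIN, SERVFAIL, ...).
# Prints DANGLING, LIVE or NOT_BEANSTALK.
classify() {
  host=$1; target=$2; status=$3
  if ! is_beanstalk_target "$target"; then
    echo NOT_BEANSTALK
    return 0
  fi
  case "$status" in
    NXDOMAIN) echo DANGLING ;;   # environment deleted; name is free to be claimed
    *)        echo LIVE ;;       # still resolves (or lookup failed): not a takeover candidate
  esac
}

# Network helpers (need dig and connectivity; NOT used by the offline demo below).
# Always query the CNAME target itself, not the customer subdomain, so that a
# recursive resolver's answer for the alias chain does not mask the NXDOMAIN.
lookup_cname()  { dig +short CNAME "$1" | head -n1; }
lookup_status() { dig +noall +comments A "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'; }

# Constructed sample input, one "host cname status" triple per line, standing in
# for what lookup_cname/lookup_status would return during a real scan.
SAMPLE='api.techprep.fb.com techprep-backend.us-east-1.elasticbeanstalk.com NXDOMAIN
www.example.com example.com NOERROR
app.example.com myapp.eu-west-1.elasticbeanstalk.com NOERROR'

# Print a verdict per record; the classification itself is in classify() so it
# can be reused against live lookups.
scan() {
  printf '%s\n' "$1" | while read -r host target status; do
    [ -n "$host" ] || continue
    printf '%s -> %s : %s\n' "$host" "$target" "$(classify "$host" "$target" "$status")"
  done
}

scan "$SAMPLE"
```

An NXDOMAIN on the target is only a candidate, not proof: confirm that the environment name is actually free in the stated region before reporting, and note that the fix on the DNS side is the one the report names, removing or repointing the CNAME, which makes the verdict go to NOT_BEANSTALK on the next scan.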