Find Route53 records pointing to CloudFront with NO aliases (allows domain hijacking)
###########################################################################################################
## Requires: jq, awk, sed, aws-cli - and that you are using creds for the aws account you want to connect to
###########################################################################################################
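#######################################
# Report Route53 records that resolve to CloudFront while no CloudFront
# distribution in this account claims that hostname as an alias.
#
# CloudFront only serves a hostname that is configured as an alias on a
# distribution. A Route53 record that points at CloudFront without such an
# alias is dangling: another account can add the hostname as an alias on its
# own distribution and receive the traffic. Cases covered (tested by the
# original author):
#   * RECORD (CNAME) -> CF Distro
#   * RECORD (A)     -> CF Distro
#   * RECORD (CNAME) -> RECORD(A) -> CF Distro
# Note that Route53 alias records are "A" records.
#
# Globals:   none written; AWS credentials/region come from the environment
# Arguments: none
# Outputs:   INFO lines and one "FAILED: ..." line per dangling record (stdout);
#            errors from the aws calls go to stderr
# Returns:   0 after the scan (findings are reported on stdout, not via the
#            exit status); 1 if an aws call fails
#######################################
evaluateMissingAliasesInCloudFront() {
  local raw aliases zone_ids zone_id cnames recs rec cname arec r53_record
  local failures=0

  ## Every alias claimed by any distribution, one per line. DistributionList.Items
  ## holds the distributions (the original walked every key of DistributionList,
  ## which also hits the scalar Quantity/IsTruncated fields); Aliases.Items is
  ## null on a distribution without aliases, and Items itself is absent when the
  ## account has no distributions, hence the `[]?`.
  ## NOTE(review): this relies on the AWS CLI paginating list-* calls itself —
  ## confirm for accounts/zones with very many entries.
  raw=$(aws cloudfront list-distributions) \
    || { printf 'ERROR: aws cloudfront list-distributions failed\n' >&2; return 1; }
  aliases=$(jq -r '.DistributionList.Items[]?|select(.Aliases.Items != null)|.Aliases.Items[]' <<<"$raw")
  #echo "INFO: Evaluating aliases $aliases for missing Route53 records"

  ## Public zones only; a private zone is not reachable from the internet.
  raw=$(aws route53 list-hosted-zones) \
    || { printf 'ERROR: aws route53 list-hosted-zones failed\n' >&2; return 1; }
  zone_ids=$(jq -r '.HostedZones[]|select(.Config.PrivateZone == false)|.Id' <<<"$raw")

  # Word-splitting is intended here and below: one value per line, no whitespace in DNS names or ids.
  for zone_id in $zone_ids; do
    ## .Id is "/hostedzone/ZXXXX"; the API wants only the last path component.
    zone_id=${zone_id##*/}
    ## One listing per zone feeds both checks (the original fetched it twice).
    raw=$(aws route53 list-resource-record-sets --hosted-zone-id "$zone_id") \
      || { printf 'ERROR: aws route53 list-resource-record-sets failed for zone %s\n' "$zone_id" >&2; return 1; }

    ## Attack vector 1 - someone has a cname to a record that points to CF. CF misses this record,
    ## and someone else can take over the CNAME CF Distro.
    ## One "<target>,<name>" per line. Both trailing dots are stripped so the values compare
    ## equal to CloudFront aliases, which carry no dot. (The original's second sed, 's/.\$//g',
    ## matched a literal "$" and never removed the dot from the name, so every CNAME was flagged.)
    cnames=$(jq -r '.ResourceRecordSets[]|select(.Type == "CNAME")|select(.ResourceRecords != null)|"\(.ResourceRecords[0].Value),\(.Name)"' <<<"$raw" \
      | sed -e 's/\.,/,/' -e 's/\.$//')
    ## Attack vector 2 - someone has a Route53 record pointing to CF, but no alias in CF for that record.
    recs=$(jq -r '.ResourceRecordSets[]|select(.Type == "A")|select(.AliasTarget.DNSName!=null)|select(.AliasTarget.DNSName|contains(".cloudfront.net")).Name' <<<"$raw" \
      | sed 's/\.$//')

    printf 'INFO: Looking for CF aliases missing a CF alias\n'
    for rec in $recs; do
      #echo "INFO: Looking to see if $rec has a CF Alias"
      ## -Fx: literal, whole-line match. "." in a DNS name is not a regex wildcard, and
      ## "example.com" must not satisfy a check for "www.example.com".
      ## NOTE(review): a record covered only by a wildcard alias ("*.example.com") is still
      ## reported, because the comparison is exact.
      if ! grep -Fxq -- "$rec" <<<"$aliases"; then
        printf 'FAILED: Found Route53 record pointing to CloudFront with NO CloudFront alias for the record! %s\n' "$rec"
        failures=$((failures + 1))
      fi
    done

    printf 'INFO: Looking for CNAMES missing a CF alias\n'
    for cname in $cnames; do
      arec=${cname%%,*}       # CNAME target
      r53_record=${cname#*,}  # CNAME owner name
      ## Nothing to report when CF already claims the CNAME's own name. The original used a
      ## substring grep here, so a shorter alias silently satisfied the check for a longer name.
      if grep -Fxq -- "$r53_record" <<<"$aliases"; then
        continue
      fi
      ## Evaluate if the destination points to a CF Distro...
      if [[ "$arec" == *cloudfront.net* ]]; then
        printf 'FAILED: Found a %s CNAME that points %s (CF Distro) and CF is missing the alias. Another account could create a CF distro with the cname and hijack our content\n' "$r53_record" "$arec"
        failures=$((failures + 1))
      fi
      ## Check the chain... look for a pointer to a record which points to CF
      if grep -Fxq -- "$arec" <<<"$recs"; then
        printf 'FAILED: Found a %s ALIAS -> %s -> CF, but CF is missing an alias for %s Another account could create a CF distro with the alias and hijack our content\n' "$r53_record" "$arec" "$r53_record"
        failures=$((failures + 1))
      fi
    done
  done

  printf 'INFO: %d record(s) flagged\n' "$failures"
  return 0
}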
# Run the audit once when this file is executed; findings are printed to stdout as "FAILED: ..." lines.
evaluateMissingAliasesInCloudFront
See https://www.mindpointgroup.com/blog/pen-test/cloudfront-hijacking/ for more info. The script is a work in progress!