Microsoft Has a Subdomain Hijacking Problem (zdnet.com)
A security researcher has pointed out that Microsoft has a problem in managing its thousands of subdomains, many of which can be hijacked and used for attacks against users, its employees, or for showing spammy content. From a report: The issue has been brought up this week by Michel Gaschet, a security researcher and a developer for NIC.gp. In an interview with ZDNet, Gaschet said that during the past three years, he's been reporting subdomains with misconfigured DNS records to Microsoft, but the company has either ignored those reports or silently secured some subdomains, but not all. Gaschet says he reported 21 msn.com subdomains that were vulnerable to hijacks to Microsoft in 2017, and then another 142 misconfigured microsoft.com subdomains in 2019. Further, the researcher also privately shared with ZDNet another list of 117 microsoft.com subdomains that he also reported to Microsoft last year.
As though there were any doubt. (Score:1)
Feigned incompetence is the new gremlin.
I'm unsure how I feel about this. (Score:2)
DNS misconfigurations (Score:3)
So I don't get it: are the hijackers actually getting access to the internal DNS servers/configurations under Microsoft control, or are they just taking over DNS servers of others and re-pointing them to $badsites?
Re: DNS misconfigurations (Score:2)
MS is leaving old DNS entries pointing to machines which no longer exist. Then attackers put up a machine at that IP address and, BAM, they have a machine on an MS subdomain. How they get that IP address is beyond me, but apparently possible.
Re: (Score:2)
Then attackers put up a machine at that IP address
Right. As you mentioned, how can attackers put up machines using Microsoft owned IP address space? That requires inside access.
Re: DNS misconfigurations (Score:5, Informative)
Not quite. There are other reports of this in the past I've seen. People are using Azure to do the domain/IP jacking. Quite often, the subdomains pointed to services built on Azure, but then taken offline. Those IP addresses then release back into an Azure pool that ANYONE with an Azure account can possibly obtain.
Re: (Score:2)
Oh wow, ok. That makes more sense. Thanks for the clarification.
You'd think Microsoft, one of the most powerful and richest companies in the world, would have more of a handle on maintaining their DNS infra...yikes.
Re: (Score:2)
Well they are using Windows to manage their DNS.
I am not saying Windows DNS is horrible. But Microsoft products are rarely built for a company the scale of Microsoft.
Re: (Score:2)
From my experience, a Microsoft-based business network is optimal for businesses of 1 - 500 employees (a small number of sysadmins who do general-purpose tasks; the Windows GUI for nearly everything makes it possible for these people to go into settings and configurations they may not be fully used to and produce a decent setup).
500 - 5000 employees: you are going to be on par with a Unix/Linux-based network. (At this level sysadmins begin to separate into specialties. Networking, Security, Deployme
Re: (Score:2)
I tend to find Azure in a "Management didn't authorize that!" mode more often than not... it's too easy for a sysadmin to throw the install on a Windows server in the IT room, then input their own payment details. Seems like we need to make the server owner more powerful than the sysadmin for this to be safe.
Re: (Score:2)
Microsoft seems prone to this kind of blunder. They famously forgot to renew hotmail.com once.
This week corp.com was sold too. Older versions of Windows Server defaulted to using "corp.com" as the AD domain, and it's very easy for whoever owns corp.com to also own companies who didn't change the default.
Re: DNS misconfigurations (Score:5, Informative)
In the article there's a link to a blog post explaining the issue. Some Microsoft subdomains have CNAMEs pointing to other domains that they have let expire. If you purchase that domain, you can host content on it that can be accessed using the original CNAME.
An example is shown where racing.msn.com is a CNAME pointing to msnbrickyardsweeps.com which has expired and was available for purchase. The blogger bought that domain and put up an "Owned" page on it that shows the DNS entries that enabled it to use the name racing.msn.com.
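As an added illustration (not code from the thread, the linked blog post, or Microsoft), here is a small Python audit that flags the two dangling-record patterns described in this thread: a CNAME whose external target no longer resolves (the expired-domain case in this comment) and an A record pointing at an address the organisation no longer holds (the released-Azure-pool case a few comments up). The zone, the resolver table and the owned-address set are constructed sample data; the names `find_dangling`, `audit_sample` and the `Record`/`Finding` types are my own.

```python
"""Audit a zone export for dangling records that can enable subdomain takeover.

Two checks, run over a constructed sample zone:
  1. CNAME whose target (outside our own zone) no longer resolves.
  2. A record whose address is outside the set of addresses we still hold.
The resolver is injected so the script runs offline; pass a real lookup for a
live audit (see the usage note below the block).
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str   # "A" or "CNAME" (constructed subset of record types)
    value: str


@dataclass(frozen=True)
class Finding:
    name: str
    reason: str
    detail: str


# Constructed sample zone: one record per name, no real Microsoft data.
SAMPLE_ZONE = [
    Record("www.example.com", "A", "203.0.113.10"),
    Record("promo.example.com", "CNAME", "sweeps.partner-example.net"),
    Record("status.example.com", "CNAME", "status-example.cdn-example.org"),
    Record("old-app.example.com", "A", "203.0.113.77"),
    Record("alias.example.com", "CNAME", "www.example.com"),
]

# Constructed stand-in for the public DNS: names that still resolve.
# sweeps.partner-example.net is deliberately absent (domain left to expire).
FAKE_DNS = {
    "www.example.com": "203.0.113.10",
    "status-example.cdn-example.org": "198.51.100.5",
}

# Constructed inventory of addresses we still hold; 203.0.113.77 was released.
OWNED_ADDRESSES = {"203.0.113.10"}


def fake_resolve(name: str) -> Optional[str]:
    """Offline resolver: returns an address or None for NXDOMAIN."""
    return FAKE_DNS.get(name)


def find_dangling(zone: Iterable[Record],
                  resolve: Callable[[str], Optional[str]],
                  owned: Set[str],
                  max_chain: int = 8) -> List[Finding]:
    """Return one Finding per record that points at something we do not control."""
    records = list(zone)
    in_zone = {r.name: r for r in records}
    findings: List[Finding] = []
    for r in records:
        if r.rtype == "CNAME":
            # Follow CNAME hops that stay inside our zone (bounded to avoid loops).
            target, hops = r.value, 0
            while (target in in_zone and in_zone[target].rtype == "CNAME"
                   and hops < max_chain):
                target, hops = in_zone[target].value, hops + 1
            if target in in_zone:
                # Chain ends on one of our own A records; the A check covers it.
                continue
            if resolve(target) is None:
                findings.append(Finding(r.name, "dangling-cname",
                                        f"target {target} does not resolve"))
        elif r.rtype == "A":
            if r.value not in owned:
                findings.append(Finding(r.name, "unowned-address",
                                        f"{r.value} is not in our address inventory"))
    return findings


def audit_sample() -> List[Finding]:
    """Run the audit over the constructed sample zone."""
    return find_dangling(SAMPLE_ZONE, fake_resolve, OWNED_ADDRESSES)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.name}: {f.reason} ({f.detail})")
```

For a live run, replace `fake_resolve` with a wrapper around `socket.gethostbyname` that returns `None` on `socket.gaierror`, and build `owned` from your IPAM or cloud inventory rather than a literal set. The "unowned-address" check is the one that catches the Azure-pool case: the record still resolves, so only comparing it against what you currently hold reveals that the address could be claimed by someone else.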
Not quite: CNAME not A (Score:5, Informative)
Re: (Score:2)
The browser won't alert you if a certificate is for a CNAME domain rather than the displayed domain?
Re: (Score:2)
A CNAME resolves inside DNS, the browser doesn't change the URL domain to point to it. The cert can be for the displayed domain (certificate issuers' DNS validations also follow CNAMEs).
Re: (Score:2)
If partner.msn.com is redirected to partnersite.com, then if after the promotion the partner failed to renew their domain but MSN fails to pull the CNAME, somebody could set up a new partnersite.com, and then claim to be part of MSN when really they're not. A properly set new cert for partnersite.com would show no errors, and partner.msn.com can still trade on MSN's wildcard cert.
Re: (Score:2)
Would owning partnersite.com allow you to get a new certificate for partner.msn.com? You'd think CAs would require proof of ownership through the root domain rather than the subdomain.
Re: (Score:2)
Would owning partnersite.com allow you to get a new certificate for partner.msn.com?
Yes, for Domain Validation (DV) certificates. Organizational Validation (OV) and Extended Validation (EV) certs require more than just domain control.
For example, Let's Encrypt (which only issues DV certs) just requires you to show that you control the domain by asking you to place a specific file on a website accessible via your claimed domain name. In this case, you'd simply need to publish a file at http://partner.msn.com/ which is exactly what's made possible here.
You'd think CAs would require proof of ownership through the root domain rather than the subdomain.
That's not how it works. Look at the
Re: (Score:2)
CAs never cease to amaze me.
Yes, MS is incompetent and evil, don't trust them (Score:2)
What else is new? That they screw up is a given, and that they are not even very original in it is too.