Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Microsoft Security IT

Microsoft Has a Subdomain Hijacking Problem (zdnet.com) 24

A security researcher has pointed out that Microsoft has a problem in managing its thousands of subdomains, many of which can be hijacked and used for attacks against users, its employees, or for showing spammy content. From a report: The issue has been brought up this week by Michel Gaschet, a security researcher and a developer for NIC.gp. In an interview with ZDNet, Gaschet said that during the past three years, he's been reporting subdomains with misconfigured DNS records to Microsoft, but the company has either ignored those reports or silently secured some subdomains, but not all. Gaschet says he reported 21 msn.com subdomains that were vulnerable to hijacks to Microsoft in 2017, and then another 142 misconfigured microsoft.com subdomains in 2019. Further, the researcher also privately shared with ZDNet another list of 117 microsoft.com subdomains that he also reported to Microsoft last year.
This discussion has been archived. No new comments can be posted.

Microsoft Has a Subdomain Hijacking Problem

Comments Filter:
  • Feigned incompetence is the new gremlin.

  • The hijackers re-direct you to videos of Clippy [wikipedia.org] singing "Never Gonna Give You Up" [wikipedia.org].
  • by TheDarkener ( 198348 ) on Wednesday February 19, 2020 @06:08PM (#59744944) Homepage

    So I don't get it, are the hijackers actually getting access to the internal DNS servers/configurations under Microsoft control or are they just taking over DNS servers of others and re-pointing to $badsites ?

    • MS is leaving old DNS entries pointing to machines which no longer exist. Then attackers put up a machine at that IP address and, BAM, they have a machine on an MS subdomain. How they get that IP address is beyond me, but apparently possible.

      • Then attackers put up a machine at that IP address

        Right. As you mentioned, how can attackers put up machines using Microsoft owned IP address space? That requires inside access.

        • by darkain ( 749283 ) on Wednesday February 19, 2020 @06:19PM (#59744980) Homepage

          Not quite. There are other reports of this in the past I've seen. People are using Azure to do the domain/IP jacking. Quite often, the subdomains pointed to services built on Azure, but then taken offline. Those IP addresses then release back into an Azure pool that ANYONE with an Azure account can possibly obtain.

          • Oh wow, ok. That makes more sense. Thanks for the clarification.

            You'd think Microsoft, one of the most powerful and richest companies in the world, would have more of a handle on maintaining their DNS infra...yikes.

            • Well they are using Windows to manage their DNS.

              I am not saying Windows DNS is horrible. But Microsoft products are rarely built for a company the scale of Microsoft.

            • I tend to find Azure in a "Management didn't authorize that!" mode more often then not... it's too easy for a sysadmin to throw the install on a Windows server in the IT room, then input their own payment details. Seems like we need to make the server owner more powerful than the sysadmin for this to be safe.

          • That's so easy to defend against though. Everyone who uses dynamic DNS already does it. Your server has to tell the DNS server "yes this is still my IP address" every few days. If a server fails to call in, the DNS server removes its entry.
          • by AmiMoJo ( 196126 )

            Microsoft seems prone to this kind of blunder. They famously forgot to renew hotmail.com once.

            This week corp.com was sold too. Older versions of Windows Server defaulted to using "corp.com" as the AD domain, and it's very easy for whoever owns corp.com to also own companies who didn't change the default.

        • by dgood ( 139443 ) on Wednesday February 19, 2020 @06:42PM (#59745088) Homepage

          In the article there's a link to a blog post explaining the issue. Some microsoft subdomains have CNAMEs pointing to other domains that they have let expire. If you purchase that domain you can host content on it that can be accessed using the original CNAME.

          An example is shown where racing.msn.com is a CNAME pointing to msnbrickyardsweeps.com which has expired and was available for purchase. The blogger bought that domain and put up an "Owned" page on it that shows the DNS entries that enabled it to use the name racing.msn.com.

      • by dereference ( 875531 ) on Wednesday February 19, 2020 @06:38PM (#59745074)
        This isn't quite correct. MS defines a CNAME record that points to some other domain, somewhere outside of their own domains. Eventually that other domain expires, but the CNAME records to it aren't removed. Now the researcher buys the abandoned domain and sets it to point to any IP address at all. Because browsers and email both honor the CNAME, this IP address will work exactly as if they're within an MS domain. The researcher can then even trivially obtain a DV certificate, because this subdomain is indeed under the researcher's control. Now everything looks valid and secure, but it's actually not at all controlled by MS. All the same-origin and other such policies treat this as a valid MS subdomain.
        • The browser won't alert you if a certificate is for a CNAME domain rather than the displayed domain?

          • by ahodgson ( 74077 )

            A CNAME resolves inside DNS, the browser doesn't change the URL domain to point to it. The cert can be for the displayed domain (certificate issuers' DNS validations also follow CNAMEs).

          • If partner.msn.com is redirected to partnersite.com, then if after the promotion the partner failed to renew their domain but MSN fails to pull the CNAME, somebody could set up a new partnersite.com, and then claim to be part of MSN when really they're not. A properly set new cert for partnersite.com would show no errors, and partner.msn.com can still trade on MSN's wildcard cert.

            • Would owning partnersite.com allow you to get a new certificate for partner.msn.com? You'd think CAs would require proof of ownership through the root domain rather than the subdomain.

              • Would owning partnersite.com allow you to get a new certificate for partner.msn.com?

                Yes, for Domain Validation (DV) certificates. Organizational Validation (OV) and Extended Validation (EV) certs require more than just domain control.

                For example, Let'sEncrypt (which only issues DV certs) just requires you to show that you control the domain by asking you to place a specific file on a website accessible via your claimed domain name. In this case, you'd simply need to publish a file at http://partner.msn.com/ which is exactly what's made possible here.

                You'd think CAs would require proof of ownership through the root domain rather than the subdomain.

                That's not how it works. Look at the

  • What else is new? That they screw up is a given, and that they are not even very original in it is too.

Business is a good game -- lots of competition and minimum of rules. You keep score with money. -- Nolan Bushnell, founder of Atari

Working...