piątek, 5 września 2014

GetClouder domain takeover

GetClouder is cloud hosting service having bug bounty program. In Administration Panel we have some domain management tool for hosting our own domain names. After adding ANY domain - zone is configured on two DNS servers: nimbus.getclouder.com and cumulus.getclouder.com - even if we are not owner of the domain. 

If you get NS records for getclouder.com domain, you'll see that it's hosted on same servers:

zoczus@hell:~$ host -t ns getclouder.com
getclouder.com name server nimbus.getclouder.com.
getclouder.com name server cumulus.getclouder.com.

So my first try was trying to add getclouder.com domain - of course it failed. ;)

Then - I tried to search if GetClouder have any other interesting domains. Here's what I found:

In short - yes, they have other domains. One of interesting - clouder.us or getclouder.info are hosted on ns1.clev1.net and ns2.clev1.net. Now - just check the IP addresses of this servers:

zoczus@hell:~$ host ns1.clev1.net
ns1.clev1.net has address
zoczus@hell:~$ host ns2.clev1.net
ns2.clev1.net has address
zoczus@hell:~$ host nimbus.getclouder.com
nimbus.getclouder.com has address
zoczus@hell:~$ host cumulus.getclouder.com
cumulus.getclouder.com has address

So we have few other possibilities to check. I tried to add clev1.net, it failed - but adding ns1.clev1.net - not. :) Win?

Yup - it was deffinetly win. 

zoczus@hell:~$ host wow.ns1.clev1.net
wow.ns1.clev1.net has address
zoczus@hell:~$ dig +trace ns1.clev1.net

; <<>> DiG 9.8.3-P1 <<>> +trace ns1.clev1.net
;; global options: +cmd
. 85638 IN NS l.root-servers.net.
. 85638 IN NS b.root-servers.net.
. 85638 IN NS k.root-servers.net.
. 85638 IN NS j.root-servers.net.
. 85638 IN NS i.root-servers.net.
. 85638 IN NS a.root-servers.net.
. 85638 IN NS m.root-servers.net.
. 85638 IN NS h.root-servers.net.
. 85638 IN NS e.root-servers.net.
. 85638 IN NS f.root-servers.net.
. 85638 IN NS d.root-servers.net.
. 85638 IN NS c.root-servers.net.
. 85638 IN NS g.root-servers.net.
;; Received 241 bytes from in 122 ms

net. 172800 IN NS d.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
net. 172800 IN NS g.gtld-servers.net.
net. 172800 IN NS e.gtld-servers.net.
net. 172800 IN NS k.gtld-servers.net.
net. 172800 IN NS l.gtld-servers.net.
net. 172800 IN NS i.gtld-servers.net.
net. 172800 IN NS f.gtld-servers.net.
net. 172800 IN NS j.gtld-servers.net.
net. 172800 IN NS m.gtld-servers.net.
net. 172800 IN NS h.gtld-servers.net.
net. 172800 IN NS c.gtld-servers.net.
net. 172800 IN NS a.gtld-servers.net.
;; Received 488 bytes from in 132 ms

clev1.net. 172800 IN NS ns1.clev1.net.
clev1.net. 172800 IN NS ns2.clev1.net.
;; Received 95 bytes from in 167 ms

ns1.clev1.net. 86400 IN A
ns1.clev1.net. 86400 IN A
ns1.clev1.net. 86400 IN NS cumulus.getclouder.com.
ns1.clev1.net. 86400 IN NS nimbus.getclouder.com.
;; Received 152 bytes from in 174 ms

We have full control of ns1.clev1.net - so everyone asking for - let's say - clouder.us will got response about it's hosted on ns1.clev1.net (and ns2.clev1.net) which points to IP addresses controled by us.

The second vulnerability was ability to add root-servers.net zone. 

After adding just 3 root servers (a,b,c), pointing it to IP with DNSChef on board, and waiting few minutes this is what I got:

As GetClouder told me - it was result of one tool for checking if customer's domains are still pointed to its nameservers.

I want to thank GetClouder security team for realy fast responses and the way how they did treat me as researcher. That was one of my best bounty experiences :) 

15 komentarzy:

  1. Softhof Best Web Hosting Pakistan UAE, Free Web Hosting and SEO Pakistan UAE, Affordable Search Engine Optimization. Domain registration services and Web Designing and Development. We are providing special web hosting packages with free domains only to customer’s in Pakistan. We have servers available in both Linux and Windows. We provide service 24/7 in a year.
    web hosting in Pakistan

  2. nice information shared by you for domain takeover.best hosting company for host your website

  3. Giày là một trong những thời trang không thể thiếu, đặc biệt đối với những chàng trai chân ngắn thì lựa chọn đôi giày phù hợp rất quan trọng. Bạn có thể tham khảo cách lựa chọn qua bài viết
    nam chân ngăn nên mang giày nào. hoặc có thể tham khảo
    cách chọn giày cho phái mạnh giúp bạn lựa chọn được những sản phẩm thích hợp nhất.

    Hướng dẫn cách bảo vệ giày đi mưa giúp bạn bảo vệ đôi giày của bạn được tốt nhất.

    Bài viết chia sẽ Cách đeo đồng hồ đẹp và quý phái giúp bạn lựa chọn cho mình những chiếc đồng hồ có thể tôn lên nét đẹp riêng cho bạn. Ngoài ra, chúng tôi còn chuyên cung cấp dây da dùng cho đồng hồ dây da nữ với giá rẻ và chất lượng tốt nhất trên thị trường hiện nay. Tìm hiểu chi tiết về thương hiệu đồng hồ nổi tiếng trên thế giới

  4. Thanks for sharing your information with us.

    UAE Hosting

  5. A befuddling web diary I visit this blog, it's incredibly grand. Strangely, in this present blog's substance made motivation behind fact and sensible. The substance of information is instructive
    Oracle Fusion Financials Online Training
    Oracle Fusion HCM Online Training
    Oracle Fusion SCM Online Training

  6. offshorededicated.net committed to provide reliable anonymous offshore hosting with protection from any encroachment, maintaining our client’s rights to full freedom of information and independence.

  7. Ten komentarz został usunięty przez autora.

    1. SEO company in Pune

  8. PMP and Scrum Master certification in Pune