EdOverflow/can-i-take-over-xyz

Can the AWS Elastic Beanstalk service be taken over with env?

Phoenix1112 opened this issue · 11 comments

Hello. I know it is possible for the AWS Elastic Beanstalk service to be taken over if the conditions are met. For this, the region named elasticbeanstalk should be used. But if there is "env" in the same name, I don't know if it can be taken over.

example:

example.elasticbeanstalk.com > it is not vulnerable

example.us-west-2.elasticbeanstalk.com > it is vulnerable

example-env.6zycefn8gp.us-west-2.elasticbeanstalk.com > I don't know if this is vulnerable or not.

There is a 10-digit name in the subdomain after env: "6zycefn8gp". I think the AWS service adds this automatically, and I want to know if there is a method to get it.

ethrx commented

This 10-digit name is there for the exact reason you want to claim it. I remember reading a report once about someone who created tens of thousands of AWS services to try and get this same random code, but failed.

I have performed takeovers in the past with this exact scenario. Unless AWS has updated that system, you can attempt to claim an Elastic Beanstalk instance under the name of 6zycefn8gp in the us-west-2 zone, and then you will be able to control "example-env.6zycefn8gp.us-west-2.elasticbeanstalk.com".

At this moment, Elastic Beanstalk does not allow you to add special characters like "." - and notice that this will happen if we create an environment without setting a name on it:

  • i.e., AWS will take your application's name and append a few random characters, separated by a dot, in order to generate a unique FQDN such as myapplication.6zycefn8gp.<region>.elasticbeanstalk.com. Even though this resource may no longer exist, AWS won't allow me to use myapplication.6zycefn8gp due to the restriction above.

That is, at this moment, it's only possible to perform a takeover on this service if it was created with a custom name filled in by the user, which is quite normal.

Taking over 6zycefn8gp.us-east-1.elasticbeanstalk.com will give you access to any.6zycefn8gp.us-east-1.elasticbeanstalk.com (assuming the first is available), because you can configure the subdomain in your Apache/PHP configuration. You don't perform the takeover by adding the full name with the period.

Yes, it makes sense, but how do you set "any.6zycefn8gp.us-east-1.elasticbeanstalk.com" after getting "6zycefn8gp.us-east-1.elasticbeanstalk.com"? Will AWS then allow us to get a new Elastic name using "."? Or do we need a wildcard CNAME-style setting without a new name?

I don't speak English very well, and if I'm not reading it wrong, the answer to the question we're looking for is hidden here.

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.CNAMESwap.html


The CNAME record AWS adds to their system is wildcarded, if I remember correctly. So you just need to set up the configuration within the Elastic Beanstalk instance, I believe. I'm away from my desktop, so I can't go check the steps at the moment.

Did you find a way to take over? I have the same problem here.
Is it still possible to take over any.ygxtg5zgwz.eu-west-1.elasticbeanstalk.com?

d55pak commented

Yes, this is still vulnerable.

Can I apply for a domain name in the format eba-xxxxxxxx.us-east-1.elasticbeanstalk.com? When I sign up, I get this error. Is the "eba-" beginning reserved? How did the others apply?

Is this vulnerable?
something_but_its_not_random-env.ap-northeast-1.elasticbeanstalk.com
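An added example for zone owners (my code, not part of the issue thread or of the can-i-take-over-xyz project): it parses the three hostname shapes discussed above (no region label, custom environment name before the region, and auto-generated name with the random label before the region), identifies the label that owns each record, and flags CNAMEs in your own zone whose target no longer resolves so they can be removed. The zone records and resolver answers are constructed, and the `eba-` handling only encodes the registration error reported in the thread.

```python
"""Audit a DNS zone for dangling Elastic Beanstalk CNAME targets.

Added example, not code from the issue thread or the can-i-take-over-xyz
project. The hostname patterns follow the forms discussed in the thread;
all zone records and resolver results below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Region label such as us-west-2, eu-west-1, ap-northeast-1 (assumed shape).
_REGION = r"[a-z]{2}-[a-z]+-\d"
EB_HOST = re.compile(
    rf"^(?P<labels>[a-z0-9.-]+)\.(?P<region>{_REGION})\.elasticbeanstalk\.com$"
)


@dataclass
class EbTarget:
    host: str
    region: Optional[str]        # None when the host carries no region label
    claim_label: Optional[str]   # environment CNAME prefix that owns the record
    note: str


def classify(host: str) -> EbTarget:
    """Map an elasticbeanstalk.com hostname to the label that owns it."""
    host = host.rstrip(".").lower()
    m = EB_HOST.match(host)
    if not m:
        # e.g. example.elasticbeanstalk.com: no region, so no environment CNAME.
        return EbTarget(host, None, None, "no region label; not an environment CNAME")
    labels = m.group("labels").split(".")
    region = m.group("region")
    # Environment CNAME prefixes cannot contain dots, so the label directly
    # before the region is the one that owns the record; the wildcard covers
    # anything to its left (e.g. "example-env" in example-env.6zycefn8gp.<region>).
    prefix = labels[-1]
    if prefix.startswith("eba-"):
        # The thread reports that Elastic Beanstalk rejects names starting with "eba-".
        return EbTarget(host, region, prefix, "eba- prefix reported as reserved")
    if len(labels) == 1:
        return EbTarget(host, region, prefix, "custom environment name")
    return EbTarget(host, region, prefix, "auto-generated random label; wildcard covers leading labels")


@dataclass
class Finding:
    owner: str        # record in our zone pointing at Elastic Beanstalk
    target: EbTarget
    status: str       # resolves | dangling-reclaimable | dangling-reserved | dangling-unknown


def audit(cnames: dict, resolves: dict) -> list:
    """Classify every Elastic Beanstalk CNAME in `cnames` using `resolves`
    (target -> bool, a stand-in for a real DNS lookup)."""
    findings = []
    for owner, target in cnames.items():
        if not target.rstrip(".").lower().endswith(".elasticbeanstalk.com"):
            continue
        t = classify(target)
        if resolves.get(t.host, False):
            status = "resolves"
        elif t.claim_label is None:
            status = "dangling-unknown"
        elif t.claim_label.startswith("eba-"):
            status = "dangling-reserved"
        else:
            status = "dangling-reclaimable"   # delete or re-point this record
        findings.append(Finding(owner, t, status))
    return findings


# Constructed zone records and constructed resolver answers (not real DNS data).
SAMPLE_CNAMES = {
    "app.example.org": "example-env.6zycefn8gp.us-west-2.elasticbeanstalk.com",
    "old.example.org": "example.us-west-2.elasticbeanstalk.com",
    "legacy.example.org": "eba-xxxxxxxx.us-east-1.elasticbeanstalk.com",
    "www.example.org": "www.example.org.cdn.example.net",
}
SAMPLE_RESOLVES = {
    "example-env.6zycefn8gp.us-west-2.elasticbeanstalk.com": True,
    "example.us-west-2.elasticbeanstalk.com": False,
    "eba-xxxxxxxx.us-east-1.elasticbeanstalk.com": False,
}

if __name__ == "__main__":
    for f in audit(SAMPLE_CNAMES, SAMPLE_RESOLVES):
        print(f"{f.owner:20} -> {f.target.host:55} {f.status} ({f.target.note})")
```

Records reported as `dangling-reclaimable` are the ones to act on: remove the CNAME or re-create the environment under the same prefix in the same region before anyone else registers it.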