Cloudflare
indianajson opened this issue · 11 comments
Service
Cloudflare
Status
Not Vulnerable
Nameserver
*.ns.cloudflare.com
*.ns.cloudflare.com
Assigned in pairs of two, with a boys
name and a girls
name.
Explanation
@Woutifier (an engineer on Cloudflare's DNS team) has confirmed the logic that allow a user to get randomly assigned a nameserver that was previously attached to a given domain has been removed. There is no known exploit by which to achieve takeovers on Cloudflare.
Old Disclaimer (for posterity)
Conducting takeovers with Cloudflare is possible though complicated and can return false positives. To successfully perform targeted takeovers will probably necessitate some type of automation and has, in my experience, only a 10% chance of success even if you have all of the necessary prerequisites. If you're still interested... read on!
Old Explanation (for posterity)
Cloudflare is a bit different than most DNS providers, because of the way they assign DNS names. According to the company's blog, they use people's names as their nameservers (e.g. bob.ns.cloudflare.com
, lola.ns.cloudflare.com
, etc) with roughly 50 boys
names and 50 girls
names. When you sign up to Cloudflare your account is assigned two semi-permanent nameservers, one girls
name and one boys
name, meaning you will be assigned 1 of 2,500 possible nameserver combinations. Quite a bit of time has passed since that blog post and Cloudflare now operates around 900 nameservers (see my master nameserver list), thus there are over 200,000 possible combinations.
That's not the whole story though. If the zone on Cloudflare has been deleted (i.e. returns SERVFAIL
), it is possible that when you generate a new zone one of your two assigned nameservers will match one of the domain's existing nameservers. This is similar to how Amazon AWS used to allow takeovers via Route 53 with only one of four nameservers matching. As an example, if the vulnerable domain points to bob.ns.cloudflare.com
and lola.ns.cloudflare.com
and your account has bob.ns.cloudflare.com
and edna.ns.cloudflare.com
the takeover may be possible.
Here's the catch. At this point, it would take upwards of 450 Cloudflare accounts to get an account that matches one of your specific vulnerable domain's nameservers. Additionally, in my experience, there is only around a 10% chance of success even if the nameservers assigned to your account match the domain. While this is a far cry from the theoretical 200,000 accounts previously believed necessary, that's still a lot of work to perform a targeted takeover. To that end, I'm reassigning this to Edge Case
unless someone figures out a way to reduce the need for so many accounts.
Waiting for a write up here 😅
Hi @leovarmak, I updated the original issue with the current details that are available.
shall we report this issue?
shall we report this issue?
If by report, you mean submit a vulnerability report on their bug bounty program, I did submit one over a year ago and at the time provided both an extensive +100 domain POC and thorough explanation. The bug bounty management staff said they won't fix it.
Currently if you sign up a domain on Cloudflare, you will never be assigned the nameservers that that domain is pointing at prior to that moment. So say "example.com" is delegated to "ben.ns.cloudflare.com", "joe.ns.cloudflare.com", however many times you add that domain to an account, you'll never get either ben or joe.
In the past it was just random and it was possible to get the correct NS just by being lucky (or trying often).
(I'm an engineer on Cloudflare's DNS team)
@Woutifier This is an interesting update! Thank you for sharing and I will update the status accordingly. In the past it was possible to get one of the name servers but not both (which was the point of my report at the time). Out of curiosity, can you share when this was changed?
Currently if you sign up a domain on Cloudflare, you will never be assigned the nameservers that that domain is pointing at prior to that moment. So say "example.com" is delegated to "ben.ns.cloudflare.com", "joe.ns.cloudflare.com", however many times you add that domain to an account, you'll never get either ben or joe.
In the past it was just random and it was possible to get the correct NS just by being lucky (or trying often).
(I'm an engineer on Cloudflare's DNS team)
This is interesting, and apparently prevents or removes the edge case vulnerability if I understand correctly.
But, if true, it means the following: if a domain EVER had name servers: (dropping “.ns.cloudflare.com”), ben, joe, lola, sue, tom, ann. That domain can never have those nameservers again.
Thus, if a domain is re-assigned name servers on CF too many times, eventually all the name servers would be exhausted w.r.t. the domain name, ie “example.com”, and that domain name could not be provided DNS service at CF.
Sure, that’s another weird edge case, but worth noting.
Also, I think it would be useful to lay people, and not just DNS experts, to clarify whether this vulnerability existed only with domains registered outside CF, and not with domains registered with CF, ignoring the never-reuse-nameservers fix now applied by CF according to @Woutifier
@cameronelliott Based on my testing, I believe domains registered with Cloudflare but then removed could be exploited, too. I did extensive testing as part of the report I submitted to their bug bounty program (which was denied at the time).
I had a quick search through our internal ticket system but couldn't find your report unfortunately (to be fair the search functionality isn't great), not sure if our team actually saw that or if it stranded somewhere else.
Excluding the current nameservers was implemented some time last year. Mainly as part of work done in response to this paper. Note that it doesn't exclude all nameservers a domain has ever used, just the ones that are currently authoritative.
With regards to domains registered through Cloudflare Registrar, that's a different team so I'm not 100% up to date, but in principle the zones associated with those domains should not be deleted (and thus never be dangling) as long as the domain is active. I do believe this may have been possible to do at some point.
@Woutifier Thanks for checking. I'm not surprised it's not there. I submitted my report in June 2021, but the bug bounty management team basically refused to pass it onto the Cloudflare team for a while. Supposedly someone from Cloudflare eventually saw it, but I can't be sure.
I'm honestly just glad this finally got fixed.