punk-security/dnsReaper

AWS Route 53 no longer vulnerable

thr3athunt3r opened this issue · 4 comments

AWS Route 53 is no longer vulnerable to takeover of domains with dangling delegation records

Hi,

I did a Route53 takeover for a demo at BSIDES Newcastle just a couple of weeks ago, what makes you think you can't take it over?

I've noted sometimes it doesn't work, but for me most of the time it does.

Linky to the recording: https://youtu.be/GGfQlPZSRk4?t=712

My theory is that sometimes it doesn't work because the domain is actually configured, but as a private hosted zone and not public. This means it is installed on the nameservers but only resolves when queried from the same AWS account.

Unfortunately, you cannot tell if it's not configured at all or configured as a private zone.

Hmmm, it's a fair point. It's a bit of an edge case.

This takeover is definitely possible in some cases, but there are some protections (which you have linked).

I'll add a comment to the information we return for this signature to state that it's a bit of an edge case.
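The check the thread is reasoning about, written out as an added example (not dnsReaper's own code, and not code from any participant above): given the NS records the parent zone delegates to and the result of sending an SOA query for the zone straight to each of those nameservers, decide whether the delegation is configured, possibly dangling, or inconclusive. It encodes the edge case from the private-hosted-zone comment: when every Route 53 nameserver answers REFUSED, that is what both "no hosted zone exists" and "a private hosted zone exists" look like from outside, so the verdict is deliberately "possibly dangling" rather than "vulnerable". The nameserver hostnames and rcodes in the demo are constructed for illustration; `DirectAnswer`, `classify_delegation` and the verdict constants are names chosen here, not dnsReaper's signature API.

```python
"""Classify a Route 53 NS delegation: configured, possibly dangling, or inconclusive.

Added example, not dnsReaper's own code. All inputs below are constructed.
Obtain real inputs with e.g. `dig +norecurse NS example.com @<parent ns>` for the
delegation and `dig SOA example.com @<delegated ns>` for each direct probe.
"""
from dataclasses import dataclass

AWS_NS_MARKER = "awsdns-"                # Route 53 nameserver hostnames contain this
CONFIGURED = "configured"                # a delegated NS serves the zone publicly
POSSIBLY_DANGLING = "possibly-dangling"  # REFUSED everywhere: no zone, or a private zone
INCONCLUSIVE = "inconclusive"            # timeouts / SERVFAIL / odd answers: re-probe first
NOT_ROUTE53 = "not-route53"              # this signature does not apply


@dataclass(frozen=True)
class DirectAnswer:
    """Outcome of an SOA query for the zone sent directly to one delegated nameserver."""
    nameserver: str
    rcode: str             # "NOERROR", "REFUSED", "SERVFAIL", "TIMEOUT", ...
    has_soa: bool = False  # the nameserver returned an SOA record for the zone itself


def is_route53_delegation(ns_records):
    """True when every delegated nameserver looks like a Route 53 server."""
    names = [n.lower().rstrip(".") for n in ns_records]
    return bool(names) and all(AWS_NS_MARKER in n for n in names)


def classify_delegation(ns_records, direct_answers):
    """Combine the parent's NS records with the direct per-nameserver probes."""
    if not is_route53_delegation(ns_records):
        return NOT_ROUTE53
    if not direct_answers:
        return INCONCLUSIVE

    # Any nameserver answering authoritatively with an SOA means a public hosted
    # zone already exists for this name: nothing to take over.
    if any(a.rcode.upper() == "NOERROR" and a.has_soa for a in direct_answers):
        return CONFIGURED

    # Route 53 answers REFUSED for a zone it does not serve to this querier. As the
    # thread notes, that covers both "no hosted zone" (a takeover candidate) and
    # "private hosted zone" (only resolvable from inside the owning AWS account),
    # and the two cannot be told apart from outside, hence "possibly".
    rcodes = {a.rcode.upper() for a in direct_answers}
    if rcodes == {"REFUSED"}:
        return POSSIBLY_DANGLING

    # Mixed or transient results (SERVFAIL, timeouts, NOERROR without an SOA)
    # are not evidence either way; probe again before reporting anything.
    return INCONCLUSIVE


def explain(verdict):
    """One-line operator guidance for each verdict."""
    return {
        CONFIGURED: "Public hosted zone answers for this name; not a dangling delegation.",
        POSSIBLY_DANGLING: ("All Route 53 nameservers refuse the zone: either no hosted zone "
                            "exists (takeover candidate) or it is a private hosted zone. "
                            "Edge case; confirm before reporting."),
        INCONCLUSIVE: "Probes disagreed or failed; re-run the direct SOA queries.",
        NOT_ROUTE53: "Delegation is not to Route 53; this check does not apply.",
    }[verdict]


if __name__ == "__main__":
    # Constructed sample: a four-server Route 53 delegation where every server refuses.
    ns = ["ns-101.awsdns-12.com.", "ns-702.awsdns-23.net.",
          "ns-1303.awsdns-34.org.", "ns-1804.awsdns-45.co.uk."]
    probes = [DirectAnswer(n, "REFUSED") for n in ns]
    verdict = classify_delegation(ns, probes)
    print(verdict, "-", explain(verdict))
```

Feed it your own lookups: the delegation as seen at the parent (a recursive resolver may SERVFAIL on a dangling zone, so ask the parent directly) and one direct SOA probe per delegated nameserver. A `possibly-dangling` verdict is the point where the maintainer's "edge case" comment applies; it is the trigger for a closer look, not a confirmed finding.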