Microsoft Azure proofs

[PatrikHudak]

Service name

Microsoft Azure

Proof

There is no general approach for PoC. Microsoft Azure offers multiple services (CloudApp, Azure Websites, etc.) that use different domain names.

General approach in verifying subdomain takeover is to check, whether the Azure domain responds with NXDOMAIN DNS status. This is (to my knowledge) the necessary condition of the domain, however it is not sufficient. In other words, not all Azure domains which are used in some CNAME and respond with NXDOMAIN are vulnerable to subdomain takeover. I personally got a case where Azure portal refused to create a domain even though it responded with NXDOMAIN.

Some H1 reports to prove this point:

• https://0xpatrik.com/subdomain-takeover-starbucks/ (HackerOne: https://hackerone.com/reports/325336)
• https://0xpatrik.com/subdomain-takeover-starbucks-ii/ (HackerOne: https://hackerone.com/reports/388622)

As mentioned before, the PoC creation depends on the service in question, however, they generally tend to have similar workflows.

Documentation

These are the domains that are identified as vulnerable. Each of these is used for particular Azure service:

• *.cloudapp.net
• *.cloudapp.azure.com
• *.azurewebsites.net
• *.blob.core.windows.net
• *.cloudapp.azure.com
• *.azure-api.net
• *.azurehdinsight.net
• *.azureedge.net
• *.azurecontainer.io
• *.database.windows.net
• *.azuredatalakestore.net
• *.search.windows.net
• *.azurecr.io
• *.redis.cache.windows.net
• *.azurehdinsight.net
• *.servicebus.windows.net
• *.visualstudio.com

[Sechunt3r]

Hi All, Hope you are good!

if a Azure Domain not Respond with NXDOMAIN that means it is not Vulnerable. But if it shows this ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR,

Then what would be the answer is it vulnerable or not!

Hope you understand my points

Regards Shivam

[codingo]

Linked back on the main repository, closing this as @Sechunt3r's comment is already addressed in @PatrikHudak's summary.

[ghsec]

if subdomain return public IP is possible subdomain takeover?

[sumgr0]

If the sub-domain points to traffic manager service for Azure, is the takeover possible? When attempting to create a traffic manager profile using the same name as in the CNAME, getting error which mentions "Domain name xyz.trafficmanager.net already exists. Please choose a different DNS prefix".

Has Microsoft patched the service or am I doing something wrong?

Thanks

[PatrikHudak]

@sumgro Microsoft haven't patched the service and you are doing everything ok.

You are getting a error message because the Traffic Manager profile actually EXIST, so you are unable to claim it. When you make a DNS request to *.trafficmanager.net and get NXDOMAIN there are two possible outcomes:

1. The Traffic Manager with requested name really don't exist - you can go ahead and register it. In this context it is likely that the Subdomain Takeover is possible.
2. (From my own testing) Traffic Manager profile can be created, however there is no requirement to assign it any endpoints by default. Traffic Manager (as the name) implies is trying to distribute network traffic using different settings and acts just as a middleman. This means that in order it to work, you need to set up endpoints (a.k.a. FQDN) where the traffic will be forwarded once the user reaches to something.trafficmanager.net. Now to the core of the problem: When there is no endpoint assigned in the profile, you will get the same NXDOMAIN response as you would get with non-existing TM profile. In this case, you won't be able to take in over because the TM profile with the name in CNAME record actually exist, it just seems that the profile does not exist.

It is pretty easy to setup a automation for that using Azure API. You would need to test a creation of particular TM profile and not rely only on DNS request as some external indicator of TM profile existence.

Hope it helps.

[sumgr0]

Thank you for the revert @PatrikHudak, really appreciate the detailed reply.

I'm fairly new to the subdomain takeover subject. When testing for the subdomain in question, the dig confirmed the error NXDOMAIN (thereby bringing a smile) and then the CNAME pointed to xyz.trafficmanager.net.

From your reply, I understand that the profile already exists with the same name as the CNAME, even when the end-point may not have been setup, this results in the error message both when visiting the link and through the dig command. Hence, the takeover for in this situation may not be successful.

Not able to get the pointers on the Azure API for automation, kindly point in the direction to be able to research more on the topic to get an understand for future hunting.

Thanks

[sumgr0]

I've come across a sub-domain, pointing to an azure web app service. This CNAME itself has 3 levels like xyz.abc.m.azurewebsites.net. It shows the NXDOMAIN error when checking with dig.

However, when I try to create the App on the Azure Portal as xyz.abc.m to takeover, it does not allow periods in the same. Anyone aware of how can such scenario be handled for sub-domain takeover?

Thanks

[nikokosm]

I also faced this. I found a subdomain that resolved to xyz.easteurope.cloudapp.azure.com and could not use the . character. Anyone else got around this?

Edit: turns out you could take over this by registering an Azure VM in the easteurope region ;)

[sumgr0]

found this in relation to the above, but haven't been able to go through in details to understand: https://docs.microsoft.com/en-us/azure/app-service/environment/using-an-ase

[AdmiralGaust]

I found a subdomain pointing to 104.211.97.138. The ip certificate is issued to *.azurewebsites.net and the subdomain does not contain txt record.

Is it vulnerable to subdomain takeover?

[marcelo321]

I think it is a Edge case too.

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2616 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

"Domain name redacted.trafficmanager.net already exists. Please choose a different DNS prefix."

[marcelo321]

Can anyone confirm if this isn't possible or im just stupid?

when tryin to claim a CNAME with multiple levels like abc.aaa.azurewebsite.net i get

. is an invalid character

this means it is only possible to claim 1 level subdomains like abc.azurewebsite.net?

[hamzaavvan]

Which azure service gives us mysubdomain.windows.net ? Any help would be appreciated.

[chiko360]

how can i claim this *.cloudapp.azure.com ?

[davisfreimanis]

how can i claim this *.cloudapp.azure.com ?

You can simply create a Virtual Machine in the specific region and then in the left menu select "Configure" and set a desired DNS name label.

The format of the URL will be: <dnsname>.<region>.cloudapp.azure.com

[stark0de]

Does anyone know if it is possible to claim *.azurewebsites.us domains?

[adityathebe]

Is this still vulnerable ? Because Azure requires a unique Custom Domain Verification ID to be put as a TXT record in the DNS.

Until the TXT record is configured the following error will show up

I have only tried this for Web Apps (.azurewebsites.net)

[EdOverflow]

https://docs.microsoft.com/en-us/microsoft-365/admin/dns/create-dns-records-for-azure-dns-zones

@adityathebe, it appears that this is no longer vulnerable. :(

[EdOverflow]

Never mind, it’s still vulnerable. Just observed one get snatched live. 😂

[adityathebe]

Never mind, it’s still vulnerable. Just observed one get snatched live.

😮 How was the TXT verification bypassed ?

EDIT Nevermind

[sumgr0]

Any hints of how to bypass the TXT verification?

[adityathebe]

Any hints of how to bypass the TXT verification?

@sumgr0 It's not required.

[sumgr0]

@adityathebe Okay...thanks for the quick revert.

[D1rk9ghT]

Hello all i found a subdomain which is pointing to cloudapp.net.But when i tried to takeover i got false any one can help or reply me with this i'll gave you that domain

[D1rk9ghT]

when i try to add custom domain it says add verification id in txt record please tell how can i add custom domain without txt record verification @PatrikHudak

[yashswarup12]

Hello everyone, I was following @PatrikHudak steps in this blog https://0xpatrik.com/subdomain-takeover-starbucks/ to takeover cloudapp.net subdomain but when I deploy my cloud service I get the following error. "The requested VM tier is currently not available in Central India for this subscription. Please try another tier or deploy to a different location." Anyway to bypass it

Update: Was able to takeover by just changing the region to something else.

[Lolz246]

Can i takeover abc.xxx.com (not found) subdomain if it is pointing to clientconfig.microsoftonline-p.net?

[Avileox]

Does anyone know if it is possible to claim *.azurewebsites.us domains?

hey @stark0de Did you found any way to claim *.azurewebsites.us?

[theinfosecguy]

Hey @Lolz246

You found anything regarding that? I've also found a subdomain pointing to clientconfig.microsoftonline-p.net

[PR3R00T]

Hey! I just found a subdomain pointing to azurefd.net, investigations show that its azures (front door) service, you can do subdomain takeover on this domain type. You can use the backend pool to point to a resource you own.

[FaizanNehal]

@PatrikHudak I think you should also add .trafficmanager.net is the list of vulnerable services on Azure.

[chaitu577]

hey all.

dig on a subdomain responds with a status: NOERROR, and the cname points to *.azurewebsites.net.

is it vulnerable for takeover?

Regards, Che

[ravkishu]

I've seen the comments of all participants and few are in doubt that Azure takeover is not vulnerable anymore.

But let me assure you the takeover is certainly possible and I've confirmed it on microsoft.com domain, if you don't want to believe my comment then go to this link "http://smpaccountexceptionservice-int.dps.microsoft.com"

Is Azure Takeover still vulnerable?

The above screenshot was taken on Oct 02, 2020, for PoC purposes and can be confirmed below that Azure Takeover is still vulnerable & possible

[pdelteil]

hey all.

dig on a subdomain responds with a status: NOERROR, and the cname points to *.azurewebsites.net.

is it vulnerable for takeover?

Regards, Che

You need to try to add the subdomain using the Azure portal under Custom domains

![Uploading Screenshot from 2020-10-13 00-17-19.png…]()

[pdelteil]

Hey, How can I claim this? - *.azurewebsites.net Provide steps please I am stuck

https://blog.cystack.net/subdomain-takeover-chapter-two-azure-services/

[sumgr0]

Where are you getting stuck?

Best, Sumit Grover

On 16 Oct 2020, at 23:11, Philippe Delteil wrote:

Hey, How can I claim this? - *.azurewebsites.net Provide steps please I am stuck

https://blog.cystack.net/subdomain-takeover-chapter-two-azure-services/

-- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: https://github.com/EdOverflow/can-i-take-over-xyz/issues/35#issuecomment-710293926

[h4ckdi]

Hi everyone!

I've found subdomain that can be taken over and which is registered on *azurewebsites.net. I'm getting this in return when I type dig command:

But when I register website on the portal.azure.com -> Custom Domain Names it is still asking me to define TXT or MX, but I'm not allowed to do that. Status of claimed domain is "Unverified" and I don't know what to do next.

Next thing is when I'm adding custom domain and when I try to enter CNAME of that domain, I'm getting in return message which says: "The value must have a length of at most 48." because that link of the CNAME is very long.

Can someone give me a hint what to do next in order to claim this subdomain?

Thanks in advance guys!

[savirsuda]

I dont think this is a vulnerbale case anymore. You can see above how I asked for help on the same but didnt get any replies and my case is still the same. I tried a lot but couldnt make it work :(

[davisfreimanis]

App services (ending with *.azurewebsites.net) does not seem to be vulnerable anymore with the TXT verification as stated here https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain#get-a-domain-verification-id.

A TXT record is required to verify ownership of the domain. I cannot get it to work. Can anyone confirm this?

[h4ckdi]

@ravkishu Then can you explain what is correct and what not? You are not helping, we know it's wrong because it doesn't work :)

[davisfreimanis]

@ravkishu Well I need to create a CNAME and a TXT record on the victims domain (let's say google.com). There is no way that I can verify the ownership of the domain by creating a TXT record.

I would gladly hear from you to understand how this could be bypassed.

[adityathebe]

@ravkishu Well I need to create a CNAME and a TXT record on the victims domain (let's say google.com). There is no way that I can verify the ownership of the domain by creating a TXT record.

I would gladly hear from you to understand how this could be bypassed.

https://github.com/EdOverflow/can-i-take-over-xyz/issues/35#issuecomment-634139457

[ravkishu]

For your reference @savirsuda @davisfreimanis @h4ckdi @adityathebe, I can only provide you a link as a proof of concept http://smpaccountexceptionservice-int.dps.microsoft.com/ or click this link if you're visiting this issue in late 2021

Also, let's take this conversation out of GitHub because I don't want to annoy people with so many messages.

Those who need assistance can WhatsApp me on @ravkishu or drop me a mail on ravkishu@gmail.com

[davisfreimanis]

@ravkishu Well I need to create a CNAME and a TXT record on the victims domain (let's say google.com). There is no way that I can verify the ownership of the domain by creating a TXT record. I would gladly hear from you to understand how this could be bypassed.

#35 (comment)

Without the validation, traffic is not routed to the app service. In that case I am presented with a 404 screen as people has posted previously.

[davisfreimanis]

I have verified that Cloud Services (ending with *.cloudapp.net) are still vulnerable and does not require domain validation. Just create a resource with the same name as the dangling domain.

[xqd-ai]

@ravkishu Well I need to create a CNAME and a TXT record on the victims domain (let's say google.com). There is no way that I can verify the ownership of the domain by creating a TXT record. I would gladly hear from you to understand how this could be bypassed.

#35 (comment)

Without the validation, traffic is not routed to the app service. In that case I am presented with a 404 screen as people has posted previously.

I also stumbled on an .azurewebsites.net service without the ability to takeover it due to the TXT record verification! was anyone able to bypass it, or does this just confirm that .azurewebsites.net service is no longer vulnerable?!

[bsysop]

@ravkishu Well I need to create a CNAME and a TXT record on the victims domain (let's say google.com). There is no way that I can verify the ownership of the domain by creating a TXT record. I would gladly hear from you to understand how this could be bypassed.

#35 (comment)

Without the validation, traffic is not routed to the app service. In that case I am presented with a 404 screen as people has posted previously.

I also stumbled on an .azurewebsites.net service without the ability to takeover it due to the TXT record verification! was anyone able to bypass it, or does this just confirm that .azurewebsites.net service is no longer vulnerable?!

Just ignoring TXT validation works fine for me.

[saurabh96216]

Hey guys, Need your help. One of the subdomains let's say blah.blah.blah.target.com is pointing to blah-blah.azurewebsites.net but in the dig authority section it is pointing to another subdomain of the target but the other subdomain has no name. Is takeover possible for this ? also when navigating to the blah.blah.blah.target.com it says DNS_PROBE_FINISHED_NXDOMAIN ? Thank you

[ethrx]

Could you maybe post all of the outputs of your digs? For a clearer picture. @saurabh96216

[moein9]

I have found something pointing to adverify.beacon.azurefd.net in front door how can i takeover it while making beacon.azurefd.net is not allowed