Microsoft Azure proofs

[PatrikHudak]

Service name

Microsoft Azure

Proof

There is no general approach for PoC. Microsoft Azure offers multiple services (CloudApp, Azure Websites, etc.) that use different domain names.

General approach in verifying subdomain takeover is to check, whether the Azure domain responds with NXDOMAIN DNS status. This is (to my knowledge) the necessary condition of the domain, however it is not sufficient. In other words, not all Azure domains which are used in some CNAME and respond with NXDOMAIN are vulnerable to subdomain takeover. I personally got a case where Azure portal refused to create a domain even though it responded with NXDOMAIN.

Some H1 reports to prove this point:

• https://0xpatrik.com/subdomain-takeover-starbucks/ (HackerOne: https://hackerone.com/reports/325336)
• https://0xpatrik.com/subdomain-takeover-starbucks-ii/ (HackerOne: https://hackerone.com/reports/388622)

As mentioned before, the PoC creation depends on the service in question, however, they generally tend to have similar workflows.

Documentation

These are the domains that are identified as vulnerable. Each of these is used for particular Azure service:

• *.cloudapp.net
• *.cloudapp.azure.com
• *.azurewebsites.net
• *.blob.core.windows.net
• *.cloudapp.azure.com
• *.azure-api.net
• *.azurehdinsight.net
• *.azureedge.net
• *.azurecontainer.io
• *.database.windows.net
• *.azuredatalakestore.net
• *.search.windows.net
• *.azurecr.io
• *.redis.cache.windows.net
• *.azurehdinsight.net
• *.servicebus.windows.net
• *.visualstudio.com

[Phoenix1112]

today I tried to takeover a cname address called * .azurewebsites.net. I got this cname name, but it was necessary to add a custom domain. when i wanted to do this i got a warning and asked me to add TXT records issued by azure to my dns records. Since I was never able to do this, takeover is not possible.

[ethrx]

today I tried to takeover a cname address called * .azurewebsites.net. I got this cname name, but it was necessary to add a custom domain. when i wanted to do this i got a warning and asked me to add TXT records issued by azure to my dns records. Since I was never able to do this, takeover is not possible.

I was able to do a takeover only a week ago for azurewebsites.net. You aren't doing the takeover correctly. Make sure it is a azure "web app" (costs money to keep online) and then you can add a custom domain.

[Phoenix1112]

today I tried to takeover a cname address called * .azurewebsites.net. I got this cname name, but it was necessary to add a custom domain. when i wanted to do this i got a warning and asked me to add TXT records issued by azure to my dns records. Since I was never able to do this, takeover is not possible.

I was able to do a takeover only a week ago for azurewebsites.net. You aren't doing the takeover correctly. Make sure it is a azure "web app" (costs money to keep online) and then you can add a custom domain.

i know what i'm doing. i did create web app. I wanted to add a domain from custom domain options, but azure gave me a warning telling me to upgrade my plan otherwise I will not be able to add a domain. After upgrading my plan, the add domain button became active and I typed the subdomain name of the target site and clicked the check button. But while doing this, a new warning appeared and gave me some txt information and asked me to add it to the dns records. I turned it off as i could never do this. https was active in the dashboard section. I turned this option off and did the same, but the result was the same.

there is only one thing I have to tell you. example This was the target subdomain address.

awverify.test-bla.target.com

and this example cname

awverify.bla-bla.azurewebsites.net

when i tried to get this address azure did not allow this (awverify.bla-bla)... azure did not allow dot use. so i just tried to get this.(bla-bla)...I just tried to get this address with the hope that I could discover something new. maybe there is a problem with the cname address I want to get.If you think the cname addresses I explained in the example above can be received, we can cooperate.

[ethrx]

today I tried to takeover a cname address called * .azurewebsites.net. I got this cname name, but it was necessary to add a custom domain. when i wanted to do this i got a warning and asked me to add TXT records issued by azure to my dns records. Since I was never able to do this, takeover is not possible.

I was able to do a takeover only a week ago for azurewebsites.net. You aren't doing the takeover correctly. Make sure it is a azure "web app" (costs money to keep online) and then you can add a custom domain.

i know what i'm doing. i did create web app. I wanted to add a domain from custom domain options, but azure gave me a warning telling me to upgrade my plan otherwise I will not be able to add a domain. After upgrading my plan, the add domain button became active and I typed the subdomain name of the target site and clicked the check button. But while doing this, a new warning appeared and gave me some txt information and asked me to add it to the dns records. I turned it off as i could never do this. https was active in the dashboard section. I turned this option off and did the same, but the result was the same.

there is only one thing I have to tell you. example This was the target subdomain address.

awverify.test-bla.target.com

and this example cname

awverify.bla-bla.azurewebsites.net

when i tried to get this address azure did not allow this (awverify.bla-bla)... azure did not allow dot use. so i just tried to get this.(bla-bla)...I just tried to get this address with the hope that I could discover something new. maybe there is a problem with the cname address I want to get.If you think the cname addresses I explained in the example above can be received, we can cooperate.

I remember having a similar txt option and I just skipped it (possibly just pressing continue or yes?) and it worked fine. If domain verification succeeds then it's fine even if you still get the 404.

Try claiming:

*.bla-bla.azurewebsites.net

and

bla-bla.azurewebsites.net

And send the results.

[Phoenix1112]

@ethrx i did speak with my friend.. he is good for subdomain takeover. he said that subdomains starting with awverify will not be takeover. they are cname s for verify only. they are not real entries. he said that is probably why I was having trouble.

[mcipekci]

Any verify.profilename.azureservice.tld is not vulnerable since they are just entries for verifying domain ownership. For azure edge or with new name front door previews it's cdnverify, for azurewebsites it's awverify etc.

So when you see such entry ignore them, however profilename.azureservice.tld is still vulnerable if pointing NXDOMAIN, only few edge cases for trafficmanager.net when profile owner just disabled it, so you have 50/50 chance to takeover them, all others when having NXDOMAIN results are vulnerable.

[pdelteil]

An interesting case I'm not use is possible to exploit is domains pointing to xx.usgovcloudapp.net

[mcipekci]

@pdelteil when you see "gov" as a part of service, it's not possible to normal user to register these services.

You must be either US government employee or contractor to gain ability to create and use accounts and services from provider.

So none of US government employees or contractors gonna abuse it or they will face legal issues and lose their jobs.

These stuff considered as safe area for that targets.

[pdelteil]

@pdelteil when you see "gov" as a part of service, it's not possible to normal user to register these services.

You must be either US government employee or contractor to gain ability to create and use accounts and services from provider.

So none of US government employees or contractors gonna abuse it or they will face legal issues and lose their jobs.

These stuff considered as safe area for that targets.

Hello, thanks for your opinion. I know what gov means. Like I said I don't know if it's possible yet.

[mcipekci]

@pdelteil when you see "gov" as a part of service, it's not possible to normal user to register these services. You must be either US government employee or contractor to gain ability to create and use accounts and services from provider. So none of US government employees or contractors gonna abuse it or they will face legal issues and lose their jobs. These stuff considered as safe area for that targets.

Hello, thanks for your opinion. I know what gov means. Like I said I don't know if it's possible yet.

Hello, I didn't want to sound you don't know it. I was just making it clear it's not possible and why it's :)

[tarunkant]

Can anyone confirm if this isn't possible or im just stupid?

when tryin to claim a CNAME with multiple levels like abc.aaa.azurewebsite.net i get

. is an invalid character

this means it is only possible to claim 1 level subdomains like abc.azurewebsite.net?

Did you get solution for this? @marcelo321

[Shoaib18]

hi guys, I found that one subdomain whose CNAME is pointing to subdomain.windows.net . This can be vulnrable to subdomain takever?

[harishsg99]

Hi , guys I found a subdomain .t-msedge.net. Is it vulnerable to subdomain takeover ?

[DreyAnd]

Are *.cloudapp.net takeovers still possible in 2021? I heard the old azure xplat cli (https://github.com/Azure/azure-xplat-cli) can be used to create classic VMs but i'm still forced to do it using the Resource Manager instead:

[pdelteil]

Still possible to takeover domains that point to:

• NAME.ZONE.cloudapp.azure.com (e.g. dev.centralus.cloudapp.azure.com)
• NAME.azurewebsites.net (eg. testing.azurewebsites.net)

[OffensiveBugHunter]

Hi, I'm new to this, any help is really appreciated, I have a subdomain that is pointing to {{something}}.azurewebsites.net, but when I'm trying to create an app service in azure and register {{something}}.azurewebsites.net, it's giving me following error -

The app name {{something}} is not available

But here everyone is saying that it's possible to takeover these, I'm attaching the ui in actual subdomain when I visit that. Please, someone help me on this. Thanks.

[PR3R00T]

Theres two parts to these types of subdomain takeovers, Firstly the {{something}}.azurewebsites.net registration. This is the creation of the service which in your case has been done by someone.

Secondly once you have created the service you must link the vulnerable subdomain {{something}}.example.com as a "custom domain" In this case, this has not been done.

Unfortunately this case you cannot take over the subdomain. Vulnerable Microsoft takeovers normally return a NXDOMAIN when you do a dns lookup for the subdomain.

[OffensiveBugHunter]

In my case it's returning NOERROR, And all other informations I've already provided already, so does this mean this subdomain is not possible to takeover? And pardon me for asking, generally *.azurewebsites.net are still vulnerable to subdomain takeovers?

Thanks anyway for clarifying these to me.

[PR3R00T]

Yeah so a NOERROR means the DNS lookup worked and the host is alive. So in your case this subdomain is not possible to be taken over as its already registered just not assigned the custom domain. But due to the subdomain.example.com is pointing to this registered resource, this is stopping you from taking it over. So I guess the rule of thumb, I believe (anyone correct me if im wrong) and Subdomain DNS record that is pointing to a Microsoft Azure domain like the "azurewebsites.net" that return a NXDOMAIN is able to taken over (with the exception to "*.trafficmanager.net".

[OffensiveBugHunter]

Thanks for the detailed clarification, it was very much needed for me, hoping to get subdomain takeover next time.

Happy hacking! Cheers!

[PR3R00T]

@OffensiveBugHunter No problem :) Reach out to me over Twitter @PR3R00T if you need any help :) Good Luck on the hunt!

[OffensiveBugHunter]

Sure, happy hunting to you as well. @PR3R00T

[Botami143]

hlw bro I have found cname pointing to cabocd.azurefd.net and 2nd cname pointing to abcd.trafficmanager.net this is vulnerable bro

[pdelteil]

*.azure-api.net is not longer vulnerable.

[abd-4fg]

Can anyone guide me how to takeover a domain cnamed like xxxxx.westus.cloudapp.azure.com The region part "westus" got me confused , and the domain return NXDOMAIN result >>unclaimed .

Any help plz ?

[PR3R00T]

@abd525 Check out https://cystack.net/research/subdomain-takeover-chapter-two-azure-services - section - Virtual Machine.

[PreethamBomma]

@pdelteil I recently took over a azure-api.net successfully :)

[pdelteil]

How? Describe the steps!

[s41n1k]

Hello,

dig -t A lockscreenapi.example.com

I found azure CNAME looks below.

lockscreenapi.example.com. 3600 IN   CNAME   lockscreen.azurewebsites.net.
lockscreen.azurewebsites.net. 60 IN   CNAME   hosts.lockscreen.azurewebsites.net

If I create app services with lockscreenapi then I got a domain ownership problem.

If I create an app service with lockscreen then it's saying not available. Which name I should use for creating app services.

thank you.

[PreethamBomma]

@pdelteil I recently took over a azure-api.net successfully :)

How? Describe the steps!

Hi @pdelteil

Login to the portal and search for Api Management and select API Management Services then create API management service and configure accordingly - region, name, etc. It does take about 30-40 mins to be deployed though.

[pdelteil]

Thanks, I will give it a try.

[phoenix-sec]

cname *.trafficmanager.net are vuln or not ?

[xqd-ai]

It seems taking over xyz.cloudapp.net subdomains is no longer possible, at least using new deployments, maybe someone who already have the old Azure Cloud Servce (classic) running can change it's url to the dangled DNS name

[itsbriany]

cname *.trafficmanager.net are vuln or not ?

Yup, these are still vulnerable. I was able to take over one today.

[pdelteil]

cname *.trafficmanager.net are vuln or not ?

Yup, these are still vulnerable. I was able to take over one today.

Hello,

Can you provide more information ?

[itsbriany]

cname *.trafficmanager.net are vuln or not ?

Yup, these are still vulnerable. I was able to take over one today.

Hello,

Can you provide more information ?

1. Login to your Azure console

2. Create a traffic manager profile, and enter the name of the domain you wish to take over.

3. Open the traffic manager profile you created, and add an external endpoint with an IP pointing to your VPS. The idea is that all traffic will be load balanced to it.

Enjoy your takeover! :)

[unf0rgvn]

CNAME to *.azureedge.net is vulnerable? If it is, can you provide how to do this?

[vanssec]

how can i claim azurewebsites.net this one

[pablo2025]

Hi everyone,

I found a sub domain with this content:

I checked its CNAME. It is pointing to *.trafficmanager.net and the status is:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR,

Is it possible to perform subdomain takeover in this case?

[muhyuddin]

I've come across a sub-domain, pointing to an azure web app service. This CNAME itself has 3 levels like xyz.abc.m.azurewebsites.net. It shows the NXDOMAIN error when checking with dig.

However, when I try to create the App on the Azure Portal as xyz.abc.m to takeover, it does not allow periods in the same. Anyone aware of how can such scenario be handled for sub-domain takeover?

Thanks

Have you found any solution for multi-level domain takeover? Facing the same problem.

[sumgr0]

I've come across a sub-domain, pointing to an azure web app service. This CNAME itself has 3 levels like xyz.abc.m.azurewebsites.net. It shows the NXDOMAIN error when checking with dig. However, when I try to create the App on the Azure Portal as xyz.abc.m to takeover, it does not allow periods in the same. Anyone aware of how can such scenario be handled for sub-domain takeover? Thanks

Have you found any solution for multi-level domain takeover? Facing the same problem.

Nope, not yet... Please share if you come across the solution.

Thanks

[0xElmalky]

now i am working on subdomain with this record and i had claimed it and make a website with same record but it refused to add a new custom domain as below

i think the vuln has been resolved and azure not vulnerable anymore. if anyone could to solve this problem and managed to complete the poc pls tell me.

[pdelteil]

Hello,

It's still vulnerable. Some domains would require domain ownership while others won't.

[0xElmalky]

my bad luck :-)

[batmanscode]

I've come across a sub-domain, pointing to an azure web app service. This CNAME itself has 3 levels like xyz.abc.m.azurewebsites.net. It shows the NXDOMAIN error when checking with dig. However, when I try to create the App on the Azure Portal as xyz.abc.m to takeover, it does not allow periods in the same. Anyone aware of how can such scenario be handled for sub-domain takeover? Thanks

Have you found any solution for multi-level domain takeover? Facing the same problem.

Nope, not yet... Please share if you come across the solution.

Thanks

Is this still the case for multilevel [trafficmanager.net] domains?

[abdullahmunir9x]

@pdelteil I recently took over a azure-api.net successfully :)

How? Describe the steps!

Hi @pdelteil

Login to the portal and search for Api Management and select API Management Services then create API management service and configure accordingly - region, name, etc. It does take about 30-40 mins to be deployed though.

Can you please let me know if it is still vulnerable or not found a subdomain with status : NXDOMAIN and dont know how to take over it , can you describe the steps please

[b1bek]

Even after claiming cname pointing to azurewebsites.net, it requires TXT record verification for the vulnerable subdomain. So I think it's not vulnerable anymore.

[mohnqwerty]

If the *.cloudapp.net responds with 0.0.0.0 is it vulnerable to takeover

[sumgr0]

0.0.0.0 would ideally mean, it’s setting up the application.

For Azure, the Status should be NXDOMAIN to be potential for takeover.

On Sun, 18 Sep 2022 at 10:53 AM, mohnqwerty @.***> wrote:

If the *.cloudapp.net responds with 0.0.0.0 is it vulnerable to takeover

— Reply to this email directly, view it on GitHub https://github.com/EdOverflow/can-i-take-over-xyz/issues/35#issuecomment-1250194775, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACW5BD5TUMMWFDERHZWKRATV62RNNANCNFSM4FUUY4JQ . You are receiving this because you were mentioned.Message ID: @.***>

-- Best, Sumit Grover

[CharlieTheHack1]

is cloudapp.net still vulnerable ?