Amazon S3 proofs

[PatrikHudak]

Service name

Amazon (AWS) S3

Proof

Amazon S3 service is indeed vulnerable. Amazon S3 follows pretty much the same concept of virtual hosting as other cloud providers. S3 buckets might be configured as website hosting to serve static content as web servers. If the canonical domain name has website in it, the S3 bucket is specified as Website hosting. I suspect that non-website and website configured buckets are handled by separate load balancers, and therefore they don't work with each other. The only difference will be in the bucket creation where correct website flag needs to be set if necessary. Step-by-step process:

1. Go to S3 panel
2. Click Create Bucket
3. Set Bucket name to source domain name (i.e., the domain you want to take over)
4. Click Next multiple times to finish
5. Open the created bucket
6. Click Upload
7. Select the file which will be used for PoC (HTML or TXT file). I recommend naming it differently than index.html; you can use poc (without extension)
8. In Permissions tab select Grant public read access to this object(s)
9. After upload, select the file and click More -> Change metadata
10. Click Add metadata, select Content-Type and value should reflect the type of document. If HTML, choose text/html, etc.
11. (Optional) If the bucket was configured as a website
    1. Switch to Properties tab
    2. Click Static website hosting
    3. Select Use this bucket to host a website
    4. As an index, choose the file that you uploaded
    5. Click Save

To verify the domain, I run:

http -b GET http://{SOURCE DOMAIN NAME} | grep -E -q '<Code>NoSuchBucket</Code>|<li>Code: NoSuchBucket</li>' && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible"

Note that there are two possible error pages depending on the bucket settings (set as website hosting or not).

Some reports on H1, claiming S3 buckets:

• https://hackerone.com/reports/121461
• https://hackerone.com/reports/294201

Documentation

There are several formats of domains that Amazon uses for S3 (RegExp):

• ^[a-z0-9\.\-]{0,63}\.?s3.amazonaws\.com$
• ^[a-z0-9\.\-]{0,63}\.?s3-website[\.-](eu|ap|us|ca|sa|cn)-\w{2,14}-\d{1,2}\.amazonaws.com(\.cn)?$
• ^[a-z0-9\.\-]{0,63}\.?s3[\.-](eu|ap|us|ca|sa)-\w{2,14}-\d{1,2}\.amazonaws.com$
• ^[a-z0-9\.\-]{0,63}\.?s3.dualstack\.(eu|ap|us|ca|sa)-\w{2,14}-\d{1,2}\.amazonaws.com$

Note that there are cases where only raw domain (e.g. s3.amazon.com) is included in CNAME and takeover is still possible.

(Documentation taken from https://0xpatrik.com/takeover-proofs/)

[PatrikHudak]

Official documentation link: https://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html

[sumgr0]

I've come across a sub-domain which confirms the error message:

NoSuchBucket The specified bucket does not exist randombucket-assets When use the dig command, the CNAME points to a random.cloudfront.net URL. On trying to follow the above steps, getting below message while creating the S3 bucket with same name: "Bucket name already exists" I'm entering the full sub-domain name in the bucket name. Am I missing something to check? **Update:** I've been able to find the S3 bucket URL: subdomain.s3.amazonaws.com

[soynek]

id 64053 opcode QUERY rcode NOERROR flags QR RD RA ;QUESTION girishsarwal.me. IN CNAME ;ANSWER ;AUTHORITY something.me. 899 IN SOA ns-732.awsdns-27.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 ;ADDITIONAL

in s3 bucket, i'm facing this problem. What's solution for this ?

[codingo]

@soynek You're going to need to dig into the documentation for this one, we've had to draw the line at this repository being treated like a support desk. This is here to outline the work people have contributed back, and to outline vulnerable areas, but if you have a specific subdomain takeover question then the documentation for that service is where you should be looking.

[soynek]

@codingo I want to takeover a subdomain and i face that problem as in picture showing. Any solution for this?

[yoursquad13]

Hi I found a domain with CNAME *.cloudfront.net When I access it from browser it returned empty. I tried to add it to bucket by steps above and was successfully added. But when I access it, it's still empty, I tried other subdomains from same domain but they say 'Bucket name already exist'. Please explain me this

[PatrikHudak]

@yoursquad13 Because *.cloudfront.net is not a subdomain for S3

[nynuz]

Hi, during a bug bounty activity I have found a subdomain vulnerable to takeover, the dig command returns this information: sub.example.com CNAME [bucket_name].s3.amazonaws.com and then: [bucket_name].s3.amazonaws.com CNAME s3-1-w.amazonaws.com I haven't the region information from dig command.

Also if I visit the page, I get an XML error. Below is the screenshot:

The subdomain would seem vulnerable to takeover, but when I go to create the bucket from my AWS console, I get the following error: Bucket name already exists

Anyone can help me? Thank You!

[OGoodness]

@webliqui Any news on this issue? I am running into the same thing

[soareswallace]

Have you guys ran the AWS CLI like aws s3 ls <bucket_name>? I think this command search in all regions for a bucket name.

[theinfosecguy]

@webliqui You found something? I'm facing the same issue. @codingo Do you have some solution for this?

[Zachswan1]

same issue as @webliqui. @codingo?

[soareswallace]

I believe, as I mentioned above, this issue is related to the region. This bucket may not be created on the region that you are testing on. But if you use the AWS CLI (aws s3 ls <bucket_name>) I believe you would find the bucket. I suggest you to test using the AWS CLI.

[Mik317]

Hi @soareswallace :), I got the same error and when I execute the command you suggested in the latest reply, I get this error: An error occurred (AllAccessDisabled) when calling the ListObjectsV2 operation: All access to this object has been disabled ... any tip to make possible the take over ?

Regards, Mik

[soareswallace]

I believe when we get this message @Mik317 , the take over is not possible. This message show that the bucket does exist and has an owner.

Stay safe,

Wallace

[Mik317]

Hi @soareswallace :). Thanks for the reply. I'll be lucky the next time ;)

Until that, stay safe and hack the world ;)

Regards, Mik

[FaizanNehal]

Hi @soareswallace I discovered a subdomain whose CNAME is point to *.elb.amazonaws.com. How can I takeover this subdomain? Is the process same as creating a s3 bucket?

[soareswallace]

Hi @FaizanNehal,

I tried once, but never found out how to do it. I also would like to know how we can takeover. Let us know if you discover anything.

Wallace

[vemoa]

Anyone knows about amazon route 53???? Is it vulnerable?

[PxHunt3r]

I found a subdomain.domain.com that is vulnerable, and confirmed with dig that CNAME was for s3 bucket in Verginia When I tried creating the bucket with the same name it worked but the endpoint for the bucket was like so: ^[a-z0-9\.\-]{0,63}\.?s3-website[\.-](eu|ap|us|ca|sa|cn)-\w{2,14}-\d{1,2}\.amazonaws.com(\.cn)?$ Which is mentioned in the documentation. OR ^[a-z0-9\.\-]{0,63}\.?s3.amazonaws\.com$/subdomain.domain.com/ Which is not.

my question is since it is not mentioned in the steps above how to make those regexes point to subdomain.domain.com?

[GDATTACKER-RESEARCHER]

is this service still vulnerable?

[pdelteil]

Hi @soareswallace I discovered a subdomain whose CNAME is point to *.elb.amazonaws.com. How can I takeover this subdomain? Is the process same as creating a s3 bucket?

Not really, usually before the elb there's a random number.

[anantupadhya]

Hi, I have found "The specified bucket does not exist" for few subdomains. But when I do a dig, the subdomains fail to give a CNAME record. So does it mean that they are not vulnerable. Or am I missing something here?

[empty00]

Hi @soareswallace I discovered a subdomain whose CNAME is point to *.elb.amazonaws.com. How can I takeover this subdomain? Is the process same as creating a s3 bucket?

did u find any info about it?

[soareswallace]

So far, from what I could search about it, is not possibly to take over amazon's load balance.

[soareswallace]

And as @pdelteil replied above:

Not really, usually before the elb there's a random number.

[empty00]

okey , thanks

[GDATTACKER-RESEARCHER]

id 64053 opcode QUERY rcode NOERROR flags QR RD RA ;QUESTION girishsarwal.me. IN CNAME ;ANSWER ;AUTHORITY something.me. 899 IN SOA ns-732.awsdns-27.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 ;ADDITIONAL

in s3 bucket, i'm facing this problem. What's solution for this ?

in this case i try to create bucket by deleteing at recreating it ofcourse it take time but work it.

[knowthetech]

@technicaljunkie which kind?

[Sim4n6]

Hi,

I've got the fingerprint The specified bucket does not exist However, when I dig for dns records using dig +nocmd +noall +answer CNAME sub.domain.com I get nothing on CNAME record ?

Does it mean some measures have already been taken ? can I take it over ?

Thank you in advance

[GDATTACKER-RESEARCHER]

Try ping to know region and in case of subdomain not necessary you usually see them clear when firewall being used

[Sim4n6]

Do you mean traceroute?

[GDATTACKER-RESEARCHER]

@Sim4n6 no i mean ping sub.site.com

[Sim4n6]

Well, either dig or ping got me the IP address. And it is located in Zurich. Now the question is the bucket name is unknown.

[Sim4n6]

CNAME of sub.domain.com does not show a domain of format ^[a-z0-9.-]{0,63}.?s3.amazonaws.com$

But curl -v does return the fingerprint.

[Sim4n6]

I've got the bucket name, so unfortunate the name is already taken 😕😕

[GDATTACKER-RESEARCHER]

id 64053 opcode QUERY rcode NOERROR flags QR RD RA ;QUESTION girishsarwal.me. IN CNAME ;ANSWER ;AUTHORITY something.me. 899 IN SOA ns-732.awsdns-27.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 ;ADDITIONAL

in s3 bucket, i'm facing this problem. What's solution for this ?

Got this errror solved in some of my takeovers

[AkshayraviC09YC47]

I was checking for subdomain takeover and got a s3 bucket which doesn't exists and confirmed the takeover vulnerability with subzy, but the problem is im not able to create bucket with the vulnerable domain name, its says, Bucket with the same name already exists, so how to takeover this bucket??

[knowthetech]

I was checking for subdomain takeover and got a s3 bucket which doesn't exists and confirmed the takeover vulnerability with subzy, but the problem is im not able to create bucket with the vulnerable domain name, its says, Bucket with the same name already exists, so how to takeover this bucket??

It can possibly be a honeypot i saw same during one target else confirm you are entering bucket name because sometimes it's not same as host url

[Finlay1010]

id 64053 opcode QUERY rcode NOERROR flags QR RD RA ;QUESTION girishsarwal.me. IN CNAME ;ANSWER ;AUTHORITY something.me. 899 IN SOA ns-732.awsdns-27.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 ;ADDITIONAL

in s3 bucket, i'm facing this problem. What's solution for this ?

@soynek did you ever find a solution to this? If so, how did you fix it?

[GDATTACKER-RESEARCHER]

id 64053 opcode QUERY rcode NOERROR flags QR RD RA ;QUESTION girishsarwal.me. IN CNAME ;ANSWER ;AUTHORITY something.me. 899 IN SOA ns-732.awsdns-27.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 ;ADDITIONAL in s3 bucket, i'm facing this problem. What's solution for this ?

@soynek did you ever find a solution to this? If so, how did you fix it?

Bucket region mismatch change region

[GDATTACKER-RESEARCHER]

id 64053 opcode QUERY rcode NOERROR flags QR RD RA ;QUESTION girishsarwal.me. IN CNAME ;ANSWER ;AUTHORITY something.me. 899 IN SOA ns-732.awsdns-27.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 ;ADDITIONAL in s3 bucket, i'm facing this problem. What's solution for this ?

@soynek did you ever find a solution to this? If so, how did you fix it?

In your case us-west-2 is region

[Finlay1010]

id 64053 opcode QUERY rcode NOERROR flags QR RD RA ;QUESTION girishsarwal.me. IN CNAME ;ANSWER ;AUTHORITY something.me. 899 IN SOA ns-732.awsdns-27.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 ;ADDITIONAL in s3 bucket, i'm facing this problem. What's solution for this ?

@soynek did you ever find a solution to this? If so, how did you fix it?

Bucket region mismatch change region

@GDATTACKER-RESEARCHER how can you find out which one you need to change to out of the 22 options?

[GDATTACKER-RESEARCHER]

id 64053 opcode QUERY rcode NOERROR flags QR RD RA ;QUESTION girishsarwal.me. IN CNAME ;ANSWER ;AUTHORITY something.me. 899 IN SOA ns-732.awsdns-27.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 ;ADDITIONAL in s3 bucket, i'm facing this problem. What's solution for this ?

@soynek did you ever find a solution to this? If so, how did you fix it?

Bucket region mismatch change region

@GDATTACKER-RESEARCHER how can you find out which one you need to change to out of the 22 options?

Different ways depend on case by case bases by ping, other buckets in use by site, cname etc

[SAGEof6iixPATHS]

Is this vulnerable? asdasd.target.com shows this

<Error>
<Code>NoSuchBucket</Code>
<Message>The specified bucket does not exist.</Message>
<Resource>/asd</Resource>
<RequestId>uzEH...</RequestId>
</Error>

And DIG shows this:

target.com.       *   IN      NS      ns-*.awsdns-53.net.
target.com.       *   IN      NS      ns-*.awsdns-58.org.
target.com.       *   IN      NS      ns-*.awsdns-23.co.uk.
target.com.       *   IN      NS      ns-*.awsdns-44.com.

* - Stars are in the place of some numbers

[GDATTACKER-RESEARCHER]

Is this vulnerable? asdasd.target.com shows this

<Error>
<Code>NoSuchBucket</Code>
<Message>The specified bucket does not exist.</Message>
<Resource>/asd</Resource>
<RequestId>uzEH...</RequestId>
</Error>

And DIG shows this:

target.com.       *   IN      NS      ns-*.awsdns-53.net.
target.com.       *   IN      NS      ns-*.awsdns-58.org.
target.com.       *   IN      NS      ns-*.awsdns-23.co.uk.
target.com.       *   IN      NS      ns-*.awsdns-44.com.

* - Stars are in the place of some numbers

Yes

[SAGEof6iixPATHS]

Is this vulnerable? asdasd.target.com shows this

<Error>
<Code>NoSuchBucket</Code>
<Message>The specified bucket does not exist.</Message>
<Resource>/asd</Resource>
<RequestId>uzEH...</RequestId>
</Error>

And DIG shows this:

target.com.       *   IN      NS      ns-*.awsdns-53.net.
target.com.       *   IN      NS      ns-*.awsdns-58.org.
target.com.       *   IN      NS      ns-*.awsdns-23.co.uk.
target.com.       *   IN      NS      ns-*.awsdns-44.com.

* - Stars are in the place of some numbers

Yes

Have you tried?

[GDATTACKER-RESEARCHER]

Is this vulnerable? asdasd.target.com shows this

<Error>
<Code>NoSuchBucket</Code>
<Message>The specified bucket does not exist.</Message>
<Resource>/asd</Resource>
<RequestId>uzEH...</RequestId>
</Error>

And DIG shows this:

target.com.       *   IN      NS      ns-*.awsdns-53.net.
target.com.       *   IN      NS      ns-*.awsdns-58.org.
target.com.       *   IN      NS      ns-*.awsdns-23.co.uk.
target.com.       *   IN      NS      ns-*.awsdns-44.com.

* - Stars are in the place of some numbers

Yes

Have you tried?

🤣😂 nice question i still hai 15 buckets claimed i guess

[SAGEof6iixPATHS]

Is this vulnerable? asdasd.target.com shows this

<Error>
<Code>NoSuchBucket</Code>
<Message>The specified bucket does not exist.</Message>
<Resource>/asd</Resource>
<RequestId>uzEH...</RequestId>
</Error>

And DIG shows this:

target.com.       *   IN      NS      ns-*.awsdns-53.net.
target.com.       *   IN      NS      ns-*.awsdns-58.org.
target.com.       *   IN      NS      ns-*.awsdns-23.co.uk.
target.com.       *   IN      NS      ns-*.awsdns-44.com.

* - Stars are in the place of some numbers

Yes

Have you tried?

🤣😂 nice question i still hai 15 buckets claimed i guess

Good for you, thanks for the help!!

[pdelteil]

Hello everyone,

I can confirm this takeover is still possible, adding some details:

• If you get an error as 'the bucket .... already exists' --> it's not vulnerable.
• A CNAME pointing to a AWS domain name is not necessary. I took a bucket that was pointing to several IP addresses. The relevant part is the response fingerprint.
• The error with Code: IncorrectEndpoint can be fixed removing and creating the bucket in another region. It takes around 1 hour for the bucket to be removed, before that you won't be able to create it. Use AWS Cli to automate this part.
• If you are getting Access denied errors, check this guide