indianajson / can-i-take-over-dns

"Can I take over DNS?" — a list of DNS providers and how to claim (sub)domains via missing hosted zones

Cloudflare #10

Open indianajson opened 3 years ago

indianajson commented 3 years ago

Service Cloudflare

Status Edge Case

Nameserver

.ns.cloudflare.com .ns.cloudflare.com

Assigned in pairs of two, with a boy's name and a girl's name.

Disclaimer

Conducting takeovers with Cloudflare is possible though complicated and can return false positives. To successfully perform targeted takeovers will probably necessitate some type of automation and has, in my experience, only a 10% chance of success even if you have all of the necessary prerequisites. If you're still interested... read on!

Explanation

Cloudflare is a bit different than most DNS providers, because of the way they assign DNS names. According to the company's blog, they use people's names as their nameservers (e.g. bob.ns.cloudflare.com, lola.ns.cloudflare.com, etc.) with roughly 50 boys' names and 50 girls' names. When you sign up to Cloudflare your account is assigned two semi-permanent nameservers, one girl's name and one boy's name, meaning you will be assigned 1 of 2,500 possible nameserver combinations. Quite a bit of time has passed since that blog post and Cloudflare now operates around 900 nameservers (see my master nameserver list), thus there are over 200,000 possible combinations.

That's not the whole story though. If the zone on Cloudflare has been deleted (i.e. returns SERVFAIL), it is possible that when you generate a new zone one of your two assigned nameservers will match one of the domain's existing nameservers. This is similar to how Amazon AWS used to allow takeovers via Route 53 with only one of four nameservers matching. As an example, if the vulnerable domain points to bob.ns.cloudflare.com and lola.ns.cloudflare.com and your account has bob.ns.cloudflare.com and edna.ns.cloudflare.com the takeover may be possible.

Here's the catch. At this point, it would take upwards of 450 Cloudflare accounts to get an account that matches one of your specific vulnerable domain's nameservers. Additionally, in my experience, there is only around a 10% chance of success even if the nameservers assigned to your account match the domain. While this is a far cry from the theoretical 200,000 accounts previously believed necessary, that's still a lot of work to perform a targeted takeover. To that end, I'm reassigning this to Edge Case unless someone figures out a way to reduce the need for so many accounts.
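For defenders auditing their own estate, the following is an added example (not code from the can-i-take-over-dns project or from the issue author) that flags the dangling state described above: a domain whose delegation points entirely at `<name>.ns.cloudflare.com` hosts while the zone itself returns SERVFAIL, plus a check for NS records that no longer match the pair your own Cloudflare account was assigned. It parses `dig`-style text so it runs offline on the constructed samples at the bottom; `example.com` and the response ids are assumptions.

```python
import re
from dataclasses import dataclass

# Cloudflare nameservers follow the <firstname>.ns.cloudflare.com pattern described above.
CF_NS = re.compile(r"^[a-z0-9-]+\.ns\.cloudflare\.com$")

@dataclass
class Finding:
    domain: str
    nameservers: list
    rcode: str
    dangling_cloudflare: bool

def parse_ns_records(dig_output: str) -> list:
    """Collect NS targets from `dig NS <domain>`-style answer lines (owner TTL IN NS target)."""
    found = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2].upper() == "IN" and parts[3].upper() == "NS":
            found.append(parts[4].rstrip(".").lower())
    return found

def parse_rcode(dig_output: str) -> str:
    """Extract the response code from the `;; ->>HEADER<<- ... status: X` line."""
    m = re.search(r"status:\s*([A-Z]+)", dig_output)
    return m.group(1) if m else "UNKNOWN"

def audit(domain: str, ns_output: str, zone_output: str) -> Finding:
    """Flag a domain delegated only to Cloudflare whose zone no longer resolves:
    SERVFAIL from a recursive resolver (the signal the issue describes), or
    REFUSED when the delegated Cloudflare server is queried directly."""
    ns = parse_ns_records(ns_output)
    rcode = parse_rcode(zone_output)
    all_cf = bool(ns) and all(CF_NS.match(n) for n in ns)
    return Finding(domain, ns, rcode, all_cf and rcode in ("SERVFAIL", "REFUSED"))

def stale_delegation(domain_ns: list, account_ns: list) -> list:
    """Delegated nameservers that are not the pair assigned to your own Cloudflare
    account; any entry here means the registrar-side NS records are out of date."""
    mine = {n.rstrip(".").lower() for n in account_ns}
    return [n for n in domain_ns if n not in mine]

# Constructed sample responses (not captured from a real domain).
SAMPLE_NS = """example.com.\t3600\tIN\tNS\tbob.ns.cloudflare.com.
example.com.\t3600\tIN\tNS\tlola.ns.cloudflare.com.
"""
SAMPLE_SERVFAIL = ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242\n"
SAMPLE_OK = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243\n"

if __name__ == "__main__":
    print(audit("example.com", SAMPLE_NS, SAMPLE_SERVFAIL))
```

Feed it the NS records as published by the parent zone (the registrar-side delegation), since a recursive resolver will SERVFAIL the NS query too once the Cloudflare zone is gone.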

leovarmak commented 3 years ago

Waiting for a write up here 😅

indianajson commented 3 years ago

Hi @leovarmak, I updated the original issue with the current details that are available.

dasarigollanaveen commented 1 year ago

shall we report this issue?

indianajson commented 1 year ago

> shall we report this issue?

If by report, you mean submit a vulnerability report on their bug bounty program, I did submit one over a year ago and at the time provided both an extensive +100 domain POC and thorough explanation. Their staff said they won't fix it.