Open indianajson opened 3 years ago
Waiting for a write-up here 😅
Hi @leovarmak, I updated the original issue with the current details that are available.
shall we report this issue?
If by report, you mean submit a vulnerability report on their bug bounty program, I did submit one over a year ago and at the time provided both an extensive 100+ domain PoC and a thorough explanation. Their staff said they won't fix it.
| Service | Status | Nameserver |
|---|---|---|
| Cloudflare | Edge Case | `<boy>.ns.cloudflare.com`, `<girl>.ns.cloudflare.com` (assigned in pairs of two, with a boy's name and a girl's name) |

Disclaimer
Conducting takeovers with Cloudflare is possible though complicated and can return false positives. To successfully perform targeted takeovers will probably necessitate some type of automation and has, in my experience, only a 10% chance of success even if you have all of the necessary prerequisites. If you're still interested... read on!
Explanation
Cloudflare is a bit different than most DNS providers because of the way they assign DNS names. According to the company's blog, they use people's names as their nameservers (e.g. `bob.ns.cloudflare.com`, `lola.ns.cloudflare.com`, etc.) with roughly 50 boys' names and 50 girls' names. When you sign up to Cloudflare your account is assigned two semi-permanent nameservers, one girl's name and one boy's name, meaning you will be assigned 1 of 2,500 possible nameserver combinations. Quite a bit of time has passed since that blog post and Cloudflare now operates around 900 nameservers (see my master nameserver list), thus there are over 200,000 possible combinations.

That's not the whole story though. If the zone on Cloudflare has been deleted (i.e. returns `SERVFAIL`), it is possible that when you generate a new zone one of your two assigned nameservers will match one of the domain's existing nameservers. This is similar to how Amazon AWS used to allow takeovers via Route 53 with only one of four nameservers matching. As an example, if the vulnerable domain points to `bob.ns.cloudflare.com` and `lola.ns.cloudflare.com` and your account has `bob.ns.cloudflare.com` and `edna.ns.cloudflare.com`, the takeover may be possible.

Here's the catch. At this point, it would take upwards of 450 Cloudflare accounts to get an account that matches one of your specific vulnerable domain's nameservers. Additionally, in my experience, there is only around a 10% chance of success even if the nameservers assigned to your account match the domain. While this is a far cry from the theoretical 200,000 accounts previously believed necessary, that's still a lot of work to perform a targeted takeover. To that end, I'm reassigning this to Edge Case unless someone figures out a way to reduce the need for so many accounts.
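As an added example (not code from the issue author or from the can-i-take-over-xyz project), the script below implements the three observations the explanation above rests on: whether a domain's NS records point at `*.ns.cloudflare.com`, whether the Cloudflare nameservers answer `SERVFAIL` when asked directly for the zone's SOA (the issue's indicator of a deleted zone), and whether the pair assigned to a fresh account overlaps the target's pair. The SOA query is hand-built in RFC 1035 wire format over UDP using only the standard library; `query_rcode` is the only function that touches the network and is never called at import time, and it takes a nameserver IP (resolve the hostname first, e.g. with `socket.gethostbyname`). The NS records and the `SERVFAIL` response at the bottom are constructed for illustration, not captured from a real domain, and treating any non-`SERVFAIL` answer as "not dangling" is this example's assumption.

```python
"""Cloudflare dangling-zone and nameserver-overlap check (added example, stdlib only)."""
import random
import re
import socket
import struct

# Cloudflare nameservers look like <name>.ns.cloudflare.com; capture <name>.
CF_NS = re.compile(r"^([a-z0-9-]+)\.ns\.cloudflare\.com\.?$", re.IGNORECASE)

# DNS RCODE values (RFC 1035 section 4.1.1).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def cloudflare_names(ns_records):
    """Return the set of Cloudflare first labels ('bob', 'lola') found in NS records."""
    names = set()
    for record in ns_records:
        match = CF_NS.match(record.strip())
        if match:
            names.add(match.group(1).lower())
    return names


def build_soa_query(domain, txid):
    """Encode a bare SOA/IN query in RFC 1035 wire format.

    No EDNS, and RD=0 so an authoritative server answers from its own data
    rather than recursing on our behalf."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in domain.strip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN


def rcode_of(response, txid):
    """Extract the RCODE name from a DNS response after checking the transaction id."""
    if len(response) < 12:
        raise ValueError("response shorter than a DNS header")
    resp_id, flags = struct.unpack("!HH", response[:4])
    if resp_id != txid:
        raise ValueError("transaction id mismatch")
    code = flags & 0x000F
    return RCODES.get(code, "RCODE%d" % code)


def query_rcode(domain, nameserver_ip, timeout=3.0):
    """Ask one nameserver directly for the zone's SOA and return its RCODE (network I/O)."""
    txid = random.randrange(0, 0x10000)
    query = build_soa_query(domain, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (nameserver_ip, 53))
        data, _ = sock.recvfrom(512)
    return rcode_of(data, txid)


def assess(domain_ns, rcodes, account_ns):
    """Verdict for one target.

    domain_ns  : NS records of the target domain (as delegated by its parent zone)
    rcodes     : {nameserver: RCODE} from asking each Cloudflare NS for the SOA
    account_ns : the two nameservers Cloudflare assigned to the attacker's account
    """
    target = cloudflare_names(domain_ns)
    mine = cloudflare_names(account_ns)
    on_cloudflare = bool(target)
    # Per the issue, a deleted zone answers SERVFAIL; anything else is treated as live
    # (assumption of this example, which errs on the side of fewer false positives).
    cf_rcodes = [rc for ns, rc in rcodes.items() if CF_NS.match(ns)]
    dangling = on_cloudflare and bool(cf_rcodes) and all(rc == "SERVFAIL" for rc in cf_rcodes)
    overlap = sorted(target & mine)  # one shared nameserver is enough, as with old Route 53
    return {
        "on_cloudflare": on_cloudflare,
        "dangling": dangling,
        "overlap": overlap,
        "candidate": dangling and bool(overlap),
    }


# --- constructed sample data (not a real domain's records) ---
SAMPLE_DOMAIN_NS = ["bob.ns.cloudflare.com.", "lola.ns.cloudflare.com."]
SAMPLE_ACCOUNT_NS = ["bob.ns.cloudflare.com", "edna.ns.cloudflare.com"]
# A 12-byte header with QR=1, AA=1, RCODE=2 (SERVFAIL) and txid 0x1234: flags = 0x8402.
SAMPLE_SERVFAIL = b"\x12\x34\x84\x02" + b"\x00" * 8
SAMPLE_RCODES = {ns: rcode_of(SAMPLE_SERVFAIL, 0x1234) for ns in SAMPLE_DOMAIN_NS}


def sample_verdict():
    """Worked example from the issue: target on bob+lola, account got bob+edna."""
    return assess(SAMPLE_DOMAIN_NS, SAMPLE_RCODES, SAMPLE_ACCOUNT_NS)


if __name__ == "__main__":
    print(sample_verdict())
```

A `candidate` verdict only says the prerequisites the issue lists are met; per the author's experience the actual takeover still succeeds only a fraction of the time, so the script is a filter for which accounts are worth trying against which targets, not a confirmation. Wrapping `query_rcode` in a loop over a nameserver list is how the automation the disclaimer mentions would be built.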