search

trufflesuite / trufflesuite.com

Trufflesuite website source ✨
https://trufflesuite.com
181 stars 418 forks source link

Security Report: Subdomain Takeover of https://relay.trufflesuite.com/ Pointing to Github #1194

Closed aparcekarl closed 2 years ago

aparcekarl commented 2 years ago

Hi Trufflesuite Security Team,

I just want to reach out to you. I'm trying to submit this report weather your interested on it.

Thanks for taking a look.

Recently, i just found some of your subdomain (*trufflesuite.com) pointing to vulnerable Third Party site "Github"

This issue is about your subdomain being misconfigured in Github

https://relay.trufflesuite.com/ POC

This vulnerability can reflect to an email leak from your company, due to the situation that the attacker can receive email transactions from the company and clients.

Please refer to this report for further information; https://hackerone.com/reports/388622 https://hackerone.com/reports/325336

Impact

I was able to hijack the domain relay.trufflesuite.com because an outdated DNS entry pointed to Github. I created a resource in that web hosting and was able to host my own content accessible via your domain. HTML files located on this domain are able to use JavaScript to access globally-scoped non-HTTPOnly cookies. For example, a cookie used to authenticate against topsecret.trufflesuite.com is scoped to *.trufflesuite.com, so a page on my hijacked domain can steal it.

This vulnerability is rated as severe due to the increased impact that can be escalated to a high severity threat and boils down to the registration of a domain by somebody else (with bad intentions) in order to gain control over one or more (sub)domains. This presents an interesting attack vector, which can even lead to several high severity risks, like this authentication bypass explained in a bug bounty report https://hackerone.com/reports/172137 by @ArneSwinnen.

The attacker can use this method to steal cookies by hosting malicious javascript/spread malware/steal money by setting up the sale/setup fake dapp application to steal private keys/ steal login details of users/spear-phishing/authentication bypass and other bad stuff.

Risk Breakdown

Risk: Severe Difficulty to Exploit: Easy Complexity: Easy Weakness Categories: Deployment Misconfiguration/Stored XSS/Authentication Bypass (CWE: 16) CVSS2 Score: 9.3 (AV:N/AC:M/Au:S/C:C/I:C/A:N) Reference: https://0xpatrik.com/subdomain-takeover/

Remediations

  1. Check your DNS-configuration for subdomains pointing to services, not in use
  2. Set up your external service so it fully listens to your wildcard DNS.
  3. Our advice is to keep your DNS entries constantly vetted and restricted.
  4. Preventing subdomain takeovers is a matter of order of operations in lifecycle management for virtual hosts and DNS. Depending on the size of the organization, this may require communication and coordination across multiple departments, which can only increase the likelihood for a vulnerable misconfiguration.
  5. Create an inventory of all of your organization’s domains and their hosting providers, and update it as things change, to ensure that nothing is left dangling.

Thank you

MicaiahReid commented 2 years ago

Thanks @aparcekarl. We'll forward this to security as well.

jlazoff commented 2 years ago

Here is the page rule used by this subdomain:

Screen Shot 2022-03-21 at 1 45 39 PM

Perhaps making this into a Cloudflare worker, we can block the threat.

aparcekarl commented 2 years ago

Yes, that’s a good remediation

jlazoff commented 2 years ago

Hi @aparcekarl and @MicaiahReid ,

I made a small change to the dummy DNS record. Is the relay subdomain still vulnerable?

If yes, we will create a stronger page rule or Cloudflare worker.

We should also look into the solc subdomain, as I believe it is susceptible to the same vulnerability.

Appreciate your help,

Joshua

davidmurdoch commented 2 years ago

@jlazoff I was unable to exploit this before, since GitHub requires domain verification first. Were you able to exploit it?

aparcekarl commented 2 years ago

@jlazoff

It's all fixed now. great work.

https://solc.trufflesuite.com/ this is not vulnerable. Thanks

jlazoff commented 2 years ago

Excellent, replacing the dummy or broken GitHub cname, with a dummy A IP address seems to have fixed everything!

aparcekarl commented 2 years ago

@jlazoff Great work. Is this eligible for a bounty? And the other report? thank you

kevinweaver commented 2 years ago

Hi @aparcekarl, I've reached out to the security team to check. We'll get back to you soon!

kevinweaver commented 2 years ago

Hi @aparcekarl, I just spoke with the security team. We are still in the process of adding Truffle assets to the ConsenSys bounty program. However, we believe that this find is worth giving a retroactive bounty!

Please submit a report to HackerOne and ask to be redirected to the security team at our request. Given the nature of these two issues stemming from the same domain, they should be combined into one report, but please link to both github issues:

-https://github.com/trufflesuite/trufflesuite.com/issues/1194 -https://github.com/trufflesuite/trufflesuite.com/issues/1193

Thanks so much for your help! Closing this issue now that it's resolved.

aparcekarl commented 2 years ago

Thank you so much. Report submitted to hackerone. https://hackerone.com/reports/1560671