Pierluigi Paganini March 05, 2020

Security researchers demonstrated that hundreds of sub-domains belonging to Microsoft could potentially be hijacked and abused to deliver malware and for phishing attacks.

Researchers have devised another way to carry out an attack, for example, inviting victims to download a fake update from an apparently trusted URL such as mybrowser.microsoft.com.

Security researchers Numan Ozdemir and Ozan Agdepe from security firm VULLNERABILITY demonstrated that hundreds of sub-domains belonging to Microsoft could potentially be abused by attackers in malware and phishing attacks.

Experts identified at least 670 subdomains for microsoft.com, skype.com, visualstudio.com, and windows.com properties that could be potentially hijacked.

Many sub-domains belonging to the IT giant, such as dev.social.microsoft.com and web.visualstudio.com, are hosted on Azure cloud.

Let’s consider mybrowser.microsoft.com, it might have resolved by the DNS to something like webserver9000.azurewebsites.net.

But experts discovered that Microsoft did not take care of DNS entries for the sub-domains that for some reason it stops to update.

Back to the above example, the sub-domain mybrowser.microsoft.com would still point to a server instance on webserver9000.azurewebsites.net even it has been shut down.

In this scenario, an attacker could potentially get an Azure account, set up a web server instance, and request the hostname webserver9000 (webserver9000.azurewebsites.net). This means that visitors for mybrowser.microsoft.com will be redirected to the web server instance managed by attackers (webserver9000.azurewebsites.net) that could be used to deliver malware or to display a phishing page.

“If a subdomain is vulnerable to controlling by another persons excluding system authorities, its called as subdomain takeover. It may happen because of expired hosting services or DNS misconfigurations. Attacker will has full-privilege on the system after tookover the subdomain. Attacker can upload his own files, create his own databases, track data traffic and create a clone of main website.” states a report published by the security duo.

“So, it is not possible to detect that the subdomain is hijacked by an attacker and it threaten the security with various attack scenarios. Our team VULLNERAB1337 beat the records and discovered 670+ subdomains of Microsoft is vulnerable to takeover. Let us show you how we found them and what can an attacker do by this vulnerability.”

Ozdemir and Agdepe demonstrated that hundreds of Microsoft sub-domains could be hijacked and reported them to the company.

“There are 2 points we should care about:

• status: NXDOMAIN
• CNAME takeovertest-host.azurewebsites.net

This informations tell us about this subdomain is vulnerable to takeover and it is hosting on azurewebsites.net. So, attacker can create a source on Microsoft Azure portal and takeover the subdomain.” added the experts.

Microsoft acknowledged the issue and deactivated these sub-domains.

Ozdemir explained that is is quite simple for an attacker to take full control over a sub-domain, it could take anywhere from five to 30 minutes to attackers.

“Attacker firstly detects subdomains, then scan them to determine if they are vulnerable or not. We have developed an automated tool for it.” Ozdemir told me. “Once the attacker has found a vulnerable sub-domain, he will register the hosting provider and get that namespace.
It is easy to do, and it is also generally free. So, everybody can do it.
You have to follow your subdomains regularly If your hosting service expires, attacker can easily take over your subdomains.”

The bad aspect of the story is the way Microsoft has managed the situation, it has refused to pay out bug bounties for the issue even if the bug bounty program of the company covers sub-domain security.

Experts pointed out that Microsoft only needs to delete DNS entries for sub-domains when decommissioning their servers or remove DNS entries for those sub-domains that no longer respond to HTTP requests.

Experts explained that there are a lot of service providers vulnerable to subdomain takeover.

“There are lots of service providers vulnerable to subdomain takeover attacks, for example Github, Amazon Web Services, Azure, Pantheon, Shopify, WordPress, Fastly, Heroku, Tumblr etc…” concludes the advisory.

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft sub-domains)

[adrotate banner=”5″]

[adrotate banner=”13″]