The Secrets Behind EC2 Takeovers
Have you heard of subdomain takeovers? Do you know what impact they have? If you haven’t, here is a short summary.
A subdomain takeover arises when a dangling DNS record points at a resource that is “free” for anyone to claim. Whoever claims that resource controls whatever is served under the subdomain.
One such resource is an S3 bucket:
media.venmo.com. CNAME media.venmo.com.s3.amazonaws.com
If at any point the S3 bucket ‘media.venmo.com’ is deleted, anyone on the internet can create an S3 bucket with that name and control the content of the “media.venmo.com” subdomain.
With EC2 it is not that straightforward. Subdomains can also have ‘A’ records:
business-signup.stage.paypal.com. IN A 23.23.198.93
# host 23.23.198.93
93.198.23.23.in-addr.arpa domain name pointer ec2-23-23-198-93.compute-1.amazonaws.com.
In this case business-signup.stage.paypal.com points to an IP, and that IP belongs to the AWS IP range of the EC2 service (the PTR record confirms it: the reverse name is an ec2-*.compute-1.amazonaws.com hostname).
That IP belongs to an EC2 instance (we will call it an ec2 server) in AWS. So what happens if PayPal decides to delete the ec2 server and forgets to delete the DNS record?
Can I go to AWS, create an EC2 server and get that IP? You can create a server/VPS there, but the IP you get is picked at random from the more than 5 million IPs AWS has. So how can you actually take it over?
You take over subdomains pointing to EC2 with **Luck ❤**. Yes, with “luck” and a bunch of automation. To take over EC2 subdomains you have to continuously get IPs from EC2 and check whether any subdomain you want is pointing to the IPs you are getting.
You don’t decide which subdomain you take over, it chooses you! Ok, jokes aside, it goes like this: you get an IP, and if a domain you are interested in is pointing to that IP, you now have a subdomain takeover.
To quickly explain how one would achieve this with automation:
1. Resolve the list of domains/subdomains (once a day, not every loop)
2. Get IPs from EC2 by ‘allocating’ them
3. Check if any subdomain is pointing to the IPs you just allocated
4. If yes, congrats, you got a subdomain takeover. If not, release the IP
5. Repeat endlessly
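The loop above as an added example, not the author's own tooling: a reverse index from IP to subdomains is built once from the daily resolution (pre-filtered to EC2 address space, the same check the PTR lookup above does by hand), and then addresses are allocated, matched and released. The allocator is pluggable so the logic runs offline; in real use the two callables would be boto3's `ec2.allocate_address(Domain='vpc')` (which returns `AllocationId` and `PublicIp`) and `ec2.release_address(AllocationId=...)`. The hostnames, the two EC2 prefixes and the stub's sequence of "allocated" IPs are all constructed for the example; the real EC2 prefix list is the `EC2` service entries in https://ip-ranges.amazonaws.com/ip-ranges.json.

```python
import ipaddress
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample of EC2 prefixes (assumption for the example). In practice,
# load the "EC2" service entries from https://ip-ranges.amazonaws.com/ip-ranges.json.
EC2_PREFIXES = [ipaddress.ip_network(p) for p in ("23.20.0.0/14", "54.80.0.0/13")]

# Constructed sample of pre-resolved A records (step 1: resolve once a day, not
# every loop). Hypothetical hostnames; the last one is outside EC2 and is dropped.
# Two hosts share one IP, which is why a single allocation can yield several takeovers.
RESOLVED = {
    "old-api.example.com": "23.23.198.93",
    "legacy.example.com": "23.23.198.93",
    "staging.example.org": "54.81.10.7",
    "www.example.net": "93.184.216.34",
}


def in_ec2(ip: str, prefixes=EC2_PREFIXES) -> bool:
    """True if the address falls inside one of the EC2 prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def build_index(resolved: Dict[str, str], prefixes=EC2_PREFIXES) -> Dict[str, List[str]]:
    """Reverse index ip -> [subdomains], keeping only EC2 addresses.

    A record pointing outside EC2 can never be obtained by allocating an
    address there, so it is not worth comparing against every allocation.
    """
    index: Dict[str, List[str]] = defaultdict(list)
    for host, ip in resolved.items():
        if in_ec2(ip, prefixes):
            index[ip].append(host)
    return dict(index)


def hunt(index: Dict[str, List[str]],
         allocate: Callable[[], Tuple[str, str]],
         release: Callable[[str], None],
         budget: int) -> Dict[str, List[str]]:
    """Steps 2-5 for `budget` allocations: allocate an address, keep it if any
    subdomain in the index still points at it, otherwise release it.

    `budget` stands in for the per-minute/per-region limit the text mentions;
    a real loop would sleep between batches instead of running flat out.
    """
    hits: Dict[str, List[str]] = {}
    for _ in range(budget):
        alloc_id, ip = allocate()
        hosts = index.get(ip)
        if hosts:
            hits[ip] = list(hosts)   # keep the address: every host here is a takeover
        else:
            release(alloc_id)        # nothing points at it, give it back and try again
    return hits


def make_stub_allocator(ips: Iterable[str]):
    """Offline stand-in for allocate_address/release_address. Hands out the
    constructed IPs in order and records which allocation ids were released."""
    it = iter(ips)
    released: List[str] = []

    def allocate() -> Tuple[str, str]:
        ip = next(it)
        return ("eipalloc-" + ip.replace(".", ""), ip)  # hypothetical allocation id format

    def release(alloc_id: str) -> None:
        released.append(alloc_id)

    return allocate, release, released


if __name__ == "__main__":
    index = build_index(RESOLVED)
    # Constructed sequence of "allocated" addresses: one miss, then two hits.
    allocate, release, released = make_stub_allocator(["23.22.0.1", "23.23.198.93", "54.81.10.7"])
    hits = hunt(index, allocate, release, budget=3)
    for ip, hosts in hits.items():
        print(f"{ip}: {', '.join(hosts)}")
    print("released:", released)
```

The index is what makes the loop cheap: each allocation is one dictionary lookup, regardless of how many subdomains are in the dataset, and the list value is what turns one lucky address into several reports at once.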
There are some limitations: 5 IPs per minute per account per region (in every AWS region), which is not that great. How do we get more IPs per minute? Yes! More accounts! This ended with some automation kings running hundreds of AWS accounts that allocated IPs all the time, which resulted in hundreds of thousands of dollars in bounties and thousands of subdomain takeovers across all bug bounty programs (sadly probably not a single report to VDPs: no $, no bug).
There are more subdomains pointing to EC2 IPs than there are subdomains pointing to all the other resources that are “possible to take over” combined, across bug bounty programs. It’s a bit crazy when you process it.
From a quick check I found out that I have more than 100k unique IPs from more than 500k subdomains: over 500k subdomains point to more than 100k unique EC2 IPs, with multiple subs pointing to the same IP, which can result in multiple subdomain takeovers (yes, it happened in the past: getting 1 IP but at least 10 different subdomain takeovers).
For a long time it was a gold mine: researchers who automated this would get a lot of takeovers per week, and at some point I believe it could have been at least one per day or more.
But at the end of the day AWS decided it was time to fix these takeovers!
Right, but how do they fix it? The AWS fix was to ban the AWS accounts that were allocating/releasing IPs, to prevent both malicious actors and security researchers from getting subdomain takeovers.
If you create an account on AWS and start allocating/releasing IPs, you will get banned in less than a few days:
“Just ban everyone! It doesn’t matter if it is a whitelisted bug bounty hunter!! It affects our customers negatively because they pay a lot of money for subdomain takeovers!!!” Ok, it was a joke, don’t get mad.
Is the issue fixed?
Nope. Not at all, but the thing is you can’t keep a working AWS account doing this for a long period without getting banned before you find more takeovers (we miss the old days). If you allocate IPs, you will eventually pop up on the radar and say goodbye to your account.
Funny thing: it is possible to have “accidental” takeovers, meaning a random guy creates an EC2 server and points his domain to the IP, and at the same time there is a subdomain from company X that is also pointing to that IP because the company forgot to remove the DNS record.
Are there any workarounds?
Well, this is hard to tell. Some used to create accounts that lasted weeks, and after those got banned they would create more and more in a never-ending process.
Some used to *buy accounts from other people* and just add them to the automation to start getting subdomain takeovers.
I am not aware of a way of doing it right now, but I think that some people are still getting EC2 takeovers somehow. Whether the AWS sec/verification team allows it or they found a way to stay under the radar is unknown to me.
From the AWS team I got “allocating/releasing IPs affects customers negatively”. I don’t think that’s true, because it can be done with rate limits at whatever rate they choose, but they don’t want to hear anything about it: repeatedly allocating/releasing IPs (functions of AWS) is prohibited.
Since there are almost no accounts doing EC2 takeovers, it is most likely that there are tons of vulnerable subdomains out there, so buying 20 accounts from person X for $200 (or some other amount) is way too profitable even if they last one week; you would end up with a few takeovers by the end of it and some $$$. Of course you need a good setup and a large dataset of subdomains.
Btw, I buy your old AWS account for $25, let me know via Twitter DM.. haha, it’s a joke (or not..?)
Until the next writeup!