The S3 Bucket Problem - The Latest Vuln to Become Popular

Yes, yes, I'm late to the party, I know. Poorly secured Amazon S3 buckets have been a thing for a while now, but recently there's been a large uptick again as some awesome tools were written to help find these misconfigured buckets. Let's chat a little about the problem at hand and show-off some cool tools!

Why all the drama about S3 Buckets?

For the uninitiated, Amazon Web Services offers a service called S3. S3, for lack of a better definition, is a web-based storage solution. It's not a database. It's not a key-value store. It's literally a place to store files (Amazon calls it a cloud object storage). In fact, it's closer to Google Drive and Dropbox than anything else.

So, this leads the question - "So, what?" I'm glad you asked... You see, AWS is a very popular platform to host all sorts of things (servers, applications, storage, you name it and Amazon probably has an AWS service for it). For the longest time, AWS had very poor default permissions on a newly created S3 Bucket (an S3 instance is called a bucket). This meant anyone with a web browser and the ability to guess what you named your S3 Bucket could view, download, and even add new files to your S3 Bucket.

Organizations were hosting all sorts of interesting files in their S3 buckets. We've seen everything from flat-files (CSVs, Documents, Excel Sheets) to full database backup files. The only thing protecting someone from having their files stolen was guessing the name of their bucket. Once people got wind of this, we started seeing a handful of dictionary-based bruteforcers then the intelligent bruteforcers and now tools that detect when a bucket is created due to the HTTPS certificate being created. The InfoSec community really brought their A-Game to this party.

You mentioned tools...?

We'll start basic and move our way up. If you're a bug hunter or just dabble in bug bounties in your spare time, I would highly suggest looking into S3 Bucket problems (especially if the target uses AWS to host their application).

Bruteforce tools. These are nothing out of the ordinary. They take a dictionary and bruteforce if that word has an associated S3 Bucket (and will see if it is configured wrong). I've tried my best to be language agnostic with these tools, so pick the language of your choice.

• https://github.com/gwen001/s3-buckets-finder (PHP?? Yeah, that's still a thing)
• https://github.com/Ucnt/aws-s3-bruteforce (Python)
• https://github.com/nahamsec/lazys3 (Ruby)

Certificate scanning tools. These watch for new HTTPS certificates being created (thank you, CertStream) and filter everything out except for S3 Buckets. They then test if the S3 Bucket is world-readable. They're truly magical.

• https://github.com/eth0izzle/bucket-stream (Python)
• https://github.com/bbb31/slurp (Go)

Obviously, in specific engagements there are upsides to testing a curated dictionary of words, but in other situations, it may be more interesting to see a real-time stream of new insecure buckets being created. I'm willing to bet Threat Intelligence companies will be eating this data and alerting based on keywords in the near future.

Fixing insecure buckets

Like all of my previous posts, I always try to include a section on remediating the discussed risk. So, let's do just that.

You will need access to your organization's AWS management console and an account with enough permission to administrate your S3 buckets.

1. Sign into your AWS management console
2. Navigate to Amazon S3 (using search or the option under the millions of services)
3. In the bucket listing, ensure none say Public under Access
4. For a bucket you want to remove public access, click the bucket name, then click the Permissions tab
5. Under Public Access, ensure there are no permissions granted (refer to image below)
   

Conclusions

"The cloud" can be truly revolutionary, but we've got to work on better default configurations so it is harder for people to make these mistakes. I have always been a big fan of stricter default security policies - Yes, I know this may make some users frustrated that they need to configure your product instead of just install and go. But consider the security implications of a 3-Letter agency letting classified information be leaked due to a poorly configured S3 Bucket (Source: https://www.upguard.com/breaches/cloud-leak-inscom). Yes, that did indeed happen.

Thanks for making it this far -- Got something to say or wanna correct my inane rambling? Post it below.

Subdomain Takeover - Preventing the PR Disaster

I've been meaning to write about this for a while now, but I never took the time to make it happen. So, here we go... Hope it turns out like I was expecting!

What is Subdomain Takeover?

Subdomain takeover has become a popular security topic due to the increasing prevalence of Bug Bounties and how easy it is to detect. Plenty of people have written scripts to check for this issue:

• https://github.com/nahamsec/HostileSubBruteforcer
• https://github.com/haccer/subjack
• https://github.com/michenriksen/aquatone

Simply put, subdomain takeover is a type of DNS misconfiguration where a DNS entry (a CNAME record) points to another site where that domain is no longer registered. For example, let's assume you own myimportantbusiness.com and your important business has a blog. Your blog is located at blog.myimportantbusiness.com but is hosted on Google's Blogger platform. Your business decides you'd rather switch over to Wordpress (cause Wordpress is what everyone else in the industry is using) and your important business blog is now located at wordpress.myimportantbusiness.com.

Your network administrator never removed blog.myimportantbusiness.com but instead just made a new DNS entry. Your web content team deleted the old Blogger blog and migrated the content to Wordpress. Now when you navigate to blog.myimportantbusiness.com you see a Blogger error stating that blog is not registered.

This is where the problem lies. Anyone else on the internet can now go re-register your company's old blog and now technically owns blog.myimportantbusiness.com. They can post whatever rude, malicious, or potentially incriminating content under your the guise of your domain.

How do we exploit this?

Unfortunately, this is the complicated part. Not all dangling subdomains can be exploited as it requires the target service to allow you to re-register the old entry. For example, many CDNs won't let you re-register a service without proving you own the domain. The short answer is: You need to check out where the subdomain is pointing to and determine if you can re-register the old entry. Not a great answer, I know.

The good part though: Others have already made lists of common services which people tend to leave old DNS entries for and can even automatically re-register the entry to your account. A few examples:

• AWS Cloudfront
• Heroku
• Zendesk
• Tumblr/Blogger/Wordpress.com

I linked to a collection of tools above which can assist in determining if a subdomain is vulnerable.

How do we fix these problems?

Quick Solution: Remove the DNS entry -- This works for most situations

Longer Term Solution: Define a policy where whomever manages DNS at your organization performs a regular audit of your DNS entries. Yes, this can be tedious, but it can ensure your DNS records are up-to-date.

Conclusions

While subdomain takeover isn't anything sexy or technically complicated or cool, it is a serious problem facing organizations large and small. Just go search Google for "site:hackerone.com subdomain takeover" - Check out all the results.

Thanks for making it this far. Did I miss something? Let me know below.