lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAEGH4AZiJTukM00QLsJrQkNNu7bj8_bQS+5cNMWzSpYs8ZGgNQ@mail.gmail.com>
Date: Sat, 21 May 2016 21:01:15 +0545
From: Bipin Gautam <bipin.gautam@...il.com>
To: fulldisclosure <fulldisclosure@...lists.org>
Cc: Nepali computer security and hacking community
 <NepSecure@...glegroups.com>,
 "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: [FD] poisoning / hijacking DNS locally of a third party domain: in
 shared and custom web hosting and in ISP,
 in automated /custom control panel software

Hi,

vulnerability summary :  a design / process flaw

Severity : Moderate / High

In most automated control pannel software, for shared and custom web
hosting and in ISP, anyone can register / signup any domain after you
have a paid account for website hosting

- and the dns record of the added domain gets synced indiscriminately
in the local  / ISP master DNS name server /resolver (for that
webhosting and ISP locally)

when any local website in such shared hosting or ISP request for dns resolving

- for a website IP, or mx or subdomain record etc

the local entry get priority over the global / root entry (like when
you edit /etc/hosts or %windir%\system32\etc\drivers the local record
gets priority over remote resolver in such situation, analogy )

- when a user of such ISP or a website in shared hosting try to
locally request a third party website (say linkedin, twitter, facebook
or any domain ) via website API, or email and when site accepts both
https or..... http redirect requests, api logins are at risk

- or a potential attacker can use such to disrupt the dns request on
such shared hosting for a third party domain

- or get / hijack all email sent for a third party domain, in such
shared hosting via catchall@[domain_name] poisoning / deliberate entry


possible affected software:
- cpanel
- many self customized / automatic dns registration / control panel /
shared hosting software
- direct admin / plesk and other popular... such control panel
software ( please test and let us know ? )

Respectfully,
-bipin

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ