EdOverflow / can-i-take-over-xyz

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.


Zendesk no more possible?

energiatel opened this issue · comments

As reported here https://support.zendesk.com/hc/en-us/articles/203664356-Changing-the-address-of-your-Help-Center-subdomain-host-mapping- Zendesk subdomain takeover requires making the subdomain an alias of the default address. So it shouldn't be possible to get a subdomain takeover without getting access to the domain registrar's control panel.

Am I wrong?

This takeover is possible when a Zendesk account has been deleted, but still remains available in the host domain's DNS record.

When you dig the record you will see the CNAME; this corresponds to the name of the Zendesk account you need to (re)create. Once you've done so, you'll have claimed Zendesk on this host domain.

This is a much less valuable takeover than other scenarios as you aren't hosting content on the domain like you are in other takeovers (removing XSS/CORS possibilities) and you're instead hosting a new support (Zendesk) instance. It's useful for red teaming and social engineering, but I wouldn't expect the bounty payments to be as much as in other scenarios where you can demonstrate more relevant risk.

My experience with a zendesk takeover attempt this morning.

Thank-you @JesseClarkND, I was also familiar with this one through a recent attempt. I've made a change to the repo in line with your proofs and will now close this issue (see: #51).

Appreciate your efforts!

Zendesk is still vulnerable. Just check all the site's subdomains to see if any subdomain is added to a Zendesk account and another one is added too (only one will be the CNAME and the other one will redirect you to the fingerprint that gives you the error).

For example, if I add my subdomain (support.example.com) to my Zendesk account with my CNAME and add my other subdomain (help.example.com) to the same CNAME...

my first subdomain support.example.com will show my Zendesk site, but when I go to help.example.com I will find myself redirected to the fingerprint error.

So you can take over a subdomain that already exists?
Sure you can't!

Only if the company has only one subdomain listed in Zendesk and the subdomain redirects you to the fingerprint error. Then sure, you can take it over!

I tried taking over an expired Zendesk subdomain and it worked, but after I activated the help center in the Zendesk settings menu, it should appear on the subdomain, but it is still redirecting to the previous error. Can anybody tell me if it takes time to get published on the main subdomain after activation?

Update: I have only a trial account; is that why Zendesk is not showing it on the subdomain?

Update: it worked.

@bgxdoc If you could describe your steps to achieve it so that it worked, that would be awesome.

I just got a successful takeover today.

Simply located a domain which was redirected to a Zendesk page saying "This help center has been deleted".

Found the CNAME. Registered that on ZenDesk as my account. Now it's pointing to mine. Set up an SSL cert so that it stops redirecting to my ZenDesk, and instead it actually hosts it on the real subdomain.

Need to figure out a way to get stored XSS via zendesk admin so that I can improve on the impact...

Double dipping there? Get a bounty from ZenDesk and the company?

@Cillian-Collins See if you can use the ZenDesk name to also generate emails from that domain, you can leverage that email to pivot into internal slack/jira instances.

Read:
https://medium.com/intigriti/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c

If it works, I totally accept tips to my PayPal account. 🤣


If the name of the domain is not taken, you can take it over. You need to enable an SSL certificate in the security settings and enable the Host Mapping option in the account settings and it will work.

I tried taking over an expired Zendesk subdomain and it worked, but after I activated the help center in the Zendesk settings menu, it should appear on the subdomain, but it is still redirecting to the previous error. Can anybody tell me if it takes time to get published on the main subdomain after activation?

Update: I have only a trial account; is that why Zendesk is not showing it on the subdomain?

Update: it worked.

How did it work? What did you change?

@gauravdrago:
In the above comment, @YosefMahmoud has already described the solution. It's the same thing I did to make it work.

"If the name of the domain is not taken, you can take it over. You need to enable an SSL certificate in the security settings and enable the Host Mapping option in the account settings and it will work."

@gauravdrago
I believe Zendesk has a free trial option; use that. In case you have used the trial account before, simply create a new account and then use the free trial.

@gauravdrago
It worked for me back then, but why not now, I don't know; I guess they might have disabled it for trial accounts.
I will look into this once I get free time from my work.


@bgxdoc @gauravdrago
Not sure about the free trial and premium. To resolve this: Zendesk has three cases when you see that the help desk is closed:

1- Deleted help desk: you can take it over.
2- Inactive: you can't take it over until 90 days have passed.
3- Sometimes companies use only the chat widget from Zendesk without a help center; it will respond with the same message, but you can't take it over.

Not sure if there are any other cases or not; if someone has already faced another case, they can add it to resolve this issue.

still possible

@roblox1488 Did you have a specific method that you used that is separate from the above comments?

You have to wait a while after the subdomain stops being in use; then you can just register it normally like you would.

Looks like it is vulnerable in some cases. This person was able to take over the Zendesk portal.

https://hackerone.com/reports/759454

There are two possibilities when dealing with a closed Zendesk helpcenter as far as I've encountered so far.

Possibility 1: The domain the Zendesk domain is pointing towards is in use. However, the host mapping has not been done correctly, which makes the domain display a 'help center closed' notice. This case is not vulnerable, because the Zendesk domain (i.e. the CNAME reference (*.zendesk.com)) is occupied.

Possibility 2: The Zendesk domain is not in use and the target's domain name is displaying a 'help center closed' notice. Here, takeover is possible.

For a successful takeover, follow these steps:

  1. Go to zendesk.com and register for a free trial. When you are asked what name you want the Zendesk domain to have (foo.zendesk.com): if it is available for takeover, it will display a green checkmark.
  2. After registering, go to Settings > Account > Host mapping. Fill in the domain this Zendesk domain is pointing to.
  3. Enable SSL on the domain to stop the redirect when you browse to your target's domain (if SSL is not enabled, when browsing to the vulnerable domain (foo.vulnerable.com), Zendesk will redirect to your Zendesk subdomain).
  4. Start up a guide and enable unsafe content in Admin settings.
  5. In an article, add an extra line of source code (e.g. <script>alert("stored XSS for PoC")</script>)
  6. ???
  7. Profit.


Thanks @JvdHout1011 for the good write-up. Yes, it is still possible to hijack/take over a subdomain through the Zendesk portal. I took over the subdomain support.*******.com and I'm receiving their help desk emails on the Zendesk dashboard.

POC : https://drive.google.com/file/d/1h4QomND3n7O5dRCzyGmHQ78qdFcpK51L/view?usp=sharing

Thank you @JvdHout1011
I can confirm the takeover is still working; I took over a subdomain through the Zendesk portal a few minutes ago.
POC here :
https://prnt.sc/s80l2i
https://prntscr.com/s80mhi

Update: There's something wrong with the trial period ending just after confirming my email. Happened 5 times on 5 subdomains I was trying to take over.
Is it because I was using the same IP? (Will try from another IP.)
Can anyone confirm this issue please?

@JvdHout1011 I can confirm the takeover still works.

@EdOverflow Please update this. Using @JvdHout1011's method, the takeover is still possible.

There is already a report about this takeover on H1. I believe it is possible.

https://hackerone.com/reports/810807

@soareswallace I confirm; I already took over 10 subdomains in the last 3 days. I sent reports to HackerOne but most of them are "ineligible" and they said "We do in fact consider bounty payment on a case by case basis for bounty".

Seems it is still vulnerable.
https://www.youtube.com/watch?v=sBTVWKeh7xY

Hello, I didn't test if it's still vulnerable or not (it's been 4 months since my last report, as shown in the video). I will check that tomorrow and will keep you updated.

(The POC video is mine, from my report here: https://hackerone.com/reports/869605 but someone downloaded it and posted it on YouTube, so the YouTube channel is not mine)

Not sure why this is marked as "Not vulnerable"... As others have reported above, Zendesk is still vulnerable, although the necessary conditions may have changed over time. Let's take zendesk.example.com as an example in what follows.

Regarding impact:

  • Such a subdomain takeover is a phisher's wet dream. I've even seen cases in which emails sent to support@example.com automatically created a ticket in Zendesk; not bad for phishing users asking for help.
  • You can achieve stored XSS in the context of the subdomain, which may have implications for other subdomains of the target (e.g. if they have sensitive cookies improperly scoped to a common parent domain).

Signature

In my experience, there are two necessary conditions for a host to be vulnerable. First, zendesk.example.com must have a CNAME record targeting some zendesk.com subdomain corresponding to a Help Center. Second, zendesk.example.com must be available as a custom domain name on the platform. You can check that programmatically by sending a request of the following form (which the Zendesk frontend sends to the backend when you sign up for a free trial):

$ target="zendesk.example.org"
$ curl -s 'https://www.zendesk.com/wp-content/themes/zendesk-twentyeleven/lib/domain-check.php' \
      -H 'authority: www.zendesk.com' \
      -H 'pragma: no-cache' \
      -H 'cache-control: no-cache' \
      -H 'accept: */*' \
      -H 'x-requested-with: XMLHttpRequest' \
      -H 'user-agent: REDACTED' \
      -H 'content-type: application/x-www-form-urlencoded; charset=UTF-8' \
      -H 'origin: https://www.zendesk.com' \
      -H 'sec-fetch-site: same-origin' \
      -H 'sec-fetch-mode: cors' \
      -H 'sec-fetch-dest: empty' \
      -H 'referer: https://www.zendesk.com/register/' \
      -H 'accept-language: en-GB,en-US;q=0.9,en;q=0.8,fr;q=0.7' \
      --data-raw "domain=$target" \
      --compressed

Inspect the JSON response. You can safely ignore the value of the available field, which I have found to be misleading. What truly matters is the presence of a suggestion field in the response; if that field is present, the custom domain name is unavailable; otherwise, the custom domain name is available.

Be mindful that Zendesk sits behind Cloudflare, and if you hammer it with such requests, you'll likely get a temporary IP ban from Cloudflare.

A subtlety regarding cert provisioning

Zendesk offers to provision a TLS cert (using Let's Encrypt) for your custom domain, but this provisioning can fail. Be aware that cert provisioning may fail multiple times at first, for no good reason, really; be patient but persistent: retry a few times.

However, one remarkable reason for cert-provisioning failure is when the root domain of your custom domain name features on Let's Encrypt's deny list; in that case, provisioning of the cert will fail, but the error message shown in Zendesk's frontend will be indistinguishable from that of a transitory cert-provisioning failure. You simply won't be able to tell that it's due to a problem with Let's Encrypt, unless, perhaps, you ask Zendesk's support nicely.

If you cannot obtain a certificate for your custom domain, visiting it will simply redirect you to the associated Zendesk subdomain, which greatly reduces the impact of the subdomain takeover :(

Tip: disable email notifications

As soon as you get a foothold and before notifying the target, I recommend disabling all email notifications in the Zendesk settings. Why? Once the target removes the offending CNAME record, you won't be able to access the Zendesk account; as a result, you won't be able to disable email notifications, and you'll keep receiving emails (marketing, etc.) until your free trial expires, which can be annoying.
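A defender-side audit that applies the two conditions from the "Signature" section above to a zone export, so a domain owner can find Zendesk CNAMEs that need removing before anyone else claims them. This is an added example, not code from the repo or from any commenter; the zone lines, the JSON responses and the injected `lookup` callable are constructed assumptions (a real `lookup` would wrap the domain-check request shown above, with a delay between calls).

```python
import json
import re

# Matches CNAME targets inside zendesk.com (trailing dot optional).
ZENDESK_CNAME = re.compile(r"^(?:[a-z0-9-]+\.)+zendesk\.com\.?$", re.I)

# Constructed BIND-style zone export for an imagined example.com zone.
SAMPLE_ZONE = """\
support.example.com.  3600 IN CNAME acme-help.zendesk.com.
help.example.com.     3600 IN CNAME acme-help.zendesk.com.
www.example.com.      3600 IN A     192.0.2.10
status.example.com.   3600 IN CNAME example.statuspage.io.
"""

# Constructed domain-check responses in the shape the comment describes:
# a `suggestion` field means the custom domain is taken, its absence
# means it is free to be claimed (the `available` flag is ignored).
SAMPLE_RESPONSES = {
    "support.example.com": '{"available": true, "suggestion": "support1"}',
    "help.example.com": '{"available": false}',
}

def zendesk_cnames(zone_text):
    """Condition 1: return {owner: target} for CNAMEs into zendesk.com."""
    found = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2:4] == ["IN", "CNAME"]:
            if ZENDESK_CNAME.match(parts[4]):
                found[parts[0].rstrip(".")] = parts[4].rstrip(".")
    return found

def custom_domain_is_free(response_text):
    """Condition 2: ignore `available`, key on the `suggestion` field."""
    return "suggestion" not in json.loads(response_text)

def audit(zone_text, lookup):
    """Hostnames meeting both conditions; their CNAMEs should be removed.

    `lookup(host)` returns the domain-check response body; it is injected
    so the audit runs offline and so a real one can be rate-limited.
    """
    return [host for host in sorted(zendesk_cnames(zone_text))
            if custom_domain_is_free(lookup(host))]

if __name__ == "__main__":
    print(audit(SAMPLE_ZONE, SAMPLE_RESPONSES.__getitem__))
```

Only help.example.com is flagged: it still points into zendesk.com while the custom domain is unclaimed, which is the state the thread identifies as vulnerable.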