Recently, I was once again awarded a $2,000 bounty for a subdomain takeover on Starbucks. You may remember my earlier bug bounty report post, where I described how a subdomain takeover was possible using Azure. This case was pretty similar. However, I had to use another Azure service called Traffic Manager. In this post, I explain the step-by-step process for the proof of concept.
On Monday evening, I noticed that wfmnarptpc.starbucks.com responds with NXDOMAIN. The more interesting fact was that it has a CNAME set to s00149tmppcrpt.trafficmanager.net. From experience, I knew that this was a perfect candidate for a subdomain takeover. As you may remember, Azure mostly uses dedicated IP addresses, so when a CNAME to Azure responds with NXDOMAIN, your bug bounty radar should be on.
I haven't previously mentioned that trafficmanager.net is also one of the domains where subdomain takeover is possible. Let's look at what Traffic Manager is about:
"Microsoft Azure Traffic Manager allows you to control the distribution of user traffic for service endpoints in different datacenters. [...] You can also use Traffic Manager with external, non-Azure endpoints."
$ dig a wfmnarptpc.starbucks.com

; <<>> DiG 9.10.6 <<>> a wfmnarptpc.starbucks.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20251
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;wfmnarptpc.starbucks.com. IN A

;; ANSWER SECTION:
wfmnarptpc.starbucks.com. 33165 IN CNAME s00149tmppcrpt.trafficmanager.net.
Simply put, there is a domain with a CNAME pointing to a non-existent subdomain of trafficmanager.net. To prove our point, we need to register the previously removed asset in Azure. Thankfully (for us), Azure does not do any domain ownership verification :-)
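As an added example (not code from the original post), here is a small Python checker that applies the indicator above to dig's text output: it flags a record only when the response status is NXDOMAIN and the CNAME target sits under trafficmanager.net, which is the combination a zone owner should be alerting on. The zone set, regexes and function names are my own assumptions, not the author's or Azure's tooling.

```python
import re
from typing import Dict, Optional

# Azure zones where a CNAME to a deleted resource can be re-registered by anyone.
# The post covers trafficmanager.net; extend this set with other zones you track.
TAKEOVER_PRONE_ZONES = frozenset({"trafficmanager.net"})

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
# Matches answer-section lines such as:
#   wfmnarptpc.starbucks.com. 33165 IN CNAME s00149tmppcrpt.trafficmanager.net.
CNAME_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+CNAME\s+(\S+)\.$", re.MULTILINE)


def parse_dig(output: str) -> Dict[str, Optional[str]]:
    """Pull the response status and the CNAME owner/target (if any) out of dig output."""
    status = STATUS_RE.search(output)
    cname = CNAME_RE.search(output)
    return {
        "status": status.group(1) if status else None,
        "owner": cname.group(1) if cname else None,
        "target": cname.group(2) if cname else None,
    }


def in_prone_zone(target: str) -> bool:
    """True when the CNAME target sits under one of the Azure zones above."""
    return any(target == z or target.endswith("." + z) for z in TAKEOVER_PRONE_ZONES)


def dangling_azure_cname(output: str) -> Optional[str]:
    """Return the target when dig shows NXDOMAIN for a CNAME into an Azure zone, else None.
    NXDOMAIN alone is not a finding; a still-published CNAME to a non-existent Azure
    target is what should raise a ticket to remove or reclaim the record."""
    rec = parse_dig(output)
    if rec["status"] == "NXDOMAIN" and rec["target"] and in_prone_zone(rec["target"]):
        return rec["target"]
    return None


# Constructed sample: the post's dig output, reflowed one field per line as dig prints it.
SAMPLE = """\
; <<>> DiG 9.10.6 <<>> a wfmnarptpc.starbucks.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20251
;; QUESTION SECTION:
;wfmnarptpc.starbucks.com. IN A
;; ANSWER SECTION:
wfmnarptpc.starbucks.com. 33165 IN CNAME s00149tmppcrpt.trafficmanager.net.
"""
```

Running `dangling_azure_cname(SAMPLE)` returns the dangling target; feed it the output of a scheduled dig over your own zone's CNAMEs to catch records like this before someone else does.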
You may remember that this situation is still not a guaranteed win, since there might be a disabled configuration for this subdomain in Azure. In that case, even though a takeover seems possible from the outside, PoC creation would fail.
I started by creating a new Traffic Manager profile in the Azure portal:
Nice! At this point, I knew that the subdomain takeover was possible. s00149tmppcrpt.trafficmanager.net was available; I could take it and proceed with the PoC. Next, I needed to point the domain to one of the servers that I own:
The only thing left was to create a new virtual host on my endpoint:
Time well spent. Thank you very much.
Until next time!