Subdomain Takeover: Yet another Starbucks case

Recently, I was repeatedly awarded $2,000 bounty for subdomain takeover on Starbucks. You may remember my post about bug bounty report where I described how to subdomain takeover was possible using Azure. This case was pretty similar. However, I had to use another Azure service called Traffic Manager. In this post, I explain the step-by-step process for the proof of concept.

Report

On Monday evening, I noticed that wfmnarptpc.starbucks.com responds with NXDOMAIN. The more interesting fact was that it has CNAME set to s00149tmppcrpt.trafficmanager.net. From experience, I knew that this has a perfect chance of being a subdomain takeover. As you may remember, Azure mostly uses dedicated IP addresses, so when CNAME to Azure responds with NXDOMAIN, your bug bounty radar should be on.

Previously, I haven't mentioned that trafficmanager.net is also one of the domains where subdomain takeover is possible. Let's look at what is Traffic Manager about:

"Microsoft Azure Traffic Manager allows you to control the distribution of user traffic for service endpoints in different datacenters. [...] You can also use Traffic Manager with external, non-Azure endpoints."

$ dig a wfmnarptpc.starbucks.com

; <<>> DiG 9.10.6 <<>> a wfmnarptpc.starbucks.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20251
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;wfmnarptpc.starbucks.com.	IN	A

;; ANSWER SECTION:
wfmnarptpc.starbucks.com. 33165	IN	CNAME	s00149tmppcrpt.trafficmanager.net.

Simply put, there is some domain which has link to non-existing subdomain of trafficmanager.net. To prove our point, we need to registered the previously removed asset in Azure. Thankfully (for us), Azure is not doing any domain ownership verification :-)

You may remember that this situation is still not the winning point since there might be disabled configuration with this subdomain in Azure. In this case, even though externally it seems that takeover is possible, PoC creation would fail.

I started by creating a new Traffic Manager profile in the Azure portal:

Traffic Manager profile creation

Nice! At this point, I knew that the subdomain takeover is possible. The s00149tmppcrpt.trafficmanager.net is available; I can take it and progress with PoC. Now I needed to point the domain to one of the servers that I own:

Traffic Manager endpoint creation

The only thing left was to create a new virtual host on my endpoint:

VHost Starbucks

Time well spent. Thank you very much.

Subdomain takeover PoC

Until next time!

Patrik