Threats & Research

Subdomain takeover – Chapter two: Azure Services

CyStack image

Trung Nguyen

CEO @CyStack|September 27, 2023
Subdomain takeover - Chapter two: Azure Services

As I described in the chapter one, we can control the content of a sub-domain d by  controlling the content of domain d1 that d points to through its CNAME record.

Azure, a popular cloud service offer many services that can create such a d1. In this article, I will go details about services of Azure that can be vulnerable and how I exploited in the wild, including: Traffic Manager Profile, Web App, Virtual Machine

Traffic Manager Profile

Traffic Manager profiles use traffic-routing methods to control the distribution of traffic to your cloud services or website endpoints.

My targets: Microsoft, Deloitte, HP

Normally, we can detect that a domain is using Traffic Manager if its CNAME record is like the following case.

The next step is checking whether the CNAME domain is available to register or not by using Azure API or using Azure portal.

If it is available, just create then in endpoint setting, select type External endpoint and enter your controlled IP address as the target. The final step is to create a PoC page in your server to make the PoC works.

Web App Service

Azure App Service enables you to build and host web apps, mobile back ends, and RESTful APIs in the programming language of your choice without managing infrastructure

My targets: Deloitte, US gov

In this case, the original domain points to

Similar to the Traffic Manager Profile, we have to check check the destination domain’s availability and if it’s available, create your own app. Then push whatever you want to it to prove that you can control the domain.

Note: I have reported that bug to the US Cert and they fixed afterwards.

Virtual Machine

Azure Linux Virtual Machines provides on-demand, high-scale, secure, virtualized infrastructure using Red Hat, Ubuntu, or the Linux distribution of your choice

My targets: BBC

Compare to those cases, the destination domain in this case includes the region name, its form is

Steps to exploit

  1. Create a Virtual Machine, Ubuntu server for example. You must select the correct region with the region in that CNAME. In this case, it is North Europe
  2. In Overview setting, change DNS name to
  3. Install a webserver (Apache, Nginx) in the VM just created and create a virtual host for it to serve requests to

Fun facts

  • Roughly 40 domains of Microsoft affected by this issue. Their security team responded quite slowly and did not reward for the finding since it is out of scope. However, they gave me a sincere thanks and acknowledged me in MS Hall of Fame (2 times for 2 reports)
  • BBC gave me a T-shirt and acknowledged me their Hall of Fame
  • About 140 domains of Deloitte, one of the world’s largest auditing companies, are vulnerable. Reporting bugs to them is probably one of the worst experiences in my career. When I found issues in their domains, I tried to find their security contact but got nothing; I also sent emails to the addresses I saw on their official websites but got no responses after 1 week. Finally, I used Linkedin and texted to some people that I think they work there, one of them replied me that she forwarded my message to the security team. Sadly, she just quit her job there for a short time. The security team then contacted me and asked me for details. What happened after that was that they said they received the information and ended the conversation. I’m also not sure if those problems have been fixed. Honestly, I have no intention of reporting the vulnerability to this company anymore.

Related posts

Flash Loan Attack
Flash Loan Attack
27/06/2022|Threats & Research

Mở đầu Flash Loan Attack là một hình thức tấn công DeFi đã xuất hiện từ lâu, gây ra rất nhiều thiệt hại cho các nền tảng DeFi. Tính từ đầu năm 2022 đến nay, đã có nhiều cuộc tấn công dựa trên hình thức này, điển hình như các cuộc tấn công nhắm đến […]

Cuộc tấn công vào ONUS – Góc nhìn kỹ thuật từ lỗ hổng Log4Shell
Cuộc tấn công vào ONUS – Góc nhìn kỹ thuật từ lỗ hổng Log4Shell
05/04/2023|Threats & Research

Read the English version here Log4Shell hiện đang là một cơn ác mộng (có lẽ là tồi tệ nhất cho tới thời điểm hiện tại) đối với nhiều doanh nghiệp. Không may thay, ONUS, một trong số những khách hàng của chúng tôi, đã trở thành nạn nhân của lỗ hổng này. Với tư cách […]

The attack on ONUS – A real-life case of the Log4Shell vulnerability
The attack on ONUS – A real-life case of the Log4Shell vulnerability
05/04/2023|Threats & Research

Đọc bản tiếng Việt tại đây Log4Shell has recently been a nightmare (probably the worst one for now) to businesses. ONUS, a client of ours, was an unfortunate victim. As their security partner, CyStack informed ONUS of the risks right after Log4Shell came to light; when the attack actually happened, we supported them in finding […]