[go: up one dir, main page]
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can aws elasticbeanstalk service be takeover with env? #194

Open
Phoenix1112 opened this issue Feb 17, 2021 · 11 comments
Open

Can aws elasticbeanstalk service be takeover with env? #194

Phoenix1112 opened this issue Feb 17, 2021 · 11 comments
Labels
question Further information is requested

Comments

@Phoenix1112
Copy link
Phoenix1112 commented Feb 17, 2021
edited
Loading

hello. I know it is possible for the aws elasticbeanstalk service to have a takeover if the conditions are met. For this, the region named elasticbeanstalk should be used. but if there is "env" in the same name, I don't know if it will be takeover.

example:

example.elasticbeanstalk.com > it is not vulnerable

example.us-west-2.elasticbeanstalk.com > it is vulnerable

example-env.6zycefn8gp.us-west-2.elasticbeanstalk.com > I don't know if this is vulnerable or not.

There is a 10-digit name in the subdomain after env. "6zycefn8gp" .. I think the aws service adds this automatically and I want to know if there is a method to get it.
@ethrx
Copy link
ethrx commented Mar 2, 2021

This 10-digit name is there for the exact reason you want to claim it. I remember reading a report once about someone who created tens of thousands of AWS services to try and get this same random code, but failed.

@EdOverflow EdOverflow added the question Further information is requested label Mar 8, 2021
@indianajson
Copy link
Contributor
indianajson commented Jun 17, 2021
edited
Loading

I have performed takeovers in the past with this exact scenario. Unless AWS has updated that system you can attempt to claim an ElasticBeanstalk instance under the name of 6zycefn8gp in the us-west-2 zone and then you will be able to control "example-env.6zycefn8gp.us-west-2.elasticbeanstalk.com".

@pahennig
Copy link

At this moment, Elastic beanstalk does not allow you to add special characters like . - And notice that this will happen if we create an environment without setting a name on it:

  • i.e., -> AWS will get your application's name and fetch it with a few random characters separated by a dot in order to generate an unique FQDN such as myapplication.6zycefn8gp.<region>.elasticbeanstalk.com. Even though this resource could not exist anymore, AWS won't allow me to use myapplication.6zycefn8gp due to the restriction above.

That is, at this moment, it's only possible to perform a takeover on this service if it was created with a custom name filled by the user, witch is quite normal.

@indianajson
Copy link
Contributor
indianajson commented Jun 30, 2021
edited
Loading

Taking over 6zycefn8gp.us-east-1.elasticbeanstalk.com, will give you access to any.6zycefn8gp.us-east-1.elasticbeanstalk.com (assuming the first is available here because you can configure the subdomain in your Apache/PHP configuration. You don't perform the takeover by adding the full name with the period.

@Phoenix1112
Copy link
Author

yes it makes sense but how to set "any.6zycefn8gp.us-east-1.elasticbeanstalk.com" after getting "6zycefn8gp.us-east-1.elasticbeanstalk.com"... aws then "." will it allow us to get a new elastic name using? Or do we need a wildcard cname-style setting without a new name?

@pahennig pahennig mentioned this issue Jun 30, 2021
Merged
@Phoenix1112
Copy link
Author

I don't speak English very well and if I'm not reading wrong, the answer to the question we're looking for is hidden here.

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.CNAMESwap.html

Alt Text

@indianajson
Copy link
Contributor

The CNAME record AWS adds to their system is wildcarded if I remember correctly. So you just need to setup the configuration within the ElasticBeanstalk instance I believe. I'm away from my desktop so I can't go check the steps at the moment.

@zy9ard3 zy9ard3 mentioned this issue Feb 27, 2023
Merged
2 tasks
@0xpr4bin
Copy link
0xpr4bin commented Mar 9, 2023

yes it makes sense but how to set "any.6zycefn8gp.us-east-1.elasticbeanstalk.com" after getting "6zycefn8gp.us-east-1.elasticbeanstalk.com"... aws then "." will it allow us to get a new elastic name using? Or do we need a wildcard cname-style setting without a new name?

did you find a way to takeover ? I have same problem here.
Is it still possible to takeover for any.ygxtg5zgwz.eu-west-1.elasticbeanstalk.com

@d55pak
Copy link
d55pak commented Apr 21, 2023

yes this is still vulnerable

@zy9ard3 zy9ard3 mentioned this issue Oct 11, 2023
Merged
2 tasks
@daxin09pp
Copy link

Can I apply for a domain name in the format eba-xxxxxxxx.us-east-1.elasticbeanstalk.com? When I sign up, I get this error. eba. - The beginning is reserved? How the others applied.
image

@coj337 coj337 mentioned this issue Jan 4, 2024
Closed
@Abhinavkuamr
Copy link
Abhinavkuamr commented Jan 19, 2024
edited
Loading

is this vulnearble ?
something_but_its_not_random-env.ap-northeast-1.elasticbeanstalk.com

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
10 participants
@indianajson @daxin09pp @EdOverflow @d55pak @Phoenix1112 @Abhinavkuamr @pahennig @ethrx @0xpr4bin and others