Flaw allowed anyone to modify and take control of ANY .as domain
Posted by Thomas Foster on 09 May 2016 08:59 AM

A few days ago a security researcher going by the ominous handle “ISECGUY” posted[1] a bewildering account of incompetence, describing how he exploited a flaw in the nic.as domain registry that allowed him to take over any .as domain. The registry (nic.as) let anyone view not only the entire domain registration record but also the plain-text passwords of the domain owner and of the administrative and technical contacts, and it does not stop there...

Who cares? Who even uses the .as TLD?

Well, here’s a short list:

Adidas (a.did.as)

Bose (bose.as)

Flickr (flickr.as)

McDonald’s Australia (macc.as)

Opera (oper.as)

Twitter (twitter.as)

Large educational establishments such as the University of Texas (utex.as)

American Samoa government institutions including the Department of Commerce (doc.as), and the Office of the Governor (gov.as)

If you thought it ended at plain-text passwords and domain information, you had better buckle up, because this journey of insecurity has only just begun and it is about to kick into overdrive.

The flaw also allowed you to edit the Domain Name System (DNS) records for those domains, and here is the best part, the cherry on top: you could also delete domains from the registry!

But how?!

Now that you’ve recovered from that ride of misery, let MR ISECGUY show us the way…

It turns out that all it took was Base64[2] encoding the name of the domain you wanted to control (the business's web presence) and appending the resulting string to the nic.as whois URL, i.e.

https://www.nic.as/whois.cfm?[BASE64 HERE]

That would take you straight to the riches described above. Base64 is an encoding, not a secret: anyone can produce the string for any domain name, so there was effectively no authentication in front of the record at all.

Why Base64 was used we do not know; perhaps as an early-90s-style URL obfuscator.
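To make the security point concrete, here is an added example (not code from the original post, ISECGUY or nic.as) of the vulnerable pattern beside a hardened one. The registry contents are constructed: the two domain names are taken from the list above, but the account names, contacts, nameservers and passwords are invented. The vulnerable functions treat the Base64-encoded query string as the only "check" and return or modify the full record, plain-text password included; the hardened functions expose only public whois fields without a login, store only a salted password hash, and require an authenticated session that owns the domain before any write.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for a registry database. The domain names come from the
# article's list; the account ids, registrants, nameservers and passwords are
# invented for this example and are not real nic.as data.
@dataclass
class DomainRecord:
    owner_account: str
    registrant: str
    nameservers: list
    password: str          # stored in plaintext, as the article describes

PLAINTEXT_DB = {
    "oper.as": DomainRecord("acct-opera", "Opera Software",
                            ["ns1.example.net", "ns2.example.net"], "hunter2"),
    "gov.as": DomainRecord("acct-gov", "Office of the Governor",
                           ["ns1.example.gov", "ns2.example.gov"], "letmein"),
}

def encode_query(domain: str) -> str:
    """What the attacker does: Base64 the domain name to build the query string."""
    return base64.b64encode(domain.encode()).decode()

# --- Vulnerable pattern: the encoded parameter is the only "check" -------------

def vulnerable_whois(query_string: str) -> dict:
    """Decodes the Base64 query string and returns the whole record, password
    included. Anyone who can Base64-encode a name gets everything."""
    domain = base64.b64decode(query_string).decode()
    rec = PLAINTEXT_DB[domain]
    return {"domain": domain, "registrant": rec.registrant,
            "nameservers": list(rec.nameservers), "password": rec.password}

def vulnerable_set_nameservers(query_string: str, new_ns: list) -> list:
    """Same lookup, but a write: no login, no ownership check."""
    domain = base64.b64decode(query_string).decode()
    PLAINTEXT_DB[domain].nameservers = list(new_ns)
    return list(PLAINTEXT_DB[domain].nameservers)

# --- Hardened pattern: public data is public, writes need authn + authz -------

def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; only the salt and digest are ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

@dataclass
class HardenedRecord:
    owner_account: str
    registrant: str
    nameservers: list

ACCOUNTS = {}   # account id -> (salt, digest); no plaintext anywhere
REGISTRY = {}   # domain -> HardenedRecord; the record has no credential field

for _name, _rec in PLAINTEXT_DB.items():
    ACCOUNTS[_rec.owner_account] = hash_password(_rec.password)
    REGISTRY[_name] = HardenedRecord(_rec.owner_account, _rec.registrant,
                                     list(_rec.nameservers))

def public_whois(domain: str) -> dict:
    """Unauthenticated, as whois should be; returns only the public fields."""
    rec = REGISTRY[domain]
    return {"domain": domain, "registrant": rec.registrant,
            "nameservers": list(rec.nameservers)}

def login(account: str, password: str):
    """Returns a session on success, None otherwise (constant-time compare)."""
    if account not in ACCOUNTS:
        return None
    salt, digest = ACCOUNTS[account]
    _, candidate = hash_password(password, salt)
    return {"account": account} if hmac.compare_digest(candidate, digest) else None

def set_nameservers(session, domain: str, new_ns: list) -> list:
    """Write path: requires a session AND that the session's account owns the domain."""
    if session is None:
        raise PermissionError("authentication required")
    rec = REGISTRY[domain]
    if rec.owner_account != session["account"]:
        raise PermissionError("account does not own this domain")
    rec.nameservers = list(new_ns)
    return list(rec.nameservers)

if __name__ == "__main__":
    q = encode_query("oper.as")
    print("vulnerable:", vulnerable_whois(q))
    print("hardened  :", public_whois("oper.as"))
    sess = login("acct-opera", "hunter2")
    print("owner update:", set_nameservers(sess, "oper.as", ["ns3.example.net"]))
```

The fix is not a secret parameter in place of the Base64 one: whois data is meant to be public, so the read path stays open but returns no credentials, and every write is gated on who is logged in and what that account owns.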

The fallout

So now that we have covered what happened and how, the aftermath of this very responsible disclosure is rather amusing.

It is fair to say that nic.as were not too pleased about being made aware that their domain management system was vulnerable, which is laughable, as it is their responsibility to make sure their system is as secure as possible.

To prove that MR ISECGUY did indeed contact them before disclosing the vulnerability, he posted a disclosure timeline with his original post:

  • 21st January 2016 09:13 – Responsible disclosure to AS Registry
  • 23rd January 2016 07:03 – AS Registry “noted” concern, but dismissed severity
  • 2nd February 2016 17:36 – AS Registry finally acknowledge problem and severity
  • 24th February 2016 19:31 – AS Registry report flaw has been resolved & customers in the process of being notified
  • As of 25th April 2016 09:00 – .as domain owners, technical, administrative, and billing contacts have still not been notified by the AS Registry
  • 25th April 2016 09:00 – Public Disclosure

So the vulnerability has been fixed, but the owners of .as domains have still not been contacted by nic.as to let them know that their domain records may have been changed.

I will leave you with this fantastic quote from Stephen Deerhake of the AS Domain Registry, who, responding to the allegation and commenting on the great work of MR ISECGUY, said:

"The report is inaccurate, misleading and sexed-up to the max".

[1] https://isecguy.wordpress.com/2016/04/25/flaw-allowed-anyone-to-modify-take-control-over-any-as-domain/

[2] https://www.base64encode.org/