Flaw allowed anyone to modify and take control of ANY .as domain
Posted by Thomas Foster on 09 May 2016 08:59 AM
A few days ago a security researcher going by the ominous handle “ISECGUY” posted a bewildering account of incompetence, describing how he exploited a flaw in the nic.as domain registry that allowed him to take over any .as domain. The registry (nic.as) let you view not only the entire domain registration record but also the plain-text passwords of domain owners and of administrative and technical contacts, and it does not stop there...
Who cares? Who even uses the .as TLD?
Well, here’s a short list:
McDonald’s Australia (macc.as)
Large educational establishments such as the University of Texas (utex.as)
American Samoa government institutions including the Department of Commerce (doc.as), and the Office of the Governor (gov.as)
If you thought it ended at plain-text passwords and domain information, then you had better buckle up, brother, because this journey of insecurity has just begun and it’s about to kick into overdrive.
The flaw also allowed you to edit the Domain Name System (DNS) records for the domains, and here’s the best part… the cherry on top: you could also delete domains from the registry!
Now that you’ve recovered from that ride of misery, let MR ISECGUY show us the way…
It turns out that by simply Base64-encoding the name of the domain you wanted to control (and with it a business’s web presence) and pasting the resulting string into the nic.as URL, i.e.
that would take you straight to the riches we discussed above.
Why base64 was used we do not know; maybe as an early-90s URL obfuscator?
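The security point behind the base64 detail is that encoding is not authentication: anyone can produce the token for any domain, so a lookup keyed on the token alone is an access-control failure regardless of how the key is dressed up. The following added example (written for this article, not code from nic.as or from ISECGUY’s post) simulates both halves. `lookup_vulnerable` mirrors the behaviour the post describes; `lookup_hardened` is an assumed design that ties the record to an authenticated session user and stores only a salted PBKDF2 digest instead of the plain-text password. The registry data, domain names and user names are constructed placeholders.

```python
import base64
import binascii
import hashlib
import os

# Constructed sample registry data; placeholders, not real nic.as records.
REGISTRY = {
    "example.as": {"owner": "alice", "password": "hunter2", "dns": {"A": "192.0.2.10"}},
    "other.as":   {"owner": "bob",   "password": "letmein", "dns": {"A": "192.0.2.20"}},
}


def encode_domain_token(domain):
    """The token the registry's own links carry: plain base64 of the domain name."""
    return base64.b64encode(domain.encode("ascii")).decode("ascii")


def decode_domain_token(token):
    """Reverse the base64 URL parameter into a domain name, or None if malformed.

    Base64 is a reversible encoding, not a secret: anyone can compute the
    token for any domain, so it carries no authorization information at all.
    """
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def lookup_vulnerable(token):
    """Behaviour the post describes: the token alone selects the record, and the
    full record, plain-text password included, goes back to whoever asks."""
    return REGISTRY.get(decode_domain_token(token))


# --- Hardened variant (assumed design, not nic.as's actual fix) ------------

PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Store a salted PBKDF2-HMAC-SHA256 digest instead of the plain text."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


HARDENED = {
    domain: {
        "owner": rec["owner"],
        "pw_salt_digest": hash_password(rec["password"]),
        "dns": rec["dns"],
    }
    for domain, rec in REGISTRY.items()
}


def lookup_hardened(token, session_user):
    """Return a record only to its authenticated owner, and never the credential.

    session_user stands in for the identity established by a real login session
    (assumed); the URL parameter is merely a lookup key, not proof of ownership.
    """
    domain = decode_domain_token(token)
    rec = HARDENED.get(domain)
    if rec is None or rec["owner"] != session_user:
        # Same answer for "no such domain" and "not yours": no ownership oracle.
        return None
    return {"domain": domain, "owner": rec["owner"], "dns": dict(rec["dns"])}


def verify_password(domain, password):
    """Check a login attempt against the stored digest; plain text is never kept."""
    rec = HARDENED.get(domain)
    if rec is None:
        return False
    salt, digest = rec["pw_salt_digest"]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return candidate == digest


if __name__ == "__main__":
    token = encode_domain_token("example.as")
    print("vulnerable:", lookup_vulnerable(token))          # leaks the password
    print("hardened as owner:", lookup_hardened(token, "alice"))
    print("hardened as stranger:", lookup_hardened(token, "bob"))
```

The two checks that matter are in `lookup_hardened`: the record is released only when the session identity matches the owner, and the response never contains the credential, so even a correct token from an unauthenticated or wrong user yields nothing. Rejecting malformed tokens up front (`validate=True`) also keeps the decoder from silently accepting junk.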
Now that we’ve covered what happened and how, the aftermath of this very responsible disclosure is rather amusing.
It’s fair to say that nic.as were not too pleased to be made aware that their domain management system was vulnerable.
Which is laughable, as it’s their responsibility to make sure their system is as secure as possible.
To prove that MR ISECGUY did indeed contact them before disclosing the vulnerability, he posted a disclosure timeline with his original post:
So the vulnerability has been fixed, but the owners of .as domains still have not been contacted by nic.as to let them know that their domain records may have been changed.
I will leave you with this fantastic quote from Stephen Deerhake from the AS Domain Registry commenting on the great work of MR ISECGUY.
Responding to the allegation, Stephen Deerhake, for the AS Domain Registry, said today:
"The report is inaccurate, misleading and sexed-up to the max".