hackerone / martinvw / H1:2499178
History: May 10, 2024 - 1:23 p.m.

U.S. Dept Of Defense: Subdomain takeover ████████.mil

2024-05-10 13:23:09
martinvw
hackerone.com
5
subdomain takeover
domain registration
security vulnerability
cross-site scripting
cookie data theft
password managers
dns records
mitigation

6.5 Medium

AI Score

Confidence

High

Description:

The subdomain █████.mil points to peosol-lg.███████.; the domain ██████ is currently available for registration, as can be seen at https://www.godaddy.com/nl-nl/domainsearch/find?domainToCheck=█████

Given the rules of the us TLD (residency in the US), I decided not to register the domain; also, I do believe the output to be enough.

References

Impact

Using this vulnerability, an attacker can:

  • host unwanted/malicious content under your domain
  • receive email on subdomains mentioned above
  • effectively execute cross-site scripting attacks
  • in some cases, steal cookie data
  • in some cases, trick password managers into filling passwords

System Host(s)

██████████.mil

Affected Product(s) and Version(s)

CVE Numbers

Steps to Reproduce

See the DIG output:

 martinvw@denali:~/src > dig █████.mil

; <<>> DiG 9.10.6 <<>> ████.mil
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44977
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;█████████.mil.			IN	A

;; ANSWER SECTION:
██████████.mil.		3600	IN	CNAME	peosol-lg.███.

;; AUTHORITY SECTION:
us.			900	IN	SOA	a.cctld.us. admin.tldns.godaddy. 1715345748 1800 300 604800 1800

;; Query time: 166 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri May 10 15:06:32 CEST 2024
;; MSG SIZE  rcvd: 148

And the GoDaddy page: https://www.godaddy.com/nl-nl/domainsearch/find?domainToCheck=███

And whois:

 martinvw@denali:~/src > whois ████████.
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.nic.us

domain:       US

organisation: Registry Services, LLC
address:      100 S. Mill Ave, Suite 1600
address:      Tempe AZ 85281
address:      United States of America (the)

contact:      administrative
name:         IANA Contact
organisation: Registry Services, LLC
address:      100 S. Mill Ave, Suite 1600
address:      Tempe AZ 85281
address:      United States of America (the)
phone:        +1 480 505 8800
fax-no:       +1 480 393 4275
e-mail:       [email protected]

contact:      technical
name:         IANA Contact
organisation: Registry Services, LLC
address:      100 S. Mill Ave, Suite 1600
address:      Tempe AZ 85281
address:      United States of America (the)
phone:        +1 480 505 8800
fax-no:       +1 480 393 4275
e-mail:       [email protected]

nserver:      B.CCTLD.US 156.154.125.70 2001:502:ad09:0:0:0:0:29
nserver:      F.CCTLD.US 2001:500:3682:0:0:0:0:11 209.173.58.70
nserver:      K.CCTLD.US 156.154.128.70 2001:503:e239:0:0:0:3:1
nserver:      W.CCTLD.US 2001:dcd:1:0:0:0:0:15 37.209.192.15
nserver:      X.CCTLD.US 2001:dcd:2:0:0:0:0:15 37.209.194.15
nserver:      Y.CCTLD.US 2001:dcd:3:0:0:0:0:15 37.209.196.15
ds-rdata:     59017 8 2 7daf469d42b5d8e5537fd4dd4b6057710e9a61f72c32eb7fb6526f52277ec2b0

whois:        whois.nic.us

status:       ACTIVE
remarks:      Registration information: http://www.nic.us

created:      1985-02-15
changed:      2024-04-16
source:       IANA

# whois.nic.us

No Data Found
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2024-05-10T13:10:37Z <<<
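The dig output above carries the takeover signal this report relies on: NXDOMAIN together with a CNAME in the ANSWER section, and an SOA in the AUTHORITY section owned by the bare TLD ("us."), which means the target's registrable domain does not exist at all rather than just the host. The following added example (not part of the report or of any HackerOne tooling) parses dig-style output and classifies the CNAME accordingly; the hostnames in the sample are constructed placeholders, and the single-label SOA heuristic assumes a TLD without second-level registration zones (for suffixes like co.uk, consult the public suffix list instead).

```python
"""Classify a CNAME from dig output as a dangling-record / takeover candidate."""
import re

# Constructed sample modelled on the report's dig output; names are placeholders.
SAMPLE_DIG = """\
; <<>> DiG 9.10.6 <<>> host.example.mil
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44977
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;host.example.mil.\t\t\tIN\tA

;; ANSWER SECTION:
host.example.mil.\t\t3600\tIN\tCNAME\tpeosol-lg.example.us.

;; AUTHORITY SECTION:
us.\t\t\t900\tIN\tSOA\ta.cctld.us. admin.tldns.godaddy. 1715345748 1800 300 604800 1800
"""

# Same lookup, but the SOA comes from the target's own zone: only the host is missing.
SAMPLE_MISSING_HOST = SAMPLE_DIG.replace(
    "us.\t\t\t900\tIN\tSOA\ta.cctld.us.", "example.us.\t\t900\tIN\tSOA\tns1.example.us.")


def parse_dig(text):
    """Return (status, cname_target, soa_owner) from dig output; None where absent."""
    m = re.search(r"status: (\w+)", text)
    status = m.group(1) if m else "UNKNOWN"
    cname = soa_owner = section = None
    for line in text.splitlines():
        if line.startswith(";; ") and "SECTION" in line:
            section = line.strip(";: ").split()[0]  # QUESTION / ANSWER / AUTHORITY
            continue
        if not line or line.startswith(";"):
            continue
        fields = line.split()  # owner TTL class type rdata...
        if section == "ANSWER" and len(fields) >= 5 and fields[3] == "CNAME":
            cname = fields[4]
        elif section == "AUTHORITY" and len(fields) >= 5 and fields[3] == "SOA":
            soa_owner = fields[0]
    return status, cname, soa_owner


def classify(text):
    status, cname, soa_owner = parse_dig(text)
    if cname is None:
        return "no-cname"
    if status != "NXDOMAIN":
        return "resolves"
    # Dangling CNAME. An SOA owned by the bare TLD means nothing below it is
    # delegated: the target's registrable domain is unregistered (heuristic).
    if soa_owner and len(soa_owner.rstrip(".").split(".")) == 1:
        return "dangling-unregistered-domain"
    return "dangling-missing-host"
```

Records classified as "dangling-unregistered-domain" are the ones to remove first, since anyone can register the target; "dangling-missing-host" records are still stale and should be cleaned up, but the registrable domain remains under known control.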

Suggested Mitigation/Remediation Actions

Remove the CNAME record for █████████.mil