[Full-disclosure] NIC Chile CGI Script Zone Transfers

2005-05-04T00:00:00
ID SECURITYVULNS:DOC:8535
Type securityvulns
Reporter Securityvulns
Modified 2005-05-04T00:00:00

Description

NIC Chile CGI Script Zone Transfers.

Author: Rodrigo Gutierrez <rodrigo at intellicomp.cl>

Affected: All ".cl" domains that use NIC Chile's secondary NS.

Vendor url: http://www.nic.cl

Rate: Critical (*)

Background.

NIC Chile is part of the University of Chile and is in charge of handling all registrations for the ".cl" (Chile) TLD.

Description

One of NIC Chile's websites hosts a CGI script that allows you to grep the zone files on its secondary name server. (*) Even though I wouldn't have rated this vulnerability as Critical, I noticed that the government (gob.cl) and Chile's central bank (bcentral.cl), among others, use NIC Chile's secondary name server. In other words, you are able to get a copy of the zone file for gob.cl ... ouch!

Impact

If you are an attacker, looking for names such as vpn, mysql, firewall, oracle and so on can help identify specific targets and internal network addresses without a large, detectable footprint. By running traceroute against the addresses in the zone files you can make a pretty good guess of the topology of the networks, as well as where to strike first ;).

Exploit

http://secundario.nic.cl/cgi-bin/zone-grep?domain_without_the_dot_cl

The example below will show you the zone file for the foobar.cl domain.

------------ CUT HERE -------------

http://secundario.nic.cl/cgi-bin/zone-grep?foobar

------------ CUT HERE -------------
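From the operator's side, the request pattern shown above is easy to spot in web server logs. The following is an added example, not part of the original advisory, that parses Apache combined-format access-log lines, picks out hits on the /cgi-bin/zone-grep path named in the advisory, and flags any client that has pulled several distinct zones; the log lines, IP addresses (RFC 5737 ranges) and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" access-log format (host, ident, user, timestamp, request, status, bytes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The CGI path from the advisory; the zone label is passed as the bare query string.
ZONE_GREP_PATH = "/cgi-bin/zone-grep"


def parse_zone_grep_requests(lines):
    """Yield (client_ip, status, zone) for every request that hit the zone-grep CGI."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        parts = urlsplit(m.group("target"))
        if parts.path != ZONE_GREP_PATH:
            continue
        label = parts.query.strip().lower()
        zone = f"{label}.cl" if label else None  # "?foobar" means foobar.cl
        yield m.group("ip"), int(m.group("status")), zone


def summarize(lines, threshold=3):
    """Per-client set of zones successfully retrieved; 'flag' marks bulk enumeration."""
    per_ip = defaultdict(set)
    for ip, status, zone in parse_zone_grep_requests(lines):
        if status == 200 and zone:  # only count responses that actually returned data
            per_ip[ip].add(zone)
    return {ip: {"zones": sorted(z), "flag": len(z) >= threshold} for ip, z in per_ip.items()}


# Constructed sample log: one client sweeps three zones, another fetches one and gets a 404.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/May/2005:10:00:01 -0400] "GET /cgi-bin/zone-grep?gob HTTP/1.0" 200 8123',
    '192.0.2.10 - - [04/May/2005:10:00:05 -0400] "GET /cgi-bin/zone-grep?bcentral HTTP/1.0" 200 2044',
    '192.0.2.10 - - [04/May/2005:10:00:09 -0400] "GET /cgi-bin/zone-grep?foobar HTTP/1.0" 200 512',
    '198.51.100.7 - - [04/May/2005:10:01:00 -0400] "GET /index.html HTTP/1.1" 200 1230',
    '198.51.100.7 - - [04/May/2005:10:01:04 -0400] "GET /cgi-bin/zone-grep?foobar HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/May/2005:10:01:08 -0400] "GET /cgi-bin/zone-grep?nope HTTP/1.1" 404 221',
]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, "ENUMERATION" if info["flag"] else "single lookup", info["zones"])
```

In practice the same match on the path is what you would block or restrict at the web server, since the script has no legitimate reason to be reachable from arbitrary clients.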

Workaround.

Figure it out!

Comments

1.- Our friends at NIC Chile should be more careful about which scripts to host on their web servers, or at least protect them.

2.- The government people should really buy themselves a secondary DNS server instead of depending on servers with unknown configurations.