NIC Chile CGI Script Zone Transfers.
Author: Rodrigo Gutierrez <rodrigo at intellicomp.cl>
Affected: All ".cl" domains which use NIC Chile's secondary NS.
Vendor url: http://www.nic.cl
Rate: Critical (*)
NIC Chile is a part of the University of Chile and is in charge of handling all the registrations for the ".cl" (Chile) TLD.
One of NIC Chile's websites hosts a CGI script which allows you to grep the zone files in their secondary name server. (*) Even though I wouldn't have rated this vulnerability as Critical, I noticed that the government (gob.cl) and Chile's central bank (bcentral.cl), among others, use NIC Chile's secondary name server. In other words, you are able to get a copy of the zone file for gob.cl ... ouch!
If you are an attacker, looking for names such as vpn, mysql, firewall, oracle and so on can help identify specific targets and internal network addresses without a large detectable footprint. By tracerouting the addresses in the zone files you can make a pretty good guess of the topology of the networks, as well as where to strike first ;).
The example below will show you the zone file for the foobar.cl domain.
Figure it out!
1.- Our friends at NIC Chile should be more careful about which scripts they host on their web servers, or at least protect them.
2.- The government people should really buy themselves a secondary DNS server instead of depending on servers with unknown configurations.
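As an added defensive example (not part of the advisory), the check below audits a zone before it is handed to a third-party secondary, flagging records that point at RFC 1918 addresses or carry the kind of hostnames the advisory says an attacker greps for. The zone text and the label list are constructed assumptions, not NIC Chile data.

```python
import ipaddress
import re

# Constructed sample zone (assumption, not from the advisory), in BIND
# zone-file syntax; owner names are written explicitly on every record.
SAMPLE_ZONE = """\
$ORIGIN example.cl.
$TTL 3600
@        IN SOA ns1.example.cl. hostmaster.example.cl. (1 3600 900 604800 300)
@        IN NS  ns1.example.cl.
www      IN A   203.0.113.10
mail     IN A   203.0.113.20
vpn      IN A   203.0.113.30
fw-core  IN A   10.0.0.1        ; internal firewall, should not be public
oracle01 IN A   192.168.5.12    ; internal database host
intranet IN CNAME oracle01
"""

# Hostname fragments the advisory lists as attacker search terms (plus a few
# common equivalents); assumed list, extend for your own environment.
SENSITIVE_LABELS = ("vpn", "mysql", "firewall", "fw", "oracle", "db", "intranet")

# Address space that should never appear in a zone served to the world.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# owner [ttl] [IN] type rdata  (only A/AAAA/CNAME are inspected)
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA|CNAME)\s+(\S+)", re.I)

def audit_zone(zone_text):
    """Return a list of (owner, reason) findings for records that would leak
    internal addressing or sensitive hostnames if the zone became readable."""
    findings = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith(("$", "@")):  # directives, apex records
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.group(1).lower(), m.group(2).upper(), m.group(3)
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in INTERNAL_NETS):
                findings.append((owner, "private address %s" % addr))
        labels = re.split(r"[-.]", owner)
        if any(lbl.startswith(s) for lbl in labels for s in SENSITIVE_LABELS):
            findings.append((owner, "sensitive hostname"))
    return findings
```

Run it against the real zone file before it is transferred to any secondary you do not operate; an empty result means nothing in the zone tells an outsider more than the public hostnames already do.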