[Full-disclosure] NIC Chile CGI Script Zone Transfers
2005-05-04T00:00:00
ID SECURITYVULNS:DOC:8535 Type securityvulns Reporter Securityvulns Modified 2005-05-04T00:00:00
Description
NIC Chile CGI Script Zone Transfers.
Author: Rodrigo Gutierrez <rodrigo at intellicomp.cl>
Affected: All ".cl" domains which use NIC Chile's secondary NS.
Vendor url: http://www.nic.cl
Rate: Critical (*)
Background
NIC Chile is a part of the University of Chile and is in charge of handling
all the registrations for the ".cl" (Chile) TLD.
Description
One of NIC Chile's websites hosts a CGI script which allows you to grep the zone
files on their secondary name server. (*) Even though I wouldn't have rated this
vulnerability as Critical, I noticed that the government (gob.cl) and Chile's central
bank (bcentral.cl), among others, use NIC Chile's secondary name server. In other
words, you are able to get a copy of the zone file for gob.cl ... ouch!
Impact
If you are an attacker, looking for names such as vpn, mysql, firewall, oracle and
so on can help identify specific targets and internal network addresses without a
large detectable footprint. By tracerouting the addresses in the zone files you
can make a pretty good guess at the topology of the networks, as well as where to
strike first ;).
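As an added example (not NIC Chile's script and not from the original post), here is the audit a zone owner can run over their own zone file to see what the Impact section says a leaked zone gives away: A records pointing into RFC 1918 space and owner names that advertise an infrastructure role. The sample zone, the role-word list and the private ranges are constructed assumptions.

```python
# Added example (not NIC Chile's script): audit a BIND-style zone for data
# a public secondary should not serve. The sample zone is constructed.
import ipaddress

# Role words from the advisory plus a few neighbours (assumed list).
ROLE_WORDS = {"vpn", "mysql", "firewall", "fw", "oracle", "db", "ldap", "backup"}
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_ZONE = """\
$ORIGIN foobar.cl.
$TTL 3600
@         IN NS  secundario.nic.cl.
www       IN A   203.0.113.10   ; public address, neutral name: fine
vpn       IN A   203.0.113.11   ; public address, but the name is telling
mysql  3600 IN A 10.1.2.3       ; RFC 1918 address leaked into a public zone
oracle-db IN A   192.168.5.7
mail      IN MX  10 mx.foobar.cl.
"""

def parse_records(zone_text):
    """Yield (owner, rtype, rdata) from one-record-per-line zone text."""
    origin = ""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()       # strip comments
        if not line or line.startswith("$"):
            if line.startswith("$ORIGIN"):
                origin = line.split()[1]
            continue
        tokens = line.split()
        owner = origin if tokens[0] == "@" else f"{tokens[0]}.{origin}"
        rest = tokens[1:]
        if rest and rest[0].isdigit():            # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":      # optional class
            rest = rest[1:]
        yield owner, rest[0].upper(), " ".join(rest[1:])

def audit_zone(zone_text):
    """Return (owner, finding, detail) tuples a zone owner should review."""
    findings = []
    for owner, rtype, rdata in parse_records(zone_text):
        if rtype == "A":
            addr = ipaddress.ip_address(rdata.split()[0])
            if any(addr in net for net in PRIVATE):
                findings.append((owner, "internal-address", str(addr)))
        label = owner.split(".")[0].lower()
        if ROLE_WORDS & set(label.replace("_", "-").split("-")):
            findings.append((owner, "role-name", label))
    return findings
```

Anything flagged "internal-address" has no business in a zone served by a third-party secondary; "role-name" hits are the names the Impact section says an attacker would grep for first.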
Exploit
The example below will show you the zone file for the foobar.cl domain.
------------ CUT HERE -------------
http://secundario.nic.cl/cgi-bin/zone-grep?foobar
------------ CUT HERE -------------
Workaround
Figure it out!
Comments
1.- Our friends at NIC Chile should be more careful about which scripts to host on their
web servers, or at least protect them.
2.- The government people should really buy themselves a secondary DNS server instead of
depending on servers with unknown configurations.