Summary by U.S. Fish and Wildlife Service
An organizational subdomain pointed to a now-defunct external domain previously hosted on behalf of the organization. When the site was no longer needed/funded, a DNS CNAME remained in the public DNS record until this was identified.
Summary by thelicato
Description
You have a subdomain, rtncf-rci.ral.r4.fws.gov, that has a CNAME record pointing to a .org domain (to be more specific, it was pointing to rtncf-rci.ncusfws.org). The following nslookup command shows the DNS configuration:
nslookup rtncf-rci.ral.r4.fws.gov 8.8.8.8
The .org domain, on the other hand, was free, and an attacker can buy it and take possession of the .gov domain. In fact I bought it (for just 7 dollars) and created a simple HTML PoC with a link to my BugBounty profiles. If you execute the nslookup now you will see that the .gov domain points to the .org domain (the one I bought), which in turn points to my GitHub page (I did not want to spend money on hosting, so I used a free GitHub page).
Risk
A subdomain takeover is pretty risky, especially for .gov websites, because the user assumes that they are on the correct domain. Here is a list of the major risks of subdomain takeover:
- fake website
- malicious code injection
- tricking users
- company impersonation
This issue can have a really huge impact on the company's reputation: someone could post malicious content on the compromised site, and your users will think it's official when it's not.
PoC
Visit https://rtncf-rci.ral.r4.fws.gov
Remediation
Remove the CNAME entry. As soon as you remove the CNAME entry I will delete the GitHub page.
Additional note
As I said before, as soon as you remove the CNAME entry I will delete the GitHub page.
Best regards,
thelicato
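The root cause in the Description above is a CNAME whose target no longer resolves. The following is an added example (not part of the report or of any USFWS tooling) of how a zone owner can audit for such dangling CNAMEs before a report like this arrives. It walks each CNAME chain through a resolver callable and flags chains whose target has no record; the resolver and its records here are constructed stand-ins for live DNS, so it runs offline.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records standing in for live DNS answers. The two
# report names mirror the disclosed case; the example.* names are made up.
SAMPLE_RECORDS: Dict[str, Tuple[str, str]] = {
    "rtncf-rci.ral.r4.fws.gov.": ("CNAME", "rtncf-rci.ncusfws.org."),  # target has no record
    "www.example.gov.": ("CNAME", "cdn.example.net."),
    "cdn.example.net.": ("A", "192.0.2.10"),
    "api.example.gov.": ("A", "192.0.2.20"),
    "loop-a.example.gov.": ("CNAME", "loop-b.example.gov."),
    "loop-b.example.gov.": ("CNAME", "loop-a.example.gov."),
}

Lookup = Callable[[str], Optional[Tuple[str, str]]]


def _fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."


def sample_lookup(name: str) -> Optional[Tuple[str, str]]:
    """Offline stand-in for a resolver; None means NXDOMAIN / no record."""
    return SAMPLE_RECORDS.get(_fqdn(name))


def follow_cname_chain(name: str, lookup: Lookup, max_hops: int = 8) -> Tuple[List[str], str]:
    """Walk CNAMEs starting at `name` and return (chain, status), where status
    is 'resolves', 'dangling' (a CNAME target has no record), 'nxdomain'
    (the queried name itself has no record) or 'loop'."""
    chain = [_fqdn(name)]
    seen = set(chain)
    for _ in range(max_hops):
        rec = lookup(chain[-1])
        if rec is None:
            # Only a CNAME *target* with no record is a dangling pointer.
            return chain, "dangling" if len(chain) > 1 else "nxdomain"
        rtype, value = rec
        if rtype != "CNAME":
            return chain, "resolves"
        if value in seen:
            return chain + [value], "loop"
        seen.add(value)
        chain.append(value)
    return chain, "loop"


def find_dangling(names, lookup: Lookup = sample_lookup) -> Dict[str, List[str]]:
    """Return {subdomain: cname_chain} for every name whose chain dangles."""
    findings = {}
    for n in names:
        chain, status = follow_cname_chain(n, lookup)
        if status == "dangling":
            findings[chain[0]] = chain
    return findings
```

A dangling target is the trigger to investigate, not proof of takeover: the fix in either case is the one the report asks for, deleting the stale CNAME from the zone.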