[HN Gopher] How I hijacked the top-level domain of a sovereign s...
___________________________________________________________________
How I hijacked the top-level domain of a sovereign state
Author : Berg0X00
Score : 237 points
Date : 2021-01-15 12:24 UTC (10 hours ago)
(HTM) web link (labs.detectify.com)
(TXT) w3m dump (labs.detectify.com)
| 0x0 wrote:
| Could this be leveraged to hijack additional TLDs? If any other
| TLD uses a ".cd" NS, like .cd used a ".com" NS...? (Are there
| any?)
| jaywalk wrote:
| Yes, although it's hard to imagine any TLD using .cd for NS.
|
| It would also be less effective unless that TLD was using .cd
| for ALL of its NS records.
| 0x0 wrote:
| Maybe you could find a cluster of TLDs delegating to each
| other in a loop. Combined with huge TTLs you might be able to
| bootstrap a full takeover of a subset of all DNS?
| fjiizrsdfjjj wrote:
| Shouldn't he have acted when he noticed the soonish expiration
| instead of hoping to be the only one watching for expiration?
| lovasoa wrote:
| Exactly what I thought. It would have been more ethical to
| write to them the day BEFORE the expiration (and still buy the
| domain if they didn't act fast enough).
| yaveti wrote:
| It's not uncommon for organisations to be late with renewing
| their domains and you probably don't want to send false alarms.
| CydeWeys wrote:
| Once it's in the redemption grace period the domain is
| already on the way to deletion. That's not part of the normal
| domain lifecycle; that's part of the deletion lifecycle.
|
| This was not a false alarm.
| cesarb wrote:
| > If I had operated with malicious intent, I could have also
| [...]
|
| Wouldn't most of these be mitigated if that ccTLD used DNSSEC
| (according to dnsviz, it currently doesn't)? The hijacked DNS
| servers wouldn't be able to provide correctly-signed DNS records,
| so the fake answers would be rejected by all validating
| resolvers.
| dougk wrote:
| I had a gut feeling it would be '.cd' before clicking on the
| article and I was right. Dealing with the state entity (SCPT)
| that manages this TLD is quite a pain. It's so painful that I've
| given up managing all the .cd domains I used to own.
|
| .cd domains are also some of the most expensive to get. Hopefully
| the new government will take this seriously.
| dewey wrote:
| > .cd domains are also some of the most expensive to get.
| Hopefully the new government will take this seriously.
|
| I bought one a few years ago for 80 Euros / year. Aren't there
| a lot of TLDs that are way more expensive?
| kweks wrote:
| Kiribati (.ki) comes to mind - 900EUR per year via ghandi.net
| or 1350EUR at eurodns...
| Tepix wrote:
| According to tld-list.com, the .th TLD is the most
| expensive ccTLD at $5000 and .ru is the cheapest at $2.99
| KMnO4 wrote:
| Not too many ccTLDs. AI comes to mind (Anguilla, expensive
| for obvious reasons), but it's still cheaper than .CD.
|
| Many gTLDs are expensive due to their target demographics or
| to dissuade bad actors (eg .auto, .bank).
| 4ec0755f5522 wrote:
| The new crop of TLDs are really cheap. I bought a .download
| for like $2 a year or something. Not all are that cheap (I
| bought it as a throwaway for a project that relied on my
| having DNS control) but there are literally hundreds of them
| that are.
| kadoban wrote:
| Only issue is I don't think there's anything preventing the
| price going sky-high in coming years, for most of these
| TLDs. For a throwaway it doesn't matter, but could really
| hurt if you start relying on one.
| hsbauauvhabzb wrote:
| What's to stop a TLD seller doubling their price? Is there any
| regulation against the practice?
| Tepix wrote:
| You can register/renew it for $59, see https://tld-list.com/tld/cd
| ricardo81 wrote:
| Of course, the moral of the story goes beyond TLDs and applies to
| nameserver hostnames in general.
|
| Interesting that it wasn't drop-catched, as .com names tend to
| be. I suppose it didn't have any metrics that'd qualify it for
| automatic registration.
|
| Not even for 'domain tasting', though I guess it depends on drop
| catchers setups, which I imagine is just interested in any
| traffic on port 80/443.
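The check that the two sub-threads above are circling (0x0 and jaywalk asking whether a zone's NS set depends wholly or only partly on a domain registered under another TLD, and whether TLDs could delegate to each other in a loop; ricardo81 noting that the lesson applies to nameserver hostnames generally) can be automated. The following is an added example written for this thread, not code from the article or from any commenter. It assumes a small illustrative public-suffix set (a real audit should load the full Public Suffix List), and all zone and hostname data in it is constructed, not real DNS data:

```python
"""
Added example for this thread (not code from the article or any commenter):
audit which NS hostnames of a zone live under a domain registered in some
other zone, and look for cycles of such cross-zone dependencies. All zone
data below is constructed for illustration, not real DNS data.
"""
from collections import defaultdict

# Assumption: an illustrative subset of public suffixes. A real audit should
# load the full Public Suffix List (publicsuffix.org) instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "cd", "ki", "th", "co.uk"}


def registrable_domain(hostname):
    """Return the registrable domain of a hostname, i.e. the name someone
    actually pays to renew and can therefore let expire (longest-suffix match)."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def public_suffix(hostname):
    """Return the public suffix (zone) under which the registrable domain sits."""
    reg = registrable_domain(hostname)
    return reg.split(".", 1)[1] if "." in reg else reg


def _in_bailiwick(host, zone):
    return host == zone or host.endswith("." + zone)


def audit_ns_set(zone, ns_hosts):
    """Group out-of-bailiwick NS hostnames by the registrable domain they
    depend on. 'controls_all_ns' is True when every NS of the zone hangs
    off that one domain: whoever registers it after it expires gets the
    whole zone, not just a fraction of its resolver traffic."""
    zone = zone.rstrip(".").lower()
    by_domain = defaultdict(list)
    for host in ns_hosts:
        host = host.rstrip(".").lower()
        if _in_bailiwick(host, zone):
            continue  # lives and dies with the zone itself
        by_domain[registrable_domain(host)].append(host)
    return {
        dom: {"hosts": hosts, "controls_all_ns": len(hosts) == len(ns_hosts)}
        for dom, hosts in by_domain.items()
    }


def find_delegation_cycles(ns_sets):
    """ns_sets maps zone -> NS hostnames. Add an edge zone -> suffix for each
    NS host registered under another suffix, then return every cycle as a
    canonical tuple (rotated so the smallest zone name comes first)."""
    graph = defaultdict(set)
    for zone, hosts in ns_sets.items():
        zone = zone.rstrip(".").lower()
        for host in hosts:
            host = host.rstrip(".").lower()
            if not _in_bailiwick(host, zone):
                graph[zone].add(public_suffix(host))

    cycles = set()

    def walk(node, path):
        for nxt in sorted(graph.get(node, ())):
            if nxt in path:
                loop = path[path.index(nxt):]
                k = loop.index(min(loop))
                cycles.add(tuple(loop[k:] + loop[:k]))
            else:
                walk(nxt, path + [nxt])

    for start in sorted(graph):
        walk(start, [start])
    return sorted(cycles)


# Constructed scenario (not real DNS data): a ccTLD whose entire NS set sits
# under one .com domain, plus two zones whose nameservers point at each other.
SAMPLE_NS = {
    "cd": ["ns1.registry-example.com", "ns2.registry-example.com"],
    "ki": ["ns1.hosting-example.th"],
    "th": ["ns1.hosting-example.ki", "ns2.in-zone.th"],
}

if __name__ == "__main__":
    for zone, hosts in SAMPLE_NS.items():
        print(zone, audit_ns_set(zone, hosts))
    print("cycles:", find_delegation_cycles(SAMPLE_NS))
```

In the constructed data the "cd" zone has every NS under one external .com domain, so that domain's expiry would hand over the whole zone; "th" depends on an external domain for only one of two nameservers, so an attacker holding it would see only part of the traffic; and "ki" and "th" form the kind of mutual dependency loop 0x0 describes. For a live audit, feed the function the NS RRset obtained with `dig NS <zone>` and follow up on each flagged registrable domain with an RDAP or WHOIS lookup of its expiry and status.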
| SoSoRoCoCo wrote:
| Wow. An entire country can accidentally be hosed if their domain
| name used by their NS expires? Is it that perilous?
| xwdv wrote:
| It pisses me off that for something of this magnitude this guy
| will probably only be paid no more than a couple thousand
| dollars, if at all. He still has no response.
| prosaic-hacker wrote:
| It may not directly pay but his reputation as Security Expert
| is enhanced.
|
| I don't know if "Big Internet" (ICANN, IANA, IETF, RIRs) does
| not have its own security group like the Commercial companies
| do (Project Zero, various EH companies). RFC3013???
|
| We have to depend on people who can take time to look for
| exploits in exchange for reputation.
| LegitShady wrote:
| Getting paid in exposure is not getting paid.
| pedro596 wrote:
| It seems more likely that the OP even lost money buying a
| useless domain name that no one will pay for. Most probably they
| won't even give a "Thank You".
| gumby wrote:
| This was good work.
|
| The DRC has a lot of problems (to say the least) at the moment
| and has had for a while and this is pretty low priority in
| their scheme of things. Countries with weird residual TLDs for
| non-sovereign territory (e.g. .as or .ac) surely pay more
| attention to these trivial domains than anyone in the DRC can.
|
| Which is all to say the amount of effort expended on _any_
| task, or the amount of knowledge brought to bear on a task, is
| only sometimes correlated with its value. Ever worked hard on a
| company that failed?
|
| I felt I needed to put the first line in because my comment on
| your question could have been misinterpreted as criticism of
| the hacker.
| u678u wrote:
| DR Congo is one of the poorest countries in the world. GDP/cap
| is $457 a year. If he does get a few thousand that is more than
| one worker earns in 10 years.
| https://en.wikipedia.org/wiki/List_of_countries_by_GDP_(nomi...
| xwdv wrote:
| What on earth does that have to do with anything here? I
| probably make more as a software developer than some
| Americans make in 10 years.
| avh02 wrote:
| Understandable stance, but the damage he was capable of
| causing was probably millions of dollars worth. So yeah, a
| few thousand bucks as a thank you is reasonable.
| lostlogin wrote:
| > the damage he was capable of causing was probably
| millions of dollars
|
| That applies to most of us.
|
| It also doesn't change the fact that there is very little
| money available in the DRC.
| nerdponx wrote:
| If rich countries and private charities were serious about
| foreign aid, they'd consider helping fund things like this.
| lostlogin wrote:
| Paying developers outside the DRC? I'd imagine that most who
| wanted to help would prefer something more direct.
| toshk wrote:
| I work for a few cities in Europe, and happen to know one of
| the cities had a site with an sql injection issue. An external
| person found and let the city know but didn't want to reveal
| the specifics before getting money. The city has no bounty
| program and for some people in the City it came across as if
| the guy was distorting them. The guy probably felt like he
| didn't get money for his work. Probably both have a point. In
| the end it got resolved.
| jessaustin wrote:
| s/distort/extort/
| toshk wrote:
| Yes right. Apologies.
| lovasoa wrote:
| The guy has no reason to expect a reward if the city has no
| bug bounty program. They could just sue him.
| Chris2048 wrote:
| sue him for what? Discovering an exploit without disclosing
| the details?
| lovasoa wrote:
| It depends on the country, but in France for instance,
| there is a maximum sentence of one year in prison and a
| 15000EUR fine just for "fraudulently accessing a data
| processing system", or trying to do so even if you don't
| succeed.
| Chris2048 wrote:
| And they'll prove that without knowing what the exploit
| is?
| LegitShady wrote:
| What are their damages? He's not required to disclose their
| security vulnerabilities to them. It's his work not theirs.
| high_density wrote:
| I think lovasoa is pointing out what could happen in
| real-life, not 'what should happen
| morally/ethically/etc'.
| murphy1312 wrote:
| If he was smart, then he said nothing that sounds like
| blackmail. But you could say, for example, that I have to
| settle the expense of reproducing it and writing it down
| properly, or something similar.
| psim1 wrote:
| Why should he get anything at all? Does every "ethical hacker"
| need to hold his hand out for a reward? (Doesn't seem as
| ethical, then, does it?)
| rvnx wrote:
| The most ethical move would have been to write to people listed
| at https://www.iana.org/domains/root/db/cd.html and put IANA in
| copy (likely ROOT-MGMT@IANA.ORG as listed in the public document:
| 24x7 Emergency Process Step-by-Step Description).
| hannob wrote:
| I feel it's problematic that whenever someone writes about an
| ethically tricky security vulnerability disclosure someone will
| come up with some variant of "but doing it a bit differently
| would've been more ethical".
|
| The reason I think this is problematic is that there are
| already more than enough people in the security community who
| will either say "fuck it, I'm not gonna bother with that" or
| "let's sell it to the highest bidder".
|
| We should appreciate more when people are trying to do the
| right thing and worry more about the people doing clearly the
| wrong thing and less about whether the people doing overall the
| right thing did it perfectly.
| TheJoeMan wrote:
| I think this situation is like knowing a car crash is about
| to happen and then still waiting for it to happen though. Why
| not email someone to pay their bill?
| cmehdy wrote:
| I assume you mean that he should have done that when he noticed
| the domain was pending renewal? (edited to "renewal", not
| deletion)
|
| He definitely acted decently overall (and did reach out to the
| people you mention afterwards). But I can empathize with the
| author for simply thinking "pending renewal? alright whatever"
| and later on "pending DELETE? shit I should make sure they're
| OK!".
|
| I guess there's always what's best in hindsight and what's
| actually done.
| [deleted]
| electricmonk wrote:
| And if he wasn't going to contact anyone, watching for the
| domain name to drop, and manually registering it at that point,
| is a recipe for disaster. It may not have been feasible for him
| to set up an automatic registration script (although I see he
| was using Route 53, so maybe it would have been?), but being
| first in line to drop-catch a domain name is the exact purpose
| of services such as SnapNames. Took a terrible and unnecessary
| risk on top of not doing the "most ethical" thing.
| superjan wrote:
| That would be the most ethical, sure. But this was a faster and
| safer course of action. And it wasn't unethical.
| sb057 wrote:
| Quoting the article:
|
| >On January 7th, I reached out to the Administrative and
| Technical contacts listed for .cd on
| [https://www.iana.org/domains/root/db/cd.html].
| electricmonk wrote:
| A week after he registered the domain name. That's not the
| same thing as "before," which I believe the top comment in
| this thread was implying about what he should have done
| instead of what he did do.
| tailspin2019 wrote:
| Yes I spotted that "week" too.
|
| Seems odd to wait a week to make contact if this was purely
| a white-hat exercise.
| sdfhbdf wrote:
| Interesting read, and the reaction from the authorities in DRC is
| also interesting - they changed the records with IANA. Probably a
| good course of action, because OP could hold them hostage and they
| shouldn't risk relying on his written confirmation in such an
| important matter.
|
| Good decision making on the DRC in the end. Well Done.
| als0 wrote:
| The TL;DR: he registered one of the expired domains that manage
| the TLD namespace of Democratic Republic of Congo.
| justinclift wrote:
| > Although one of the contacts replied and delegated to their
| colleague, as of this writing, I haven't received any follow-up
| confirmation that they fixed the issue.
|
| Wonder if that means they're investigating a "legal response" to
| his report?
|
| eg the old "shoot the messenger" approach :/
| tsjq wrote:
| Many countries would do that, unfortunately
| spoonjim wrote:
| The Democratic Republic of the Congo does not have a lot of
| muscle to flex on the world stage.
| saadalem wrote:
| Many times, you scan an IP, look at the easily hackable websites
| that may be on the same IP, upload the shell and try to go
| all-in and take over all the websites on the same IP. Easy, and I
| don't know why we still face these problems that are outdated!
___________________________________________________________________
(page generated 2021-01-15 23:01 UTC)