Summary
Domains that publish a wildcard DNS record (a CNAME or A record for "*") pointing at GitHub Pages let anybody with a GitHub account host a website on any subdomain of that domain. This can lead to serious problems such as phishing, malicious software downloads and damage to the owner's brand.
We demonstrate this by publishing demo websites on subdomains of 20 of the most popular websites and explain how others could exploit this.
Recommendations are given to the owners of these websites and to GitHub Pages administrators.
Proof of concept
We launched these websites to show what is possible:
- https://vulnerability-demo.agilemanifesto.org (now fixed)
- https://vulnerability-demo.attractmode.org
- https://vulnerability-demo.indr.in
- https://vulnerability-demo.justjavac.com
- https://vulnerability-demo.nnedi.com
- https://vulnerability-demo.oiplug.com
- https://vulnerability-demo.opensourcedesign.net
- https://vulnerability-demo.shapeofdesignbook.com (now fixed)
- https://vulnerability-demo.skulpt.org (now fixed)
- https://vulnerability-demo.haxeflixel.com (now fixed)
- https://vulnerability-demo.tigervnc.org (now fixed)
- https://vulnerability-demo.benchmarkdotnet.org
- https://vulnerability-demo.evolutionzone.com
- https://vulnerability-demo.lrcr.com
- https://vulnerability-demo.neatline.org
- https://vulnerability-demo.prevayler.org
- https://vulnerability-demo.royalopera.org
- https://vulnerability-demo.statnet.org (now fixed)
- https://vulnerability-demo.realorfake3d.com
- https://vulnerability-demo.stephen.band (now fixed)
Other notes
Through this vulnerability, anyone can create a website and make it look as though it came from you. Malicious hackers can carry out illegal activity on such a subdomain and make it appear that the domain owner is responsible, or at least tarnish the domain owner's reputation.
Right now, somebody could publish a page under your domain name on a convincing subdomain (login, api, password-reset and so on) and make it look just like your website. They could:
- Link to an illegal drug marketplace using your brand's reputation
- Run phishing attacks to harvest email addresses and personal information from others
- Spread false or fake information using your brand's credibility
- Publish fake or backdoored software
Most websites do not want this kind of subdomain freedom. Some sites, such as Wikia, GitHub Pages and Blogspot, deliberately use wildcard subdomains to give people their own sites, but those platforms monitor closely for the activity listed above.
Recommendations for domain owners
You will need to log in to wherever your DNS records are managed (usually your domain name registrar or DNS hosting provider) to fix this problem.
GitHub Pages warns that:
Warning: We strongly recommend not using wildcard DNS records, such as *.example.com. A wildcard DNS record will allow anyone to host a site at one of your subdomains.
In all cases, you probably want to delete the wildcard record ("*") that points at GitHub Pages, whether it is a CNAME to a github.io hostname or A records for the GitHub Pages addresses 185.199.108.153, 185.199.109.153, 185.199.110.153 and 185.199.111.153.
Then some of this advice might apply to you:
- If you don't want any subdomains on your website, you are done.
- If you want the www subdomain to work, see the GitHub Pages documentation on configuring a www subdomain.
- If you do want other subdomains, create an explicit record for each subdomain you actually use (for example, pointing at a web server such as nginx or Apache that proxies to the right backend internally) rather than a wildcard.
Recommendations for GitHub Pages
The most secure fix would be to verify domain ownership, for example with a TXT record, before publishing a site on a custom domain. This also prevents domain frontrunning, a separate attack not discussed here.
Because domain verification adds friction to the most common scenario, it might not be desirable.
At a minimum, consider resolving a random subdomain of the custom domain when it is configured for a Pages site; if that random name resolves to GitHub Pages, a wildcard record is in place. You could then warn the customer and/or require a "confirm" button to acknowledge the risk.
Tools used to discover the bug
Thank you to Majestic for providing the Majestic Million list of websites. We used this as a starting point for checking for vulnerable sites.
A basic check for the vulnerability is done with:
dig +noall +answer foobar-ploople-boopersnoot.example.com
where foobar-ploople-boopersnoot is a random label that nobody would have created deliberately. If the query returns no answer, there is no wildcard record. If it returns one of the GitHub Pages addresses above, or a CNAME into github.io, the domain is vulnerable.
This can be run in batch by taking the domain name column, prepending the random label to each domain, writing the result to a flat file and running:
cat domains | xargs -P 100 -n 1 -- dig +noall +answer | tee -a fpb
⚠️ Warning: this will fire off one million DNS queries across 100 parallel processes at full blast. Your ISP might not like this. Verizon FiOS banned me from using DNS about halfway through the list.
Total search time is less than an hour on one machine.
⚠️ Consider using a VPN (one that also carries your DNS queries) for any project like this :-)
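The basic dig check above and the random-subdomain check suggested for GitHub Pages under "Recommendations for GitHub Pages" are the same test: resolve a label that cannot exist on purpose and see where the answer points. The script below is an added example, not code from the original post or from GitHub. The four IP addresses are the GitHub Pages addresses quoted in this post; the probe label, the function names and the sample dig answers are constructed for the example. It distinguishes "no wildcard", "wildcard pointing at GitHub Pages" (the problem described here) and "wildcard pointing somewhere else" (not this issue), because a wildcard aimed at the owner's own server is not what this post is about.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post: detect a wildcard DNS
# record that hands a domain's subdomains to GitHub Pages. The four IPs are
# the GitHub Pages addresses quoted in the post; the probe label, sample
# answers and function names are this example's own assumptions.

# GitHub Pages A-record addresses that the post says to remove from "*" records.
GITHUB_PAGES_IPS="185.199.108.153 185.199.109.153 185.199.110.153 185.199.111.153"

# Read the output of "dig +noall +answer <random-label>.<domain>" on stdin
# (dig separates fields with tabs; read accepts tabs or spaces) and print one verdict:
#   NO_WILDCARD            nothing resolved, so there is no wildcard record
#   WILDCARD_GITHUB_PAGES  the random label resolved to a Pages IP or a *.github.io CNAME
#   WILDCARD_OTHER         a wildcard exists but points elsewhere (not this issue)
classify_dig_answer() {
  verdict=NO_WILDCARD
  while read -r name ttl class type rdata; do
    [ -z "$name" ] && continue
    case "$type" in
      A)
        for ip in $GITHUB_PAGES_IPS; do
          [ "$rdata" = "$ip" ] && verdict=WILDCARD_GITHUB_PAGES
        done
        ;;
      CNAME)
        case "$rdata" in
          *.github.io|*.github.io.) verdict=WILDCARD_GITHUB_PAGES ;;
        esac
        ;;
    esac
    # Any answer at all proves a wildcard exists; never downgrade a Pages verdict.
    [ "$verdict" = NO_WILDCARD ] && verdict=WILDCARD_OTHER
  done
  echo "$verdict"
}

# Live probe (needs network access and dig). A random label cannot collide
# with a real record, so any answer must come from a wildcard.
# Prints "<domain><tab><verdict>".
check_domain() {
  label="wildcard-probe-$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')"
  printf '%s\t%s\n' "$1" \
    "$(dig +noall +answer +time=2 +tries=1 "$label.$1" | classify_dig_answer)"
}

# Constructed sample answers (not real lookups) covering each verdict.
SAMPLE_PAGES_A='probe.example.com. 300 IN A 185.199.108.153
probe.example.com. 300 IN A 185.199.109.153'
SAMPLE_PAGES_CNAME='probe.example.com. 300 IN CNAME someuser.github.io.
someuser.github.io. 300 IN A 185.199.110.153'
SAMPLE_OTHER_HOST='probe.example.com. 300 IN A 203.0.113.10'

# Run the classifier over the constructed samples; exit 0 if every verdict matches.
self_test() {
  [ "$(printf '%s\n' "$SAMPLE_PAGES_A" | classify_dig_answer)" = WILDCARD_GITHUB_PAGES ] &&
  [ "$(printf '%s\n' "$SAMPLE_PAGES_CNAME" | classify_dig_answer)" = WILDCARD_GITHUB_PAGES ] &&
  [ "$(printf '%s\n' "$SAMPLE_OTHER_HOST" | classify_dig_answer)" = WILDCARD_OTHER ] &&
  [ "$(printf '' | classify_dig_answer)" = NO_WILDCARD ]
}

# Usage: sh check-wildcard.sh --self-test
#        sh check-wildcard.sh example.com [more domains...]
# For a list, keep the parallelism modest (the post's author lost DNS service
# halfway through a million-domain run at -P 100):
#        xargs -P 8 -I{} sh check-wildcard.sh {} < domains
case "${1:-}" in
  --self-test) self_test && echo "self-test passed" ;;
  "") echo "usage: sh $0 --self-test | <domain> ..." >&2 ;;
  *) for domain in "$@"; do check_domain "$domain"; done ;;
esac
```

Only classify_dig_answer is exercised by the constructed samples; check_domain does a real lookup, so run it against your own domains from a network you are allowed to generate queries from.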
Disclosure schedule
- 2021-05-01 Initial discovery and confirmation (livestreamed on Zero Day Live)
- 2021-05-01 Published to Privacy Log
- 2021-05-01 Notification to GitHub Pages
- 2021-05-01 Notification to some affected website owners
- 2023-02 Published a video mini-series showing off all of the above: https://x.com/fulldecent/status/1625369686891266048
- 2023-03-26 Published the list of affected sites: https://x.com/fulldecent/status/1640176458411700226
Acknowledgements
Thank you to the many contributors here for preparing command line approaches, looking up contact information, discussing the ethical approach we are using here and providing the motivation to get through an afternoon to help some random other souls out there whose websites might be misconfigured.
- Christy Caraballo
- Michael Milord (Milord)
- Derek
- Jonathan Liu
Comments
Please discuss this topic anywhere and let me know any great comments or media coverage I should link here.