poisoning / hijacking DNS locally of a third party domain: in shared and custom web hosting and in ISP, in automated /custom control panel software

[Bipin Gautam <bipin.gautam () gmail com>]

Hi,

vulnerability summary :  a design / process flaw

Severity : Moderate / High

In most automated control pannel software, for shared and custom web
hosting and in ISP, anyone can register / signup any domain after you
have a paid account for website hosting

- and the dns record of the added domain gets synced indiscriminately
in the local  / ISP master DNS name server /resolver (for that
webhosting and ISP locally)

when any local website in such shared hosting or ISP request for dns resolving

- for a website IP, or mx or subdomain record etc

the local entry get priority over the global / root entry (like when
you edit /etc/hosts or %windir%\system32\etc\drivers the local record
gets priority over remote resolver in such situation, analogy )

- when a user of such ISP or a website in shared hosting try to
locally request a third party website (say linkedin, twitter, facebook
or any domain ) via website API, or email and when site accepts both
https or..... http redirect requests, api logins are at risk

- or a potential attacker can use such to disrupt the dns request on
such shared hosting for a third party domain

- or get / hijack all email sent for a third party domain, in such
shared hosting via catchall@[domain_name] poisoning / deliberate entry


possible affected software:
- cpanel
- many self customized / automatic dns registration / control panel /
shared hosting software
- direct admin / plesk and other popular... such control panel
software ( please test and let us know ? )

Respectfully,
-bipin

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/