CloudJack

AWS Route53/CloudFront Vulnerability Assessment Utility

CloudJack assesses AWS accounts for subdomain hijacking vulnerabilities as a result of decoupled Route53 and CloudFront configurations. This vulnerability exists if a Route53 alias references

1) a deleted CloudFront web distribution or

2) an active CloudFront web distribution with deleted CNAME(s).

If this decoupling is discovered by an attacker, they can simply create a CloudFront web distribution and/or CloudFront NAME(s) in their account that match the victim account’s Route53 A record hostname. Exploitation of this vulnerability results in the ability to spoof the victim’s website content, which otherwise would have been accessed through the victim’s account.

Changelog v1.0.5

• Fixing octal asterisk bug

Install

git clone https://github.com/prevade/cloudjack.git

Requirements:

1. AWS IAM access key ID and corresponding secret key
2. AWS CLI installation configured with profile(s), access key ID(s), and secret key(s) in ~/.aws/credentials

   [default]
   
    aws_access_key_id=<ACCESS_KEY>
   
    aws_secret_access_key=<SECRET>
   
   
   
    and/or
   
   
   
    [myprofile]
   
    aws_access_key_id=<ACCESS_KEY>
   
    aws_secret_access_key=<SECRET>

    

    

    

3. AWS IAM policy allowing Route53 ListHostedZones and ListResourceRecordSets actions
4. AWS IAM policy allowing CloudFront ListDistributions actions
5. Python and AWS SDK boto3 package
   • pip install boto3

Use

$ python cloudjack.py -o [text|json] -p [profile]

Demo

Copyright (C) 2018 bryanmcaninch

Source: https://github.com/prevade/