Zendesk no more possible? #23
This takeover is possible when a Zendesk account has been deleted, but still remains available in the host domain's DNS record. When you dig the record you will see the CNAME; this corresponds to the name of the Zendesk account you need to (re)create. Once you've done so you'll now have claimed Zendesk on this host domain. This is a much less valuable takeover than other scenarios as you aren't hosting content on the domain like you are in other takeovers (removing XSS/CORS possibilities) and you're instead hosting a new support (Zendesk) instance. It's useful for red teaming and social engineering, but I wouldn't expect the bounty payments to be as much as in other scenarios where you can demonstrate more relevant risk.
Thank you @JesseClarkND, I was also familiar with this one through a recent attempt. I've made a change to the repo in line with your proofs and will now close this issue (see: #51). Appreciate your efforts!
Zendesk is still vulnerable. Just check all the site's subdomains: if any subdomain is added to a Zendesk account and another one is added too (only one will be the CNAME and the other one will redirect you to the fingerprint that gives you the error). Example: if I add my subdomain (support.example.com) to my Zendesk account with my CNAME and add my other subdomain (help.example.com) to the same CNAME... my first subdomain
Only if the company has only one subdomain listed in Zendesk and the subdomain redirects you to the fingerprint error. So sure, you can take over!
I tried taking over an expired Zendesk subdomain and it worked, but after I activated the help center in the Zendesk settings menu, it should appear on the subdomain but it is still redirecting to the previous error. Can anybody tell me if it takes time to get published on the main subdomain after activation? Update: I have only a trial account, is that why Zendesk is not showing it on the subdomain? Update: it worked.
@bgxdoc If you could describe your steps to achieve it so that it worked, that would be awesome.
I just got a successful takeover today. Simply located a domain which was redirecting to a Zendesk page saying "This help center has been deleted". Found the CNAME. Registered that on Zendesk as my account. Now it's pointing to mine. Set up an SSL cert so that it stops redirecting to my Zendesk, and instead it actually hosts it on the real subdomain. Need to figure out a way to get stored XSS via Zendesk admin so that I can improve on the impact...
Double dipping there? Get a bounty from Zendesk and the company? @Cillian-Collins See if you can use the Zendesk name to also generate emails from that domain; you can leverage that email to pivot into internal Slack/Jira instances. Read: If it works, I totally accept tips to my PayPal account. 🤣
If the name of the domain is not taken, you can take it over. You need to enable the SSL certificate in security settings and enable the host mapping option in account settings, and it will work.
How did it work? What did you change?
@gauravdrago: "If the name of the domain is not taken, you can take it over. You need to enable the SSL certificate in security settings and enable the host mapping option in account settings, and it will work."
I got one takeover but it seems Zendesk needs the premium option to stop the redirection. Any trick to get rid of premium or to get Zendesk premium free for testing?
@gauravdrago
But in trial, host mapping is not allowed.
@gauravdrago
Ok boss.
@bgxdoc @gauravdrago 1- Deleted help desk: you can take it over. Not sure if there are any other cases or not; if someone already faced another case he can put it here to solve this issue.
Still possible.
@roblox1488 Did you have a specific method that you used that is separate from the above comments?
You have to wait a while after the subdomain stops being in use, then you can just register it normally like you would.
Looks like it is vulnerable in some cases. This person was able to take over the Zendesk portal.
There are two possibilities when dealing with a closed Zendesk help center, as far as I've encountered so far.

Possibility 1: The domain the Zendesk domain is pointing towards is in use. However, the host mapping has not been done correctly, which makes the domain display a 'help center closed' notice. This case is not vulnerable, because the Zendesk domain (so the CNAME reference (*.zendesk.com)) is occupied.

Possibility 2: The Zendesk domain is not in use and the target's domain name is displaying a 'help center closed' notice. Here, takeover is possible. For a successful takeover, follow the following steps:
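The two cases in the post above, together with the dig-the-CNAME check from the first comment, as an added defender-side example that is not part of this thread or of the can-i-take-over-xyz project: it parses a constructed BIND-style zone fragment, lists every alias whose CNAME points at a *.zendesk.com name, and classifies what each alias currently serves (live content, a redirect to the zendesk.com subdomain, or the 'help center closed' page quoted in the thread) from observations the domain owner's own monitoring collected. The zone data, hostnames and response bodies are constructed; the only fingerprint strings used are the ones quoted in this thread.

```python
"""Audit a DNS zone for aliases that point at Zendesk and classify what each
alias currently serves.  Added example for the thread above; the zone
fragment, hostnames and response bodies are constructed, not real data."""

ZENDESK_SUFFIX = ".zendesk.com."

# Phrases quoted in the thread for a help center that no longer exists.
CLOSED_FINGERPRINTS = ("this help center has been deleted", "help center closed")

# Constructed BIND-style zone fragment for example.test (not a real zone).
SAMPLE_ZONE = """\
; constructed zone fragment for example.test
support  3600 IN CNAME acme-support.zendesk.com.
help     3600 IN CNAME acme-support.zendesk.com.
legacy   3600 IN CNAME oldacme.zendesk.com.
www      3600 IN A     192.0.2.10
blog     3600 IN CNAME blog.example.test.
"""

# Constructed observations, owner -> (HTTP status, Location header, body),
# standing in for what the domain owner's own monitoring fetched per alias.
SAMPLE_OBSERVATIONS = {
    "support": (200, None, "<html><h1>Acme support</h1></html>"),
    "help": (302, "https://acme-support.zendesk.com/hc/en-us", ""),
    "legacy": (200, None, "<h1>Help Center Closed</h1><p>This help center has been deleted.</p>"),
}


def parse_zone(zone_text):
    """Return (owner, target) for every CNAME record in a zone fragment.
    The optional TTL and class fields are skipped by locating the CNAME token."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if "CNAME" not in fields:
            continue
        idx = fields.index("CNAME")
        if idx == 0 or idx + 1 >= len(fields):
            continue  # malformed record: no owner or no target
        records.append((fields[0], fields[idx + 1]))
    return records


def zendesk_aliases(zone_text):
    """Map each owner whose CNAME target is *.zendesk.com to the Zendesk
    account subdomain it names (the label before .zendesk.com)."""
    aliases = {}
    for owner, target in parse_zone(zone_text):
        fqdn = target.lower() if target.endswith(".") else target.lower() + "."
        if fqdn.endswith(ZENDESK_SUFFIX):
            aliases[owner] = fqdn[: -len(ZENDESK_SUFFIX)]
    return aliases


def classify_response(status, location, body):
    """Classify what an alias serves:
    'unknown'  - nothing observed for this alias yet
    'closed'   - the help-center-closed page; the Zendesk side may be gone
    'redirect' - bounced to the zendesk.com subdomain (no host mapping/cert)
    'live'     - content served on the alias itself"""
    if status is None:
        return "unknown"
    if any(fp in body.lower() for fp in CLOSED_FINGERPRINTS):
        return "closed"
    if status in (301, 302, 307, 308) and location and ".zendesk.com" in location.lower():
        return "redirect"
    return "live"


def audit(zone_text, observations):
    """Join the zone's Zendesk aliases with the observed responses.
    A 'closed' verdict alone cannot tell case 1 (account in use, mapping wrong)
    from case 2 (account unused), so it is reported as needing that check."""
    findings = []
    for owner, account in sorted(zendesk_aliases(zone_text).items()):
        status, location, body = observations.get(owner, (None, None, ""))
        state = classify_response(status, location, body)
        if state == "closed":
            action = f"verify {account}.zendesk.com is still yours; if not, remove the CNAME"
        elif state == "redirect":
            action = "alias only redirects; check host mapping and certificate"
        elif state == "unknown":
            action = "no observation yet; fetch the alias and re-run"
        else:
            action = "none"
        findings.append({"host": owner, "account": account, "state": state, "action": action})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ZONE, SAMPLE_OBSERVATIONS):
        print(f"{f['host']:<8} {f['account']:<14} {f['state']:<8} {f['action']}")
```

Only the "closed" aliases matter for the question this thread asks, and the script deliberately stops at "check whether the named account is still yours": that check is what separates possibility 1 from possibility 2, and the fix in both cases is on the DNS side (remove or repoint the CNAME) rather than on Zendesk's.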
Thanks @JvdHout1011 for the good write-up. Yes, it is still possible to hijack/take over a subdomain through the Zendesk portal. I took over the subdomain support.*******.com and I'm receiving their help desk emails on the Zendesk dashboard. POC: https://drive.google.com/file/d/1h4QomND3n7O5dRCzyGmHQ78qdFcpK51L/view?usp=sharing
Thank you @JvdHout1011
Update: There's something wrong with the trial period ending just after confirming my email. Happened 5 times in 5 subdomains I was trying to take over.
@JvdHout1011 I can confirm the takeover still works. @EdOverflow Please update this. Using @JvdHout1011's method, the takeover is still possible.
There is a report already about this takeover on H1. I believe it is possible.
@soareswallace I confirm, already took over 10 subdomains in the last 3 days. I sent reports to HackerOne but most of them are "ineligible" and they said "We do in fact consider bounty payment on a case by case basis for bounty".
Seems it is still vulnerable.
Hello, I didn't test if it's still vulnerable or not (it's been 4 months since my last report as shown in the video). I will check that tomorrow and will keep you updated. (The POC video is mine from my report here: https://hackerone.com/reports/869605 but someone downloaded it and posted it on YouTube, so the YouTube channel is not mine.)
Not sure why this is marked as "Not vulnerable"... As others have reported above, Zendesk is still vulnerable, although the necessary conditions may have changed over time. Let's take

Regarding impact:

Signature

In my experience, there are two necessary conditions for a host to be vulnerable. First,

    $ target="zendesk.example.org"
    $ curl -s 'https://www.zendesk.com/wp-content/themes/zendesk-twentyeleven/lib/domain-check.php' \
      -H 'authority: www.zendesk.com' \
      -H 'pragma: no-cache' \
      -H 'cache-control: no-cache' \
      -H 'accept: */*' \
      -H 'x-requested-with: XMLHttpRequest' \
      -H 'user-agent: REDACTED' \
      -H 'content-type: application/x-www-form-urlencoded; charset=UTF-8' \
      -H 'origin: https://www.zendesk.com' \
      -H 'sec-fetch-site: same-origin' \
      -H 'sec-fetch-mode: cors' \
      -H 'sec-fetch-dest: empty' \
      -H 'referer: https://www.zendesk.com/register/' \
      -H 'accept-language: en-GB,en-US;q=0.9,en;q=0.8,fr;q=0.7' \
      --data-raw "domain=$target" \
      --compressed

Inspect the JSON response. You can safely ignore the value of the

Be mindful that Zendesk sits behind Cloudflare, and if you hammer it with such requests, you'll likely get a temporary IP ban from Cloudflare.

A subtlety regarding cert provisioning

Zendesk offers you to provision a TLS cert (using Let's Encrypt) for your custom domain, but this provisioning can fail. Be aware that cert provisioning may fail multiple times at first, for no good reason, really; be patient but persistent: retry a few times. However, one remarkable reason for cert-provisioning failure is when the root domain of your custom domain name features on Let's Encrypt's deny list; in that case, provisioning of the cert will fail, but the error message shown in Zendesk's frontend will be indistinguishable from that of a transitory cert-provisioning failure. You simply won't be able to tell that it's due to a problem with Let's Encrypt, unless, perhaps, you ask Zendesk's support nicely. If you cannot obtain a certificate for your custom domain, visiting it will simply redirect you to the associated Zendesk subdomain, which greatly reduces the impact of the subdomain takeover :(

Tip: disable email notifications

As soon as you get a foothold and before notifying the target, I recommend disabling all email notifications in the Zendesk settings. Why? Once the target removes the offending CNAME record, you won't be able to access the Zendesk account; as a result, you won't be able to disable email notifications, and you'll keep receiving emails (marketing, etc.) until your free trial expires, which can be annoying.
Just confirmed that it's still possible via Zendesk, see EdOverflow#23 (comment)
As reported here https://support.zendesk.com/hc/en-us/articles/203664356-Changing-the-address-of-your-Help-Center-subdomain-host-mapping- Zendesk subdomain takeover requires making the subdomain an alias of the default address. So it shouldn't be possible to get a subdomain takeover without getting access to the domain registrar's control panel.
Am I wrong?