AWS EC2 CNAME Subdomain Takeover Detection

Vulnerability information

Vulnerability name: AWS EC2 CNAME Subdomain Takeover Detection

Vulnerability type: Unauthorized access

Severity: Medium

Vulnerability description: This finding concerns subdomain takeover through CNAME records that point at AWS EC2. AWS EC2 is Amazon's elastic compute cloud service, widely used in enterprise cloud deployments, which lets customers rent virtual computing resources to run their applications. When a subdomain has an explicit CNAME record pointing at an EC2 public DNS hostname (for example ec2-xx-xx-xx-xx.compute-1.amazonaws.com, or ec2-xx-xx-xx-xx.<region>.compute.amazonaws.com outside us-east-1) and the target is no longer claimed or is inactive, an attacker may be able to take over the subdomain. The root cause is a dangling DNS record rather than a flaw in EC2 itself: the EC2 public hostname encodes the instance's public IPv4 address, so when the instance is terminated or its Elastic IP is released without the CNAME being removed, the record keeps pointing at an address the organization no longer controls, and whoever later obtains that address (for example by allocating Elastic IPs in the same region until it is handed out again) serves content under the victim's subdomain. The consequences include phishing, malware distribution and man-in-the-middle attacks under a trusted domain name, threatening user data and service availability. Because detection and exploitation require no authentication and can be automated, this poses a significant risk to organizations that rely on AWS EC2.

Vendor: Amazon

Product: AWS EC2

Source: https://github.com/projectdiscovery/nuclei-templates/blob/df3fb294716b623ab56717c433c8f7dbcbe814f3/http%2Ftakeovers%2FAWS_EC2_CNAME_Takeover.yaml

Type: projectdiscovery/nuclei-templates: GitHub issues

PoC details

id: aws-ec2-cname-takeover

info:
  name: AWS EC2 CNAME Subdomain Takeover Detection
  author: DDFRANKLIN
  severity: medium
  description: |
    Detects subdomains that explicitly CNAME to AWS EC2 public DNS hostnames
    (e.g., ec2-xx-xx-xx-xx.compute-1.amazonaws.com or
    ec2-xx-xx-xx-xx.<region>.compute.amazonaws.com), and where the target appears
    unclaimed or inactive — a potential subdomain takeover scenario.
  reference:
    - https://docs.projectdiscovery.io
    - https://github.com/EdOverflow/can-i-take-over-xyz
  tags: takeover,aws,ec2,cname,subdomain

dns:
  - name: "{{FQDN}}"
    type: CNAME
    class: inet
    retries: 3
    matchers:
      - type: regex
        part: answer
        regex:
          # Matches both EC2 public DNS forms: the legacy us-east-1 form
          # (ec2-A-B-C-D.compute-1.amazonaws.com) and the regional form
          # (ec2-A-B-C-D.<region>.compute.amazonaws.com). The original pattern
          # required ".compute" directly after the address and therefore missed
          # every region except us-east-1.
          - "ec2-[0-9]+-[0-9]+-[0-9]+-[0-9]+(\\.[a-z0-9-]+)?\\.compute(-1)?\\.amazonaws\\.com"

    extractors:
      - type: regex
        part: answer
        regex:
          - "(ec2-[0-9]+-[0-9]+-[0-9]+-[0-9]+(\\.[a-z0-9-]+)?\\.compute(-1)?\\.amazonaws\\.com)"

# The HTTP stage only runs when the DNS matcher above has fired. Its matchers are
# heuristics: a 400/404 or a generic "not found" page can equally come from a live
# instance, so every hit needs manual confirmation (ideally by checking whether the
# address embedded in the hostname is still allocated to the owning AWS account).
# Resolver and connection errors ("Name or service not known", "Connection
# refused") never appear in an HTTP body: a request that fails at connect time
# produces no response for these matchers to evaluate, so such strings are not
# useful here.
http:
  - method: GET
    path:
      - "{{BaseURL}}"

    host-redirects: true
    max-redirects: 3
    matchers-condition: or
    matchers:
      - type: word
        words:
          - "Sorry, we couldn't find that page"
          - "404 Not Found"
          - "This request could not be fulfilled"
        condition: or

      - type: status
        status:
          - 404
          - 400

    extractors:
      - type: regex
        regex:
          - "ec2-[0-9]+-[0-9]+-[0-9]+-[0-9]+(\\.[a-z0-9-]+)?\\.compute(-1)?\\.amazonaws\\.com"
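The template's HTTP stage can only guess at whether an EC2 target is abandoned, because an error page or a 404 can also come from a healthy instance. The check that actually settles the question, on the defender's side, is to reconcile every CNAME pointing at an EC2 public hostname against the public IPv4 addresses the AWS account currently holds: the hostname encodes the address, so an address that is no longer allocated to the account is a dangling record. The script below is an added example for this page and is not part of the nuclei template or of projectdiscovery's code. The zone records and the owned-address set are constructed inline; in a real run the owned set would be built from the EC2 API (DescribeAddresses for Elastic IPs and DescribeInstances for instance public addresses, across all regions). It also covers the regional hostname form that the original regex missed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# EC2 public DNS hostnames embed the instance's public IPv4 address:
#   us-east-1 (legacy form):  ec2-A-B-C-D.compute-1.amazonaws.com
#   every other region:       ec2-A-B-C-D.<region>.compute.amazonaws.com
# The template's original regex only matched the legacy form; this covers both.
EC2_PUBLIC_DNS = re.compile(
    r"^ec2-(?P<ip>\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3})"
    r"(?:\.(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d))?"
    r"\.compute(?P<legacy>-1)?\.amazonaws\.com\.?$"
)


@dataclass(frozen=True)
class Ec2Target:
    hostname: str
    region: str
    ip: ipaddress.IPv4Address


def parse_ec2_hostname(hostname: str) -> Optional[Ec2Target]:
    """Return the region and embedded public IP of an EC2 public DNS name, or None."""
    host = hostname.strip().lower()
    m = EC2_PUBLIC_DNS.match(host)
    if not m:
        return None
    # Exactly one of the two forms must be present: "<region>.compute" or "compute-1".
    if bool(m.group("region")) == bool(m.group("legacy")):
        return None
    try:
        ip = ipaddress.IPv4Address(m.group("ip").replace("-", "."))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None
    if not ip.is_global:  # EC2 public hostnames never encode private or reserved space
        return None
    return Ec2Target(host.rstrip("."), m.group("region") or "us-east-1", ip)


def find_dangling(records: Iterable[Tuple[str, str]],
                  owned_public_ips: Iterable[str]) -> List[Tuple[str, Ec2Target, bool]]:
    """For each (name, CNAME target) that points at EC2, report whether the embedded
    address is absent from the public IPs the account currently holds. A True flag
    means the record is dangling: the address can be handed to anyone who allocates
    Elastic IPs in that region, and the CNAME will follow them."""
    owned = {ipaddress.IPv4Address(a) for a in owned_public_ips}
    findings = []
    for name, target in records:
        t = parse_ec2_hostname(target)
        if t is None:
            continue  # not an EC2 public hostname (CloudFront, ELB, ...): out of scope here
        findings.append((name, t, t.ip not in owned))
    return findings


def dangling_names(records: Iterable[Tuple[str, str]],
                   owned_public_ips: Iterable[str]) -> List[str]:
    return [name for name, _, dangling in find_dangling(records, owned_public_ips) if dangling]


# Constructed sample data: a hypothetical zone and a hypothetical account inventory.
SAMPLE_RECORDS = [
    ("app.example.com", "ec2-54-23-1-9.compute-1.amazonaws.com."),
    ("api.example.com", "ec2-3-120-44-7.eu-central-1.compute.amazonaws.com."),
    ("www.example.com", "d111111abcdef8.cloudfront.net."),
    ("old.example.com", "ec2-18-200-5-66.eu-west-1.compute.amazonaws.com."),
    ("bad.example.com", "ec2-10-0-0-1.compute-1.amazonaws.com."),  # private space, ignored
]
# In practice: every PublicIp from DescribeAddresses plus every running instance's
# PublicIpAddress from DescribeInstances, collected across all regions.
OWNED_PUBLIC_IPS = {"54.23.1.9", "3.120.44.7"}

if __name__ == "__main__":
    for name, target, dangling in find_dangling(SAMPLE_RECORDS, OWNED_PUBLIC_IPS):
        status = "DANGLING" if dangling else "ok"
        print(f"{status:9} {name} -> {target.hostname} ({target.region}, {target.ip})")
```

With the constructed data, app and api resolve to addresses the account still owns and old.example.com is flagged, because 18.200.5.66 is no longer in the inventory. The nuclei template's HTTP heuristics are still useful for an outside-in scan where no account inventory is available; the reconciliation above is what an owner of the zone should run before trusting or dismissing such a hit.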


http://example.com/2025/07/18/github_4165115024/
Author: lianccc
Published: 18 July 2025