AWS EC2 CNAME Subdomain Takeover Detection

Vulnerability Information

Vulnerability name: AWS EC2 CNAME Subdomain Takeover Detection

Vulnerability type: Unauthorized access

Severity: Medium

Description: AWS EC2 is Amazon's elastic cloud compute service for running virtual servers in the cloud. It is widely used for enterprise applications, web hosting and data processing because of its flexibility and scalability. This finding concerns CNAME records that point at EC2 public DNS hostnames: a subdomain explicitly CNAMEs to an EC2 public DNS name (e.g. ec2-xx-xx-xx-xx.compute.amazonaws.com) whose target appears unclaimed or inactive, leaving the subdomain open to takeover. The root cause is a dangling DNS record. An EC2 public DNS name encodes the instance's public IPv4 address, so once the instance that held that address is terminated, or its Elastic IP released, the record keeps naming an address the organisation no longer controls; an attacker who obtains that address in their own AWS account (for example by launching instances or allocating Elastic IPs until the address is reassigned) can then serve arbitrary content under the victim's subdomain. Exploitation can lead to information disclosure, service disruption or phishing. It normally needs no authentication and can be automated, which raises the risk.

Two caveats for anyone running the template below. Its regex only matches hostnames of the shape ec2-...compute.amazonaws.com or ec2-...compute-<suffix>.amazonaws.com (the compute-1 form is the one AWS uses for us-east-1); regional names of the shape ec2-x-x-x-x.<region>.compute.amazonaws.com, which AWS uses for every other region, do not match, so those records are missed. And the HTTP stage fetches the subdomain itself with matchers-condition: or, so any live site that answers / with a 400 or 404 also triggers; treat a hit as a candidate to confirm by hand, not as a confirmed takeover.

Vendor: Amazon

Product: AWS EC2

Source: https://github.com/projectdiscovery/nuclei-templates/blob/9b1cbc70467036f8870dca19c4d62565656c2362/http%2Ftakeovers%2Faws-ec2-cname-takeover.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC Details

id: aws-ec2-cname-takeover

info:
  name: AWS EC2 CNAME Subdomain Takeover Detection
  author: DDFRANKLIN
  severity: medium
  description: |
    Detects subdomains that explicitly CNAME to AWS EC2 public DNS hostnames
    (e.g., ec2-xx-xx-xx-xx.compute.amazonaws.com), and where the target appears
    unclaimed or inactive — a potential subdomain takeover scenario.
  reference:
    - https://github.com/EdOverflow/can-i-take-over-xyz
    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html
    - https://blog.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/
  metadata:
    verified: true
    max-request: 2
  tags: takeover,aws,ec2,cname,subdomain,dns

# Stage 1: the scanned FQDN must have a CNAME answer naming an EC2 public DNS host.
dns:
  - name: "{{FQDN}}"
    type: CNAME
    class: inet
    retries: 3
    matchers:
      - type: regex
        part: answer
        regex:
          - "ec2-[0-9a-z-]+\\.compute(-[0-9a-z-]+)?\\.amazonaws\\.com"

    extractors:
      - type: regex
        part: answer
        regex:
          - "(ec2-[0-9a-z-]+\\.compute(-[0-9a-z-]+)?\\.amazonaws\\.com)"

# Stage 2: fetch the subdomain itself; any one of the matchers below
# (error text, 400/404 status, or a resolver/connection error) counts as "dead".
http:
  - method: GET
    path:
      - "{{BaseURL}}"

    host-redirects: true
    max-redirects: 3
    matchers-condition: or
    matchers:
      - type: word
        words:
          - "Sorry, we couldn't find that page"
          - "404 Not Found"
          - "No such host is known"
          - "This request could not be fulfilled"
        condition: or

      - type: status
        status:
          - 404
          - 400

      - type: regex
        regex:
          - "The server at .* is taking too long to respond"
          - "Name or service not known"
          - "Connection refused"

    extractors:
      - type: regex
        regex:
          - "ec2-[0-9a-z-]+\\.compute(-[0-9a-z-]+)?\\.amazonaws\\.com"
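The script below is an added example and is not part of the page or of the nuclei template. It reproduces the template's two-stage logic offline so the decision can be inspected on known input: it parses an EC2 public DNS name into the IPv4 address and region it encodes, and it applies the same "target looks dead" status codes and body markers to a set of DNS/HTTP observations. It goes slightly beyond the template in that it also accepts the regional ec2-x-x-x-x.<region>.compute.amazonaws.com form and rejects names whose embedded octets are not a valid IPv4 address. The names Observation, parse_ec2_hostname, triage and run are assumptions made for the example, and the sample records are constructed (TEST-NET-3 addresses), not scan output.

```python
"""Offline triage of CNAME answers that point at EC2 public DNS names.

Added example, not part of the nuclei template: the records below are
constructed, and the names Observation, parse_ec2_hostname, triage and run
are assumptions made for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# An EC2 public DNS name embeds the instance's public IPv4 address.
#   us-east-1:      ec2-A-B-C-D.compute-1.amazonaws.com
#   other regions:  ec2-A-B-C-D.<region>.compute.amazonaws.com
# The template's regex covers only the first shape; this one accepts both.
EC2_HOST_RE = re.compile(
    r"^ec2-(?P<ip>(?:\d{1,3}-){3}\d{1,3})\."
    r"(?:compute-1|(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)\.compute)"
    r"\.amazonaws\.com\.?$",
    re.IGNORECASE,
)

# Status codes and body/error markers taken from the template's HTTP matchers.
DEAD_STATUSES = (400, 404)
DEAD_MARKERS = (
    "Sorry, we couldn't find that page",
    "404 Not Found",
    "No such host is known",
    "This request could not be fulfilled",
    "Name or service not known",
    "Connection refused",
)


def parse_ec2_hostname(name: str) -> Optional[Tuple[str, str]]:
    """Return (public_ipv4, region) for an EC2 public DNS name, else None.

    Octets are validated with ipaddress, so a name such as
    ec2-999-0-113-12.compute-1.amazonaws.com is rejected even though it
    fits the textual pattern.
    """
    m = EC2_HOST_RE.match(name.strip())
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group("ip").replace("-", "."))
    except ValueError:
        return None
    return str(ip), (m.group("region") or "us-east-1").lower()


@dataclass
class Observation:
    """One scanned subdomain: its CNAME answer plus the HTTP probe result.

    http_status is None when the connection itself failed; body then holds
    the error text, which is what the template's third matcher looks for.
    """
    fqdn: str
    cname: Optional[str]
    http_status: Optional[int]
    body: str


def triage(obs: Observation) -> Tuple[str, Optional[str], Optional[str]]:
    """Classify one observation the way the template's two stages would.

    Returns (verdict, ip, region); ip and region are None unless the CNAME
    is a well-formed EC2 public DNS name.
    """
    parsed = parse_ec2_hostname(obs.cname) if obs.cname else None
    if parsed is None:
        return "not-ec2-cname", None, None
    ip, region = parsed
    looks_dead = obs.http_status in DEAD_STATUSES or any(
        marker in obs.body for marker in DEAD_MARKERS
    )
    verdict = "takeover-candidate" if looks_dead else "ec2-cname-live"
    return verdict, ip, region


# Constructed observations (TEST-NET-3 addresses); not real scan output.
SAMPLES: List[Observation] = [
    Observation("dev.example.com", "ec2-203-0-113-10.compute-1.amazonaws.com.",
                None, "Name or service not known"),
    Observation("app.example.com", "ec2-203-0-113-11.eu-west-1.compute.amazonaws.com.",
                200, "<html>Welcome to app</html>"),
    Observation("www.example.com", "example.github.io.", 404, "404 Not Found"),
    Observation("bad.example.com", "ec2-999-0-113-12.compute-1.amazonaws.com.",
                404, "404 Not Found"),
]


def run(samples: List[Observation] = SAMPLES) -> List[Tuple[str, str]]:
    """Return [(fqdn, verdict), ...] and print one report line per record."""
    out = []
    for obs in samples:
        verdict, ip, region = triage(obs)
        detail = f" -> {ip} ({region})" if ip else ""
        print(f"{obs.fqdn:<18} {verdict}{detail}")
        out.append((obs.fqdn, verdict))
    return out


if __name__ == "__main__":
    run()
```

Run it directly to see one line per record. The www.example.com record shows why the DNS stage matters: a 404 alone proves nothing unless the CNAME names an EC2 host, and the bad.example.com record shows why the embedded address is validated rather than pattern-matched. A real scan would replace the constructed SAMPLES with a CNAME lookup plus an HTTP GET of the subdomain, and a takeover-candidate verdict still needs manual confirmation, because a live site that returns 404 for / produces the same signal.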


Permalink: http://example.com/2025/07/19/github_3469467279/
Author: lianccc
Published: 19 July 2025