Hacker News: We Spent $20 to Achieve RCE and Accidentally Became the Admins of .MOBI

Source URL: https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/
Source: Hacker News
Title: We Spent $20 to Achieve RCE and Accidentally Became the Admins of .MOBI


AI Summary and Description: Yes

Summary: The text describes a significant weakness in legacy WHOIS infrastructure: by acquiring the expired domain dotmobiregistry.net, formerly the .mobi WHOIS server, the researchers controlled the responses seen by WHOIS clients that still pointed at it, which could in turn be abused to undermine TLS/SSL certificate issuance. The discovery points to critical flaws in legacy internet infrastructure and the potential for misuse by attackers, including nation-states, with urgent implications for information security and governance.

Detailed Description:

– The authors, security researchers, came across a major weakness in the WHOIS ecosystem while experimenting informally, and the implications for internet security turned out to be severe.
– They acquired the expired domain dotmobiregistry.net, which had previously hosted a legitimate WHOIS server, and stood up their own WHOIS server on it. This gave them control over the responses to every WHOIS query still sent there.

Key Points:

– **Legacy Infrastructure Issues:**
– Because the WHOIS protocol has changed little and clients still point at servers that have since been retired, organizations keep querying old authorities without verifying that they are still authoritative.

– **Exploitable Vulnerabilities:**
– They identified legacy WHOIS clients that still hardcode old WHOIS server addresses, leaving them exposed to attacks delivered through malformed responses from whoever now controls those addresses.
– Deploying a rogue WHOIS server was trivial, and it let them observe a significant volume of traffic from many entities, including government and military organizations.
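The two points above (clients hardcoding a retired WHOIS server, and treating whatever that server returns as trustworthy) suggest a concrete defensive check. The example below is added here and is not code from the watchTowr write-up or from any WHOIS client: it audits a hardcoded per-TLD server table against the `whois:` referral that IANA's WHOIS service publishes for each TLD, and it handles the server's reply as untrusted bytes (size cap, tolerant decoding, key/value extraction only). The IANA responses and the legacy table are constructed sample data so the script runs offline; the hostname under dotmobiregistry.net is a constructed illustration, not a value taken from the page.

```python
"""Audit hardcoded WHOIS server referrals against IANA's authoritative referral.

Added example, not code from the write-up or from any real WHOIS client.
A WHOIS client or a certificate-issuance pipeline should not trust a hardcoded
server for a TLD without confirming that IANA still refers to that server, and
should treat the bytes it gets back as untrusted. Runs offline: the IANA
responses below are constructed stand-ins for `whois -h whois.iana.org <tld>`.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed legacy table, in the style of a client that ships per-TLD servers.
# The .mobi entry is a constructed hostname under the expired domain named in
# the write-up; the .example entry is hypothetical and matches IANA below.
LEGACY_SERVERS: Dict[str, str] = {
    "mobi": "whois.dotmobiregistry.net",   # stale: domain changed hands
    "example": "whois.nic.example",         # hypothetical, still current
}

# Constructed stand-ins for IANA TLD records. Only the `whois:` line matters
# here; a real response carries many more fields.
IANA_RESPONSES: Dict[str, bytes] = {
    "mobi": b"domain:       MOBI\nwhois:        whois.nic.mobi\nstatus:       ACTIVE\n",
    "example": b"domain:       EXAMPLE\nwhois:        whois.nic.example\n",
    "legacy": b"domain:       LEGACY\nstatus:       ACTIVE\n",  # no referral at all
}

MAX_RESPONSE_BYTES = 64 * 1024  # cap: a hostile server may stream forever


def safe_decode(raw: bytes) -> str:
    """Decode untrusted WHOIS bytes: truncate to the cap, never raise on bad bytes."""
    return raw[:MAX_RESPONSE_BYTES].decode("utf-8", errors="replace")


def parse_fields(text: str) -> List[Tuple[str, str]]:
    """Extract `key: value` pairs; banners, comments and junk lines are ignored."""
    pairs = []
    for line in text.splitlines():
        if line.lstrip().startswith(("%", "#")):
            continue
        m = re.match(r"^\s*([A-Za-z][\w\s/-]*?)\s*:\s*(.*?)\s*$", line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def iana_referral(tld: str) -> Optional[str]:
    """Authoritative WHOIS server for a TLD, from the (constructed) IANA response."""
    raw = IANA_RESPONSES.get(tld.lower())
    if raw is None:
        return None
    for key, value in parse_fields(safe_decode(raw)):
        if key == "whois" and value:
            return value.lower()
    return None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: enough for these examples, not a PSL lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def audit(legacy: Dict[str, str]) -> Dict[str, str]:
    """Verdict per TLD: ok, stale (IANA refers to another operator), or unverifiable."""
    verdicts = {}
    for tld, hardcoded in legacy.items():
        authoritative = iana_referral(tld)
        if authoritative is None:
            verdicts[tld] = "unverifiable"
        elif registrable_domain(authoritative) != registrable_domain(hardcoded):
            verdicts[tld] = f"stale: IANA refers to {authoritative}"
        else:
            verdicts[tld] = "ok"
    return verdicts


if __name__ == "__main__":
    for tld, verdict in audit(LEGACY_SERVERS).items():
        print(f".{tld}: {LEGACY_SERVERS[tld]} -> {verdict}")
```

The comparison is made on the operator's registrable domain rather than the exact hostname, so a registry that merely renames its server is not flagged, while a server that now lives under a domain IANA no longer refers to is. In a real client the `IANA_RESPONSES` lookup would be replaced by a live query to whois.iana.org, and a "stale" or "unverifiable" verdict should block the query rather than fall back to the hardcoded address.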

– **TLS/SSL Certificate Authority Risks:**
– An alarming discovery was that multiple Certificate Authorities (CAs) were relying on WHOIS responses for domain ownership verification. By controlling the WHOIS server, they could present their own email address as the administrative contact for any domain under the TLD, opening the door to fraudulent issuance of TLS/SSL certificates.

– **Real-World Implications:**
– The researchers reported receiving millions of queries from a wide range of sources, showing how widespread the reliance on the retired server still was and what that could mean for the security of sensitive data and communications.

– **Potential for Misuse:**
– Control over WHOIS responses could allow malicious actors to exploit vulnerabilities in the systems that parse them, and the researchers stressed the severity of the remote code execution (RCE) vulnerabilities that could stem from this.
– They raised concerns about the implications for national security, given that governmental and military IT systems were among those querying their rogue WHOIS server.

– **Call to Action:**
– The research closes with a call to revisit and secure the foundational components of Internet infrastructure, reinforcing the need for better governance, controls, and awareness of legacy systems.

This case is a stark reminder of how easily confidence in trust frameworks can be undermined, and it underlines the importance of proactive security measures, particularly where information security depends on legacy systems and protocols.