Zone Transfer on OWASP.org and OWASP.com

While doing some testing on Fierce, a friend of mine noticed something interesting on the owasp.org and owasp.com nameservers. Both servers were configured to allow the zone to be transferred remotely. FAIL! To be fair, this isn’t going to give us a remote root shell easily. It just looks bad to preach security and not actually secure our own stuff. Come on guys, fix the nameservers for the sake of the community!

Who was pentesting this stuff??? Definitely wasn’t me…

Here are the details:

zone transfer on:

  • owasp.org
  • owasp.com

nameservers:

  • ns1.secure.net
  • ns2.secure.net


$ dig owasp.org axfr @ns2.secure.net


; <<>> DiG 9.5.0-P2 <<>> owasp.org axfr @ns2.secure.net
;; global options: printcmd
owasp.org. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. 2007080366 86400 7200 2592000 86400
owasp.org. 86400 IN A 216.48.3.18
owasp.org. 86400 IN NS ns1.secure.net.
owasp.org. 86400 IN NS ns2.secure.net.
owasp.org. 86400 IN MX 20 ALT2.ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN MX 30 ASPMX2.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 30 ASPMX3.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 30 ASPMX4.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 30 ASPMX5.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 10 ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN MX 20 ALT1.ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN TXT "v=spf1 include:aspmx.googlemail.com ~all"
*.owasp.org. 86400 IN CNAME owasp.org.
ads.owasp.org. 86400 IN A 216.48.3.26
austin.owasp.org. 86400 IN CNAME owasp.org.
calendar.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
docs.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
es.owasp.org. 86400 IN A 216.48.3.18
forums.owasp.org. 86400 IN A 216.48.3.19
google6912a08c3a8cdf0b.owasp.org. 86400 IN CNAME GOOGLE.COM.
jobs.owasp.org. 86400 IN CNAME owasp.org.
lists.owasp.org. 86400 IN A 216.48.3.22
lists.owasp.org. 86400 IN MX 10 ml1lists.owasp.org.
localhost.owasp.org. 86400 IN A 127.0.0.1
mail.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
ml1lists.owasp.org. 86400 IN A 216.48.3.30
registration.owasp.org. 86400 IN CNAME owasp.org.
stage.owasp.org. 86400 IN A 216.48.3.20
voip.owasp.org. 86400 IN A 216.48.3.22
www.owasp.org. 86400 IN CNAME owasp.org.
owasp.org. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. 2007080366 86400 7200 2592000 86400
;; Query time: 227 msec
;; SERVER: 192.220.125.10#53(192.220.125.10)
;; WHEN: Fri Oct 16 18:48:47 2009
;; XFR size: 31 records (messages 1, bytes 801)


$ dig owasp.org axfr @ns1.secure.net


; <<>> DiG 9.5.0-P2 <<>> owasp.org axfr @ns1.secure.net
;; global options: printcmd
owasp.org. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. 2007080366 86400 7200 2592000 86400
owasp.org. 86400 IN A 216.48.3.18
owasp.org. 86400 IN NS ns1.secure.net.
owasp.org. 86400 IN NS ns2.secure.net.
owasp.org. 86400 IN MX 30 ASPMX5.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 10 ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN MX 20 ALT1.ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN MX 20 ALT2.ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN MX 30 ASPMX2.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 30 ASPMX3.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 30 ASPMX4.GOOGLEMAIL.COM.
owasp.org. 86400 IN TXT "v=spf1 include:aspmx.googlemail.com ~all"
*.owasp.org. 86400 IN CNAME owasp.org.
ads.owasp.org. 86400 IN A 216.48.3.26
austin.owasp.org. 86400 IN CNAME owasp.org.
calendar.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
docs.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
es.owasp.org. 86400 IN A 216.48.3.18
forums.owasp.org. 86400 IN A 216.48.3.19
google6912a08c3a8cdf0b.owasp.org. 86400 IN CNAME GOOGLE.COM.
jobs.owasp.org. 86400 IN CNAME owasp.org.
lists.owasp.org. 86400 IN A 216.48.3.22
lists.owasp.org. 86400 IN MX 10 ml1lists.owasp.org.
localhost.owasp.org. 86400 IN A 127.0.0.1
mail.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
ml1lists.owasp.org. 86400 IN A 216.48.3.30
registration.owasp.org. 86400 IN CNAME owasp.org.
stage.owasp.org. 86400 IN A 216.48.3.20
voip.owasp.org. 86400 IN A 216.48.3.22
www.owasp.org. 86400 IN CNAME owasp.org.
owasp.org. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. 2007080366 86400 7200 2592000 86400
;; Query time: 127 msec
;; SERVER: 192.220.124.10#53(192.220.124.10)
;; WHEN: Fri Oct 16 18:49:57 2009
;; XFR size: 31 records (messages 1, bytes 801)


$ dig owasp.com axfr @ns1.secure.net


; <<>> DiG 9.5.0-P2 <<>> owasp.com axfr @ns1.secure.net
;; global options: printcmd
owasp.com. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. 2007080301 86400 7200 2592000 86400
owasp.com. 86400 IN A 216.48.3.18
owasp.com. 86400 IN NS ns1.secure.net.
owasp.com. 86400 IN NS ns2.secure.net.
owasp.com. 86400 IN MX 10 216.48.3.22.owasp.com.
localhost.owasp.com. 86400 IN A 127.0.0.1
www.owasp.com. 86400 IN CNAME owasp.com.
owasp.com. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. 2007080301 86400 7200 2592000 86400
;; Query time: 112 msec
;; SERVER: 192.220.124.10#53(192.220.124.10)
;; WHEN: Fri Oct 16 18:52:53 2009
;; XFR size: 8 records (messages 1, bytes 244)

$ dig owasp.com axfr @ns2.secure.net


; <<>> DiG 9.5.0-P2 <<>> owasp.com axfr @ns2.secure.net
;; global options: printcmd
owasp.com. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. 2007080301 86400 7200 2592000 86400
owasp.com. 86400 IN A 216.48.3.18
owasp.com. 86400 IN NS ns1.secure.net.
owasp.com. 86400 IN NS ns2.secure.net.
owasp.com. 86400 IN MX 10 216.48.3.22.owasp.com.
localhost.owasp.com. 86400 IN A 127.0.0.1
www.owasp.com. 86400 IN CNAME owasp.com.
owasp.com. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. 2007080301 86400 7200 2592000 86400
;; Query time: 94 msec
;; SERVER: 192.220.125.10#53(192.220.125.10)
;; WHEN: Fri Oct 16 18:52:58 2009
;; XFR size: 8 records (messages 1, bytes 244)
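The four transcripts above were produced by running dig by hand against each nameserver. As an added example (not code from the original post), here is a small POSIX shell script that does the same audit for a zone you administer: it looks up the zone's NS records, asks each server for an AXFR, and classifies the answer as OPEN (the server handed over the zone), CLOSED (refused or failed) or UNKNOWN. The classifier works on captured dig output, so the constructed sample transcripts embedded below let it run with no network; the live check assumes `dig` from the BIND 9 utilities is installed. The zone name example.test and its records are made up for the sample.

```shell
#!/bin/sh
# Added example (not part of the original post): audit whether a zone's
# authoritative nameservers answer AXFR requests from an arbitrary client.
# Assumes `dig` (BIND 9 utilities) is installed for the live check; the
# classifier itself only parses dig output and needs no network.

# classify_axfr: read dig AXFR output on stdin and print one of
#   OPEN <n>  the server transferred the zone (n resource records)
#   CLOSED    the server refused or the transfer failed
#   UNKNOWN   the output looked like neither
classify_axfr() {
    out=$(cat)
    case "$out" in
        *"Transfer failed."*|*"connection refused"*|*"communications error"*|*"no servers could be reached"*)
            echo CLOSED
            return 0 ;;
    esac
    # A successful AXFR starts and ends with the zone's SOA record.
    # Record lines look like: "name ttl IN TYPE rdata"; lines starting
    # with ';' are dig's own commentary.
    soa=$(printf '%s\n' "$out" | awk '/^[^;]/ && $3=="IN" && $4=="SOA" {c++} END {print c+0}')
    if [ "$soa" -ge 2 ]; then
        n=$(printf '%s\n' "$out" | awk '/^[^;]/ && $3=="IN" {c++} END {print c+0}')
        echo "OPEN $n"
        return 0
    fi
    echo UNKNOWN
}

# audit_zone ZONE: resolve the zone's NS records and test each one.
# Prints "ZONE NAMESERVER RESULT" per server. Requires `dig` and network.
audit_zone() {
    zone=$1
    for ns in $(dig +short NS "$zone"); do
        result=$(dig "$zone" AXFR "@$ns" +time=5 +tries=1 2>&1 | classify_axfr)
        echo "$zone $ns $result"
    done
}

# Constructed sample: what an open transfer looks like (made-up zone).
sample_open() {
cat <<'EOF'
; <<>> DiG 9.5.0-P2 <<>> example.test axfr @ns1.example.test
;; global options: printcmd
example.test. 86400 IN SOA ns1.example.test. hostmaster.example.test. 2009101601 86400 7200 2592000 86400
example.test. 86400 IN A 192.0.2.10
example.test. 86400 IN NS ns1.example.test.
www.example.test. 86400 IN CNAME example.test.
example.test. 86400 IN SOA ns1.example.test. hostmaster.example.test. 2009101601 86400 7200 2592000 86400
;; Query time: 12 msec
;; XFR size: 5 records (messages 1, bytes 180)
EOF
}

# Constructed sample: what a properly restricted server answers.
sample_closed() {
cat <<'EOF'
; <<>> DiG 9.5.0-P2 <<>> example.test axfr @ns1.example.test
;; global options: printcmd
; Transfer failed.
EOF
}

# Usage: ./axfr_audit.sh yourzone.example
# With no argument, only the offline samples are classified.
if [ $# -gt 0 ]; then
    audit_zone "$1"
else
    echo "sample open:   $(sample_open | classify_axfr)"
    echo "sample closed: $(sample_closed | classify_axfr)"
fi
```

Any server reported as OPEN should have transfers restricted to its secondaries. In BIND that is the `allow-transfer` option in named.conf (`allow-transfer { none; };` globally, overridden per zone with the secondaries' addresses or a TSIG key); other nameserver software has an equivalent setting. Rerunning the script afterwards should show CLOSED for every server, as in the second sample above.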


3 Responses to Zone Transfer on OWASP.org and OWASP.com

  1. the dude says:

    it’s not their nameserver, it’s hosted, sfw

  2. This isn’t a problem for OWASP – there’s nothing in the DNS that’s private. Read about the risk here… https://lists.owasp.org/pipermail/owasp-leaders/2010-April/002985.html
