GoDaddy has patched a CSRF vulnerability that could have allowed attackers to take over domains registered with GoDaddy

Flaw in DNS

Saccomanni said that he noticed the flaw in GoDaddy’s DNS management actions. The DNS management actions on the GoDaddy website are state-changing POST requests with no CSRF token in the request body or headers, and no enforcement of Referer or Content-Type. A POST request asks the server to accept the entity enclosed in the request as a new subordinate of the web resource identified by the URI. The data POSTed might be, for example, an annotation for an existing resource; a message for a bulletin board, newsgroup, mailing list, or comment thread; a block of data that is the result of submitting a web form to a data-handling process; or an item to add to a database. A POST request is used to send data to the server to be processed in some way, for example by a CGI script. A POST request differs from a GET request in the following ways:

There is a block of data sent with the request, in the message body. There are usually extra headers describing this message body, such as Content-Type and Content-Length. The request URI is not a resource to retrieve; it is usually a program that handles the data you are sending. The HTTP response is normally program output, not a static file. The most common use of POST, by far, is to submit HTML form data to CGI scripts.

POST requests are often assumed to be safer than GET requests, but the method alone offers no protection against CSRF. GoDaddy had no such protection in place, so Saccomanni could easily exploit the vulnerability. Saccomanni said: “In fact, you could edit nameservers, change auto-renew settings and edit the zone file entirely without any CSRF protection in the request body or headers.”
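To make concrete what was missing, here is an added example, not code from the article or from GoDaddy: a small Python model of an auto-renew endpoint handled two ways. The vulnerable handler checks nothing but the session cookie, which the browser attaches to any cross-site form post on its own; the hardened handler adds the three checks the article names as absent (a per-session CSRF token in a request header, an Origin/Referer check, and a Content-Type a plain HTML form cannot send). The `request` form field wrapping a JSON document follows the body shape shown in the PoC; the hostname, session store, header names and function names are assumptions.

```python
import hmac
import json
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed origin of the DNS control centre (not a GoDaddy hostname).
SITE_ORIGIN = "https://dcc.example"


@dataclass
class Session:
    """Server-side session. The CSRF token is minted per session and handed to
    the legitimate front end, which echoes it back in a request header."""
    user: str
    auto_renew: bool = True
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """The parts of a POST the handler inspects; `body` holds the form fields
    as the framework has already parsed them."""
    cookie: str
    body: dict
    headers: dict = field(default_factory=dict)


def new_store():
    # Constructed session store keyed by the session cookie value.
    return {"sess-alice": Session(user="alice")}


def parse_request_field(body):
    """The PoC endpoints carry a JSON document inside a form field named
    `request`; decode it, returning None when missing or malformed."""
    try:
        return json.loads(body["request"])
    except (KeyError, TypeError, ValueError):
        return None


def set_auto_renew_vulnerable(store, req):
    """Before the fix: only the session cookie is checked, so any POST the
    browser sends with that cookie attached is honoured."""
    sess = store.get(req.cookie)
    if sess is None:
        return 401
    payload = parse_request_field(req.body)
    if payload is None:
        return 400
    sess.auto_renew = bool(payload.get("isAutoRenew"))
    return 200


def csrf_checks_pass(req, sess):
    """Three checks a cross-site form post cannot satisfy."""
    # 1. Synchronizer token in a custom header, compared in constant time
    #    (encoded to bytes so non-ASCII input cannot raise).
    supplied = req.headers.get("X-CSRF-Token", "").encode()
    if not hmac.compare_digest(supplied, sess.csrf_token.encode()):
        return False
    # 2. Origin (or, failing that, Referer) must name our own site; a request
    #    carrying neither header is rejected rather than waved through.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return False
    parts = urlparse(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False
    # 3. Content-Type an HTML form cannot produce; sending it cross-origin
    #    would need a CORS preflight, which the server would refuse.
    media = req.headers.get("Content-Type", "").split(";", 1)[0].strip().lower()
    return media == "application/json"


def set_auto_renew_hardened(store, req):
    """After the fix: the same state change, gated on the CSRF checks."""
    sess = store.get(req.cookie)
    if sess is None:
        return 401
    if not csrf_checks_pass(req, sess):
        return 403
    payload = parse_request_field(req.body)
    if payload is None:
        return 400
    sess.auto_renew = bool(payload.get("isAutoRenew"))
    return 200


# Body shape from the auto-renew PoC: a `request` field wrapping JSON.
AUTO_RENEW_OFF = {"request": json.dumps(
    {"isAutoRenew": False, "isExtendedAR": False, "extARYears": 0})}


def cross_site_form_post():
    """Constructed: what arrives when another site's form targets the endpoint.
    The browser adds the victim's cookie itself, but the other site cannot
    read the token, set a custom header, or choose the Origin."""
    return Request(cookie="sess-alice", body=dict(AUTO_RENEW_OFF), headers={
        "Origin": "https://other-site.invalid",
        "Content-Type": "application/x-www-form-urlencoded"})


def same_site_post(store):
    """Constructed: the control centre's own front end making the change."""
    return Request(cookie="sess-alice", body=dict(AUTO_RENEW_OFF), headers={
        "Origin": SITE_ORIGIN, "Content-Type": "application/json",
        "X-CSRF-Token": store["sess-alice"].csrf_token})


def demo():
    """Each entry is (HTTP status, auto_renew after the request)."""
    results = {}
    for name, handler, make in (
            ("vulnerable/cross-site", set_auto_renew_vulnerable, lambda s: cross_site_form_post()),
            ("hardened/cross-site", set_auto_renew_hardened, lambda s: cross_site_form_post()),
            ("hardened/same-site", set_auto_renew_hardened, same_site_post)):
        store = new_store()
        status = handler(store, make(store))
        results[name] = (status, store["sess-alice"].auto_renew)
    return results


if __name__ == "__main__":
    for name, (status, renew) in demo().items():
        print(f"{name:22s} -> HTTP {status}, auto_renew now {renew}")
```

Running it shows the cross-site post flipping auto-renew off through the vulnerable handler and being refused with 403 by the hardened one, while the same-site request, which carries the token, a matching Origin and a JSON Content-Type, still succeeds. Any one of the three checks would have blocked the form-based PoC; requiring all three means a single misconfiguration (say, a lax Referer policy) does not reopen the hole.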

Proof of Concept (PoC)

The PoC given by Saccomanni is reproduced below:

Nameservers

Here is the POST request for saving an edit to nameservers:

{'request':'{"isall":false,"nsobjs":[{"ns":"foo.example.com","ips": [],"index":0,"add":1,"status":""}, {"ns":"bar.example.com","ips": [],"index":1,"add":1,"status":""}]}'}

Auto-Renew

Here is a POST request for changing auto-renew to OFF:

{'request':'{"isAutoRenew":false,"isExtendedAR":false,"extARYears":0}'}

DNS Zone File

Here is a POST request to edit DNS records on the classic manager:

{"sInput":"< PARAMS >< PARAM name=\"domainName\" value=\"[REDACTED]\" >< PARAM name=\"zo

Patch

The timeline for the disclosure is:

01/17/15 – Initial discovery and attempt to reach GoDaddy security.
01/18/15 – Further attempts to reach GoDaddy security; finally received word there was no timeline for a fix.
01/19/15 – GoDaddy implemented CSRF protection for sensitive account actions.

Saccomanni said that he tried to reach the GoDaddy security team but could not do so: “(I) tried [email protected] and [email protected] email addresses, also tried calling support. Eventually I reached someone through Twitter from @GoDaddyHelp. I was told there was no timeline for a fix.” The vulnerability has now been patched.