10K Sites Affected? Subdomain Takeover via lemlist [patched]

KreSec
3 min read · Aug 25, 2023


List of domains connected to the CNAME custom.lemlist.com
Image 1. Reverse Cname

Before going into further discussion, why does subdomain takeover happen?
In general, when a developer wants to connect a subdomain or root domain to a third-party service, they do it with a CNAME record. Each service uses a different CNAME target, and each service has implemented some security measures to prevent subdomain takeover, but developers often don't pay enough attention. The mistake is simple: the developer stops using the subdomain and deletes the domain on the service side, but forgets to delete the CNAME record on the DNS/hosting side. An attacker then only needs to attach that subdomain to the service; no change to the DNS records on the server/hosting side is required. Starting to make sense?

Image 2. How subdomain takeover works

Short story of why I discovered that vulnerability:
I’ve been looking for Metabase vulnerabilities on Shodan but haven’t had any luck, always finding non-vulnerable ones :)
Seeing that one site was pretty good, I did subdomain enumeration & recon with httpx for fun, and I found a subdomain with the title “[Custom domain check]”.

root@pondev:~# subfinder -d redacted.com -recursive | httpx -sc -title
http://activation.redacted.com [302] []
https://trail.redacted.com [200] [Custom domain check]
https://redacted.com [200] [Redacted | Redacted made simple]
https://referrals.redacted.com [302] [Object moved]
https://enroll.redacted.com [200] [Redacted — Claim your membership]

This is what it looked like when I accessed it, and, remembering subdomain takeover, I immediately used the dig command to find out which service it points to (Image 3).

Image 2. dig & default page
Image 3. Default page & cname

Then I found this article https://www.lemlist.com/blog/custom-tracking-domain with the keyword “Lemlist Custom Domain”.
Then, from the list of 10k subdomains I checked with httpx -sc -fr -silent, I was confused why all the status codes were 200 OK, because generally a vulnerable subdomain takeover returns 404. I tried adding the subdomains but always got the response “already used in another team”.

cat list | httpx -sc -fr -silent
http://trail.redacted1.com [200] [Custom domain check]
https://trail.redacted2.com [200] [Custom domain check]
https://trail.redacted3.com [200] [Custom domain check]
http://trail.redacted4.com [200] [Custom domain check]
http://trail.redacted5.net [200] [Custom domain check]
https://trail.redacted6.com [200] [Custom domain check]
https://trail.redacted7.com [200] [Custom domain check]
http://trail.redacted8.io [200] [Custom domain check]
https://trail.redacted9.com [200] [Custom domain check]
http://trail.redacted10.com [302,301,200] [Mercusuar — Situs Not Found] [https://mercusuar.uzone.id]
Image 4. Can't set custom domain

But after I looked at the results again, there was a difference in the protocol (http & https). I tried the custom domain again with the subdomain whose protocol was “http”, and yeah, it worked.

Image 4. Successful custom domain
Image 5. Successful Takeover
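To turn the observations above into a routine check of one's own DNS zone, here is an added Python example (not the author's tooling): it takes a constructed zone export plus httpx-style output in the same "url [status] [title]" shape as in the post, and flags CNAMEs into the lemlist endpoint whose default "Custom domain check" page is being served, which, as the post found, comes back with 200 rather than the 404 a status-code filter would look for. The example.com hosts and the httpx lines are constructed.

```python
import re

# Constructed zone export (name, type, target); in practice pulled from the DNS provider.
ZONE_RECORDS = [
    ("trail.example.com", "CNAME", "custom.lemlist.com."),
    ("news.example.com", "CNAME", "custom.lemlist.com."),
    ("www.example.com", "CNAME", "example.com."),
    ("enroll.example.com", "A", "203.0.113.10"),
]
# Constructed httpx output in the same "url [status] [title]" shape as in the post.
HTTPX_OUTPUT = """\
http://trail.example.com [200] [Custom domain check]
https://news.example.com [200] [Example Newsletter]
https://www.example.com [302,200] [Example | Example made simple]
"""
# Third-party endpoint -> title of the default page served for an unclaimed domain.
# Only the lemlist endpoint and title observed in the post are listed.
DEFAULT_PAGE_MARKERS = {"custom.lemlist.com": "Custom domain check"}
HTTPX_LINE = re.compile(r"^(https?)://(\S+) \[([\d,]+)\] \[(.*?)\]")

def parse_httpx(text):
    """Map host -> (scheme, [status codes], title) from `httpx -sc -title` lines."""
    probes = {}
    for line in text.splitlines():
        m = HTTPX_LINE.match(line)
        if m:
            scheme, host, codes, title = m.groups()
            probes[host] = (scheme, [int(c) for c in codes.split(",")], title)
    return probes

def audit_zone(records, httpx_text):
    """Return (host, target, scheme, verdict) for each CNAME into a known endpoint."""
    probes = parse_httpx(httpx_text)
    findings = []
    for name, rtype, target in records:
        target = target.rstrip(".")
        if rtype != "CNAME" or target not in DEFAULT_PAGE_MARKERS:
            continue
        scheme, codes, title = probes.get(name, (None, [], ""))
        # As the post found, the unclaimed page answers 200 rather than 404, so
        # filtering on status code hides it; key on the default-page title instead.
        if scheme is None:
            verdict = "unprobed"
        elif DEFAULT_PAGE_MARKERS[target] in title:
            verdict = "default-page: confirm the domain is still claimed in the service or delete the CNAME"
        else:
            verdict = "in-use"
        findings.append((name, target, scheme, verdict))
    return findings
```

Anything reported as "default-page" should be reclaimed in the service or have its CNAME removed; "unprobed" means the host never answered and still needs a manual look.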

Thanks

Thank you very much to those of you who clap, share, or discuss this post.
You can also subscribe to my YouTube channel & my community:
https://www.youtube.com/@kresec
https://www.youtube.com/@tegalsec1121
