Mailgun misconfiguration leads to email snooping and postmaster@-access on email.mg.gitlab.com
G
GitLab
Submitted None
Team Summary
Official summary from GitLab
@fransrosen Identified a vulnerability in our Mailgun configuration that allowed mail to several of our subdomains to be leaked. @fransrosen included enough information in the report so that we were able to immediately correct the issue and report the problem to Mailgun. Thanks @fransrosen for one of the more interesting vulnerability reports we've seen!
Actions:
Reported by
fransrosen
Vulnerability Details
Technical details and impact analysis
Hi,
Previously a blog post went out about Uber's Sendgrid issues: http://blog.pentestnepal.tech/post/149985438982/reading-ubers-internal-emails-uber-bug-bounty
Also, a report from @uranium238 went out due to a similar issue with Slack (that I know uses Mailgun): https://hackerone.com/reports/163938
Now, by reasons I do not know, this actually has some issues still unpatched by Mailgun, which in combination with a misconfiguration, currently exposes at least `email.mg.gitlab.com`.
The problem lies in this issue:
1. You add the domain `mg.gitlab.com` to Mailgun
2. Mailgun asks you to add a MX record to `mg.gitlab.com`
3. You add that, then Mailgun also tells you that to get tracking you need to add a CNAME from `email.mg.gitlab.com` to mailgun.org as well.
4. What is missing here, is for you to actually add `email.mg.gitlab.com` to your account as a separate domain by itself. By not doing this, anyone can add this domain to their account.
5. You probably later on remove the MX from `mg.gitlab.com` again, but the CNAME is still there for `email.mg.gitlab.com`
The problem with missing out on #4 above is how DNS CNAMEs works. If you have a CNAME pointing to another domain, this CNAME will actually inherit the MX-records from the other domain. This basically means that your `email.mg.gitlab.com` is now listed with MX-records from Mailgun:
```
$ host email.mg.gitlab.com
email.mg.gitlab.com is an alias for mailgun.org.
mailgun.org has address 173.203.37.113
mailgun.org mail is handled by 10 mxb.mailgun.org.
mailgun.org mail is handled by 10 mxa.mailgun.org.
```
Due to this, I can claim this domain as mine in Mailgun:
{F127024}
And due to this, I can now create a mailing list called `[email protected]` with Access-level: `everyone`:
{F127025}
I'll add my own email as a recipient:
{F127026}
I'll now try and see if I can receive emails to `[email protected]`:
{F127027}
The logs of Mailgun will show me the routing:
{F127028}
And my inbox now have the emails sent to `[email protected]`:
{F127029}
Since postmaster can be used to issue certificates for these domains, and since no one but you should have access to the whitelisted SSL-issuing aliases (ref: https://wiki.mozilla.org/CA:Problematic_Practices#Email_Address_Prefixes_for_DV_Certs)
I recommend that you:
1. Add the both domains `email.mg.gitlab.com` to your Mailgun account. **I have removed it again so you can take it back, remember that anyone can right now claim it themselves.**.
2. Keep in mind that all domains pointing to Mailgun (MX/CNAME) needs to be claimed by you, even the sub sub domains of the ones already in Mailgun. So make sure that no other domains pointing to Mailgun are missing inside your Mailgun account.
Regards,
Frans
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Privilege Escalation