Comments (31)

JvdHout1011 avatar JvdHout1011 commented on May 29, 2024 8

There are two possibilities when dealing with a closed Zendesk helpcenter as far as I've encountered so far.

Possibility 1: The domain the Zendesk domain is pointing towards is in use. However, the host mapping has not been done correctly, which makes the domain display a 'help center closed' notice. This case is not vulnerable, because the Zendesk domain (i.e. the CNAME reference, *.zendesk.com) is occupied.

Possibility 2: The Zendesk domain is not in use and the target's domain name is displaying a 'help center closed' notice. Here, takeover is possible.

For a successful takeover, follow these steps:

  1. Go to zendesk.com and register for a free trial. When asked what name you want the Zendesk domain to have (foo.zendesk.com), a green checkmark will be displayed if it is available for takeover.
  2. After registering, go to Settings > Account > Host mapping. Fill in the domain this Zendesk domain is pointing to.
  3. Enable SSL on the domain to stop the redirect when you browse to your target's domain (if SSL is not enabled, when browsing to the vulnerable domain (foo.vulnerable.com), Zendesk will redirect to your Zendesk subdomain).
  4. Start up a guide and enable unsafe content in Admin settings.
  5. In an article, add an extra line of source code (e.g. <script>alert("stored XSS for PoC")</script>).
  6. ???
  7. Profit.

from can-i-take-over-xyz.

m7mdharoun avatar m7mdharoun commented on May 29, 2024 3

Zendesk is still vulnerable. Just check all the site's subdomains: if one subdomain is added to a Zendesk account and another one is added too, only one will be the CNAME and the other one will redirect you to the fingerprint that gives you the error.

Example: if I add my subdomain (support.example.com) to my Zendesk account with my CNAME and add my other subdomain (help.example.com) to the same CNAME...

My first subdomain support.example.com will show me my Zendesk site, but when I go to help.example.com I will find myself redirected to the fingerprint error.

So can you take over a subdomain that already exists?
Sure you can't!

Only if the company has only one subdomain listed in Zendesk and that subdomain redirects you to the fingerprint error, then sure, you can take it over!

ym500 avatar ym500 commented on May 29, 2024 2

If the name of the domain is not taken you can take it over. You need to enable the SSL certificate in security settings and enable the host mapping option in account settings, and it will work.

fl0ydsg avatar fl0ydsg commented on May 29, 2024 2

@roblox1488 Did you have a specific method that you used that is separate from the above comments?

You have to wait a while after the subdomain stops being in use; then you can just register it normally like you would.

Mouja0412 avatar Mouja0412 commented on May 29, 2024 2

Seems it is still vulnerable.
https://www.youtube.com/watch?v=sBTVWKeh7xY

Hello, I didn't test if it's still vulnerable or not (it's been 4 months since my last report, as shown in the video). I will check that tomorrow and will keep you updated.

(The PoC video is mine, from my report here: https://hackerone.com/reports/869605, but someone downloaded it and posted it on YouTube, so the YouTube channel is not mine.)

jub0bs avatar jub0bs commented on May 29, 2024 2

Not sure why this is marked as "Not vulnerable"... As others have reported above, Zendesk is still vulnerable, although the necessary conditions may have changed over time. Let's take zendesk.example.com as an example in what follows.

Regarding impact:

  • Such a subdomain takeover is a phisher's wet dream. I've even seen cases in which emails sent to [email protected] automatically created a ticket in Zendesk; not bad for phishing users asking for help.
  • You can achieve stored XSS in the context of the subdomain, which may have implications for other subdomains of the target (e.g. if they have sensitive cookies improperly scoped to a common parent domain).

Signature

In my experience, there are two necessary conditions for a host to be vulnerable. First, zendesk.example.com must have a CNAME record targeting some zendesk.com subdomain corresponding to a Help Center. Second, zendesk.example.com must be available as a custom domain name on the platform. You can check that programmatically by sending a request of the following form (which the Zendesk frontend sends to the backend when you sign up for a free trial):

$ target="zendesk.example.org"
$ curl -s 'https://www.zendesk.com/wp-content/themes/zendesk-twentyeleven/lib/domain-check.php' \
      -H 'authority: www.zendesk.com' \
      -H 'pragma: no-cache' \
      -H 'cache-control: no-cache' \
      -H 'accept: */*' \
      -H 'x-requested-with: XMLHttpRequest' \
      -H 'user-agent: REDACTED' \
      -H 'content-type: application/x-www-form-urlencoded; charset=UTF-8' \
      -H 'origin: https://www.zendesk.com' \
      -H 'sec-fetch-site: same-origin' \
      -H 'sec-fetch-mode: cors' \
      -H 'sec-fetch-dest: empty' \
      -H 'referer: https://www.zendesk.com/register/' \
      -H 'accept-language: en-GB,en-US;q=0.9,en;q=0.8,fr;q=0.7' \
      --data-raw "domain=$target" \
      --compressed

Inspect the JSON response. You can safely ignore the value of the available field, which I have found to be misleading. What truly matters is the presence of a suggestion field in the response; if that field is present, the custom domain name is unavailable; otherwise, the custom domain name is available.

Be mindful that Zendesk sits behind Cloudflare, and if you hammer it with such requests, you'll likely get a temporary IP ban from Cloudflare.

A subtlety regarding cert provisioning

Zendesk offers to provision a TLS cert (using Let's Encrypt) for your custom domain, but this provisioning can fail. Be aware that cert provisioning may fail multiple times at first, for no good reason, really; be patient but persistent: retry a few times.

However, one remarkable reason for cert-provisioning failure is when the root domain of your custom domain name features on Let's Encrypt's deny list; in that case, provisioning of the cert will fail, but the error message shown in Zendesk's frontend will be indistinguishable from that of a transitory cert-provisioning failure. You simply won't be able to tell that it's due to a problem with Let's Encrypt, unless, perhaps, you ask Zendesk's support nicely.

If you cannot obtain a certificate for your custom domain, visiting it will simply redirect you to the associated Zendesk subdomain, which greatly reduces the impact of the subdomain takeover :(

Tip: disable email notifications

As soon as you get a foothold and before notifying the target, I recommend disabling all email notifications in the Zendesk settings. Why? Once the target removes the offending CNAME record, you won't be able to access the Zendesk account; as a result, you won't be able to disable email notifications, and you'll keep receiving emails (marketing, etc.) until your free trial expires, which can be annoying.

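
A defender-side triage of the two conditions jub0bs describes above (and of JvdHout1011's two possibilities earlier in the thread), written as an added example that is not part of the thread: it pulls CNAME records pointing at *.zendesk.com out of a zone export and applies the "a suggestion field means unavailable" rule to domain-check responses captured out of band. The zone records and JSON bodies are constructed, and the response shape is an assumption, not taken from Zendesk.

```python
import json
import re

# Zone export lines, constructed for this example (not from the thread).
SAMPLE_ZONE = """\
support.example.org.  3600 IN CNAME example-support.zendesk.com.
help.example.org.     3600 IN CNAME example.zendesk.com.
www.example.org.      3600 IN A     192.0.2.10
docs.example.org.     3600 IN CNAME example-docs.zendesk.com.
"""

CNAME_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)$", re.IGNORECASE)

def zendesk_cnames(zone_text):
    """First condition: hosts whose CNAME targets some *.zendesk.com name."""
    found = {}
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.strip())
        if not m:
            continue
        host, target = (s.rstrip(".").lower() for s in m.groups())
        if target.endswith(".zendesk.com"):
            found[host] = target
    return found

def custom_domain_available(domain_check_body):
    """Second condition, per jub0bs: ignore 'available'; the custom domain is
    taken iff the response carries a 'suggestion' field."""
    return "suggestion" not in json.loads(domain_check_body)

def triage(zone_text, check_responses):
    """check_responses maps host -> raw JSON body of the domain-check call.
    A host that points at Zendesk and is still claimable is dangling: the
    remediation is to remove or re-point that CNAME record."""
    report = {}
    for host, target in zendesk_cnames(zone_text).items():
        body = check_responses.get(host)
        if body is None:
            report[host] = "unchecked"
        elif custom_domain_available(body):
            report[host] = f"DANGLING: remove CNAME -> {target}"
        else:
            report[host] = "in use"
    return report

# Assumed response shape (constructed); note 'available' is true for the
# first host yet a suggestion is present, so it counts as taken.
SAMPLE_RESPONSES = {
    "support.example.org": '{"available": true, "suggestion": "support-example"}',
    "help.example.org": '{"available": false}',
}
```

Hosts with no captured response come back as "unchecked" rather than being guessed either way.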
Cillian-Collins avatar Cillian-Collins commented on May 29, 2024 1

I just got a successful takeover today.

Simply located a domain which was redirecting to a Zendesk page saying "This help center has been deleted".

Found the CNAME. Registered that on Zendesk as my account. Now it's pointing to mine. Set up an SSL cert so that it stops redirecting to my Zendesk, and instead it actually hosts it on the real subdomain.

Need to figure out a way to get stored XSS via zendesk admin so that I can improve on the impact...

JLLeitschuh avatar JLLeitschuh commented on May 29, 2024 1

Double dipping there? Get a bounty from Zendesk and the company?

@Cillian-Collins See if you can use the Zendesk name to also generate emails from that domain; you can leverage that email to pivot into internal Slack/Jira instances.

Read:
https://medium.com/intigriti/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c

If it works, I totally accept tips to my PayPal account. 🤣

ym500 avatar ym500 commented on May 29, 2024 1

@bgxdoc @gauravdrago
Not sure about the free trial and premium. To solve this, Zendesk has three cases when you see the help desk is closed:

1- Deleted help desk: you can take it over
2- Inactive: you can't take it over until 90 days have passed
3- Sometimes companies use only the chat widget from Zendesk without a help center; it will respond with the same message but you can't take it over

Not sure if there are any other cases or not; if someone has already faced another case, they can post it here to solve this issue.

Mouja0412 avatar Mouja0412 commented on May 29, 2024 1

Thank you @JvdHout1011
I can confirm the takeover is still working; I took over a subdomain through the Zendesk portal a few minutes ago.
PoC here:
https://prnt.sc/s80l2i
https://prntscr.com/s80mhi

Mouja0412 avatar Mouja0412 commented on May 29, 2024 1

@soareswallace I confirm; I already took over 10 subdomains in the last 3 days. I sent reports to HackerOne but most of them are "ineligible" and they said "We do in fact consider bounty payment on a case by case basis for bounty".

riramar avatar riramar commented on May 29, 2024 1

Seems it is still vulnerable.
https://www.youtube.com/watch?v=sBTVWKeh7xY

codingo avatar codingo commented on May 29, 2024

This takeover is possible when a Zendesk account has been deleted but still remains referenced in the host domain's DNS record.

When you dig the record you will see the CNAME, this corresponds to the name of the Zendesk account you need to (re)create. Once you've done so you'll now have claimed Zendesk on this host domain.

This is a much less valuable takeover than other scenarios, as you aren't hosting content on the domain like you are in other takeovers (removing XSS/CORS possibilities) and you're instead hosting a new support (Zendesk) instance. It's useful for red teaming and social engineering, but I wouldn't expect the bounty payments to be as much as in other scenarios where you can demonstrate more relevant risk.

JesseClarkND avatar JesseClarkND commented on May 29, 2024

My experience with a zendesk takeover attempt this morning.
no_luck

codingo avatar codingo commented on May 29, 2024

Thank-you @JesseClarkND, I was also familiar with this one through a recent attempt. I've made a change to the repo in line with your proofs and will now close this issue (see: #51).

Appreciate your efforts!

bgxdoc avatar bgxdoc commented on May 29, 2024

I tried taking over an expired Zendesk subdomain and it worked, but after I activate the help center in the Zendesk settings menu, it should appear on the subdomain, yet it is still redirecting to the previous error. Can anybody tell me if it takes time to get published on the main subdomain after activation?

Update: I only have a trial account; is that why Zendesk is not showing it on the subdomain?

Update: it worked.

JLLeitschuh avatar JLLeitschuh commented on May 29, 2024

@bgxdoc If you could describe your steps to achieve it so that it worked, that would be awesome.

GDATTACKER-RESEARCHER avatar GDATTACKER-RESEARCHER commented on May 29, 2024

I tried taking over an expired Zendesk subdomain and it worked, but after I activate the help center in the Zendesk settings menu, it should appear on the subdomain, yet it is still redirecting to the previous error. Can anybody tell me if it takes time to get published on the main subdomain after activation?

Update: I only have a trial account; is that why Zendesk is not showing it on the subdomain?

Update: it worked.

How did it work? What did you change?

bgxdoc avatar bgxdoc commented on May 29, 2024

@gauravdrago:
In the above comment, @YosefMahmoud has already described the solution. It's the same thing I did to make it work.

"If the name of the domain is not taken you can take it over. You need to enable the SSL certificate in security settings and enable the host mapping option in account settings, and it will work."

GDATTACKER-RESEARCHER avatar GDATTACKER-RESEARCHER commented on May 29, 2024

bgxdoc avatar bgxdoc commented on May 29, 2024

@gauravdrago
I believe Zendesk has a free trial option; use that. In case you have used the trial account before, simply create a new account and then use the free trial.

GDATTACKER-RESEARCHER avatar GDATTACKER-RESEARCHER commented on May 29, 2024

bgxdoc avatar bgxdoc commented on May 29, 2024

@gauravdrago
It worked for me back then, but why not now, I don't know; I guess they might have disabled it for trial accounts.
I will look into this once I get free time from my work.

GDATTACKER-RESEARCHER avatar GDATTACKER-RESEARCHER commented on May 29, 2024

fl0ydsg avatar fl0ydsg commented on May 29, 2024

Still possible.

maxicrisp avatar maxicrisp commented on May 29, 2024

@roblox1488 Did you have a specific method that you used that is separate from the above comments?

bugbaba avatar bugbaba commented on May 29, 2024

Looks like it is vulnerable in some cases. This person was able to take over the Zendesk portal.

https://hackerone.com/reports/759454

m0ns7er avatar m0ns7er commented on May 29, 2024

There are two possibilities when dealing with a closed Zendesk helpcenter as far as I've encountered so far.

..............

Thanks @JvdHout1011 for the good write-up. Yes, it is still possible to hijack/take over a subdomain through the Zendesk portal. I took over the subdomain support.*******.com and I'm receiving their help desk emails on the Zendesk dashboard.

PoC: https://drive.google.com/file/d/1h4QomND3n7O5dRCzyGmHQ78qdFcpK51L/view?usp=sharing

Mouja0412 avatar Mouja0412 commented on May 29, 2024

Update: There's something wrong with the trial period ending just after confirming my email. It happened 5 times on 5 subdomains I was trying to take over.
Is it because I was using the same IP? (Will try from another IP.)
Can anyone confirm this issue, please?

Superngorksky avatar Superngorksky commented on May 29, 2024

@JvdHout1011 I can confirm the takeover still works.

@EdOverflow Please update this. Using @JvdHout1011's method, the takeover is still possible.

soareswallace avatar soareswallace commented on May 29, 2024

There is already a report about this takeover on H1. I believe it is possible.

https://hackerone.com/reports/810807
