Vulnerable Service: niceboard.co

[dalpan]

Service name

app.niceboard.co is a service provided by Niceboard that enables clients to use custom domains via CNAME records pointing to app.niceboard.co or A record 173.255.233.147

When the associated Niceboard project is deleted or not configured properly, the subdomain becomes unclaimed, resulting in a 301 redirect to https://100teletravail.fr/ or SSL certificate warnings. This state renders the subdomain vulnerable to takeover.

Proof

Setup a CNAME pointing to app.niceboard.co
A record 173.255.233.147
Example:

vulnerable.example.com. 300 IN      CNAME   app.niceboard.co.
app.niceboard.co.       60      IN      A       173.255.233.147

Check for Vulnerability
Access the subdomain (https://vulnerable.example.com/) and observe a response like (SSL certificate warnings):

cURL ignore SSL certificate warnings command (redirect to https://100teletravail.fr/)

Takeover the Subdomain

Go to setting General -> Domain.
Add the custom domain (vulnerable.example.com) in the Niceboard dashboard.

Domain configuration takes about one hour and your browser may display an SSL error during this time

if the domain is connected, you will receive an email message like this

open the subdomain in the browser, the page we created will appear (taken over)

Documentation

https://help.niceboard.co/article/4-how-to-connect-domain