
[Full-disclosure] NIC Chile CGI Script Zone Transfers



NIC Chile CGI Script Zone Transfers.



Author: Rodrigo Gutierrez <rodrigo at intellicomp.cl>

Affected: All ".cl" domains which use NIC Chile's secondary NS.

Vendor url: http://www.nic.cl

Rate: Critical (*)



Background.

NIC Chile is part of the University of Chile and is in charge of handling 
all the registrations for the ".cl" (Chile) TLD.


Description

One of NIC Chile's websites hosts a CGI script which allows you to grep the zone
files on their secondary name server. (*) Even though I wouldn't have rated this 
vulnerability as Critical, I noticed that the government (gob.cl) and Chile's 
central bank (bcentral.cl), among others, use NIC Chile's secondary name server. 
In other words, you are able to get a copy of the zone file for gob.cl ... ouch!


Impact

If you are an attacker, looking for names such as vpn, mysql, firewall, oracle 
and so on can help identify specific targets and internal network addresses 
without a large detectable footprint. By trace-routing the addresses in the zone 
files you can make a pretty good guess of the topology of the networks as well 
as where to strike first ;).


Exploit

http://secundario.nic.cl/cgi-bin/zone-grep?domain_without_the_dot_cl

The example below will show you the zone file for the foobar.cl domain.

#------------ CUT HERE -------------

http://secundario.nic.cl/cgi-bin/zone-grep?foobar

#------------ CUT HERE ------------- 


Workaround.

Figure it out!


Comments

1.- Our friends at NIC Chile should be more careful about which scripts they host 
on their web servers, or at least protect them.

2.- The government people should really buy themselves a secondary DNS server 
instead of depending on servers with unknown configurations.
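A defender-side check to go with the "protect them" comment, added here as an example and not part of the advisory or of NIC Chile's code: it parses constructed Apache-style access-log lines (the traffic, IPs and zone names are made up) and flags clients that pull many distinct zones through the exposed zone-grep CGI, which is what bulk enumeration of the secondary's zone files would look like in the web server logs.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Constructed Apache combined-format log lines (made-up traffic and IPs, not real NIC Chile logs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2005:10:01:02 -0300] "GET /cgi-bin/zone-grep?foobar HTTP/1.1" 200 512 "-" "curl/7.12"
203.0.113.7 - - [10/Mar/2005:10:01:05 -0300] "GET /cgi-bin/zone-grep?gob HTTP/1.1" 200 8192 "-" "curl/7.12"
203.0.113.7 - - [10/Mar/2005:10:01:09 -0300] "GET /cgi-bin/zone-grep?bcentral HTTP/1.1" 200 4096 "-" "curl/7.12"
198.51.100.2 - - [10/Mar/2005:10:02:00 -0300] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2005:10:02:30 -0300] "GET /cgi-bin/zone-grep?example HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2005:10:03:00 -0300] "GET /cgi-bin/zone-grep?foo%2Ebar HTTP/1.1" 404 200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

SENSITIVE_SCRIPT = "/cgi-bin/zone-grep"  # the exposed endpoint named in the advisory

def parse_line(line):
    """Return (ip, path, decoded query, status) or None if the line is not a valid log record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return m.group("ip"), parts.path, unquote(parts.query), int(m.group("status"))

def zone_grep_requests(log_text):
    """Map client IP -> set of zone names successfully (HTTP 200) pulled via the zone-grep CGI."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, query, status = rec
        if path == SENSITIVE_SCRIPT and status == 200 and query:
            hits[ip].add(query)
    return hits

def flag_enumeration(hits, threshold=2):
    """Clients that pulled more than `threshold` distinct zones look like enumeration, not a one-off lookup."""
    return sorted(ip for ip, zones in hits.items() if len(zones) > threshold)

if __name__ == "__main__":
    hits = zone_grep_requests(SAMPLE_LOG)
    for ip in flag_enumeration(hits):
        print(f"{ip}: pulled {len(hits[ip])} zones: {sorted(hits[ip])}")
```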
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/