Purchasing the former WHOIS server domain for .mobi top-level doman (TLD) could have allowed countless fraudulent TLS/SSL certificates to be issued to attackers, watchTowr Labs revealed in a blog post Wednesday.
Instead of an attacker, it was watchTowr researchers who purchased the expired whois[.]dotmobiregistry[.]net domain for $20 after the owners of the .mobi WHOIS server migrated to whois[.]nic[.]mobi at some point before December 2023.
Within days, the researchers received about 2.5 million WHOIS queries from more than 135,000 unique systems to their rogue server, indicating that many organizations have failed to update their tooling to recognize the new, correct .mobi WHOIS server.
A malicious actor could have leveraged their access to the outdated domain for various nefarious purposes, including by leveraging vulnerabilities to achieve remote code execution (RCE) via malicious WHOIS records.
However, the most startling discovery was that several certificate authorities that support WHOIS-based ownership verification had also missed the memo about the migration of .mobi server to the new domain, potentially giving watchTowr — or an attacker — the ability to issue themselves countless fraudulent TLS/SLL certificates declaring themselves the owner of any .mobi domain.
watchTowr worked with the United Kingdom’s National Cyber Security Centre (NCSC) and the ShadowServer Foundation to ensure the queries to the old domain were redirected to the legitimate WHOIS server going forward. The research revealed widespread problems with implementation of WHOIS protocol and how abandoned web infrastructure could be hijacked to cause large-scale damage.
Governments, cybersecurity companies, certificate authorities queried outdated WHOIS server
The scope of the problem demonstrated by watchTowr’s purchase of the legacy .mobi WHOIS domain was revealed not only by the volume of queries they received, but also by the types of organizations from which the outdated domain received communications.
The researchers noted numerous .gov (government) and .mil (military) domains communicating with their rogue server, as well as cybersecurity companies, universities (.edu domains), domain registrars and TLS/SSL certificate authorities. Many of the requests came from mail servers, presumably requesting information about .mobi domains from which they had received an email.
watchTowr set up their server to respond to these queries with a benign response that included ASCII art of the watchTowr logo and fake WHOIS details naming watchTowr as the owner of every queried domain.
At attacker, however, could have leveraged these communications to conduct attacks through malicious responses to the WHOIS queries. For example, they could have exploited an older critical bug in the phpWHOIS library, tracked as CVE-2015-5243, which makes it possible to execute arbitrary PHP code through a crafted WHOIS record.
Perhaps more concerningly, that fact that multiple TLS/SSL certificate authorities query the outdated WHOIS server to determine domain ownership meant that an attacker could request certificates for any .mobi domain and obtain a valid certificate as the supposed owners of that domain.
Therefore, an attacker could impersonate a large company by obtaining a certificate for a domain such as microsoft[.]mobi or google[.]mobi. To demonstrate the feasibility of this scenario, the researchers attempted to obtain a certificate for microsoft[.]mobi from certificate authority GlobalSign and successfully received a verification email from GlobalSign. However, the researchers did not complete the verification, so no fraudulent certificate was ever issued in reality.
One of the roots of the problem caused by the migration of the .mobi WHOIS server is the fact that many organizations hard-code the server addresses for TLDs in their WHOIS tooling rather than constantly referencing the updated list published by the Internet Assigned Numbers Authority (IANA), which is the only reliable source for knowing where these servers are located.
The watchTowr research is an especially dangerous example of the problem posed by abandoned web infrastructure. Another example of this problem was the hijacking of the polyfill.io domain, which was included in the popular Polyfill JS open-source project and later purchased by a malicious actor to spread malware through sites that used Polyfill JS.
“We released this blog post to initially share our process around making the unexploitable exploitable and highlight the state of legacy infrastructure and increasing problems associated with abandoned domains — but inadvertently, we have shone a spotlight on the continuing trivial loopholes in one of the Internet’s most vital encryption processes and structures — TLS/SSL Certificate Authorities,” the watchTowr researchers concluded. “Our research has demonstrated that trust placed in this process by governments and authorities worldwide should be considered misplaced at this stage, in our opinion.”
