Trying to get TLS certificates for other mobi domains using expired domain with WHOIS service

Researchers from watchTowr Labs have published the results of an experiment in which they took over the abandoned WHOIS service domain of the registrar for the ".MOBI" zone. The study was prompted by the registrar moving its WHOIS service from whois.dotmobiregistry.net to a new host, whois.nic.mobi. The dotmobiregistry.net domain was then no longer used, and in December 2023 it expired and became available for registration.

The researchers spent $20 to buy the domain and then ran their own fake WHOIS service at whois.dotmobiregistry.net on their server. Surprisingly, many systems had never switched to the new host whois.nic.mobi and continued to use the old name. From August 30 to September 4 of this year, 2.5 million requests to the old name were recorded, sent from more than 135 thousand unique systems.

Among the senders were mail servers of government and military organizations that check domains appearing in email via WHOIS, security companies and security platforms (VirusTotal, Group-IB), as well as certification authorities, domain verification services, SEO services, and domain registrars (e.g., domain.com, godaddy.com, who.is, whois.ru, smallseo.tools, seocheki.net, centralops.net, name.com, urlscan.io, and webchart.org).

The ability to return arbitrary data in response to requests to the old WHOIS service of the ".MOBI" zone was used to develop several types of attacks on the requesters. The first was based on the assumption that anyone still sending requests to a long-replaced service is probably doing so with outdated tools that contain known vulnerabilities.

For example, in 2015 the vulnerability CVE-2015-5243 was found in phpWHOIS, allowing execution of attacker-controlled code when parsing specially crafted data returned by a WHOIS server. Another example is CVE-2021-32749, found in 2021 in the Fail2Ban package, which allows execution of external code when malformed data is returned by the WHOIS service used while generating a blocking notification (Fail2Ban looked up the host administrator's email via WHOIS and passed it to the mail command without properly escaping special characters).

The second attack relies on the fact that some certification authorities allow domain ownership to be verified via the email address listed in the registrar's database, which is accessible over the WHOIS protocol. It turned out that several certification authorities supporting this verification method continue to use the old WHOIS server for the ".MOBI" zone.

Thus, having gained control over the name whois.dotmobiregistry.net, attackers can return their own contact data, pass the verification, and obtain a TLS certificate for any domain in the .MOBI zone. For example, during the experiment the researchers requested a TLS certificate for the microsoft.mobi domain from GlobalSign, and the email "whois@watchTowr.com" returned by the fake WHOIS service was shown in the interface as available for receiving the domain ownership verification code.
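Two defender-side checks follow from the two problems described above (a stale hard-coded WHOIS host, and WHOIS contact data passed unchecked into a command or a validation flow). The example below is added here and is not code from watchTowr or from any of the named projects; the IANA record and the WHOIS reply are constructed samples, not live captures.

```python
import re
from typing import List, Optional

# Constructed sample of an IANA root WHOIS record for the "mobi" TLD (not a live capture).
IANA_MOBI_RECORD = """\
domain:       MOBI
organisation: Example TLD Operator
whois:        whois.nic.mobi
status:       ACTIVE
"""

# Constructed WHOIS reply as a stale or impersonated server could return it.
UNTRUSTED_REPLY = """\
Domain Name: EXAMPLE.MOBI
Registrant Email: admin@example.mobi; echo hello
Admin Email: whois@example.test
"""

# Strict mailbox syntax: no spaces, quotes or shell metacharacters get through.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def authoritative_whois_server(iana_record: str) -> Optional[str]:
    """Extract the current 'whois:' referral from an IANA TLD record."""
    m = re.search(r"^whois:\s*(\S+)\s*$", iana_record, re.MULTILINE)
    return m.group(1).lower() if m else None


def stale_referral(configured: str, iana_record: str) -> bool:
    """True when a client's hard-coded WHOIS host differs from IANA's referral,
    i.e. the situation the .MOBI requesters were in."""
    current = authoritative_whois_server(iana_record)
    return current is not None and configured.lower() != current


def contact_emails(reply: str) -> List[str]:
    """Return only contact emails from a WHOIS reply that pass the strict syntax
    check; a value carrying extra characters is dropped, never passed on to a
    mail command or a domain-validation step."""
    found = []
    for m in re.finditer(r"^(?:Registrant|Admin|Tech) Email:\s*(.+?)\s*$",
                         reply, re.MULTILINE):
        value = m.group(1)
        if _EMAIL_RE.match(value):
            found.append(value)
    return found
```

In a real deployment the IANA record would come from a fresh lookup of the TLD at the root WHOIS server, so that the configured host is compared against the current referral rather than a value baked in years ago.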

Source: opennet.ru