The Glass Cage: Virtualization security - Secure Network

Post on 23-May-2020


The Glass Cage: Virtualization security

Claudio Criscione


Nibble Security

What is this speech about?

Breaking out of the cage vendors are trying to put on your mind!

Virtualization in 3 Minutes

Hardware

Hypervisor

Host Operating System

Design in the virtualization era

Mail Server

Web Server

DNS Server

Firewall

The Original Sin

The original sin: believing that the security of virtualization is the same as that of physical systems

The Original Sin

It is very practical to think about the cloud

It is not really there!

What you have is more systems

If it bleeds...

Hypervisors are running on top of “standard” OS

Linux, Windows 2008, Nemesis

And they are running services as well!

VMSA-0008-0002.1 Patches Virtual Center: running tomcat 5.5.17

VMSA-0008-0015 Patches remote buffer overflow in openwsman

CVE-2007-1321 Heap Overflow in Xen NE2000 network driver

Hyper-V: SMBv2 anyone?

More than just Hypervisors

There's a whole ecosystem around virtualization

Management software, storage managers

Patchers, conversion software

All of them can be hacked!

SN-2009-02 - ToutVirtual VirtualIQ Pro Multiple Vulnerabilities

Insecure clients

Client security

The attack surface is quite large

SSL, web services

Rendering engines, integration & plugins

Auto-update functionalities

MITM against clients? Why not!

With or without null byte

/client/clients.xml

Requested every time VI client connects to a host

<ConfigRoot>
  <clientConnection id="0000">
    <authdPort>902</authdPort>
    <version>3</version>
    <patchVersion>3.0.0</patchVersion>
    <apiVersion>3.1.0</apiVersion>
    <downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl>
  </clientConnection>
</ConfigRoot>

What if we change that XML?

By MitM, or...

Post-exploitation on the host

Demo time

Just woke up? Here's what's going on

VI Client looks for clients.xml; we do some MitM

We use Burp because it rocks and it's easy

Change the clients.xml: P0wned
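As an added illustration (not code from the talk or from VMware), here is a defender-side check in Python: it parses a clients.xml as the VI client receives it and flags any downloadUrl that no longer points at the host the client connected to, or that has been downgraded from HTTPS. The wildcard host `*` is assumed to mean "the host you connected to", and both sample documents below are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the clients.xml shown in the talk, with the wildcard host.
ORIGINAL_XML = """<ConfigRoot>
  <clientConnection id="0000">
    <authdPort>902</authdPort>
    <version>3</version>
    <patchVersion>3.0.0</patchVersion>
    <apiVersion>3.1.0</apiVersion>
    <downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl>
  </clientConnection>
</ConfigRoot>"""

# Constructed sample: the same file after on-path tampering that points the
# client download at a different host over plain HTTP.
TAMPERED_XML = ORIGINAL_XML.replace(
    "https://*/client/VMware-viclient.exe",
    "http://203.0.113.10/client/VMware-viclient.exe")


def check_clients_xml(xml_text, connected_host):
    """Return (connection id, message) findings for each suspicious downloadUrl.

    A finding is raised when the URL is not HTTPS, or when its host is neither
    the wildcard '*' (assumed to mean 'the host I connected to') nor the host
    the client actually connected to.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("clientConnection"):
        url_el = conn.find("downloadUrl")
        if url_el is None or not url_el.text:
            findings.append((conn.get("id"), "missing downloadUrl"))
            continue
        url = urlparse(url_el.text.strip())
        if url.scheme != "https":
            findings.append((conn.get("id"),
                             "downloadUrl not HTTPS: %s" % url_el.text.strip()))
        if url.hostname not in ("*", connected_host.lower()):
            findings.append((conn.get("id"),
                             "downloadUrl points off-host: %s" % url.hostname))
    return findings
```

Run against a captured clients.xml and the ESX host name the client dialled; an empty list means the file still points the client back at that host over HTTPS.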

Administrative Interface Security

Glass windows in the castle

Some of them are even hidden...

...and some of them are broken.

XEN Center Web

Multiple vulnerabilities in the default installation

RCE, File inclusion, XSS

SN-2009-01 – Alberto Trivero & Claudio Criscione

People were actually using it, over the internet

But now it's gone...

VMware Studio

A virtual appliance to build other virtual appliances

Path traversal leading to unauthenticated arbitrary file upload to any directory

SN-2009-03 by Claudio Criscione

Virtualization ASsessment TOolkit

A toolkit for virtualization penetration testing

Currently under development @ Secure Network

Metasploit based

Still in early Alpha stage

Stable modules: Fingerprinting, Brute Forcer

VMware Studio Exploiter

Let's see them (if we have time!)

Everyone has got some...

Ubuntu just launched its Cloud infrastructure. It leverages Eucalyptus

And we have (at least) an XSS in Eucalyptus

VM Hopping

You already knew about that, or at least thought about that

It already happened multiple times, e.g.

CloudBurst on VMware; CVE-2007-1320 on XEN, overflow in Cirrus VGA: see a pattern?

Virtual Appliances

Monitoring systems

Monitoring

Virtual Appliances + Monitoring = Nice Example

Astaro virtual firewall

One pre-auth request to the HTTP interface will result in Astaro doing a DNS query

We won't get the results, but it's a nice one-way covert channel for any blind attack (tnx ikki)

What's most important, no IDS in the network will detect any anomaly. It's all in-memory

Templates

So what

Virtualization Management Review

Virtualization Architecture Review

And now you know VASTO is coming

What about management issues?

VM Sprawl

Segregation of duties

Thank you!

Claudio Criscione
c.criscione@securenetwork.it

@paradoxengine