Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Security Forum 2011: New Technology, Old Mistakes

Hagenberg Security Forum 2011

New Technology, Old Mistakes – Claudio Criscione

Virtualization security is easy…

…[and cloud sec too whilst we’re here]

Should we only care about the hypervisor? No, if we do we’re only looking at a single component of a complex system. There is a high number of technologies used to create an enterprise virtualization technique, and they should all be looked at. We have more problems than just the hypervisor!

Why does everybody think Virtualization security is all about breaking out of the VM?

They’re hard to do… I know of only 1 in the last 5 or 6 years! So, is it really that bad?

In a products youth it’s common to see low hanging fruit… there are also a lot of highly complex attacks that have yet to be explored

After years the low hanging fruit is still there, but more of a “woooops” that got left in.

Evolution of the product moves more towards complex attacks and away from the low hanging fruit.

Taking this theory and examining VMware as an example you get to see a lot of low hanging fruit, and lots of woops!

Tools of the trade

As a child you don’t try to understand a technology, you break it into parts… this is the same thing we want to do. Attack!

After looking for tools, and finding nothing, VASTO was born!

Virtualization ASsessment TOolkit

VASTO is an exploit pack for Metasploit. Beta 0.5 out now (or later today) from vasto.nibblesec.org

Commonly discovered issues that will be discussed .:

  • Secure Updates
  • Insecure Content Download
  • XSS
  • Path Traversal
  • Weak SSL implementations
  • Insecure Log Files

Secure Updates

There are solutions available to secure this… it’s an already solved issues!

However, not for everyone.

E.G VMWare vSphere Client Update Feature performs a GET /client/clients.xml from the server

This XML file contains patch version information, and the download URL to get a new copy of the client!

So, with a MITM attack, you can change the XML file contents! Do you see the problem. Of course SSL is used, but nobody uses a REAL certificate. Everybody uses self-signed certs… and everybody knows what happens then!

Do you want to continue working, or do you want to go home? Just click continue…

Game Over!

VMware have patched this issue, but it took more than 18 months to get patched! This is too long…

Content Download

Private cloud services allow companies to download ready-made compliances. The method used to download the appliance however, is usually flawed and can be MITM’d to inject content into the appliance in transit.

Demo of Apiquo client MITM and appliance replacement.

When the Apiquo client requests a VM, the MITM can replace the contents as no further checks are made on the validity of the contents delivered.


When managing your VM solutions through a web-interface, the security of that infrastructure is of paramount importance.

Web-interfaced run the world!

Demo of vCenter XSS (still unpatched)

All you need to control the infrastructure, is a single XSS

Secure Connections

vCenter is the central hub of an ESX based enterprise solution. If you can MITM the connection between the vCenter and the ESX servers it would be bad… so SSL is used!

Starting from version 4 it checks the cert… before that, it didn’t even check.

After that a pop-up is ALWAYS present, even if the cert if good! Way to condition your admins… and the 1st pop-up only has a close button. The second (all blue, no big red X) lets you say Yes/No… at least.

Oh and the password is sent unhashed within the SSL connection too.

Bad UI implementations are part of the problem!

Path Traversal

Flaw exists in Jetty 6.1.16 (vCenter just includes that version)

As it’s a Windows machine… it’s not easy to exploit.

Still, on VMware there’s a nice log file gift that gives you valid  sessionID’s of users on the web-interface (world readable). This  needs a little bit of coding to exploit. Lucky enough VASTO includes a session_rider module.

Demo of VASTO Autopwn

Automates the exploitation and session riding using the discovered sessionID’s

Lots more attacks… but no time today! It’s not just VMware.

All these bugs are years old, but they’re not going away.

All virtualization and cloud services today are rushed to market. Security is an afterthought.

Now they start to care… but they have years to make up for!

The Hypervisor is fine and secure, but everything around it isn’t

“The limits of your language, are the limits of your world”


Comments are closed.

%d bloggers like this: