Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: security forum

Security Forum Hagenberg 2012 – CFP

The Security Forum is a yearly meeting held at Hagenberg University (this year it takes place on the 18th-19th April). Alongside presentations on the 18th, there are also a number of workshops being held the day after.

Earlier this year I had the pleasure of attending my first Security Forum event at Hagenberg University. As my girlfriend went to Hagenberg it’s one of the first places I got to really spend any time when coming to Austria, so I guess it’ll always have a special place in my heart. It wasn’t until after my girlfriend graduated that I learnt about the Security Forum, and I’ve been trying to get to visit ever since.

The highlight (for me anyway) of last year’s event was Claudio Criscione’s presentation on virtualization security. It was certainly eye-opening how badly some of these systems were configured and what you can do with an exposed admin interface. It’s a hard act to follow, but I hope for some equally good presentations at the 2012 edition.

With that in mind, the Call For Papers is now open (PDF –> EN DE) so get your papers in…

If you’re thinking of attending the conference, please let me know… always good to meet new people and see old friends!

Security Forum 2011: New Technology, Old Mistakes

Hagenberg Security Forum 2011

New Technology, Old Mistakes – Claudio Criscione

Virtualization security is easy…

…[and cloud sec too whilst we’re here]

Should we only care about the hypervisor? No, if we do we’re only looking at a single component of a complex system. There are a large number of technologies used to create an enterprise virtualization solution, and they should all be looked at. We have more problems than just the hypervisor!

Why does everybody think Virtualization security is all about breaking out of the VM?

They’re hard to do… I know of only 1 in the last 5 or 6 years! So, is it really that bad?

In a product’s youth it’s common to see low hanging fruit… there are also a lot of highly complex attacks that have yet to be explored.

After years the low hanging fruit is still there, but more of a “woooops” that got left in.

Evolution of the product moves more towards complex attacks and away from the low hanging fruit.

Taking this theory and examining VMware as an example you get to see a lot of low hanging fruit, and lots of woops!

Tools of the trade

As a child you don’t try to understand a technology, you break it into parts… this is the same thing we want to do. Attack!

After looking for tools, and finding nothing, VASTO was born!

Virtualization ASsessment TOolkit

VASTO is an exploit pack for Metasploit. Beta 0.5 out now (or later today) from vasto.nibblesec.org

Commonly discovered issues that will be discussed .:

  • Secure Updates
  • Insecure Content Download
  • XSS
  • Path Traversal
  • Weak SSL implementations
  • Insecure Log Files

Secure Updates

There are solutions available to secure this… it’s an already solved issue!

However, not for everyone.

E.g. the VMware vSphere Client update feature performs a GET /client/clients.xml from the server.

This XML file contains patch version information, and the download URL to get a new copy of the client!

So, with a MITM attack, you can change the XML file contents! Do you see the problem? Of course SSL is used, but nobody uses a REAL certificate. Everybody uses self-signed certs… and everybody knows what happens then!

Do you want to continue working, or do you want to go home? Just click continue…

Game Over!

VMware have patched this issue, but it took more than 18 months to get patched! This is too long…

Content Download

Private cloud services allow companies to download ready-made appliances. The method used to download the appliance, however, is usually flawed and can be MITM’d to inject content into the appliance in transit.

Demo of Abiquo client MITM and appliance replacement.

When the Abiquo client requests a VM, the MITM can replace the contents as no further checks are made on the validity of the contents delivered.
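Both the clients.xml update flaw and the appliance download flaw above come down to the same two missing controls: the client never actually verified the server’s certificate, and it never checked the integrity of what it fetched. The following is an added illustration (not code from the talk, VASTO or VMware) of what a defensively written update client does instead: a TLS context that refuses self-signed or mismatched certificates rather than prompting, a manifest parser that only accepts HTTPS download URLs on the already-authenticated server, and a digest check on the downloaded bytes. The manifest layout, hostnames and installer bytes are constructed for the example; the real clients.xml format is not described beyond “version and download URL”, so the sha256 attribute is an assumption (a signed manifest would be stronger still, but needs a third-party library).

```python
import hashlib
import hmac
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed stand-in for the installer bytes; not a real VMware artefact.
SAMPLE_PAYLOAD = b"constructed stand-in for the vSphere client installer"


def sample_manifest(url="https://vcenter.example.test/client/VMware-viclient.exe"):
    """Constructed clients.xml-style manifest (element and attribute names are
    assumptions; the digest is what a trusted publisher would embed)."""
    digest = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()
    return f'<clients><client version="4.1.0" url="{url}" sha256="{digest}"/></clients>'.encode()


def strict_tls_context(ca_file=None):
    """Context that rejects self-signed or mismatched certs instead of asking the
    admin to click 'continue'. Pass the enterprise CA bundle as ca_file."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_strict(ctx):
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def parse_manifest(xml_bytes, expected_host):
    """Accept only HTTPS download URLs on the server we already authenticated."""
    entries = []
    for c in ET.fromstring(xml_bytes).iter("client"):  # use defusedxml in production
        url = c.get("url", "")
        parts = urlparse(url)
        if parts.scheme != "https":
            raise ValueError(f"refusing non-HTTPS download URL: {url}")
        if parts.hostname != expected_host:
            raise ValueError(f"download host {parts.hostname!r} != {expected_host!r}")
        digest = c.get("sha256", "").lower()
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError("manifest entry has no usable sha256 digest")
        entries.append({"version": c.get("version"), "url": url, "sha256": digest})
    if not entries:
        raise ValueError("manifest lists no clients")
    return entries


def check_update(manifest_xml, server_host, downloaded):
    """Return the version only if the downloaded bytes match the manifest digest."""
    latest = parse_manifest(manifest_xml, server_host)[0]
    actual = hashlib.sha256(downloaded).hexdigest()
    if not hmac.compare_digest(actual, latest["sha256"]):  # constant-time compare
        raise ValueError("downloaded installer does not match manifest digest")
    return latest["version"]
```

The digest only helps once the manifest itself arrives over a connection built with `strict_tls_context`; a client that still lets the admin click past a certificate warning has gained nothing.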


When managing your VM solutions through a web-interface, the security of that infrastructure is of paramount importance.

Web interfaces run the world!

Demo of vCenter XSS (still unpatched)

All you need to control the infrastructure, is a single XSS

Secure Connections

vCenter is the central hub of an ESX based enterprise solution. If you can MITM the connection between the vCenter and the ESX servers it would be bad… so SSL is used!

Starting from version 4 it checks the cert… before that, it didn’t even check.

After that a pop-up is ALWAYS present, even if the cert is good! Way to condition your admins… and the 1st pop-up only has a close button. The second (all blue, no big red X) lets you say Yes/No… at least.

Oh and the password is sent unhashed within the SSL connection too.

Bad UI implementations are part of the problem!

Path Traversal

Flaw exists in Jetty 6.1.16 (vCenter just includes that version)

As it’s a Windows machine… it’s not easy to exploit.

Still, on VMware there’s a nice log file gift that gives you valid sessionIDs of users on the web-interface (world readable). This needs a little bit of coding to exploit. Luckily enough VASTO includes a session_rider module.

Demo of VASTO Autopwn

Automates the exploitation and session riding using the discovered sessionIDs.

Lots more attacks… but no time today! It’s not just VMware.

All these bugs are years old, but they’re not going away.

All virtualization and cloud services today are rushed to market. Security is an afterthought.

Now they start to care… but they have years to make up for!

The Hypervisor is fine and secure, but everything around it isn’t

“The limits of your language, are the limits of your world”


Security Forum (Hagenberg)

I guess every cloud has a silver lining… unless it’s a cloud service provider obviously! So, despite having to cancel my planned trip to Japan due to the unfortunate happenings over there at the moment, I do get to attend this year’s Security Forum at Hagenberg University of Applied Sciences.

The Security Forum is a yearly meeting held at Hagenberg University (this year it takes place on the 6th-7th April). Alongside presentations on the 6th, there are also a number of workshops being held on the 7th.

Although I’ve always wanted to attend the Security Forum events, I’ve never really had the chance due to other overlapping commitments. It’ll be nice to meet up with some Austrian security professionals and talk shop for once… not to mention the need to get a t-shirt with the cool HK logo on it 😀

Taking a look through the schedule, there are a couple of very interesting talks I’d like to catch at the event .:

I’ll try to do some “speed blogging” from the event if the situation allows… but my German isn’t up to scratch when it comes to blogging in 2 languages! We’ll have to see how it goes 😉 Still it will be good to meet up with Claudio again and talk over a beer!

If you’re attending the conference, please let me know!