[Confidence0902] The Glass Cage - Virtualization Security

The Glass Cage Virtualization security Claudio Criscione

Nibble Security Claudio Criscione

What is this speech about? Breaking out of the cage vendors are trying to put on your mind!

Virtualization in 3 Minutes Hypervisor Host Operating System Hardware

Design in the virtualization era DNS Server Mail Server Firewall Web Server

Il peccato originale – la sicurezza della virt è uguale a quella fisica The Original Sin The Original Sin

It is very practical to think about the cloud It is not really there! What you have is more systems

If it bleeds...

Hypervisors are running on top of “standard” OS Linux, Windows 2008, Nemesis And they are running services as well!

VMSA-0008-0002.1 Patches Virtual Center: running tomcat 5.5.17 VMSA-0008-0015 Patches remote buffer overflow in openwsman CVE-2007-1321 Heap Overflow in Xen NE2000 network driver Hyper-V SMBv2 anyone?

More than just Hypervisors

There's a whole ecosystem around virtualization Management software Storage managers Patchers Conversion software All of them can be hacked! SN-2009-02 - ToutVirtual VirtualIQ Pro Multiple Vulnerabilities

Client insicuri Client security

The attack surface is quite large SSL Web Services Rendering engines Integration & Plugins Auto-update functionalities

MITM Against Clients? Why not! With or without null byte

/client/clients.xml Requested every time VI client connects to a host <ConfigRoot> <clientConnection id="0000"> <authdPort>902</authdPort> <version>3</version> <patchVersion>3.0.0</patchVersion> <apiVersion>3.1.0</apiVersion> <downloadUrl>https://*/client/VMware- viclient.exe</downloadUrl> </clientConnection> </ConfigRoot>

What if we change that XML? By MitM or Post-exploitation on the host Demo time

Just woke up? Here's what's going on VI Client looks for clients.xml We do some MiTM We use Burp because it rocks and it's easy Change the clients.xml P0wned

Administrative Interface Security Glass windows in the castle

Some of them are even hidden...

...and some of them are broken.

XEN Center Web Multiple vulnerabilities in the default installation RCE, File inclusion, XSS SN-2009-01 – Alberto Trivero & Claudio Criscione

People were actually using it, over the internet But now it's gone...

VMware Studio A virtual appliance to build other virtual appliances Path traversal leading to unauthenticated arbitrary file upload to any directory SN-2009-03 by Claudio criscione

Virtualization ASsessment TOolkit A toolkit for virtualization penetration testing Currently under development @ Secure Network Metasploit based

Still in early Alpha stage Stable modules: Fingerprinting Brute Forcer VMware Studio Exploiter Let's see them (if we have time!)

Everyone has got some... Ubuntu just launched its Cloud infrastructure It leverages Eucalyptus And we have (at least) an XSS in Eucalytpus

VM hopping VM Hopping

You already knew about that, or at least thought about that It already happened multiple times, e.g. CloudBurst on VMware CVE-2007-1320 on XEN Overflow in Cirrus VGA: see a pattern?

Virtual Appliances Virtual Appliances

Sistemi di monitoraggio Monitoring

Virtual Appliances + Monitoring = Nice Example Astaro virtual firewall

One pre-auth request to the HTTP interface will result in Astaro doing a DNS query We won't get the results, but it's a nice one-way covert channel for any blind attack (tnx ikki) What's most important, no IDS in the network will detect any anomaly. It's all in-memory

Templates

So what

Virtualization Management Review Virtualization Architecture Review And now you know VASTO is coming

What about management issues?

VMSprawl VM Sprawl

Segregation of duties Segregation of duties

Thank you! Claudio Criscione c.criscione@securenetwork.it @paradoxengine

http://vasto.nibblesec.org	4394
http://blog.nibblesec.org	429
http://feeds2.feedburner.com	40
http://translate.googleusercontent.com	27
http://www.slideshare.net	11
http://feeds.feedburner.com	5
http://webcache.googleusercontent.com	4
http://flavors.me	2
http://www.linkedin.com	2
https://translate.googleusercontent.com	1
http://www.lmodules.com	1

[Confidence0902] The Glass Cage - Virtualization Security

by Claudio Criscione

Accessibility

Categories

Upload Details

Usage Rights

11 Embeds 4,916

Statistics

[Confidence0902] The Glass Cage - Virtualization Security Presentation Transcript