[Confidence0902] The Glass Cage - Virtualization Security



The Glass Cage, the presentation I gave at Confidence 2009-02 about virtualization security, detailing various attack patterns against virtualization infrastructures.


Presentation Transcript

  • The Glass Cage Virtualization security Claudio Criscione
  • Nibble Security Claudio Criscione
  • What is this speech about? Breaking out of the cage vendors are trying to put on your mind!
  • Virtualization in 3 Minutes: Hypervisor; Host Operating System; Hardware
  • Design in the virtualization era: DNS Server, Mail Server, Firewall, Web Server
  • The Original Sin: virtualization security is the same as physical security
  • It is very practical to think about the cloud. It is not really there! What you have is more systems
  • If it bleeds...
  • Hypervisors are running on top of “standard” OS: Linux, Windows 2008, Nemesis. And they are running services as well!
  • VMSA-0008-0002.1 patches Virtual Center (running tomcat 5.5.17); VMSA-0008-0015 patches remote buffer overflow in openwsman; CVE-2007-1321: heap overflow in Xen NE2000 network driver; Hyper-V SMBv2 anyone?
  • More than just Hypervisors
  • There's a whole ecosystem around virtualization: management software, storage managers, patchers, conversion software. All of them can be hacked! SN-2009-02 - ToutVirtual VirtualIQ Pro Multiple Vulnerabilities
  • Insecure clients: Client security
  • The attack surface is quite large: SSL, Web Services, rendering engines, integration & plugins, auto-update functionalities
  • MITM Against Clients? Why not! With or without null byte
  • /client/clients.xml: requested every time VI client connects to a host
    <ConfigRoot>
      <clientConnection id="0000">
        <authdPort>902</authdPort>
        <version>3</version>
        <patchVersion>3.0.0</patchVersion>
        <apiVersion>3.1.0</apiVersion>
        <downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl>
      </clientConnection>
    </ConfigRoot>
  • What if we change that XML? By MitM or post-exploitation on the host. Demo time
  • Just woke up? Here's what's going on: VI Client looks for clients.xml; we do some MiTM (we use Burp because it rocks and it's easy); change the clients.xml; P0wned
  • Administrative Interface Security Glass windows in the castle
  • Some of them are even hidden...
  • ...and some of them are broken.
  • XEN Center Web: multiple vulnerabilities in the default installation (RCE, file inclusion, XSS). SN-2009-01 – Alberto Trivero & Claudio Criscione
  • People were actually using it, over the internet. But now it's gone...
  • VMware Studio: a virtual appliance to build other virtual appliances. Path traversal leading to unauthenticated arbitrary file upload to any directory. SN-2009-03 by Claudio Criscione
  • Virtualization ASsessment TOolkit: a toolkit for virtualization penetration testing. Currently under development @ Secure Network. Metasploit based
  • Still in early Alpha stage. Stable modules: Fingerprinting, Brute Forcer, VMware Studio Exploiter. Let's see them (if we have time!)
  • Everyone has got some... Ubuntu just launched its Cloud infrastructure. It leverages Eucalyptus. And we have (at least) an XSS in Eucalyptus
  • VM Hopping
  • You already knew about that, or at least thought about that. It already happened multiple times, e.g. CloudBurst on VMware, CVE-2007-1320 on XEN. Overflow in Cirrus VGA: see a pattern?
  • Virtual Appliances
  • Monitoring systems
  • Virtual Appliances + Monitoring = Nice Example: Astaro virtual firewall
  • One pre-auth request to the HTTP interface will result in Astaro doing a DNS query. We won't get the results, but it's a nice one-way covert channel for any blind attack (tnx ikki). What's most important, no IDS in the network will detect any anomaly. It's all in-memory
  • Templates
  • So what
  • Virtualization Management Review; Virtualization Architecture Review. And now you know VASTO is coming
  • What about management issues?
  • VM Sprawl
  • Segregation of duties
  • Thank you! Claudio Criscione c.criscione@securenetwork.it @paradoxengine