AVTOKYO2018 - Revealing hidden data behind cloud front

Amazon CloudFront is a content delivery network (CDN) service. It offers several configurations so that it can deliver content to clients at high transfer speed and with easy access. However, misconfigurations can cause a security issue.
During a penetration test project we found a curious host that was accessible only via CloudFront. We also found that someone had stored sensitive information, such as an FTP hostname and credentials, on that host. This session presents the issue, the further research we did to identify its cause, and our attempt to find more such hosts.

Published in: Internet
1. Title slide: Revealing hidden data behind CloudFront (Japanese title, translated: "We were looking at CloudFront and found some rather alarming data"). AVTOKYO 2018. Mitsuyoshi Ozaki, Mitsuaki (Mitch) Shiraishi, Satomi Komine. Security and Risk Consulting, SecureWorks Japan. November 3, 2018.
2. Who are we? Security consultants from Secureworks.
   - Mitsuyoshi Ozaki (Ozzy): 1st author; utility player (app sec / net sec / mobile sec / Red Team...)
   - Mitsuaki (Mitch) Shiraishi: co-researcher; Red Team tech lead
   - Satomi Komine (Satomi): co-researcher; app sec / admin
3. Agenda: Overview, Introduction, Finding hidden data, Further research, Discussion, Conclusion.
4. Overview
   - We identified a curious host during a penetration test
   - The host was accessible only via CloudFront
   - Someone had stored sensitive information, such as an FTP hostname and credentials, on it
   - We attempted to identify the cause of the issue and to find more such hosts
5. Introduction
   - We identified an HTTP open proxy during a penetration test
   - What is an open proxy: a proxy server that relays requests from one host on the internet to another host on the internet
   - How to check: (1) set the target host as a proxy and access the testing server; (2) if we get the expected response, the target host is vulnerable
   - [Diagram: User -> (1) target host (open proxy) -> (2) web server]
6. Introduction
   - We identified a curious host: it worked as an open proxy, but its behavior depended on the destination host: a normal response for one host, an error for another
   - While investigating we determined that it was placed in CloudFront: if the destination host is also in CloudFront, the target host works as a proxy; otherwise we got an error
7. Introduction: what is CloudFront
   - A CDN (Content Delivery Network) provided by AWS
   - An edge location is placed in front of the origin server
   - If a cached copy is available, the edge location returns it to the user; if not, the edge location requests the content from the origin server
   - [Diagram: User -> edge location (cache) -> origin server (content)]
8. Introduction: how CloudFront works
   - [Diagram: User -> edge location -> Website A (CloudFront), Website B (CloudFront), Website C (external network), routes 1, 2 and 3]
   - Route 1: accessible
   - Route 2: accessible (using the first edge location as a proxy, then accessing the second one)
   - Route 3: not accessible
   - According to AWS, this is intended behavior (not a bug)
9. Finding hidden data
   - Then we attempted to access URLs with popular domain names
   - A curious domain was running under one popular domain name... S3? (screenshot omitted)
10. Finding hidden data
   - Some filenames in the S3 index XML
   - Hacked hosts and FTP credentials in a file (screenshot omitted)
11. Finding hidden data
   - An online name was displayed. The site owner? (screenshot omitted)
12. Finding hidden data
   - Searched on social networking sites; identified a security researcher (screenshot omitted)
13. Finding hidden data
   - He hides his research results behind CloudFront
   - However, a popular domain name was set to specify the data location
   - As a result, we could identify such hidden data
14. Further research. Now we have questions: What caused the issue? How to fix it? How about other domains?
15. Further research: what caused the issue?
   - Reviewed the configurations regarding domain names in CloudFront and S3
   - Alternate Domain Names (CNAMEs) can be set on a CloudFront edge
16. Further research: what caused the issue? Let's start the experiment! We built the following environment, then tried accessing "ozzy-research01.com".
   - [Diagram: User -> edge location (proxy) -> edge location (CNAMEs: ozzy-research01.com) -> origin server (S3) holding test.txt]
17. Further research: what caused the issue?
   - Set "ozzy-research01.com" as a CNAME. We do NOT own this domain.
   - CloudFront does NOT check whether the domain exists or whether the user actually owns it.
   - Only if the domain is already assigned to another edge do we get a validation error.
18. Further research: what caused the issue?
   - Built an S3 bucket and placed a test file (test.txt) in it
   - Bound it to the CloudFront edge
19. Further research: what caused the issue?
   - "ozzy-research01.com" is not registered in DNS
   - However, it is accessible via the CloudFront edge
20. Further research: what caused the issue?
   - CloudFront distributes and caches content specified using CNAMEs
   - Indirectly, CloudFront does not validate CNAMEs properly
21. Further research: how to fix it? We recommend removing the three things that specify the content:
   - 1. Remove the content from the S3 bucket
   - 2. Remove the CNAMEs from CloudFront (continued on the next slide)
   - [Diagram: User -> edge location (proxy) -> edge location (CNAMEs: ozzy-research01.com, cache) -> origin server (S3, content)]
22. Further research: how to fix it? Even if the content and CNAMEs are removed, the cache may remain until the TTL (time to live) expires, so...
   - 3. Invalidate the cache using the "Invalidations" function
   - Setting a small TTL (e.g. 30 sec) may be a mitigation, but it may reduce performance.
23. Further research: how to fix it?
   - Remove the original content
   - Remove the CNAME settings
   - Invalidate the cache
24. Further research: how about other domains? Let's start the experiment!
   - Access more domains using the same method
   - Target: the Moz Top 500 domains (https://moz.com/top500)
   - [Diagram: User -> edge location (proxy) -> popular domains]
25. Further research: how about other domains? Summary of results:
   - "200 OK" from 6 hosts
   - Identified curious content on 2 hosts
   - Unfortunately, most domains returned a 403 error
   - Status code counts: 200 OK: 6; 301 Moved Permanently: 26; 302 Found: 3; 403 Forbidden: 460; 404 Not Found: 1; 502 Bad Gateway: 1; 503 Service Unavailable: 3
26. Further research: how about other domains? One example: http://youtube.com/ showed an Apache / Tomcat default page and version information.
27. Discussion
   - Sensitive information may be stored on other domains
   - Other CDN services may have similar behavior
   - This can be a theme for further research
28. Discussion: how to utilize the issue. For penetration testers / Red Team testers:
   - OSINT research
   - Build a C2 server (domain fronting): a C2 server with a reputable domain name may bypass reputation checks
   - Build a phishing site (domain hijacking): a phishing site with a reputable domain name
   - [Diagram: User -> edge server (reputable domain) -> edge for C2 server (reputable domain in CNAMEs) -> origin C2 server]
29. Discussion: how to utilize the issue. For CloudFront users / Blue Team: quite difficult...
   - Check whether your domain has already been assigned as a CNAME: submit the configuration to check; if you get an error, the domain has already been assigned and may be misused.
   - Remove unintended content if there is any
   - Check the side effects of each configuration
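As an added defender-side example (not code from the talk), the following Python audits a distribution's Alternate Domain Names for the conditions in slides 17-20 and 29 and appends the cache-invalidation step from slide 22. The JSON field names are the real ones from `aws cloudfront get-distribution-config`; the sample config, the owned-domain allowlist, the distribution hostname and the DNS table are constructed, and the resolver is an injected callable so the block runs offline.

```python
"""Audit a CloudFront distribution's alternate domain names (CNAMEs).
Input is the JSON from `aws cloudfront get-distribution-config` (real field
names, constructed sample values); the DNS resolver is injected so it runs offline."""
import json
from typing import Callable, List, Optional

# Constructed sample mirroring the experiment: an alias the account does not
# own and that is absent from DNS, next to one legitimate alias.
SAMPLE_CONFIG = json.loads("""{
  "DistributionConfig": {
    "Aliases": {"Quantity": 2, "Items": ["ozzy-research01.com", "cdn.example.org"]},
    "Origins": {"Quantity": 1, "Items": [
      {"Id": "s3-origin", "DomainName": "example-bucket.s3.amazonaws.com"}]},
    "DefaultCacheBehavior": {"MinTTL": 0, "DefaultTTL": 86400, "MaxTTL": 31536000}
  }
}""")
OWNED_DOMAINS = {"example.org"}                  # constructed allowlist
DIST_DOMAIN = "d111111abcdef8.cloudfront.net"    # placeholder distribution host

def _owned(alias: str) -> bool:
    return any(alias == d or alias.endswith("." + d) for d in OWNED_DOMAINS)

def audit(config: dict, dist_domain: str,
          lookup: Callable[[str], Optional[str]]) -> List[str]:
    """Return findings per alias. `lookup(name)` gives the CNAME target of
    `name` or None when the name does not resolve at all (slide 19: served by
    the edge although absent from DNS). Back it with a real resolver in use."""
    cfg = config["DistributionConfig"]
    ttl = cfg["DefaultCacheBehavior"]["DefaultTTL"]
    findings: List[str] = []
    for alias in cfg["Aliases"].get("Items", []):
        if not _owned(alias):
            findings.append(f"{alias}: not an owned domain, remove this CNAME")
        target = lookup(alias)
        if target is None:
            findings.append(f"{alias}: not registered in DNS, yet the edge serves it")
        elif target != dist_domain:
            findings.append(f"{alias}: DNS points at {target}, not this distribution")
    # Removing content and CNAMEs leaves cached copies until the TTL expires
    # (slide 22), so any finding also calls for an explicit invalidation.
    if findings and ttl > 0:
        findings.append(f"cache: invalidate now rather than waiting {ttl} s for TTL")
    return findings

def demo() -> List[str]:
    """Audit the constructed sample with a fake resolver (no network)."""
    fake_dns = {"cdn.example.org": DIST_DOMAIN}   # ozzy-research01.com is absent
    return audit(SAMPLE_CONFIG, DIST_DOMAIN, fake_dns.get)
```

The slide-29 check for whether someone else has already claimed your domain requires a live API call (submitting the alias to your own distribution and watching for the validation error), which this offline block does not make.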
30. Conclusion. We showed:
   - Misconfiguration in CloudFront may cause sensitive data exposure
   - Other domains or other CDN services may expose data as well
   - How to utilize the issue from the attacker's and the defender's points of view
   - Doing security research is a lot of fun
31. About this document: The copyright of this document belongs to Secureworks Japan K.K. Reproducing, reprinting or editing any part or all of it without permission, and any disclosure to unauthorized third parties, are prohibited. Company names, product names and trademarks used in this document belong to their respective holders. © Copyright 2018 Secureworks Inc. Thank you!
