[Confidence0902] The Glass Cage - Virtualization Security

8,617 views

Published on

The Glass Cage, the presentation I gave at Confidence 2009-02 about virtualization security, detailing various attack patterns to virtualization infrastructures.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
8,617
On SlideShare
0
From Embeds
0
Number of Embeds
6,656
Actions
Shares
0
Downloads
70
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

[Confidence0902] The Glass Cage - Virtualization Security

  1. 1. The Glass Cage Virtualization security Claudio Criscione
  2. 2. Claudio Criscione Nibble Security
  3. 3. What is this speech about? Breaking out of the cage vendors are trying to put on your mind!
  4. 4. Virtualization in 3 Minutes Hardware Hypervisor Host Operating System
  5. 5. Design in the virtualization era Mail Server Web Server DNS Server Firewall
  6. 6. The Original Sin Il peccato originale – la sicurezza della virt è uguale a quella fisica The Original Sin The Original Sin
  7. 7. It is very practical to think about the cloud It is not really there! What you have is more systems
  8. 8. If it bleeds...
  9. 9. Hypervisors are running on top of “standard” OS Linux, Windows 2008, Nemesis And they are running services as well!
  10. 10. VMSA-0008-0002.1 Patches Virtual Center: running tomcat 5.5.17 VMSA-0008-0015 Patches remote buffer overflow in openwsman CVE-2007-1321 Heap Overflow in Xen NE2000 network driver Hyper-V SMBv2 anyone?
  11. 11. More than just Hypervisors
  12. 12. There's a whole ecosystem around virtualization Management software Storage managers Patchers Conversion software All of them can be hacked! SN-2009-02 - ToutVirtual VirtualIQ Pro Multiple Vulnerabilities
  13. 13. Client insicuri Client security
  14. 14. The attack surface is quite large SSL Web Services Rendering engines Integration & Plugins Auto-update functionalities
  15. 15. MITM Against Clients? Why not! With or without null byte
  16. 16. /client/clients.xml Requested every time VI client connects to a host <ConfigRoot> <clientConnection id="0000"> <authdPort>902</authdPort> <version>3</version> <patchVersion>3.0.0</patchVersion> <apiVersion>3.1.0</apiVersion> <downloadUrl>https://*/client/VMware- viclient.exe</downloadUrl> </clientConnection> </ConfigRoot>
  17. 17. What if we change that XML? By MitM or Post-exploitation on the host Demo time
  18. 18. Just woke up? Here's what's going on VI Client looks for clients.xml We do some MiTM We use Burp because it rocks and it's easy Change the clients.xml P0wned
  19. 19. Administrative Interface Security Glass windows in the castle
  20. 20. Some of them are even hidden...
  21. 21. ...and some of them are broken.
  22. 22. XEN Center Web Multiple vulnerabilities in the default installation RCE, File inclusion, XSS SN-2009-01 – Alberto Trivero & Claudio Criscione
  23. 23. People were actually using it, over the internet But now it's gone...
  24. 24. VMware Studio A virtual appliance to build other virtual appliances Path traversal leading to unauthenticated arbitrary file upload to any directory SN-2009-03 by Claudio criscione
  25. 25. Virtualization ASsessment TOolkit A toolkit for virtualization penetration testing Currently under development @ Secure Network Metasploit based
  26. 26. Still in early Alpha stage Stable modules: Fingerprinting Brute Forcer VMware Studio Exploiter Let's see them (if we have time!)
  27. 27. Everyone has got some... Ubuntu just launched its Cloud infrastructure It leverages Eucalyptus And we have (at least) an XSS in Eucalytpus
  28. 28. VM hopping VM Hopping
  29. 29. You already knew about that, or at least thought about that It already happened multiple times, e.g. CloudBurst on VMware CVE-2007-1320 on XEN Overflow in Cirrus VGA: see a pattern?
  30. 30. Virtual Appliances Virtual Appliances
  31. 31. Sistemi di monitoraggio Monitoring
  32. 32. Virtual Appliances + Monitoring = Nice Example Astaro virtual firewall
  33. 33. One pre-auth request to the HTTP interface will result in Astaro doing a DNS query We won't get the results, but it's a nice one-way covert channel for any blind attack (tnx ikki) What's most important, no IDS in the network will detect any anomaly. It's all in-memory
  34. 34. Templates
  35. 35. So what
  36. 36. Virtualization Management Review Virtualization Architecture Review And now you know VASTO is coming
  37. 37. What about management issues?
  38. 38. VMSprawl VM Sprawl
  39. 39. Segregation of duties Segregation of duties
  40. 40. Thank you! Claudio Criscione c.criscione@securenetwork.it @paradoxengine

×