The Glass Cage, the presentation I gave at Confidence 2009-02 about virtualization security, detailing various attack patterns to virtualization infrastructures.

1. The Glass Cage
Virtualization security
Claudio Criscione

2. Claudio
Criscione
Nibble Security

3. What is this speech about?
Breaking out of the cage
vendors are trying to put
on your mind!

4. Virtualization in 3 Minutes
Hardware
Hypervisor
Host Operating System

5. Design in the virtualization era
Mail Server
Web Server
DNS Server
Firewall

6. The Original Sin
Il peccato originale – la sicurezza
della virt è uguale a quella fisica
The Original Sin
The Original Sin

7. It is very practical to think about the cloud
It is not really there!
What you have is more systems

8. If it bleeds...

9. Hypervisors are running on top of “standard” OS
Linux, Windows 2008, Nemesis
And they are running services as well!

10. VMSA-0008-0002.1
Patches Virtual Center: running tomcat 5.5.17
VMSA-0008-0015
Patches remote buffer overflow in openwsman
CVE-2007-1321
Heap Overflow in Xen NE2000 network driver
Hyper-V
SMBv2 anyone?

11. More than just Hypervisors

12. There's a whole ecosystem around virtualization
Management software
Storage managers
Patchers
Conversion software
All of them can be hacked!
SN-2009-02 - ToutVirtual VirtualIQ Pro
Multiple Vulnerabilities

13. Client insicuri
Client security

14. The attack surface is quite large
SSL
Web Services
Rendering engines
Integration & Plugins
Auto-update functionalities

15. MITM Against Clients?
Why not!
With or without null byte

16. /client/clients.xml
Requested every time VI client connects to a host
<ConfigRoot>
<clientConnection id="0000">
<authdPort>902</authdPort>
<version>3</version>
<patchVersion>3.0.0</patchVersion>
<apiVersion>3.1.0</apiVersion>
<downloadUrl>https://*/client/VMware-
viclient.exe</downloadUrl>
</clientConnection>
</ConfigRoot>

17. What if we change that XML?
By MitM
or
Post-exploitation on the host
Demo time

18. Just woke up?
Here's what's going on
VI Client looks for clients.xml
We do some MiTM
We use Burp because it rocks and it's easy
Change the clients.xml
P0wned

19. Administrative
Interface
Security
Glass windows
in the castle

20. Some of them are even hidden...

22. ...and some of them are broken.

23. XEN Center Web
Multiple vulnerabilities in the default installation
RCE, File inclusion, XSS
SN-2009-01 – Alberto Trivero & Claudio Criscione

24. People were actually using it, over the internet
But now it's gone...

26. VMware Studio
A virtual appliance to build other virtual appliances
Path traversal leading to unauthenticated arbitrary
file upload to any directory
SN-2009-03 by Claudio criscione

27. Virtualization ASsessment TOolkit
A toolkit for virtualization penetration testing
Currently under development @ Secure Network
Metasploit based

28. Still in early Alpha stage
Stable modules:
Fingerprinting
Brute Forcer
VMware Studio Exploiter
Let's see them (if we have time!)

29. Everyone has got some...
Ubuntu just launched its Cloud infrastructure
It leverages Eucalyptus
And we have (at least) an XSS in Eucalytpus

30. VM hopping
VM Hopping

31. You already knew about that, or at least
thought about that
It already happened multiple times, e.g.
CloudBurst on VMware
CVE-2007-1320 on XEN
Overflow in Cirrus VGA: see a pattern?

32. Virtual Appliances
Virtual Appliances

33. Sistemi di monitoraggio
Monitoring

34. Virtual Appliances + Monitoring = Nice Example
Astaro virtual firewall

35. One pre-auth request to the HTTP interface will
result in Astaro doing a DNS query
We won't get the results, but it's a nice one-way
covert channel for any blind attack (tnx ikki)
What's most important, no IDS in the network will
detect any anomaly. It's all in-memory

36. Templates

37. So what

38. Virtualization Management Review
Virtualization Architecture Review
And now you know VASTO is coming

39. What about management issues?

40. VMSprawl
VM Sprawl

41. Segregation of duties
Segregation of duties

42. Thank you!
Claudio Criscione
c.criscione@securenetwork.it
@paradoxengine