2. Story Line
• Background
• Which path to take
• Available attack space
• What’s available
• Review
• A new path
3. The Cloud – a quick history lesson
• Memo sent from J.C.R. Licklider to his colleagues in 1963 titled:
“MEMORANDUM FOR: Members and Affiliates of the Intergalactic
Computer Network”
– Set the foundations for the concepts we find in the Internet and Cloud
computing
• Popek and Goldberg, 1974: "Formal Requirements for Virtualizable
Third Generation Architectures"
– Defined the virtualisation requirements: Equivalence, Resource Control,
Efficiency
• Timeline:
– 1998: VMware founded
– 1999: Salesforce online
– 2002: Amazon Web Services available
– 2003: Public release of Xen
– 2006: Amazon EC2 born
– 2008: Microsoft Hyper-V
4. What does it mean
• To the oldies (those that remember the 60’s and
70’s): Isn’t this just time-share computing?
• To the youth (those who don’t know what
assembler is and can’t remember, BBS’s, Monkey
Island or Elite): Everything is shared everywhere
and accessible anywhere. Why didn’t it always
work this way?
• To the hacker: Thankfully I now only have to
attack one platform.....perhaps
5. Cloud perspectives
• Cloud in 4D:
– Cloud clients: Web browsers, Mobile applications, Thin clients
– SaaS: CRM, Email, Virtual desktops, Games
– PaaS: Databases, Web servers
– IaaS: Virtual Machines, Servers, Storage, Networks
6. Hacking at the periphery
• Socially-based cloud services: Facebook, Twitter,
iCloud, Dropbox, SkyDrive, etc.
• The now infamous Mat Honan hack, the loss of his
digital life
– Accounts daisy-chained
– No two-factor authentication
– No backups
Out of scope for this talk. Traditional spear-phishing
methods can be utilised
7. Focus of this talk: IaaS
• SaaS: Leave it to the web security guys
• PaaS: Could be interesting but focuses more
on services
• IaaS:
– Combines technologies
– Attack surface is large
– Brings the most control
– Break out can lead to complete control of an
infrastructure
8. IaaS
• So things should be easy now we have focus
right?
– Wrong
• The IaaS world is filling with vendors*:
– Hyper-V (Microsoft)
– VirtualBox (Oracle)
– Xen (Cambridge Computer Laboratory, open source)
– VMware (EMC)
* Remind anyone of the OS world before *nix, MS and Apple took control?
9. Constraint 1
• What is ‘bare-metal’?
• Two principal categories for hypervisor technologies (as
defined by R. Goldberg)
– Type 1: Hypervisors that run directly on the host's hardware
– Type 2: Hypervisors that run on top of a conventional
operating system
• It becomes a question of how the guest operating
system accesses the underlying hardware
10. Why does this matter?
• When considering exploitation it pays to go after
bare-metal systems
– Technology is still immature with regards to security
• Exploits utilising buffer overflows, non-sanitised
instruction breakouts and system crashes (PSOD) are still rife
– Landscape still heterogeneous (look at EMC’s recent
acquisitions in the cloud space)
11. Constraint 2
• As with Microsoft, it pays to go after the big
player as the rewards will be greater
– As of approx. one year ago Taneja Group recently
identified VMware as the vendor market leader in this
space
• Gartner substantiates ... did I just mention that here?
13. VMware / IaaS
• We have a candidate:
– VMware
• Its global coverage shows it’s still the market leader (2012)
• It offers a ‘bare metal’ installation
• Its involvement in the Vblock* initiative allows for full, often
enterprise level, infrastructure exploitation
• It’s a Red Hat hack, so we can reuse existing exploitation knowledge
* Vblock is a virtualization platform from the Virtual Computing Environment
which is an initiative between EMC, VMware and Cisco to provide a fully
virtualised infrastructure
14. VM Penetration-Testing
• Previously hackers only had to look at
exploiting the physical layer
• Now they have to gear up to also take on the
virtual infrastructure
15. Ex Security
• The dimensionality of the security layer just
got elevated
• The pentest phases now apply at two layers, the Physical Layer and the
Virtualisation Layer: Target scoping, Information gathering, Target
discovery, Enumerating target, Vulnerability mapping, Social
engineering, Target exploitation, Privilege escalation, Maintaining
access, Documentation and reporting
16. Outside looking in
1. You’re external to the system with no guest account
access
• Adopt normal attack methods, port scanning, vulnerability
identification, exploitation
• The system will always look like a normal server from the
external perspective
– An exception to this can be insecurely mapped ports (e.g.
unprotected vSphere)
• Aim for low hanging fruit. Guest access is all you need
2. You have an account on a system but is it virtualized?
• This scenario covers an internal corporate breach. As security
experts we shouldn’t forget about attacks from the inside,
contractors, disgruntled employees
18. Hypervisor identification
• VMware Backdoor:
– Never fully disabled and can reveal a lot of system level information
• movw $0x5658, %dx; = VMware I/O port
• Values passed in cx select the command: 01h (processor speed), 0Ah (VMware version) etc.
• Linux:
– If you can install anything under the exploited account:
• imvirt (doesn’t require root)
– Coverage: VirtualBox, VMware, OpenVZ, Physical, QEMU, UML, Xen, lguest, ARAnyM, LXC
– If you happen to have root: virt-what (requires root)
• Coverage: KVM, Xen, QEMU, VirtualBox, System z, LPAR, z/VM, VMware, Hyper-V
• Windows:
– Stand-alone GUI application by Elias Bachaalany
• Still relevant despite being coded in 2005
• Coverage: Virtual PC, VMware (for us this is enough)
• Other tricks:
– dmidecode/SMBIOS structures, SIDT instruction identification (Red Pill)
– Mac OS X: Not tested, but the SIDT tricks should still hold true
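As an added example (not from the talk or from VMware), a ring-3 C probe for the backdoor described above: it issues the version command (ECX = 0Ah) on port 0x5658 with the "VMXh" magic in EAX and treats the fault that a non-VMware machine raises as a clean "not present" answer. A defender can compile it inside a guest to confirm whether the backdoor is reachable from unprivileged code; it assumes an x86 Linux build with GCC or Clang.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>

#define VMWARE_MAGIC       0x564D5868u  /* "VMXh": EAX value that selects the backdoor */
#define VMWARE_PORT        0x5658u      /* the I/O port from the slide (movw $0x5658, %dx) */
#define VMWARE_CMD_VERSION 0x0Au        /* ECX command 0Ah: get VMware version */

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Returns 1 if the backdoor answered (EBX echoes the magic, version left in *version),
 * 0 if the port access faulted (bare metal or another hypervisor: no VMware backdoor),
 * -1 on non-x86 builds. Runs in ring 3: under VMware no root or ioperm() is needed. */
int vmware_backdoor_query(uint32_t *version)
{
#if defined(__x86_64__) || defined(__i386__)
    struct sigaction sa, old_segv, old_bus;
    uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0;
    int answered = 0;

    /* Outside VMware the privileged IN raises #GP, delivered as SIGSEGV
     * (SIGBUS on some platforms); catch it and report "not present". */
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_env, 1) == 0) {
        __asm__ __volatile__("inl %%dx, %%eax"
                             : "=a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx)
                             : "a"(VMWARE_MAGIC), "b"(0u), "c"(VMWARE_CMD_VERSION), "d"(VMWARE_PORT)
                             : "memory");
        answered = (ebx == VMWARE_MAGIC);
        if (answered && version) *version = eax;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return answered;
#else
    (void)version;
    return -1;
#endif
}
```

Call vmware_backdoor_query() from a main and print the verdict; a result of 1 inside a guest means the backdoor is exposed to any local user on that VM.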
19. Past, Present and State-of-the-Art
• Blue Pill / SubVirt
• VMChat
• Cloudburst
• Metasploit weaponised
• Steal a VM
• VMDK Has Left the Building
• Suspended state: pass the hash
• Adaptive VM aware malware
20. Blue Pill / SubVirt
• Created by Joanna Rutkowska and released
publicly in 2006
– The concept was to create an ultra-thin hypervisor
which installs on-the-fly and can then operate
undetected by the host OS
– Offering a way to subvert the entire OS
and hide its existence
• Ref:
http://theinvisiblethings.blogspot.ch/2006/06/introducing-blue-pill.html
21. VMChat etc.
• Ed Skoudis and Tom Liston back in 2006 created break-out
applications (vmchat, vmftp, vmcat etc.) that bridged the VMs’ shared
memory models (ComChannel), enabling chat between the systems
as well as a number of other functionalities.
• Unfortunately their work is governed under DHS, therefore no
working version is available for demonstration at this moment
• Ref: “On the Cutting Edge: Thwarting Virtual Machine Detection”
22. Cloudburst
• Originally presented in 2009 at Black Hat, Las
Vegas, by Kostya Kortchinsky from Immunity
• Essential elements:
– Exploited ESX 3D support
– Addressed an x,y display glyph which was never
bounds checked
– Allowed for a reliable host -> guest breakout
– Bundled with Canvas for a nice price tag
23. Cloudburst 2
• Piotr Bania made improvements on the
original and was kind enough to release the
source code
• MS XP SP3 -> virtualised MS XP SP3 (VMware
workstation 6.5.1 build 126130) host to guest
breakout whereby the exploit can access/run
any file on the host
24. Metasploit weaponised
• VASTO 0.4 from Claudio Criscione now provides out of
the box modules for hypervisor technologies
– vmware_guest_stealer
– vmware_session_rider
– xen_login
– eucalyptus_poison
– vmware_autopwner
– Etc.
• If Metasploit is not installed, run the modules
manually via Ruby
25. Steal a VM
• ESXi 3.0
– vmware_guest_stealer
• Exploits the vulnerability CVE-2009-3733 discovered by
Morehouse & Flick
• Directory traversal attack against the host hypervisor
• Allows complete acquisition of other hosted VMs into
the guest/attacker client
• ESXi 5.0 has been silently patched
26. VMDK Has Left the Building
• Work coming from the guys at ERNW GmbH :
– Matthias Luft, Daniel Mende, Enno Rey, Pascal Turbing
– Attacks the virtual machine configuration file (which is
of course stored in plain text)
– Guest -> Host data extraction via *.vmdk configuration
file modification by exploiting the ‘# Extent description
RW setting’
• Demo’d complete retrieval of the backed-up host /etc folder
• Demo’d the ability to mount the physical hard drive of the ESX
host
• Valid for ESXi version 5.0 hypervisor
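As an added example rather than ERNW's own tooling, a small C audit of the ‘# Extent description’ lines in a VMDK descriptor: an extent whose file is an absolute host path or walks up with ‘..’ is flagged, which is exactly the edit the attack above depends on. The descriptor text is a constructed sample, and the check is a heuristic: raw device mappings legitimately use absolute device paths, so allow-list those in real use.

```c
#include <stdio.h>
#include <string.h>
/* Verdict for one line of a VMDK descriptor file */
enum extent_verdict { EXTENT_SKIP = 0, EXTENT_OK, EXTENT_ESCAPES, EXTENT_MALFORMED };

/* Examines a single descriptor line. Extent lines look like
 *   RW 4192256 SPARSE "disk-s001.vmdk"   (file next to the descriptor: fine)
 *   RW 1024 FLAT "/etc/passwd" 0         (absolute host path: flagged)
 * Lines that are not extents (version=, CID=, ddb.*, comments) yield EXTENT_SKIP. */
int check_extent_line(const char *line)
{
    char access[16], type[16], name[256];
    unsigned long sectors;
    int n;
    if (sscanf(line, "%15s", access) != 1) return EXTENT_SKIP;
    if (strcmp(access, "RW") && strcmp(access, "RDONLY") && strcmp(access, "NOACCESS"))
        return EXTENT_SKIP;
    n = sscanf(line, "%15s %lu %15s \"%255[^\"]\"", access, &sectors, type, name);
    if (n == 3 && strcmp(type, "ZERO") == 0) return EXTENT_OK;  /* ZERO extents carry no file */
    if (n < 4) return EXTENT_MALFORMED;
    if (name[0] == '/') return EXTENT_ESCAPES;                  /* absolute path into the host */
    for (const char *p = name; (p = strstr(p, "..")) != NULL; p += 2) { /* ".." component */
        int at_start = (p == name || p[-1] == '/');
        int at_end   = (p[2] == '\0' || p[2] == '/');
        if (at_start && at_end) return EXTENT_ESCAPES;
    }
    return EXTENT_OK;
}

/* Walks a whole descriptor and returns how many extents point outside the VM directory */
int audit_descriptor(const char *descriptor)
{
    char line[512];
    int escapes = 0;
    const char *s = descriptor;
    while (*s) {
        const char *nl = strchr(s, '\n');
        size_t len = nl ? (size_t)(nl - s) : strlen(s);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, s, len); line[len] = '\0';
        if (check_extent_line(line) == EXTENT_ESCAPES) escapes++;
        s = nl ? nl + 1 : s + len;
    }
    return escapes;
}

/* Constructed sample descriptor (not captured from any real system): one benign, one escaping */
const char SAMPLE_DESCRIPTOR[] =
    "# Disk DescriptorFile\nversion=1\nCID=fffffffe\ncreateType=\"vmfs\"\n"
    "# Extent description\nRW 4192256 VMFS \"benign-flat.vmdk\"\n"
    "RW 1024 FLAT \"/etc/passwd\" 0\n";
```

Run audit_descriptor() over every *.vmdk descriptor on a datastore; any non-zero count on a VM that has no raw device mapping is worth an investigation.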
27. Suspended state: pass the hash
• Mark Baggett instructor for SANS has presented a ‘pass
the hash’ attack method against a VM’s image file
• Methodology:
– Convert the VM image file (snapshot or suspended state) to
a memory dump file (vmss2core)
– Obtain the OS version and use it in combination with Volatility to
dump the hashes (via the virtual memory offsets) using the
registry hives:
• \REGISTRY\MACHINE\SYSTEM
• \SystemRoot\System32\Config\SAM
– Then use lsadump/samdump to start cracking the
passwords
29. Adaptive VM aware malware
• Crisis or Morcut is a rootkit that has the ability
to adaptively weaponise for multiple targets:
– Windows, Mac OS X, VMs
30. Appraisal
• The ‘cloud’ hypervisor world is upon us
• User demands for convenience and business promises
of lower costs for maintenance are speeding the
adoption of a virtualised world
• VMware Backdoor access isn’t secured
• VMDK exploitations are now gaining traction
• vSphere SOAP calls are vulnerable
• VMware Backdoor network always available to help
• vMotion network transmits the memory image in clear
text
31. Optimism
• VMware’s silent patching and quick release cycles are improving the
security situation
• Enterprise patching for public clouds should be ensured by the
vendor and governed contractually
• Security is getting focus
• VMware profiling allows golden secure guest OS images to be
created and distributed
• VMware Update allows for synchronised and manageable control of
the virtualised environment
32. Pessimism
• Virtualised bridging between the guest and host will always offer a juicy
attack vector
– Paravirtualised drivers
– Regular drivers
• Shared hardware resources will never be able to ensure secure sandboxing
• Asset segregation can never be secured to the same degree as physical
systems
• Derek Soeder is always lurking
– CVE-2012-1515: Backdoor ROM overwrite privilege escalation vulnerability,
March 2012
– CVE-2012-1517: Unprivileged code execution from the guest machine, May
2012
– CVE-2012-1516: Uninitialized memory, potential VM breakout, May 2012
33. Pessimism
• Did I mention patch cycles?
– Customer question on community blog:
• Question: “Does VMware have a scheduled patch
cycle? When do they release patches, monthly,
quarterly, or on a "as needed" basis?”
• Answer: “There is no such Patch Release cycle as
Microsoft has for its operating systems in VMware. You
can check continuously in Update Manager for any
recent patch release and can apply them according to
the advisory released from VMware.”
34. Pessimism
• Trend of Security Advisories from VMware
– The rate of security advisories for VMware in 2012
demonstrates issues still exist
[Chart: VMware Security Advisories 2012, y-axis: Number of Advisories (0 to 6)]
35. Future
• QubesOS
– Virtualisation issues identified early on
– Invisible Things Labs has been leading the way in
this field for research
• Places data responsibility into the hands of the security
architect
• Segregates information into security domains
supported by network permission and accessibility
• Champions the notion of light weight disposable virtual
machines whose purpose will be to host only a single
application
36. Future
• QubesOS
– Rutkowska’s take on secure sandboxing methods:
“I think that Apple iOS is a good example of such a “safe” OS
– it automatically puts each application into its own sandbox,
essentially not relying on the user to make any security
decisions. However, the isolation that each such sandbox
provides is far from being secure, as various practical attacks
have proven, and which is mostly a result of exposing too fat
APIs to each sandbox, as I understand. In Qubes OS, it's the
user that is responsible for making all the security decisions
– how to partition her digital life into security domains, what
network and other permissions each domain might have”
37. Current PoC Research
• Parasite
– A new form of malware
– Exists as a self-contained agent that stays with its
host
– Manipulates its carrier's environment to ensure
migration
– Explores the virtual target space
38. Parasite: Mode of operation
Exploit the system -> Identify environment -> Reconnaissance ->
Test constraints -> Trigger migration -> Reconnaissance
39. Parasite Lab
• Host: VMware ESXi 5.0.0 build 623860
• Clients: Linux BT R3 32bit, Windows XP,
Windows 8
• 1 cluster, 6 VMs all existing on the same VLAN
segment
• vMotion configured to ‘moderate’ threshold
setting
40. PoC objectives
• Demonstrate capabilities and present a case for a potential new threat
• Force automatic migration by triggering vMotion
– Simulate high load on the guest OS
• Produce a high number of files and directories forcing VMware DB limit to overload
(circa 31,000)
• Explore clustered hosts of the virtualised infrastructure
• DoS caused by a constantly migrating VM, overloading the hypervisor (due to a
poorly defined vMotion threshold configuration)
• Sniff network traffic of various nodes e.g. VM migrations
• Perform reconnaissance analysis
42. Precaution from Woz
• A quote from someone it might be worth
listening to:
"I really worry about everything going to the cloud"
"I think it's going to be horrendous. I think there are
going to be a lot of horrible problems in the next five
years.”
-- Steve Wozniak
43. Final word
• Hackers: We have a fertile new playground with a
lot of tech to explore
• Youth: Use the cloud but know the risks
• Old/Experienced: The time-share idea is
becoming a reality
A new piece of malware may be lurking
44. Thanks for listening
And for those still paying attention, the smart people at Vupen have released
the following PoC: Citrix Xen Intel CPU 64-Bit Mode Sysret PV Guest to Host
Escape (CVE-2012-0217)
Editor's Notes
Cloud Clients: Socially facing cloud services
Software as a service (SaaS): Web browser thin client
Platform as a service (PaaS): API’s provided
Infrastructure as a service (IaaS):
Mat Honan link: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
Out of scope because the hack is not about system and multiple infrastructure exploitation. It focuses more on the side of the cube.
Goldberg, Robert P. (February 1973). Architectural Principles for Virtual Computer Systems (PDF). Harvard University. pp. 22–26. http://www.dtic.mil/cgi-bin/GetTRDoc?AD=AD772809&Location=U2&doc=GetTRDoc.pdf. Retrieved 2010-04-12.