Full Disclosure mailing list archives
Re: SploitCloud: exploiting cloud brokers for fun and profit
From: Jeffrey Walton <noloader () gmail com>
Date: Thu, 10 Nov 2011 12:17:07 -0500
On Wed, Nov 9, 2011 at 2:25 PM, Sam Johnston <samj () samj net> wrote:
Apologies for the HTML — too many inline links. Sam SploitCloud: exploiting cloud brokers for fun and profit<http://samj.net/2011/10/sploitcloud.html>
[SNIP]
*Update:* If you look at the code you'll see the hourly rate is passed to the client as "*cost*" and presumably trusted on return (if not, why is it there?). I haven't seen a price manipulation vulnerability<http://www.symantec.com/connect/articles/common-security-vulnerabilities-e-commerce-systems>in over a decade, but I'm not tinkering with it because I don't fancy being accused of stealing from them or their providers. *Update:* While the consumer API <http://dl.enomaly.com/scbuyerapi> now uses OAuth, the provider API <http://dl.enomaly.com/scprovider> still uses Amazon's vulnerable signatures<http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html>for authentication: #sorts by key.lowercase(). ie A b c Dee e ffFf sorted_keys = sorted(parameters.keys(), key=lambda k: k.lower()) #concatenates key,value pairs. a=1,b=2,C=32 becomes "a1b2C32" data = ’’.join(key + parameters[key] for key in sorted_keys) #Data is now: ecp_usernamespotcloudusernameparamAvalueTimestamp2006-12-08T07:48:03Z digest = hmac.new(’spotcloudpassword’, data, sha).digest() This may have been safe over SSL were it not for the fact that client libraries (including python) typically don't validate the certificate chain by default. http://bugs.python.org/issue1589
"Unfortunately, hostname matching is one of those ideas that seemed better when it was thought up than it actually proved to be in practice. I've had extensive experience with this, and have found it to almost always an application-specific decision..." and "It's more of a missing feature than a security issue in itself..." Jeff
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- SploitCloud: exploiting cloud brokers for fun and profit Sam Johnston (Nov 10)
- Re: SploitCloud: exploiting cloud brokers for fun and profit coderman (Nov 10)
- Re: SploitCloud: exploiting cloud brokers for fun and profit Jeffrey Walton (Nov 10)
- Re: SploitCloud: exploiting cloud brokers for fun and profit xD 0x41 (Nov 10)