Re: SploitCloud: exploiting cloud brokers for fun and profit

[xD 0x41 <secn3t () gmail com>]

Lame.
Sorry but, it just is.
Your a lamer dude.
Ill makesure to blog this for you.


On 10 November 2011 06:25, Sam Johnston <samj () samj net> wrote:

> Apologies for the HTML — too many inline links.
>
> Sam
> SploitCloud: exploiting cloud brokers for fun and profit<http://samj.net/2011/10/sploitcloud.html>
>  My friends at Enomaly <http://www.enomaly.com/> have been 
> beating<http://twitter.com/#%21/ruv/status/129928434079109121>
> up <http://twitter.com/#%21/ruv/status/129929111526318081> on<http://twitter.com/#%21/ruv/status/129934534870446080> 
> Amazon
> Web Services (AWS) <http://aws.amazon.com/> over the XML signature
> element wrapping <http://dl.acm.org/citation.cfm?id=1103026> vulnerability
> currently being overhyped<http://www.theregister.co.uk/2011/10/27/cloud_security/>
> by<http://www.fiercecio.com/techwatch/story/security-flaw-cloud-architectures-including-amazon-web-services/2011-10-28>
> the<http://www.pcworld.com/businesscenter/article/242598/researchers_demo_cloud_security_issue_with_amazon_aws_attack.html>
> press<http://www.networkworld.com/news/2011/102611-security-cloud-252406.html>,
> which is ironic given their security<http://www.securityfocus.com/archive/1/archive/1/500573/100/0/threaded>
> track<http://www.securityfocus.com/archive/1/archive/1/500573/100/0/threaded>
> record <http://www.securityfocus.com/archive/1/500989> and unfortunate
> given I rather like what Amazon have achieved.
>
> Back in March I reported multiple 
> vulnerabilities<https://groups.google.com/group/spotcloudbuyers/browse_thread/thread/1993b3ab1643bfa2>
>  in SpotCloud <http://www.spotcloud.com/> (including their having copied Amazon's
> vulnerable signatures<http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html>years after 
> they were reported
> and fixed<http://www.jamesmurty.com/2008/12/31/aws-query-signature-version-2/>)
> and I was told I was unethical<https://groups.google.com/group/spotcloudbuyers/msg/237ffac277ea8bbe>and my report 
> that they "
> *may not validate incoming web and/or API requests and if so, may be
> vulnerable to cross-site request forgery in which an attacker could make
> unauthorised management requests on behalf of a user*" was "unactionably
> vague<https://groups.google.com/group/spotcloudbuyers/browse_thread/thread/526fc1d60bfa6e95>
> ".
>
> To demonstrate the severity of the outstanding vulnerability go grab
> yourself a SpotCloud account<https://spotcloud.appspot.com/buyer/register>,
> charge it up <https://spotcloud.appspot.com/buyer/balance/topup> (ignoring
> PCI-DSS<http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard>for a second given they're 
> collecting credit card numbers via App Engine)
> and click the image below. I'll silently create an instance for you using a
> hidden IFRAME, but you're welcome to experiment with more destructive
> experiments like deleting existing instances and uploading malicious
> workloads.
>
>
> *Update:* If you look at the code you'll see the hourly rate is passed to
> the client as "*cost*" and presumably trusted on return (if not, why is
> it there?). I haven't seen a price manipulation 
> vulnerability<http://www.symantec.com/connect/articles/common-security-vulnerabilities-e-commerce-systems>in over a 
> decade, but I'm not tinkering with it because I don't fancy being
> accused of stealing from them or their providers.
>
> *Update:* While the consumer API <http://dl.enomaly.com/scbuyerapi> now
> uses OAuth, the provider API <http://dl.enomaly.com/scprovider> still
> uses Amazon's vulnerable 
> signatures<http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html>for authentication:
>
> #sorts by key.lowercase(). ie A b c Dee e ffFf
> sorted_keys = sorted(parameters.keys(), key=lambda k: k.lower())
>
> #concatenates key,value pairs. a=1,b=2,C=32 becomes "a1b2C32"
> data = ’’.join(key + parameters[key] for key in sorted_keys)
>
> #Data is now: ecp_usernamespotcloudusernameparamAvalueTimestamp2006-12-08T07:48:03Z
> digest = hmac.new(’spotcloudpassword’, data, sha).digest()
>
>
> This may have been safe over SSL were it not for the fact that client
> libraries (including python) typically don't validate the certificate chain
> by default.
>
> *Update:* Wells Fargo reports "CHECK CRD PURCHASE SPOT CLOUD ETOBICOKE
> CD" as "Unusual Activity" in emailed alert… canceling card, requesting
> re-issue. Should have used a virtual card. Wonder if Google know their App
> Engine poster child<http://googleappengine.blogspot.com/2011/03/enomaly-chooses-google-app-engine-for.html>is using 
> it to collect credit card details?
>
> *Update:* It is believed that Private SpotCloud<http://spotcloud.com/Private.50.0.html>and Enomaly
> Elastic Computing Platform (ECP)<http://www.enomaly.com/Product-Overview.419.0.html>are also vulnerable to cross-site
> request forgery <http://en.wikipedia.org/wiki/Cross-site_request_forgery>,
> but without access to the software I have no way to verify.
>
> *Update:* This is how Enomaly deals with security researchers:
>
> <http://4.bp.blogspot.com/-XwLZ56N2Gjg/TrnalAPJ9qI/AAAAAAAAAYU/SY57-4azetI/s1600/spotcloud-suspended.png>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/