Breaking cloud isolation

Breaking cloud isolation
HITB, Amsterdam, 30/05/14
research

Short BIO
● bug hunter (Facebook, Google, Nokia, etc)
● security researcher
● CEO and lead security expert of

Clouds
● Between business functions and hardware
● Between application code and environment

Shared hostings
● Grandfather of clouds ;)
● Many technologies developed there became the basis of clouds

The basics: cloud aliases
● Same application with different data - SaaS
● Same hardware with different platforms - PaaS, IaaS
● It’s easy to identify the technical basis behind the next *aaS marketing term

The basics: resource sharing
● Filesystems
● Network services
● Execution context at OS

The basics: resource sharing
● Filesystems
○ file contents
○ file names <- don’t forget about those: sess_abcdefg
○ file descriptors <- so IMPORTANT
● Network services
● Execution context at OS

File sharing
● Different application instances on the same filesystem
● Sensitive files
○ cross-instance content (application code,
○ temporary files, reports and other race conditions

File sharing
● Different application instances on the same filesystem
● Sensitive files
○ authentication data such as sessions
○ uploaded files
○ temporary files, reports and other race conditions

File sharing
● Different application instances on the same filesystem
● How to protect:
○ a different chroot and user for each?
○ only 65535 UIDs in the OS =)
○ control chuid() for forks

File sharing
● Different application instances on the same filesystem
● Requires an LFI/path traversal bug first at SaaS
● Typical for SaaS; shared hostings fixed that in the late ’90s ;)

File descriptors
● It matters whether an FD is opened before or after fork() - privileges for chuid() programs
● APIs for this exist in all interpreters (Ruby, Python, PHP, ...)
● Typical cases:
○ descriptor for a database connection (already authenticated)
○ descriptors for log files and journals

Difficult case from the wild (our SaaS security audit practice)
● Code prototype:
○ fopen()
○ do something, such as fwrite(), flush(), …
○ fclose()

Difficult case from the wild (our SaaS security audit practice)
● Hacker’s look at the execution flow:
○ fopen()
○ fwrite() something interesting
○ application crash (by memory limit or execution time)!
○ fclose() - never called
○ garbage collector magic
○ use the foreign FD for our purposes
[Diagram: victim’s HTTP request processing and attacker’s HTTP request processing handled by the same worker (PID)]
Important thing! Theme for another full report
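The descriptor problems on the two preceding slides (an authenticated connection or log descriptor handed to a forked, less privileged process, and a request that crashes before fclose() so its descriptor lingers in the worker) can be made visible with a small amount of C. The following is an added example written for this transcript, not code from the talk or from ONsec/Wallarm: it counts a process's open descriptors, closes everything above a watermark at a request boundary or in a child before it runs less trusted code, and checks whether a forked child can still read an inherited descriptor. The log path is a constructed temporary file and the "crash" is simulated with longjmp(), which skips the close() the same way a fatal error skips fclose().

```c
/* Added example (not from the talk): detecting descriptors a long-lived worker
   leaks across requests or hands to a forked child. Linux/POSIX C. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Largest descriptor number we probe; capped so the scan stays cheap. */
static long fd_limit(void) {
    long max = sysconf(_SC_OPEN_MAX);
    return (max < 0 || max > 65536) ? 65536 : max;
}

/* Count descriptors this process holds open by probing each one with fcntl(). */
int count_open_fds(void) {
    int n = 0;
    for (long fd = 0; fd < fd_limit(); fd++)
        if (fcntl((int)fd, F_GETFD) != -1) n++;
    return n;
}

/* Close every descriptor >= lowfd; returns how many were actually open.
   Call this at a request boundary, or in a child before it runs less trusted
   code, so an inherited database or log descriptor cannot be reused there. */
int close_fds_from(int lowfd) {
    int closed = 0;
    for (long fd = lowfd; fd < fd_limit(); fd++)
        if (close((int)fd) == 0) closed++;
    return closed;
}

static jmp_buf crash_point;

/* One "request" in a worker: open a log, write, then either close it or
   "crash" (simulated with longjmp, like a fatal error that skips fclose()). */
static void handle_request(const char *log_path, int crash) {
    int fd = open(log_path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0) return;
    if (write(fd, "sensitive line\n", 15) < 0) { close(fd); return; }
    if (crash) longjmp(crash_point, 1);   /* fd stays open in the worker */
    close(fd);
}

/* Run one request and report how many descriptors it left behind (0 or 1). */
int fds_leaked_by_request(const char *log_path, int crash) {
    int before = count_open_fds();
    if (setjmp(crash_point) == 0)
        handle_request(log_path, crash);
    return count_open_fds() - before;
}

/* Fork a child that optionally closes inherited descriptors before touching fd.
   Returns 1 if the child could still read fd, 0 if not, -1 on fork/wait error. */
int child_can_read(int fd, int close_inherited_first) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (close_inherited_first) close_fds_from(3);
        char c;
        lseek(fd, 0, SEEK_SET);
        _exit(read(fd, &c, 1) >= 0 ? 1 : 0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    char log_path[] = "/tmp/worker-log-XXXXXX";   /* constructed sample file */
    int log_fd = mkstemp(log_path);
    if (log_fd < 0) return 1;
    printf("clean request leaked %d fd(s)\n", fds_leaked_by_request(log_path, 0));
    printf("crashed request leaked %d fd(s)\n", fds_leaked_by_request(log_path, 1));
    printf("boundary cleanup closed %d fd(s)\n", close_fds_from(log_fd + 1));
    printf("child reads inherited fd: %d, after closing inherited fds: %d\n",
           child_can_read(log_fd, 0), child_can_read(log_fd, 1));
    close(log_fd);
    unlink(log_path);
    return 0;
}
```

The crashed request leaves one descriptor behind, and the next request in the same worker would receive the next free number while the leaked one stays readable; closing everything above a known watermark at the request boundary is the cheap fix, and the same call in a child before it drops privileges removes the "FD opened before fork" exposure.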

The basics: resource sharing
● Filesystems
● Network services
○ database tables (MySQL, Oracle, Postgres, …)
○ noSQL values (memcached, Tarantool, Redis, Couch, MongoDB, ...)
○ custom services (monitoring, billing, management)
● Execution context at OS

Network resource sharing
● Authentication
○ Privileged port protection (<1024)
○ Host-based <- SSRF power here
○ Plaintext (login+password) <- MITM here
○ Challenge/response (SASL and others)

Network resource attack ways
● Spoofing
○ Classic UDP - rare from the Internet, common from the intranet (from a cloud node) - net.ipv4.conf.all.rp_filter
○ TCP Fast Open secret leak at clouds (IP reuse)
● Unprivileged local port reuse (ports outside the <1024 privileged range)
● SSRF classics - bypassing host-based auth

Classic UDP spoofing nowadays
● Packets are routed between INTERFACES!
○ By default on Debian/RHEL ;)
○ Use sysctl net.ipv4.conf.all.rp_filter (reverse-path filtering) to disable that
● UDP services on the loopback interface are really common
● TFTP - netboot images, gain control of new nodes at (P|I)aaS (SNMP too, but a community string is needed there)
● Memcached (by default on 11211, both TCP and UDP)
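To check the reverse-path-filter setting from this slide on a node, the added example below (not from the talk) reads net.ipv4.conf.all.rp_filter from /proc/sys, the same value `sysctl` prints, and classifies it. The path constant is the standard Linux location; the per-interface files under /proc/sys/net/ipv4/conf/<iface>/ can be passed to the same function.

```c
/* Added example (not from the talk): audit net.ipv4.conf.all.rp_filter, the
   sysctl that decides whether a packet arriving with a source address that
   does not route back over the ingress interface is dropped. Linux only. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Standard location of net.ipv4.conf.all.rp_filter on Linux. */
#define RP_FILTER_ALL "/proc/sys/net/ipv4/conf/all/rp_filter"

/* Parse an rp_filter file: returns 0 (off), 1 (strict), 2 (loose), -1 on error. */
int read_rp_filter(const char *path) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    char buf[32];
    char *line = fgets(buf, sizeof buf, f);
    fclose(f);
    if (!line) return -1;
    char *end;
    long v = strtol(buf, &end, 10);
    if (end == buf || (*end != '\n' && *end != '\0')) return -1;
    return (v >= 0 && v <= 2) ? (int)v : -1;
}

/* Kernel behaviour for each value, as documented for rp_filter. */
const char *rp_filter_meaning(int value) {
    switch (value) {
    case 0: return "off: no source validation, spoofed sources accepted";
    case 1: return "strict: dropped unless the best route back uses the ingress interface";
    case 2: return "loose: dropped only if the source is unreachable via any interface";
    default: return "unknown";
    }
}

/* Only strict mode stops a packet that claims a source belonging to another
   interface of the same host, which is the cross-interface case on the slide. */
int rp_filter_strict(int value) { return value == 1; }

int main(void) {
    int v = read_rp_filter(RP_FILTER_ALL);
    if (v < 0) {
        puts("rp_filter not readable (not Linux, or /proc unavailable)");
        return 1;
    }
    printf("net.ipv4.conf.all.rp_filter = %d (%s)\n", v, rp_filter_meaning(v));
    return rp_filter_strict(v) ? 0 : 2;
}
```

The program exits 0 when strict filtering is on and 2 otherwise, so it can sit in a node provisioning check.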

TCP fast open spoofing at clouds

Local port reusing
● Requires RCE first, of course
● 3rd-party privileged application on non-privileged ports
● Crash them, then open this port. I think you can do that! Fuzz it guys, FuZ5!!!
● Get some private data from others

Local port reusing
● Cases from the wild
○ monitoring
○ management systems
○ privileged daemon for anything
○ different integration daemons
○ different databases - SQL/noSQL

Classic SSRF
● From the Internet to the intranet
● Sometimes better than many A01 injections
● Internal APIs and others - did you forget about auth there?
● Intranet resources: monitoring/wiki/etc - VLAN!

FastCGI SSRF features
● A local port for FastCGI is bad
● Use UNIX sockets for that instead
● Otherwise applications can communicate with each other locally
● For PHP-FPM, admin_value provides RCE
https://github.com/ONsec-Lab/scripts/blob/master/fastcgipacket.rb

The basics: resource sharing
● Filesystems
● Network services
● Execution context at OS
○ classic race condition in daemon init scripts
○ entropy depletion of urandom ???

What’s the problem?
● Look at CVE-2013-1048 first - that’s really cool
● The install utility has a serious flaw - a race condition between creating the file and setting its permissions
● Good way:
○ fd = open(...)
○ fchmod(fd, ...)
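The "good way" on this slide, as an added C example (not from the talk and not the install utility's source): the racy create-then-chmod(path) sequence beside the open()-with-mode plus fchmod(fd) form. Paths are constructed temporary files, and mode_of_fd() is a helper added here only for verification.

```c
/* Added example (not from the talk): creating a private file without the
   create-then-chmod window. POSIX C. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern (the class of bug the slide describes): the file exists with
   umask-derived permissions until chmod() narrows them, and chmod() on a path
   follows whatever the path points at by the time it runs, not the file that
   was just created. */
int create_then_chmod_racy(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0) return -1;
    /* window: another local user can open() the file here with the wide mode */
    if (chmod(path, 0600) < 0) { close(fd); return -1; }
    return fd;
}

/* Safe pattern: the file is created with its final mode in the same syscall,
   O_EXCL|O_NOFOLLOW refuses a pre-existing file or symlink at that path, and
   fchmod() operates on the descriptor we hold rather than on a path. */
int create_private_file(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fchmod(fd, 0600) < 0) { close(fd); unlink(path); return -1; }
    return fd;
}

/* Permission bits of an open descriptor (fstat, again on the fd, not the path). */
int mode_of_fd(int fd) {
    struct stat st;
    if (fstat(fd, &st) < 0) return -1;
    return (int)(st.st_mode & 07777);
}

int main(void) {
    char dir[] = "/tmp/privfile-XXXXXX";          /* constructed scratch directory */
    if (mkdtemp(dir) == NULL) return 1;
    char path[4096];
    snprintf(path, sizeof path, "%s/report", dir);
    int fd = create_private_file(path);
    if (fd < 0) return 1;
    printf("created %s with mode %04o\n", path, mode_of_fd(fd));
    printf("second create on the same path: %d (expected -1, O_EXCL)\n",
           create_private_file(path));
    close(fd);
    unlink(path);
    rmdir(dir);
    return 0;
}
```

The second call returning -1 is the point: with O_EXCL the creator learns that something already occupied the path instead of silently adopting it, and there is no moment at which the file is readable with a wider mode than intended.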

/dev/random concept
● Just a CONCEPT
● Attacker’s worker reads all of /dev/random
● Victim’s worker reads /dev/urandom, which consists of hashes of the /dev/random data read earlier by the attacker
● Attacker now knows the victim’s random values
● There are many limitations, of course...

The end
Contacts:
@wallarm, @d0znpp
http://github.com/wallarm
research