Date: Wed, 9 Nov 2011 20:25:50 +0100
From: Sam Johnston <samj@...j.net>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: SploitCloud: exploiting cloud brokers for fun and profit

Apologies for the HTML — too many inline links.

Sam
SploitCloud: exploiting cloud brokers for fun and profit <http://samj.net/2011/10/sploitcloud.html>
My friends at Enomaly <http://www.enomaly.com/> have been
beating <http://twitter.com/#%21/ruv/status/129928434079109121>
up <http://twitter.com/#%21/ruv/status/129929111526318081>
on <http://twitter.com/#%21/ruv/status/129934534870446080>
Amazon Web Services (AWS) <http://aws.amazon.com/> over the XML signature
element wrapping <http://dl.acm.org/citation.cfm?id=1103026> vulnerability
currently being
overhyped <http://www.theregister.co.uk/2011/10/27/cloud_security/>
by <http://www.fiercecio.com/techwatch/story/security-flaw-cloud-architectures-including-amazon-web-services/2011-10-28>
the <http://www.pcworld.com/businesscenter/article/242598/researchers_demo_cloud_security_issue_with_amazon_aws_attack.html>
press <http://www.networkworld.com/news/2011/102611-security-cloud-252406.html>,
which is ironic given their
security <http://www.securityfocus.com/archive/1/archive/1/500573/100/0/threaded>
track <http://www.securityfocus.com/archive/1/archive/1/500573/100/0/threaded>
record <http://www.securityfocus.com/archive/1/500989> and unfortunate
given I rather like what Amazon have achieved.

Back in March I reported multiple
vulnerabilities <https://groups.google.com/group/spotcloudbuyers/browse_thread/thread/1993b3ab1643bfa2>
in SpotCloud <http://www.spotcloud.com/> (including their having copied
Amazon's vulnerable
signatures <http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html>
years after they were reported and
fixed <http://www.jamesmurty.com/2008/12/31/aws-query-signature-version-2/>)
and I was told I was
unethical <https://groups.google.com/group/spotcloudbuyers/msg/237ffac277ea8bbe>
and my report that they "*may not validate incoming web and/or API requests
and if so, may be vulnerable to cross-site request forgery in which an
attacker could make unauthorised management requests on behalf of a user*"
was "unactionably
vague <https://groups.google.com/group/spotcloudbuyers/browse_thread/thread/526fc1d60bfa6e95>".

To demonstrate the severity of the outstanding vulnerability go grab
yourself a SpotCloud account <https://spotcloud.appspot.com/buyer/register>,
charge it up <https://spotcloud.appspot.com/buyer/balance/topup> (ignoring
PCI-DSS <http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard>
for a second given they're collecting credit card numbers via App Engine)
and click the image below. I'll silently create an instance for you using a
hidden IFRAME, but you're welcome to experiment with more destructive
experiments like deleting existing instances and uploading malicious
workloads.


*Update:* If you look at the code you'll see the hourly rate is passed to
the client as "*cost*" and presumably trusted on return (if not, why is it
there?). I haven't seen a price manipulation
vulnerability <http://www.symantec.com/connect/articles/common-security-vulnerabilities-e-commerce-systems>
in over a decade, but I'm not tinkering with it because I don't fancy being
accused of stealing from them or their providers.

*Update:* While the consumer API <http://dl.enomaly.com/scbuyerapi> now
uses OAuth, the provider API <http://dl.enomaly.com/scprovider> still
uses Amazon's vulnerable
signatures <http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html>
for authentication:

import hmac
from hashlib import sha1 as sha

# request parameters; the values below reproduce the data string shown further down
parameters = {'ecp_username': 'spotcloudusername', 'paramA': 'value',
              'Timestamp': '2006-12-08T07:48:03Z'}

# sorts by key.lower(), i.e. A b c Dee e ffFf
sorted_keys = sorted(parameters.keys(), key=lambda k: k.lower())

# concatenates key,value pairs with no delimiter: a=1,b=2,C=32 becomes "a1b2C32"
data = ''.join(key + parameters[key] for key in sorted_keys)

# data is now: ecp_usernamespotcloudusernameparamAvalueTimestamp2006-12-08T07:48:03Z
digest = hmac.new(b'spotcloudpassword', data.encode(), sha).digest()


This may have been safe over SSL were it not for the fact that client
libraries (including python) typically don't validate the certificate chain
by default.

*Update:* Wells Fargo reports "CHECK CRD PURCHASE SPOT CLOUD ETOBICOKE
CD" as "Unusual Activity" in emailed alert… canceling card, requesting
re-issue. Should have used a virtual card. Wonder if Google know their App
Engine poster
child <http://googleappengine.blogspot.com/2011/03/enomaly-chooses-google-app-engine-for.html>
is using it to collect credit card details?

*Update:* It is believed that Private
SpotCloud <http://spotcloud.com/Private.50.0.html> and Enomaly Elastic
Computing Platform (ECP) <http://www.enomaly.com/Product-Overview.419.0.html>
are also vulnerable to cross-site request
forgery <http://en.wikipedia.org/wiki/Cross-site_request_forgery>,
but without access to the software I have no way to verify.

*Update:* This is how Enomaly deals with security researchers:

<http://4.bp.blogspot.com/-XwLZ56N2Gjg/TrnalAPJ9qI/AAAAAAAAAYU/SY57-4azetI/s1600/spotcloud-suspended.png>
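The provider-API signing scheme quoted in the post above, as an added example that is not from the post or from Enomaly's code: the version-1 style signer beside a delimited, percent-encoded canonicalization modelled on AWS signature version 2, with a constructed parameter pair showing why the undelimited form cannot bind parameter boundaries. The secret, the parameter names and the `verify` helper are assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed secret; stands in for the provider password in the quoted code.
SECRET = b"constructed-example-secret"


def canonical_v1(params):
    """String-to-sign as in the quoted provider code: keys sorted
    case-insensitively, then key+value concatenated with no delimiter."""
    keys = sorted(params, key=lambda k: k.lower())
    return "".join(k + params[k] for k in keys)


def sign_v1(params, secret=SECRET):
    """HMAC-SHA1 over the undelimited string (the weak scheme)."""
    return hmac.new(secret, canonical_v1(params).encode(), hashlib.sha1).hexdigest()


def canonical_v2(params):
    """Delimited canonical form modelled on AWS signature version 2
    (simplified: only the query string is covered). Each key and value
    is percent-encoded, so '=' and '&' can only ever be delimiters."""
    keys = sorted(params)  # byte-order sort, as v2 requires
    return "&".join(quote(k, safe="-_.~") + "=" + quote(params[k], safe="-_.~")
                    for k in keys)


def sign_v2(params, secret=SECRET):
    """HMAC-SHA256 over the delimited canonical string."""
    return hmac.new(secret, canonical_v2(params).encode(), hashlib.sha256).hexdigest()


def verify(params, presented, signer=sign_v2, secret=SECRET):
    """Server-side check (hypothetical helper); compare_digest keeps the
    comparison constant-time."""
    return hmac.compare_digest(signer(params, secret), presented)


# Constructed pair: the parameter boundaries differ, yet the v1 string-to-sign
# is "ActionStartCount1" for both, so one v1 signature validates both requests.
ORIGINAL = {"Action": "Start", "Count": "1"}
RESHAPED = {"Action": "StartCount1"}

if __name__ == "__main__":
    print("v1 collides:", sign_v1(ORIGINAL) == sign_v1(RESHAPED))  # True
    print("v2 collides:", sign_v2(ORIGINAL) == sign_v2(RESHAPED))  # False
    print("v2 canonical:", canonical_v2({"k": "a=b&c"}))           # k=a%3Db%26c
```

The delimited form is only as strong as the transport that carries it: as the post notes, a client that skips certificate validation hands the same string to whoever terminates the connection.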

