pentesting virtualization
play

Pentesting Virtualization Claudio Criscione @paradoxengine - PowerPoint PPT Presentation

Sep 26, 2023 •318 likes •781 views

Virtually Pwned Pentesting Virtualization Claudio Criscione @paradoxengine c.criscione@securenetwork.it /me Claudio Criscione The need for security Breaking virtualization means hacking the underlying layer accessing systems

  1. Virtually Pwned Pentesting Virtualization Claudio Criscione @paradoxengine – c.criscione@securenetwork.it

  2. /me Claudio Criscione

  3. The need for security

  4. Breaking virtualization means… …hacking the underlying layer …accessing systems locally …bypassing access and network controls …hitting multiple targets at once Almost everywhere now Small number of different solutions deployed

  5. MyHeaven

  6. The elephant in the room

  7. Escaping the VM • Yes , it can be done • Yes , it is (99% up to now) due to an exploit • Yes , it can be patched • Yes , it will happen again • No , it is not something you can easily audit • No , I won ‟t disclose “ escape from vm ” 0days

  8. The Plan

  10. Tools Of The Trade

  11. VASTO The Virtualization ASsessment TOolkit It is an “ exploit pack ” for Metasploit focusing on virtualization and cloud security. Announcing Beta 0.3 – Featured at The Arsenal… yesterday! Tnx to Luca Carettoni, Paolo Canaletti, drk1wi for helping with modules!

  12. Our demo target Security is one of the few fields where hitting a large target is worth more than hitting a small one.

  13. How do you notice?

  14. Recon Local – are you in a VM? Easy – Check MAC address, processes Not so easy – Hardware access Remote – where‟s the Hypervisor? Network services Fingerprinting

  15. vmware_version Handy SOAP API to call Works on most VMware products […] <RetrieveServiceContent xmlns=\"urn:internalvim25\"> <_this type=\"ServiceInstance\"> ServiceInstance </_this> </RetrieveServiceContent> […]

  16. A multi layered attack

  17. Client Internal Hypervisor Management Support

  18. Client Internal Hypervisor Management Support

  19. Client : The Auto Update feature

  20. clients.xml <ConfigRoot> <clientConnection id="0000"> <authdPort>902</authdPort> <version>3</version> <patchVersion>3.0.0</patchVersion> <apiVersion>3.1.0</apiVersion> <downloadUrl>https://*/client/VMware- viclient.exe</downloadUrl> </clientConnection> </ConfigRoot>

  21. vmware_vilurker The VIlurker module can perform user-assisted code execution provided you can do MITM on a client. Almost no one use trusted certificates. No code signing on updates, but user gets a certificate warning. BONUS INFO: no SSL check on VMware Server 1.x

  22. Client Internal Hypervisor Management Support

  23. Direct Hit

  24. vmware_guest_stealer CVE-2009-3733 This path traversal was discovered by Flick and Morehouse and presented last year. Exploit was released as a perl script and it has been ported to VASTO. It can be used to retrieve any file as the root user, including non-running guests. Works on most outdated VMware Products.

  25. Client Internal Hypervisor Management Support

  26. Components Always Components

  27. vmware_updatemanager_traversal JETTY-1004 VMware Update Manager includes Jetty 6.1.16 Runs on the vCenter (management) Server Jetty 6.1.16 is vulnerable to path traversal (again) Here is the magic string /vci/downloads/health.xml/%3F/../../../../../../../../../$FILE

  28. Ok, we can read files on the vCenter, so what? Follow me!

  29. Introducing vpxd-profiler-* It is a “ debug ” file written by vCenter. Lots of information inside. Let ‟s go for low-hanging fruits for now. More to come  /SessionStats/SessionPool/Session/Id='06B90BC B-A0A4-4B9C-B680- FB72656A1DCB'/Username=„ FakeDomain\Fake User'/SoapSession/Id='AD45B176-63F3-4421- BBF0-FE1603E543F4'/Count/total 1

  30. Ride the session!

  31. vmware_session_rider Using the session is non-trivial: VI client has tight timeouts The module acts as a proxy to access vCenter using the stolen session. Will fake the login to the client and can be easily tweaked to act as a password grabber (unlike VIlurker).

  32. Client Internal Hypervisor Management Support

  33. The Interface is FUN Web-based & Complex XSS URL Forwarding BONUS: Shutdown has not been changed, can shutdown local Tomcat on VMware

  34. vmware_webaccess_portscan CVE-2010-0686 “URL Forwarding ” means performing POST requests on remote hosts. Can be used to exploit IP-based trusts and reach internal networks. Not just portscan!

  35. Management is not just interface vCenter connects to ESX server via SSL [SOAP] Certificates are usually not trusted, but stored. MITM  Connection Broken On reconnection, the vCenter will check for the certificate CN Spoof the CN  Admin gets usual warning Admin agrees  password sniffed

  36. vmware_login If nothing works, you can always bruteforce! Will do standard metasploit bruteforcing No lockout on standard accounts (unless joined on AD) means a lot of bruteforcing fun

  37. Client Internal Hypervisor Management Support

  38. What‟s different? Multiple local EOP in Virtual Machines Will eventually include these as modules as well Discovered by great researchers Low level attacks, close to the CPU or OS What else?

  39. Our new Attack surface Paravirtualization and support tools

  40. vmware_sfcb_exec CVE-2010-2667 A vulnerability in Virtual Appliance Management Infrastructure resulting in code exec as root Requires authentication OR can be exploited locally without any authentication.

  41. The attack <?xml version="1.0" encoding="UTF-8"?> <CIM CIMVERSION="2.0" DTDVERSION= "2.0“> <MESSAGE ID="13" PROTOCOLVERSION= "1.0“> <SIMPLEREQ><METHODCALL NAME="SetServerName “> <LOCALCLASSPATH> <LOCALNAMESPACEPATH> <NAMESPACE NAME="root"/><NAMESPACE NAME="cimv2"/> </LOCALNAMESPACEPATH> <CLASSNAME NAME="VAMI_NetworkSetting"/> </LOCALCLASSPATH> <PARAMVALUE NAME="HostName" PARAMTYPE="string “> <VALUE>121;$(echo${IFS}ls${IFS}-l)>/tmp/echo</VALUE> </PARAMVALUE> </METHODCALL> </SIMPLEREQ></MESSAGE></CIM> Kudos to Marsh Ray and others for this Twitter-Powered payload ;-)

  42. So, can we attack virtualization?

  43. Summing up You can attack the admin client, sniffing the password or owning the administrator You can attack the hypervisor and its core modules (by path traversal) You can hijack other user ‟s sessions You can attack the administration web interface You can attack supporting services on the virtual machine

  44. Questions

  45. Pre-made questions to get you started Q: Do these attacks actually work IRL? A: Yes, there ‟s a definite patching issue here Q: What about XEN? A: Similar issues but… next talk! Q: They say I have to surrender and be virtualized A: Not a question. However virtualization can be very good for security!

  46. Thank you Claudio Criscione @paradoxengine c.criscione@securenetwork.it vasto.nibblesec.org – vasto.securenetwork.it

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Virtualization Virtualization Memory virtualization Process feels like it has its own

Virtualization Virtualization Memory virtualization Process feels like it has its own

4/25/08 Virtualization Virtualization Memory virtualization Process feels like it has its own address space Created by MMU, configured by OS Storage virtualization Logical view of disks connected to a machine External

441 views • 8 slides
Virtualization What is Virtualization? Virtualization is the simulation of the software and/

Virtualization What is Virtualization? Virtualization is the simulation of the software and/

Virtualization What is Virtualization? Virtualization is the simulation of the software and/ or hardware upon which other software runs. This simulated environment is called a virtual machine --Wikipedia 2 Computer Systems Arch.

1.26k views • 26 slides
AMD Pacifica Virtualization Technology AMD Unveils Virtualization Platform AMD Pacifica

AMD Pacifica Virtualization Technology AMD Unveils Virtualization Platform AMD Pacifica

AMD Pacifica Virtualization Technology AMD Unveils Virtualization Platform AMD Pacifica Tutorial 2 Virtual Machine Approaches Carve a Server into Many Virtual Machines Hosted Hypervisor-based Virtualization Virtualization App App

539 views • 18 slides
Virtualization and SDN Applications 2 Virtualization Network Virtualization Sharing

Virtualization and SDN Applications 2 Virtualization Network Virtualization Sharing

4/1/2013 Virtualization and SDN Applications 2 Virtualization Network Virtualization Sharing physical hardware or software resources by Share physical network resources to form multiple multiple users and/or use cases diverse virtual

511 views • 5 slides
4/22/2009 Virtualization Memory virtualization Process feels like it has its own address

4/22/2009 Virtualization Memory virtualization Process feels like it has its own address

4/22/2009 Virtualization Memory virtualization Process feels like it has its own address space Created by MMU, configured by OS Distributed Systems Storage virtualization Logical view of disks connected to a machine

407 views • 3 slides
Virtualization. A dream within a dream Type 1 Virtualization Hypervisor run on bare

Virtualization. A dream within a dream Type 1 Virtualization Hypervisor run on bare

Virtualization. A dream within a dream Type 1 Virtualization Hypervisor run on bare metal. Dedicated virtualization machine. Higher performance. Typical for servers. Type 2 Virtualization Hypervisor sits on

571 views • 17 slides
Virtualization and Containerization What is Virtualization? What is Containerization? What does

Virtualization and Containerization What is Virtualization? What is Containerization? What does

Virtualization and Containerization What is Virtualization? What is Containerization? What does this do for us? Virtual Machines: Terminology Types of Hypervisors VirtualBox and VMWare

2.8k views • 30 slides
Virtualization Technology Zhiming Shen Virtualization: rejuvenation 1960s: first track of

Virtualization Technology Zhiming Shen Virtualization: rejuvenation 1960s: first track of

Virtualization Technology Zhiming Shen Virtualization: rejuvenation 1960s: first track of virtualization Time and resource sharing on expensive mainframes IBM VM/370 Late 1970s and early 1980s: became unpopular Cheap

924 views • 34 slides
Hardware / Virtualization / Architectures Foundations of the cloud Implementing Virtualization

Hardware / Virtualization / Architectures Foundations of the cloud Implementing Virtualization

Hardware / Virtualization / Architectures Foundations of the cloud Implementing Virtualization Technologies Cloud Computing relies heavily on the concept of virtualization In fact not possible without it. But they are separate

835 views • 32 slides
Linux Virtualization Kir Kolyshkin &lt;kir@openvz.org&gt; OpenVZ project manager What is

Linux Virtualization Kir Kolyshkin &lt;kir@openvz.org&gt; OpenVZ project manager What is

Linux Virtualization Kir Kolyshkin &lt;kir@openvz.org&gt; OpenVZ project manager What is virtualization? Virtualization is a technique for deploying technologies. Virtualization creates a level of indirection or an abstraction layer between a

388 views • 27 slides
IO Virtualization Kedar &amp; Ozzie Overview Benefits Challenges Full Virtualization

IO Virtualization Kedar &amp; Ozzie Overview Benefits Challenges Full Virtualization

IO Virtualization Kedar &amp; Ozzie Overview Benefits Challenges Full Virtualization Paravirtualization Front-ends, Back-ends Pass through mode Virtualization : Review Create a Virtual machine that can emulate

327 views • 20 slides
Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years

Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years

Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years This talk is based on private research Before that experience as windows/linux/network admin, a little as web developer and so on...

1.06k views • 49 slides
Introduction to Virtual Machines Carl Waldspurger (SB SM 89 PhD 95) VMware R&amp;D Overview

Introduction to Virtual Machines Carl Waldspurger (SB SM 89 PhD 95) VMware R&amp;D Overview

Introduction to Virtual Machines Carl Waldspurger (SB SM 89 PhD 95) VMware R&amp;D Overview Virtualization and VMs Processor Virtualization Memory Virtualization I/O Virtualization I/O Virtualization Types of Virtualization

574 views • 33 slides
KVM MMU Virtualization Xiao Guangrong &lt;xiaoguangrong@cn.fujitsu.com&gt; Index What is MMU

KVM MMU Virtualization Xiao Guangrong &lt;xiaoguangrong@cn.fujitsu.com&gt; Index What is MMU

KVM MMU Virtualization Xiao Guangrong &lt;xiaoguangrong@cn.fujitsu.com&gt; Index What is MMU Virtualization? How to implement MMU Virtualization? How to optimize MMU Virtualization? What will I do? 2 What is MMU Virtualization

621 views • 28 slides
Distributed Systems Virtualization Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise

Distributed Systems Virtualization Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise

Distributed Systems Virtualization Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted, the content of this presentation is licensed under the Creative Commons Attribution 2.5 License. Virtualization Memory virtualization

471 views • 15 slides
A Fault Tolerant Virtualization Server Based on Xen Jrgen Gro Virtualization Kernel

A Fault Tolerant Virtualization Server Based on Xen Jrgen Gro Virtualization Kernel

A Fault Tolerant Virtualization Server Based on Xen Jrgen Gro Virtualization Kernel Developer SUSE Linux GmbH, jgross@suse.com Status Quo Standard Xen Virtualization Server dom0 HVM pv Net- Block- xenstore qemu backend backend

421 views • 23 slides
Utah Medicaids Electronic Health Record (EHR)/Health Information Technology (HIT) Program

Utah Medicaids Electronic Health Record (EHR)/Health Information Technology (HIT) Program

Utah Medicaids Electronic Health Record (EHR)/Health Information Technology (HIT) Program Uses DIRECT Utmcaidhit@chiedirect.net Utah established this account to be able to receive DIRECT messages from providers The Utah Health

213 views • 5 slides
NOW Handout Page 1 1 KB Direct Mapped Cache, 32B blocks Review: Set Associative Cache For a 2

NOW Handout Page 1 1 KB Direct Mapped Cache, 32B blocks Review: Set Associative Cache For a 2

Review: Who Cares About the Memory Hierarchy? Processor Only Thus Far in Course: EECS 252 Graduate Computer CPU cost/performance, ISA, Pipelined Execution Proc 1000 Architecture CPU 60%/yr. CPU-DRAM Gap Moores Law

277 views • 8 slides
The 3DST (3D projection Scintillator Tracker) Clark McGrew Stony Brook Univ. for the DUNE 3DST

The 3DST (3D projection Scintillator Tracker) Clark McGrew Stony Brook Univ. for the DUNE 3DST

Physics Opportunities at the Near Detector 2 The 3DST (3D projection Scintillator Tracker) Clark McGrew Stony Brook Univ. for the DUNE 3DST Group Yuri Kudenko Scintjllatjng perspectjve, 2017 12/03/18 McGrew - PONDD 1 Some 3DST Goals

728 views • 25 slides
FSU DEPARTMENT OF COMPUTER SCIENCE Humb oldt-Universit at zu Berlin Flo rida State

FSU DEPARTMENT OF COMPUTER SCIENCE Humb oldt-Universit at zu Berlin Flo rida State

F ast Instruction Cache Analysis via Static Cache Simulation F rank Mueller David Whalley FSU DEPARTMENT OF COMPUTER SCIENCE Humb oldt-Universit at zu Berlin Flo rida State Universit y F achb ereich Info rmatik

450 views • 19 slides
HIP-WG meeting, IETF62 Using HI P with Legacy Applications

HIP-WG meeting, IETF62 Using HI P with Legacy Applications

HIP-WG meeting, IETF62 Using HI P with Legacy Applications (draft-henderson-hip-applications-00.txt) March 9, 2005 Tom Henderson 1 HIP working group Draft scope Intended to replace the Appendix A of the base specification Should

124 views • 9 slides
Analysis on Shower Fractal Dimension &amp; GRPC Digitizer Manqi RUAN Laboratoire

Analysis on Shower Fractal Dimension &amp; GRPC Digitizer Manqi RUAN Laboratoire

Analysis on Shower Fractal Dimension &amp; GRPC Digitizer Manqi RUAN Laboratoire Leprince-Ringuet (LLR) Ecole polytechnique 91128, Palaiseau 29/03/2011 CALICE Meeting @ CERN 1 Shower fractal dimension Nature: Shower particle, to interact

1.46k views • 46 slides
Quick hit tactics to boost your lead gen Daniel Burstein, Director of Editorial Content, MECLABS

Quick hit tactics to boost your lead gen Daniel Burstein, Director of Editorial Content, MECLABS

Lead Gen Apprentice: Quick hit tactics to boost your lead gen Daniel Burstein, Director of Editorial Content, MECLABS Bob Alvin, Chief Executive Officer and Chairman, NetLine Corporation Bryan Brown, Director, Product Strategy, Silverpop Jon

1.05k views • 63 slides
Cache Coherence Nima Honarmand Fall 2015 :: CSE 610 Parallel Computer Architectures Cache

Cache Coherence Nima Honarmand Fall 2015 :: CSE 610 Parallel Computer Architectures Cache

Fall 2015 :: CSE 610 Parallel Computer Architectures Cache Coherence Nima Honarmand Fall 2015 :: CSE 610 Parallel Computer Architectures Cache Coherence: Problem (Review) Problem arises when There are multiple physical copies of

1.1k views • 74 slides

More recommend