Pentesting Virtualization – Claudio Criscione (@paradoxengine)



SLIDE 1

Virtually Pwned Pentesting Virtualization

Claudio Criscione @paradoxengine – c.criscione@securenetwork.it

SLIDE 2

/me

Claudio Criscione

SLIDE 3

The need for security

SLIDE 4

Breaking virtualization means…

  • …hacking the underlying layer
  • …accessing systems locally
  • …bypassing access and network controls
  • …hitting multiple targets at once

Almost everywhere now. Small number of different solutions deployed.

SLIDE 5

MyHeaven

SLIDE 6

The elephant in the room

SLIDE 7

Escaping the VM

  • Yes, it can be done
  • Yes, it is (99% up to now) due to an exploit
  • Yes, it can be patched
  • Yes, it will happen again
  • No, it is not something you can easily audit
  • No, I won't disclose "escape from vm" 0days

SLIDE 8

The Plan

SLIDE 9

SLIDE 10

Tools Of The Trade

SLIDE 11

VASTO

The Virtualization ASsessment TOolkit. It is an "exploit pack" for Metasploit focusing on virtualization and cloud security. Announcing Beta 0.3, featured at The Arsenal… yesterday! Thanks to Luca Carettoni, Paolo Canaletti and drk1wi for helping with modules!

SLIDE 12

Our demo target

Security is one of the few fields where hitting a large target is worth more than hitting a small one.

SLIDE 13

How do you notice?

SLIDE 14

Recon

Local – are you in a VM?

  • Easy – check MAC address, processes
  • Not so easy – hardware access

Remote – where's the Hypervisor?

  • Network services
  • Fingerprinting

SLIDE 15

vmware_version

Handy SOAP API to call. Works on most VMware products.

[…]
<RetrieveServiceContent xmlns="urn:internalvim25">
  <_this type="ServiceInstance">ServiceInstance</_this>
</RetrieveServiceContent>
[…]

SLIDE 16

A multi layered attack

SLIDE 17

Client Hypervisor Support Management Internal

SLIDE 18

Client Hypervisor Support Management Internal

SLIDE 19

Client : The Auto Update feature

SLIDE 20

clients.xml

<ConfigRoot>
  <clientConnection id="0000">
    <authdPort>902</authdPort>
    <version>3</version>
    <patchVersion>3.0.0</patchVersion>
    <apiVersion>3.1.0</apiVersion>
    <downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl>
  </clientConnection>
</ConfigRoot>

SLIDE 21

vmware_vilurker

The VIlurker module can perform user-assisted code execution provided you can do MITM on a client. Almost no one uses trusted certificates. There is no code signing on updates, but the user gets a certificate warning.

BONUS INFO: no SSL check on VMware Server 1.x
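The attack on this slide rewrites the clients.xml answer so downloadUrl points at an attacker-controlled installer. As an added example (not the talk's or VASTO's code), a small audit check a defender can run from a client network against the clients.xml actually received: every downloadUrl must be HTTPS, on the same host that served the file, and name the VI client installer. Hostnames and addresses below are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed clients.xml samples in the layout shown on the slide (hostnames
# are placeholders): what a vCenter should serve, and what a client sees after
# a MITM that rewrites downloadUrl to an attacker host over plain HTTP.
GOOD_CLIENTS_XML = """<ConfigRoot>
  <clientConnection id="0000">
    <authdPort>902</authdPort>
    <version>3</version>
    <patchVersion>3.0.0</patchVersion>
    <apiVersion>3.1.0</apiVersion>
    <downloadUrl>https://vcenter.example.test/client/VMware-viclient.exe</downloadUrl>
  </clientConnection>
</ConfigRoot>"""

TAMPERED_CLIENTS_XML = GOOD_CLIENTS_XML.replace(
    "https://vcenter.example.test/client/VMware-viclient.exe",
    "http://203.0.113.7/VMware-viclient.exe")


def audit_clients_xml(xml_text, served_by):
    """Return findings for a clients.xml document served by host `served_by`.

    An empty list means each downloadUrl is HTTPS, points back at the host
    that served the file, names the VI client installer, and authdPort is
    still the default 902.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("clientConnection"):
        cid = conn.get("id", "?")
        url = (conn.findtext("downloadUrl") or "").strip()
        u = urlparse(url)
        if u.scheme != "https":
            findings.append(f"{cid}: downloadUrl is not https ({u.scheme or 'none'})")
        if u.hostname != served_by.lower():
            findings.append(f"{cid}: downloadUrl host {u.hostname!r} differs from {served_by!r}")
        if not u.path.endswith("/VMware-viclient.exe"):
            findings.append(f"{cid}: unexpected installer path {u.path!r}")
        if conn.findtext("authdPort", "").strip() != "902":
            findings.append(f"{cid}: authdPort changed")
    return findings


if __name__ == "__main__":
    for name, doc in (("good", GOOD_CLIENTS_XML), ("tampered", TAMPERED_CLIENTS_XML)):
        print(name, audit_clients_xml(doc, "vcenter.example.test") or "OK")
```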

SLIDE 22

Client Hypervisor Support Management Internal

SLIDE 23

Direct Hit

SLIDE 24

vmware_guest_stealer

CVE-2009-3733. This path traversal was discovered by Flick and Morehouse and presented last year. The exploit was released as a Perl script and has been ported to VASTO. It can be used to retrieve any file as the root user, including non-running guests. Works on most outdated VMware products.

SLIDE 25

Client Hypervisor Support Management Internal

SLIDE 26

Components Always Components

SLIDE 27

vmware_updatemanager_traversal

JETTY-1004. VMware Update Manager includes Jetty 6.1.16 and runs on the vCenter (management) server. Jetty 6.1.16 is vulnerable to path traversal (again). Here is the magic string:

/vci/downloads/health.xml/%3F/../../../../../../../../../$FILE
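An added example (not from the talk or VASTO): detection logic for the traversal string above, run over constructed access-log lines from the Update Manager web server. It decodes the request path twice so that both the plain `%3F/../` form and a double-encoded variant are caught.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the talk). The third carries
# the Jetty 6.1.16 traversal string from the slide, the fourth a
# double-encoded variant of the same trick.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2010:12:00:01 +0000] "GET /vci/downloads/health.xml HTTP/1.1" 200 512
10.0.0.5 - - [10/Jul/2010:12:00:02 +0000] "GET /vci/downloads/index.html HTTP/1.1" 200 1024
10.0.0.9 - - [10/Jul/2010:12:00:03 +0000] "GET /vci/downloads/health.xml/%3F/../../../../../../../../../etc/passwd HTTP/1.1" 200 2048
10.0.0.9 - - [10/Jul/2010:12:00:04 +0000] "GET /vci/downloads/health.xml/%253F/..%2F..%2F..%2Fwindows/win.ini HTTP/1.1" 200 128
"""

# Common log format: client, ident, user, [timestamp], "METHOD path proto", status
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def decode_path(path, rounds=2):
    """Percent-decode up to `rounds` times so %3F and %253F both become '?'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_jetty_traversal(path):
    """True when the decoded path contains an encoded '?' segment or a '/../' hop.

    The slide's string relies on '%3F' followed by '../' segments; a normal
    request to a static file never carries either inside the URI path.
    """
    decoded = decode_path(path)
    return "/?/" in decoded or "/../" in decoded


def find_traversal_attempts(log_text):
    """Return (source, raw path, status) for every line that looks like a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_jetty_traversal(m.group("path")):
            hits.append((m.group("src"), m.group("path"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for src, path, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"{src} -> {path} ({status})")
```

A 200 status on a flagged request is the case worth paging on: it means the file was actually served.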

SLIDE 28

Ok, we can read files on the vCenter, so what? Follow me!

SLIDE 29

Introducing vpxd-profiler-*

It is a "debug" file written by vCenter. Lots of information inside. Let's go for low-hanging fruits for now. More to come.

/SessionStats/SessionPool/Session/Id='06B90BCB-A0A4-4B9C-B680-FB72656A1DCB'/Username='FakeDomain\Fake User'/SoapSession/Id='AD45B176-63F3-4421-BBF0-FE1603E543F4'/Count/total 1

SLIDE 30

Ride the session!

SLIDE 31

vmware_session_rider

Using the session is non-trivial: the VI client has tight timeouts. The module acts as a proxy to access vCenter using the stolen session. It will fake the login to the client and can easily be tweaked to act as a password grabber (unlike VIlurker).

SLIDE 32

Client Hypervisor Support Management Internal

SLIDE 33

The Interface is FUN

Web-based & complex. XSS. URL forwarding. BONUS: Shutdown has not been changed, so the local Tomcat on VMware can be shut down.

SLIDE 34

vmware_webaccess_portscan

CVE-2010-0686. "URL Forwarding" means performing POST requests on remote hosts. It can be used to exploit IP-based trusts and reach internal networks. Not just portscan!

SLIDE 35

Management is not just interface

vCenter connects to the ESX server via SSL [SOAP]. Certificates are usually not trusted, but stored. MITM: connection broken. On reconnection, vCenter will check the certificate CN. Spoof the CN → admin gets the usual warning. Admin agrees → password sniffed.

SLIDE 36

vmware_login

If nothing works, you can always bruteforce! Will do standard Metasploit bruteforcing. No lockout on standard accounts (unless joined in AD) means a lot of bruteforcing fun.

SLIDE 37

Client Hypervisor Support Management Internal

SLIDE 38

What's different?

  • Multiple local EOP in Virtual Machines
  • Will eventually include these as modules as well
  • Discovered by great researchers
  • Low level attacks, close to the CPU or OS

What else?

SLIDE 39

Our new Attack surface

Paravirtualization and support tools

SLIDE 40

vmware_sfcb_exec

CVE-2010-2667. A vulnerability in the Virtual Appliance Management Infrastructure resulting in code exec as root. Requires authentication, OR can be exploited locally without any authentication.

SLIDE 41

The attack

<?xml version="1.0" encoding="UTF-8"?>
<CIM CIMVERSION="2.0" DTDVERSION="2.0">
  <MESSAGE ID="13" PROTOCOLVERSION="1.0">
    <SIMPLEREQ>
      <METHODCALL NAME="SetServerName">
        <LOCALCLASSPATH>
          <LOCALNAMESPACEPATH>
            <NAMESPACE NAME="root"/>
            <NAMESPACE NAME="cimv2"/>
          </LOCALNAMESPACEPATH>
          <CLASSNAME NAME="VAMI_NetworkSetting"/>
        </LOCALCLASSPATH>
        <PARAMVALUE NAME="HostName" PARAMTYPE="string">
          <VALUE>121;$(echo${IFS}ls${IFS}-l)>/tmp/echo</VALUE>
        </PARAMVALUE>
      </METHODCALL>
    </SIMPLEREQ>
  </MESSAGE>
</CIM>

Kudos to Marsh Ray and others for this Twitter-Powered payload ;-)
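The HostName parameter above is handed to a shell without validation, which is why the `$(...)` command substitution runs as root. As an added example (not VMware's, VAMI's or VASTO's code), the check a CIM provider should apply before touching the host name: parse the request in the slide's layout, pull out the HostName value and accept only RFC 1123 host names, so the slide's payload is refused. The request template and host names are constructed.

```python
import re
import xml.etree.ElementTree as ET

# RFC 1123 host name labels: letters, digits and hyphens, 1-63 chars,
# no leading or trailing hyphen; the whole name is at most 253 chars.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(value):
    """True only for a syntactically valid host name (no shell metacharacters can pass)."""
    if not value or len(value) > 253:
        return False
    return all(LABEL_RE.match(label) for label in value.rstrip(".").split("."))


def extract_param(cim_xml, method, param):
    """Return the <VALUE> text of PARAMVALUE `param` in METHODCALL `method`, or None."""
    root = ET.fromstring(cim_xml)
    for call in root.iter("METHODCALL"):
        if call.get("NAME") != method:
            continue
        for pv in call.iter("PARAMVALUE"):
            if pv.get("NAME") == param:
                return (pv.findtext("VALUE") or "").strip()
    return None


def check_set_server_name(cim_xml):
    """Decide whether a SetServerName request may proceed: (ok, host_or_reason)."""
    host = extract_param(cim_xml, "SetServerName", "HostName")
    if host is None:
        return False, "no HostName parameter"
    if not is_valid_hostname(host):
        return False, f"HostName {host!r} is not a valid host name"
    return True, host


# Constructed CIM-XML request in the slide's layout; {hostname} is filled in
# so a benign name and the slide's injected value can both be checked.
REQUEST_TEMPLATE = """<CIM CIMVERSION="2.0" DTDVERSION="2.0">
<MESSAGE ID="13" PROTOCOLVERSION="1.0"><SIMPLEREQ><METHODCALL NAME="SetServerName">
<LOCALCLASSPATH><LOCALNAMESPACEPATH><NAMESPACE NAME="root"/><NAMESPACE NAME="cimv2"/>
</LOCALNAMESPACEPATH><CLASSNAME NAME="VAMI_NetworkSetting"/></LOCALCLASSPATH>
<PARAMVALUE NAME="HostName" PARAMTYPE="string"><VALUE>{hostname}</VALUE></PARAMVALUE>
</METHODCALL></SIMPLEREQ></MESSAGE></CIM>"""


def build_request(hostname):
    return REQUEST_TEMPLATE.format(hostname=hostname)


if __name__ == "__main__":
    for name in ("appliance-01.example.test", "121;$(echo${IFS}ls${IFS}-l)>/tmp/echo"):
        print(check_set_server_name(build_request(name)))
```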

SLIDE 42

So, can we attack virtualization?

SLIDE 43

Summing up

  • You can attack the admin client, sniffing the password or owning the administrator
  • You can attack the hypervisor and its core modules (by path traversal)
  • You can hijack other users' sessions
  • You can attack the administration web interface
  • You can attack supporting services on the virtual machine

SLIDE 44

Questions

SLIDE 45

Pre-made questions to get you started

Q: Do these attacks actually work IRL?
A: Yes, there's a definite patching issue here.

Q: What about XEN?
A: Similar issues but… next talk!

Q: They say I have to surrender and be virtualized.
A: Not a question. However, virtualization can be very good for security!

SLIDE 46

Thank you

Claudio Criscione

@paradoxengine – c.criscione@securenetwork.it

vasto.nibblesec.org – vasto.securenetwork.it