![Page 2: Virtually Pwned...VASTO The Virtualization ASsessment TOolkit It is an “exploit pack” for Metasploit focusing on virtualization and cloud security. Announcing Beta 0.3 –Featured](https://reader036.vdocument.in/reader036/viewer/2022081616/5fe6ce540edb7525477ac7d5/html5/thumbnails/2.jpg)
/me
Claudio Criscione
The need for security
Breaking virtualization means…
…hacking the underlying layer
…accessing systems locally
…bypassing access and network controls
…hitting multiple targets at once
Almost everywhere now
Small number of different solutions deployed
MyHeaven
The elephant in the room
Escaping the VM
• Yes, it can be done
• Yes, it is (99% up to now) due to an exploit
• Yes, it can be patched
• Yes, it will happen again
• No, it is not something you can easily audit
• No, I won't disclose "escape from VM" 0days
The Plan
Tools Of The Trade
VASTO
The Virtualization ASsessment TOolkit
It is an “exploit pack” for Metasploit focusing on virtualization and cloud security.
Announcing Beta 0.3 – Featured at The Arsenal…yesterday!
Tnx to Luca Carettoni, Paolo Canaletti, drk1wi for helping with modules!
Our demo target
Security is one of the few fields where hitting a large target is worth more than hitting a small one.
How do you notice?
Recon
Local – are you in a VM?
Easy – Check MAC address, processes
Not so easy – Hardware access
Remote – where's the Hypervisor?
Network services
Fingerprinting
vmware_version
Handy SOAP API to call
Works on most VMware products
[…]
<RetrieveServiceContent xmlns="urn:internalvim25">
<_this type="ServiceInstance">ServiceInstance</_this>
</RetrieveServiceContent>
[…]
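An added example (not VASTO's code) that builds the RetrieveServiceContent call shown above and pulls the product and version fields out of the reply, so the same call can be used to inventory hypervisor builds for patch-status checks; the reply below is constructed for this example and the `about` field names are assumed from the vSphere API.

```python
# Added example, not VASTO code: build the RetrieveServiceContent request the
# vmware_version module sends and extract product/version fields from the
# reply for a patch-status inventory. SAMPLE_REPLY is CONSTRUCTED (shape only,
# not captured from a real host); the namespace is the one the slide uses.
import xml.etree.ElementTree as ET

NS = "urn:internalvim25"

def build_request() -> bytes:
    """SOAP envelope carrying the RetrieveServiceContent call from the slide."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soapenv:Body>"
        f'<RetrieveServiceContent xmlns="{NS}">'
        '<_this type="ServiceInstance">ServiceInstance</_this>'
        "</RetrieveServiceContent>"
        "</soapenv:Body></soapenv:Envelope>"
    ).encode()

def parse_about(body: bytes) -> dict:
    """Return the <about> block (name, version, build, apiType) as a dict."""
    root = ET.fromstring(body)
    about = root.find(f".//{{{NS}}}about")
    if about is None:
        raise ValueError("no <about> element: not a ServiceInstance reply")
    return {child.tag.split("}")[1]: (child.text or "") for child in about}

def needs_attention(about: dict, minimum_version: str) -> bool:
    """True when the reported version is older than the fleet minimum."""
    def key(v: str):
        return tuple(int(p) for p in v.split("."))
    return key(about["version"]) < key(minimum_version)

# Constructed sample reply (assumed field names, not real host data).
SAMPLE_REPLY = f"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Body>
  <RetrieveServiceContentResponse xmlns="{NS}">
   <returnval>
    <about>
     <name>VMware ESX</name>
     <fullName>VMware ESX 4.0.0 build-000000</fullName>
     <version>4.0.0</version>
     <build>000000</build>
     <apiType>HostAgent</apiType>
    </about>
   </returnval>
  </RetrieveServiceContentResponse>
 </soapenv:Body>
</soapenv:Envelope>""".encode()

if __name__ == "__main__":
    info = parse_about(SAMPLE_REPLY)
    print(info["fullName"], "below 4.1.0:", needs_attention(info, "4.1.0"))
```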
A multi layered attack
Client / Hypervisor / Support / Management / Internal
Client : The Auto Update feature
clients.xml
<ConfigRoot>
<clientConnection id="0000">
<authdPort>902</authdPort>
<version>3</version>
<patchVersion>3.0.0</patchVersion>
<apiVersion>3.1.0</apiVersion>
<downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl>
</clientConnection>
</ConfigRoot>
vmware_vilurker
The VIlurker module can perform user-assisted code execution provided you can do MITM on a client.
Almost no one uses trusted certificates.
No code signing on updates, but user gets a certificate warning.
BONUS INFO: no SSL check on VMware Server 1.x
Direct Hit
vmware_guest_stealer
CVE-2009-3733
This path traversal was discovered by Flick and Morehouse and presented last year. The exploit was released as a Perl script and has been ported to VASTO.
It can be used to retrieve any file as the root user, including non-running guests. Works on most outdated VMware products.
Components
vmware_updatemanager_traversal
JETTY-1004
VMware Update Manager includes Jetty 6.1.16
Runs on the vCenter (management) Server
Jetty 6.1.16 is vulnerable to path traversal (again)
Here is the magic string
/vci/downloads/health.xml/%3F/../../../../../../../../../$FILE
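An added detection example (not part of VASTO) that runs over constructed web-server access log lines and flags requests matching the traversal pattern above, including double-encoded variants; the log format and the `FILE` placeholder are assumptions for this example.

```python
# Added example, not VASTO code: flag the Jetty traversal pattern from the
# slide in access logs. SAMPLE_LOG is CONSTRUCTED; 'FILE' stands in for the
# $FILE placeholder on the slide.
import posixpath
import re
from urllib.parse import unquote

BASE = "/vci/downloads/"   # Update Manager download tree named on the slide
DOTDOT = re.compile(r"(^|/)\.\.(/|$)")
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def normalise(raw_path: str) -> str:
    """Percent-decode until stable (catches double encoding), then collapse
    '.' and '..' segments the way a file-system join would."""
    decoded = raw_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return posixpath.normpath(decoded)

def is_traversal(raw_path: str) -> bool:
    """True when the decoded path carries a dot-dot segment, or when a request
    under BASE resolves outside it; no legitimate download does either."""
    decoded = unquote(unquote(raw_path))
    if DOTDOT.search(decoded):
        return True
    if raw_path.startswith(BASE):
        return not normalise(raw_path).startswith(BASE.rstrip("/"))
    return False

# Constructed sample log (common log format); the second and third requests
# carry the traversal, the third one double-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2010:10:00:01 +0000] "GET /vci/downloads/health.xml HTTP/1.1" 200 512
10.0.0.9 - - [01/Aug/2010:10:00:07 +0000] "GET /vci/downloads/health.xml/%3F/../../../../../../../../../FILE HTTP/1.1" 200 1983
10.0.0.9 - - [01/Aug/2010:10:00:09 +0000] "GET /vci/downloads/health.xml/%253F/..%2F..%2F..%2FFILE HTTP/1.1" 404 0
"""

def suspicious_requests(log_text: str) -> list:
    """Return (client_ip, raw_path) for every log line that looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_traversal(m.group("path")):
            hits.append((line.split()[0], m.group("path")))
    return hits

if __name__ == "__main__":
    for ip, path in suspicious_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```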
Ok, we can read files on the vCenter, so what?
Follow me!
Introducing vpxd-profiler-*
It is a “debug” file written by vCenter.
Lots of information inside. Let's go for low-hanging fruits for now. More to come
/SessionStats/SessionPool/Session/Id='06B90BCB-A0A4-4B9C-B680-FB72656A1DCB'/Username='FakeDomain\FakeUser'/SoapSession/Id='AD45B176-63F3-4421-BBF0-FE1603E543F4'/Count/total 1
Ride the session!
vmware_session_rider
Using the session is non-trivial: VI client has tight timeouts
The module acts as a proxy to access vCenter using the stolen session.
Will fake the login to the client and can be easily tweaked to act as a password grabber (unlike VIlurker).
The Interface is FUN
Web-based & Complex
XSS
URL Forwarding
BONUS: Shutdown has not been changed; can shut down the local Tomcat on VMware
vmware_webaccess_portscan
CVE-2010-0686
“URL Forwarding” means performing POST requests on remote hosts.
Can be used to exploit IP-based trusts and reach internal networks.
Not just portscan!
Management is not just interface
vCenter connects to ESX server via SSL [SOAP]
Certificates are usually not trusted, but stored.
MITM -> connection broken
On reconnection, the vCenter will check for the certificate CN
Spoof the CN -> admin gets the usual warning
Admin agrees -> password sniffed
vmware_login
If nothing works, you can always bruteforce!
Will do standard metasploit bruteforcing
No lockout on standard accounts (unless joined on AD) means a lot of bruteforcing fun
What's different?
Multiple local EOP in Virtual Machines
Will eventually include these as modules as well
Discovered by great researchers
Low level attacks, close to the CPU or OS
What else?
Our new Attack surface
Paravirtualization and support tools
vmware_sfcb_exec
CVE-2010-2667
A vulnerability in Virtual Appliance Management Infrastructure resulting in code exec as root
Requires authentication OR can be exploited locally without any authentication.
The attack
<?xml version="1.0" encoding="UTF-8"?>
<CIM CIMVERSION="2.0" DTDVERSION="2.0"><MESSAGE ID="13" PROTOCOLVERSION="1.0"><SIMPLEREQ>
<METHODCALL NAME="SetServerName">
<LOCALCLASSPATH><LOCALNAMESPACEPATH><NAMESPACE NAME="root"/><NAMESPACE NAME="cimv2"/></LOCALNAMESPACEPATH>
<CLASSNAME NAME="VAMI_NetworkSetting"/></LOCALCLASSPATH>
<PARAMVALUE NAME="HostName" PARAMTYPE="string"><VALUE>121;$(echo${IFS}ls${IFS}-l)>/tmp/echo</VALUE></PARAMVALUE>
</METHODCALL></SIMPLEREQ></MESSAGE></CIM>
Kudos to Marsh Ray and others for this Twitter-Powered payload ;-)
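An added example (neither VASTO nor VMware code) of the input handling that stops this class of bug: the HostName value is checked against RFC 1123 before use and then passed as a separate argv element, never through a shell; the `hostname` command and the calling convention are assumptions for this example.

```python
# Added example, not VASTO or VMware code: hardened handling of the HostName
# parameter that SetServerName hands to the system. The vulnerable pattern is
# interpolating the value into a shell command string; the fix is to validate
# the value as a host name and pass it as its own argv element. The
# 'hostname' command and the run() convention are assumptions.
import re
import subprocess

# One RFC 1123 label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_valid_hostname(value: str) -> bool:
    """RFC 1123 host name: at most 253 chars, dot-separated valid labels.
    Shell metacharacters (';', '$', '(', '>', '{' ...) can never pass."""
    if not value or len(value) > 253:
        return False
    return all(LABEL.match(label) for label in value.rstrip(".").split("."))

def set_server_name(value: str, run=subprocess.run) -> int:
    """Hardened counterpart of the vulnerable call: reject anything that is
    not a host name, then invoke the tool with an argument list (no shell),
    so the value is data to the program rather than text to a shell parser."""
    if not is_valid_hostname(value):
        raise ValueError(f"rejected host name: {value!r}")
    return run(["hostname", value], check=False).returncode

if __name__ == "__main__":
    for candidate in ("esx01.example.com", "121;$(echo${IFS}ls${IFS}-l)>/tmp/echo"):
        print(candidate, "->", "accepted" if is_valid_hostname(candidate) else "rejected")
```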
So, can we attack virtualization?
Summing up
You can attack the admin client, sniffing the password or owning the administrator
You can attack the hypervisor and its core modules (by path traversal)
You can hijack other users' sessions
You can attack the administration web interface
You can attack supporting services on the virtual machine
Questions
Pre-made questions to get you started
Q: Do these attacks actually work IRL?
A: Yes, there's a definite patching issue here
Q: What about XEN?
A: Similar issues but… next talk!
Q: They say I have to surrender and be virtualized
A: Not a question. However, virtualization can be very good for security!
Thank you
Claudio Criscione
@paradoxengine
vasto.nibblesec.org – vasto.securenetwork.it