The Glass Cage
Virtualization security
Claudio Criscione
Claudio Criscione
Nibble Security
What is this speech about?
Breaking out of the cage vendors are trying to put around your mind!
Virtualization in 3 Minutes
Hardware
Hypervisor
Host Operating System
Design in the virtualization era
Mail Server
Web Server
DNS Server
Firewall
The Original Sin
The original sin – virtualization security is the same as physical security
It is very practical to think about the cloud
It is not really there!
What you have is more systems
If it bleeds...
Hypervisors are running on top of “standard” OSes
Linux, Windows 2008, Nemesis
And they are running services as well!
VMSA-0008-0002.1
Patches Virtual Center: running tomcat 5.5.17
VMSA-0008-0015
Patches remote buffer overflow in openwsman
CVE-2007-1321
Heap Overflow in Xen NE2000 network driver
Hyper-V
SMBv2 anyone?
More than just Hypervisors
There's a whole ecosystem around virtualization
Management software
Storage managers
Patchers
Conversion software
All of them can be hacked!
SN-2009-02 - ToutVirtual VirtualIQ Pro Multiple Vulnerabilities
Insecure clients
Client security
The attack surface is quite large
SSL
Web Services
Rendering engines
Integration & Plugins
Auto-update functionalities
MITM Against Clients? Why not!
With or without null byte
/client/clients.xml
Requested every time VI client connects to a host
<ConfigRoot>
  <clientConnection id="0000">
    <authdPort>902</authdPort>
    <version>3</version>
    <patchVersion>3.0.0</patchVersion>
    <apiVersion>3.1.0</apiVersion>
    <downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl>
  </clientConnection>
</ConfigRoot>
What if we change that XML?
By MitM
or
Post-exploitation on the host
Demo time
Just woke up? Here's what's going on
VI Client looks for clients.xml
We do some MiTM
We use Burp because it rocks and it's easy
Change the clients.xml
P0wned
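A defender-side check for the tampering described in these slides, as an added example that is not part of the original talk: it parses a captured clients.xml and flags a downloadUrl that leaves HTTPS, names a host other than the one the client connected to, or points at a different installer path. The sample documents, the host name esx01.example.net, the fixed installer path, and the reading of `*` as "the connected host" are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample in the layout shown on the slide.
GENUINE = """<ConfigRoot>
  <clientConnection id="0000">
    <authdPort>902</authdPort>
    <version>3</version>
    <patchVersion>3.0.0</patchVersion>
    <apiVersion>3.1.0</apiVersion>
    <downloadUrl>https://*/client/VMware-viclient.exe</downloadUrl>
  </clientConnection>
</ConfigRoot>"""

# Constructed sample: the same document with downloadUrl rewritten in transit.
TAMPERED = GENUINE.replace("https://*/client/", "http://updates.example.net/")


def audit_clients_xml(xml_text, connected_host):
    """Return findings about the downloadUrl entries of a captured clients.xml."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        # The file on the slide needs no DTD; refuse it rather than expand entities.
        return ["document declares a DTD or entities"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    urls = [(e.text or "").strip() for e in root.iter("downloadUrl")]
    if not urls:
        findings.append("no downloadUrl element")
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "https":
            findings.append(f"downloadUrl is not https: {url}")
        # Assumption: "*" means "the host the client is connected to".
        if host not in ("*", connected_host.lower()):
            findings.append(f"downloadUrl host {host!r} differs from {connected_host!r}")
        # Assumption: the installer path is always the one shown on the slide.
        if not parts.path.lower().endswith("/client/vmware-viclient.exe"):
            findings.append(f"unexpected installer path: {parts.path}")
    return findings


if __name__ == "__main__":
    for name, doc in (("genuine", GENUINE), ("tampered", TAMPERED)):
        print(name, audit_clients_xml(doc, "esx01.example.net"))
```

The check only detects a rewritten file; preventing the rewrite depends on the client validating the host's TLS certificate.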
Administrative Interface Security
Glass windows in the castle
Some of them are even hidden...
...and some of them are broken.
XEN Center Web
Multiple vulnerabilities in the default installation
RCE, File inclusion, XSS
SN-2009-01 – Alberto Trivero & Claudio Criscione
People were actually using it, over the internet
But now it's gone...
VMware Studio
A virtual appliance to build other virtual appliances
Path traversal leading to unauthenticated arbitrary file upload to any directory
SN-2009-03 by Claudio Criscione
Virtualization ASsessment TOolkit
A toolkit for virtualization penetration testing
Currently under development @ Secure Network
Metasploit based
Still in early Alpha stage
Stable modules:
Fingerprinting
Brute Forcer
VMware Studio Exploiter
Let's see them (if we have time!)
Everyone has got some...
Ubuntu just launched its Cloud infrastructure
It leverages Eucalyptus
And we have (at least) an XSS in Eucalyptus
VM hopping
You already knew about that, or at least thought about that
It already happened multiple times, e.g.
CloudBurst on VMware
CVE-2007-1320 on XEN
Overflow in Cirrus VGA: see a pattern?
Virtual Appliances
Monitoring systems
Monitoring
Virtual Appliances + Monitoring = Nice Example
Astaro virtual firewall
One pre-auth request to the HTTP interface will result in Astaro doing a DNS query
We won't get the results, but it's a nice one-way covert channel for any blind attack (tnx ikki)
What's most important, no IDS in the network will detect any anomaly. It's all in-memory
Templates
So what
Virtualization Management Review
Virtualization Architecture Review
And now you know VASTO is coming
What about management issues?
VM Sprawl
Segregation of duties