Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: SploitCloud: exploiting cloud brokers for fun and profit
From: xD 0x41 <secn3t () gmail com>
Date: Fri, 11 Nov 2011 06:22:09 +1100

Lame.
Sorry but, it just is.
Your a lamer dude.
Ill makesure to blog this for you.


On 10 November 2011 06:25, Sam Johnston <samj () samj net> wrote:

Apologies for the HTML — too many inline links.

Sam
SploitCloud: exploiting cloud brokers for fun and profit<http://samj.net/2011/10/sploitcloud.html>
 My friends at Enomaly <http://www.enomaly.com/> have been 
beating<http://twitter.com/#%21/ruv/status/129928434079109121>
up <http://twitter.com/#%21/ruv/status/129929111526318081> on<http://twitter.com/#%21/ruv/status/129934534870446080> 
Amazon
Web Services (AWS) <http://aws.amazon.com/> over the XML signature
element wrapping <http://dl.acm.org/citation.cfm?id=1103026> vulnerability
currently being overhyped<http://www.theregister.co.uk/2011/10/27/cloud_security/>
by<http://www.fiercecio.com/techwatch/story/security-flaw-cloud-architectures-including-amazon-web-services/2011-10-28>
the<http://www.pcworld.com/businesscenter/article/242598/researchers_demo_cloud_security_issue_with_amazon_aws_attack.html>
press<http://www.networkworld.com/news/2011/102611-security-cloud-252406.html>,
which is ironic given their security<http://www.securityfocus.com/archive/1/archive/1/500573/100/0/threaded>
track<http://www.securityfocus.com/archive/1/archive/1/500573/100/0/threaded>
record <http://www.securityfocus.com/archive/1/500989> and unfortunate
given I rather like what Amazon have achieved.

Back in March I reported multiple 
vulnerabilities<https://groups.google.com/group/spotcloudbuyers/browse_thread/thread/1993b3ab1643bfa2>
 in SpotCloud <http://www.spotcloud.com/> (including their having copied Amazon's
vulnerable signatures<http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html>years after 
they were reported
and fixed<http://www.jamesmurty.com/2008/12/31/aws-query-signature-version-2/>)
and I was told I was unethical<https://groups.google.com/group/spotcloudbuyers/msg/237ffac277ea8bbe>and my report 
that they "
*may not validate incoming web and/or API requests and if so, may be
vulnerable to cross-site request forgery in which an attacker could make
unauthorised management requests on behalf of a user*" was "unactionably
vague<https://groups.google.com/group/spotcloudbuyers/browse_thread/thread/526fc1d60bfa6e95>
".

To demonstrate the severity of the outstanding vulnerability go grab
yourself a SpotCloud account<https://spotcloud.appspot.com/buyer/register>,
charge it up <https://spotcloud.appspot.com/buyer/balance/topup> (ignoring
PCI-DSS<http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard>for a second given they're 
collecting credit card numbers via App Engine)
and click the image below. I'll silently create an instance for you using a
hidden IFRAME, but you're welcome to experiment with more destructive
experiments like deleting existing instances and uploading malicious
workloads.


*Update:* If you look at the code you'll see the hourly rate is passed to
the client as "*cost*" and presumably trusted on return (if not, why is
it there?). I haven't seen a price manipulation 
vulnerability<http://www.symantec.com/connect/articles/common-security-vulnerabilities-e-commerce-systems>in over a 
decade, but I'm not tinkering with it because I don't fancy being
accused of stealing from them or their providers.

*Update:* While the consumer API <http://dl.enomaly.com/scbuyerapi> now
uses OAuth, the provider API <http://dl.enomaly.com/scprovider> still
uses Amazon's vulnerable 
signatures<http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html>for authentication:

#sorts by key.lowercase(). ie A b c Dee e ffFf
sorted_keys = sorted(parameters.keys(), key=lambda k: k.lower())

#concatenates key,value pairs. a=1,b=2,C=32 becomes "a1b2C32"
data = ’’.join(key + parameters[key] for key in sorted_keys)

#Data is now: ecp_usernamespotcloudusernameparamAvalueTimestamp2006-12-08T07:48:03Z
digest = hmac.new(’spotcloudpassword’, data, sha).digest()


This may have been safe over SSL were it not for the fact that client
libraries (including python) typically don't validate the certificate chain
by default.

*Update:* Wells Fargo reports "CHECK CRD PURCHASE SPOT CLOUD ETOBICOKE
CD" as "Unusual Activity" in emailed alert… canceling card, requesting
re-issue. Should have used a virtual card. Wonder if Google know their App
Engine poster child<http://googleappengine.blogspot.com/2011/03/enomaly-chooses-google-app-engine-for.html>is using 
it to collect credit card details?

*Update:* It is believed that Private SpotCloud<http://spotcloud.com/Private.50.0.html>and Enomaly
Elastic Computing Platform (ECP)<http://www.enomaly.com/Product-Overview.419.0.html>are also vulnerable to cross-site
request forgery <http://en.wikipedia.org/wiki/Cross-site_request_forgery>,
but without access to the software I have no way to verify.

*Update:* This is how Enomaly deals with security researchers:

<http://4.bp.blogspot.com/-XwLZ56N2Gjg/TrnalAPJ9qI/AAAAAAAAAYU/SY57-4azetI/s1600/spotcloud-suspended.png>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]