Re: SploitCloud: exploiting cloud brokers for fun and profit
From: xD 0x41 <secn3t () gmail com>
Date: Fri, 11 Nov 2011 06:22:09 +1100

Sorry, but it just is.
You're a lamer, dude.
I'll make sure to blog this for you.

On 10 November 2011 06:25, Sam Johnston <samj () samj net> wrote:

Apologies for the HTML — too many inline links.

SploitCloud: exploiting cloud brokers for fun and profit <http://samj.net/2011/10/sploitcloud.html>

My friends at Enomaly <http://www.enomaly.com/> have been
up <http://twitter.com/#%21/ruv/status/129929111526318081> on <http://twitter.com/#%21/ruv/status/129934534870446080>
Web Services (AWS) <http://aws.amazon.com/> over the XML signature
element wrapping <http://dl.acm.org/citation.cfm?id=1103026> vulnerability
currently being overhyped <http://www.theregister.co.uk/2011/10/27/cloud_security/>,
which is ironic given their security <http://www.securityfocus.com/archive/1/archive/1/500573/100/0/threaded>
record <http://www.securityfocus.com/archive/1/500989> and unfortunate
given I rather like what Amazon have achieved.

Back in March I reported multiple 
 in SpotCloud <http://www.spotcloud.com/> (including their having copied Amazon's
vulnerable signatures <http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html> years after
they were reported
and fixed <http://www.jamesmurty.com/2008/12/31/aws-query-signature-version-2/>)
and I was told I was unethical <https://groups.google.com/group/spotcloudbuyers/msg/237ffac277ea8bbe> and my report
that they "
*may not validate incoming web and/or API requests and if so, may be
vulnerable to cross-site request forgery in which an attacker could make
unauthorised management requests on behalf of a user*" was "unactionably

To demonstrate the severity of the outstanding vulnerability go grab
yourself a SpotCloud account<https://spotcloud.appspot.com/buyer/register>,
charge it up <https://spotcloud.appspot.com/buyer/balance/topup> (ignoring
PCI-DSS <http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard> for a second given they're
collecting credit card numbers via App Engine)
and click the image below. I'll silently create an instance for you using a
hidden IFRAME, but you're welcome to experiment with more destructive
experiments like deleting existing instances and uploading malicious

*Update:* If you look at the code you'll see the hourly rate is passed to
the client as "*cost*" and presumably trusted on return (if not, why is
it there?). I haven't seen a price manipulation
vulnerability <http://www.symantec.com/connect/articles/common-security-vulnerabilities-e-commerce-systems> in over a
decade, but I'm not tinkering with it because I don't fancy being
accused of stealing from them or their providers.

*Update:* While the consumer API <http://dl.enomaly.com/scbuyerapi> now
uses OAuth, the provider API <http://dl.enomaly.com/scprovider> still
uses Amazon's vulnerable
signatures <http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html> for authentication:

import hmac
from hashlib import sha1 as sha   # stands in for the old 'sha' module; same SHA-1 digest

# sample request parameters that produce the data string shown in the comment below
parameters = {'ecp_username': 'spotcloudusername',
              'paramA': 'value',
              'Timestamp': '2006-12-08T07:48:03Z'}

#sorts by key.lowercase(). ie A b c Dee e ffFf
sorted_keys = sorted(parameters.keys(), key=lambda k: k.lower())

#concatenates key,value pairs with no delimiter. a=1,b=2,C=32 becomes "a1b2C32"
data = ''.join(key + parameters[key] for key in sorted_keys)

#Data is now: ecp_usernamespotcloudusernameparamAvalueTimestamp2006-12-08T07:48:03Z
digest = hmac.new('spotcloudpassword', data, sha).digest()   # Python 2 str; use bytes on Python 3

This may have been safe over SSL were it not for the fact that client
libraries (including python) typically don't validate the certificate chain
by default.

CD" as "Unusual Activity" in emailed alert… canceling card, requesting
re-issue. Should have used a virtual card. Wonder if Google know their App
Engine poster child <http://googleappengine.blogspot.com/2011/03/enomaly-chooses-google-app-engine-for.html> is using
it to collect credit card details?

*Update:* It is believed that Private SpotCloud <http://spotcloud.com/Private.50.0.html> and Enomaly
Elastic Computing Platform (ECP) <http://www.enomaly.com/Product-Overview.419.0.html> are also vulnerable to cross-site
request forgery <http://en.wikipedia.org/wiki/Cross-site_request_forgery>,
but without access to the software I have no way to verify.

*Update:* This is how Enomaly deals with security researchers:


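The following is an added illustration, not code from Sam's post or from SpotCloud/Enomaly, of why the version-1 signing scheme quoted above is ambiguous and how a version-2-style canonicalisation (simplified here, with a constructed secret, hostname and request parameters) keeps distinct requests distinct:

```python
import hashlib
import hmac
import urllib.parse

# Constructed sample secret for the demonstration; not a real SpotCloud key.
SECRET = b"spotcloudpassword"


def canonical_v1(parameters):
    """Version-1 style string: keys sorted case-insensitively, each key glued
    straight onto its value with no delimiter, so key/value boundaries are lost."""
    keys = sorted(parameters, key=lambda k: k.lower())
    return "".join(k + parameters[k] for k in keys)


def sign_v1(parameters):
    return hmac.new(SECRET, canonical_v1(parameters).encode(), hashlib.sha1).hexdigest()


def canonical_v2(method, host, path, parameters):
    """Version-2 style string: method, host and path are bound into the signed
    data, and key=value pairs are percent-encoded and '&'-joined, so the
    boundaries survive and the same parameters cannot be replayed elsewhere."""
    def q(s):
        return urllib.parse.quote(s, safe="-_.~")
    query = "&".join(f"{q(k)}={q(v)}" for k, v in sorted(parameters.items()))
    return "\n".join([method, host.lower(), path, query])


def sign_v2(method, host, path, parameters):
    return hmac.new(SECRET, canonical_v2(method, host, path, parameters).encode(),
                    hashlib.sha256).hexdigest()


# Constructed parameter set a legitimate client might sign...
LEGIT = {"action": "launch", "count": "1"}
# ...and a different set that collapses to exactly the same v1 string.
FORGED = {"action": "launchcount1"}


def v1_ambiguous(a, b):
    """True when two distinct parameter sets share a v1 signature, meaning a
    signature captured for one would be accepted by the server for the other."""
    return a != b and sign_v1(a) == sign_v1(b)


def v2_ambiguous(a, b, method="GET", host="api.example.com", path="/"):
    return a != b and sign_v2(method, host, path, a) == sign_v2(method, host, path, b)


if __name__ == "__main__":
    print("v1 collision:", v1_ambiguous(LEGIT, FORGED))   # True
    print("v2 collision:", v2_ambiguous(LEGIT, FORGED))   # False
```

The practical takeaway for anyone still on a v1-style scheme is to migrate to a delimited, request-bound canonical form and, as the post notes, to make sure clients actually validate the TLS certificate chain.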
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/