Grey bar Blue bar
Share this:

Sun, 9 Aug 2009

BlackHat presentation demo vids: MobileMe

[part 5 in a series of 5 video write-ups from our BlackHat 09 talk, summary here]

Goal

The final installment of our BlackHat video series showcases weaknesses in the password reset feature for Apple's MobileMe service as well as publicizing an XSS vulnerability in the application. At first glance the choice of MobileMe may seem arbitrary, but it was useful for a number of reasons. MobileMe is one of the more popular consumer-focused cloud services and it's a good example of the feature-creep that's a hallmark of cloud systems. By compromising a user's MobileMe account an attacker has access to much more than just the user's mail. With each new feature addition the user is sucked into the service a little more until most of their data is stored within MobileMe, and a compromise of the account becomes serious for the user.

To this end, we were arrived at the point where, if we were a little more malicious, we could read Steve Wozniak's mail, peruse his calendar, follow his physical location on Google Maps and embed JavaScript in his MobileMe account for contuined access.

Background

Apple's MobileMe product (formely .Mac) provides users with a number of subscription-based services for interacting and existing online including push mail, contacts, calendaring, storage, photos and iPhone integration. These are delivered via a web interface and the infrastructure is managed by Apple.

Video 1: Password Reset

Performing authentication on a massive userbase with whom there is zero offline interaction is hard, especially when it comes down to the degraded authentication required by password reset processes. Considering that web interfaces appear to be the dominant channel by which cloud services are managed (we touch on the implications here), a flawed password reset process can mean that attackers gain access to more that simply your mail.

In August last year, TechCrunch published a way to enumerate usernames on MobileMe. We abused this further to target a specific user on MobileMe in order to reset his password. As the video shows, the process only requires a birthdate (which is generally obtainable either through FaceBook, Wikipedia, Amazon wishlists or the like) and a secret question. Again, with enough digging the answer to the secret question is often guessable. In the video above we show a toy example of the password reset working against a SensePoster.

Video 2: XSS in iPhone name

This video demonstrates an XSS vulnerability that we found in the iPhone/MobileMe integration. By inserting JavaScript into the iPhone's name, this was displayed on the "Find My iPhone" page on MobileMe. Some slight trickery was required as the JavaScript was truncated in two points in the page but passed through untouched in three others; by extending the name and embedding the JavaScript past the truncation point we solved this issue.

Apple has since patched this bug.

Video 3: Woz's mail

Finally, we demonstrate the password reset attack against Woz's MobileMe account. We stopped before actually resetting his password, but in his own words he stores mail, calendaring info and other information that is sensitive to him on MobileMe, and the ability to XSS the page would mean that the continued compromise of the account was possible.

Conclusion

The reliance on web interfaces to control cloud services has unintended consequences. With the feature-creep that takes place, more and more of our data is placed in the cloud yet the security controls remain at the level used to protect Hotmail or Amazon bookstore accounts. By piecing together publicly available information, we can generate a profile that is sufficiently complete for a password reset, which points to flaws within the reset process.

Sat, 8 Aug 2009

BlackHat presentation demo vids: Amazon

[part 4 in a series of 5 video write-ups from our BlackHat 09 talk, summary here]

Goal

In the fourth installment of our BlackHat video series, we turned our attention to Amazon's cloud platform and focused on their Elastic Compute Cloud (EC2) service specifically.

Theft of resources is the red-headed step-child of attack classes and doesn't get much attention, but on cloud platforms where resources are shared amongst many users these attacks can have a very real impact. With this in mind, we wanted to show how EC2 was vulnerable to a number of resource theft attacks and the videos below demonstrate three separate attacks against EC2 that permit an attacker to boot up massive numbers of machines, steal computing time/bandwidth from other users and steal paid-for AMIs.

Background

EC2 enables users to boot and run virtual machines that are custom-configured by the user but execute within Amazon's cloud. Each virtual machine or Amazon Machine Instance (AMI) has its own IP, non-persistent storage, CPU and network connection. The service is full-featured and we won't go into all details here, more info is available from the EC2 site. With that said we'll point out three key facts that shaped our testing:
  1. The service is controlled via a web interface so sign-up obviously occurs in a browser. Sign-up requires minimul information, essentially just an email and credit card info.
  2. When booting an AMI, users can either create their own image from scratch or they can choose from a list of pre-built AMIs which are overwhelmingly supplied by other EC2 users.
  3. Amazon provide a facility called DevPay by which users can create AMIs for leasing to other users; when a non-free AMI is run then the user running the instance is charged a fixed rate and the proceeds are split between the creator of the instance and Amazon.

Video 1: AMIBomb

For this video we wanted to consider a DoS on the EC2 from within, by running as many AMIs concurrently as possible.

Since sign-up for the sevice occurred in a browser, it was possible to script this process (using Twill for the most part). The first attack would be to boot hundreds or thousands of instances under one Amazon account, however an upper bound of 20 running machines per account is enforced by Amazon. Our approach was one step removed from this; we created multiple accounts and then ran the 20 machines. Each new account would also create multiple accounts and then run 20 machines. One iteration of the create-accounts-and-boot-AMIs cycle took three minutes; by the ninth iteration the projected number of running instances is ridiculous. It's apparent that this recursive registering of accounts and booting machines means that the number of running machines grows exponentially and this could continue until the system can't handle the machine load.

Our approach was effective because the registration process took no steps to prevent automated sign-up. In testing a single credit card was used to create our accounts which is an immediate anomaly however a malicious attacker would use stolen CC data to ensure that CC checks did not prevent new account registration.

Video 2: AMI Registration Race

As has been mentioned, users can choose AMIs from a list of machines that is mostly user-generated (out of 2700 odd machines, 47 were built by Amazon and the remainder by other users.) It is easy to add a machine to this list; simply create a new AMI and in its properties mark it as 'public'.

Our idea was to create a malicious AMI and add it to the public listing, with the goal being to show that users will run AMIs without any consideration for who built it or whether nasties were included. We quickly created an AMI, uploaded it and... nothing. No one ran the image and it seemed that people weren't so easily fooled.

Digging a little deeper, however, revealed that when our image was created, it was dumped on the second last page of the AMI listings and so users would have to surf through more than 50 pages of images before coming across our AMI. If Google has taught us anything, it's that ranking counts and so we needed to boost our machine up the AMI listing.

It turns out that the AMI listing is ordered by the AMI ID, which is a random id string that is generated when the AMI is created. Our process was then slightly modified as follows: we scripted the AMI registration process so that it was trivial to register an image. We then looped the registration script to create and register an AMI, and tested to see whether the randomly assigned AMI ID was low enough such that our AMI was listed on the first page.

Our first attempt took about 4000 iterations and landed us a top 5 spot in under 12 hours. A subsequent attempt took less than 4 hours to land a top 5 spot.

This was great, but our image was unattractively named 'qscanImage' runing on the 'Other Linux' platform, which didn't say much about it.

It turned out that we had a great degree of freedom in naming images. Images were stored in Amazon S3 buckets and the buckets had globally unique names. We tried buckets with names such as 'fedora', 'fedora_core' and 'redhat', but all these were taken, however with a small degree of evilness the bucket 'fedora_core_11' was available and so registered. The registration race was repeated with the better named machine, and after a little while we landed the AMI on the front page as shown in the screnshot below:

What's funny is that the machine was the highest listed 'Fedora' AMI, so a user who was specifically looking for a Fedora image would come across our evil image first.

In reality our image did not have anything malicious except a call-home line in '/etc/rc.local' that would 'wget' a file on our webserver, to show the image had been booted. The screenshot below shows the logline from our webserver which proved the image had been booted; this occurred in a little under four hours after the instance had been made public.

Video 3: AMI Stealing

Our final Amazon video shows how it is possible to remove ancestry information from AMIs. When a paid-for machine is created, Amazon stores information about the owner of the machine in its manifest (which is an XML document) in order to pay the creator of the image. Our attack works as follows:

  1. Purchase a paid-for image
  2. Use Amazon's tools to create a bundle from the running AMI
  3. Download the manifest for the bundle
  4. Modify the manifest by removing the associated product code and owner information
  5. Resign the manifest using Amazon's tools
  6. Upload the manifest
  7. Register a new AMI using the bundle that was copied from the paid-for AMI, along with the edited manifest
  8. Stop using the original paid-for AMI
Using this attack, it is possible to pay once for an AMI, create a copy and never pay the creator again.

Conclusion

In this set of three videos, we showed attacks against the Amazon EC2 platform that do not target specific weaknesses in technologies; rather the processes by which complex actions took place were abused to our benefit. In doing so, we managed to sketch a scenario by which a local DoS might be effected against EC2, successfully showed how easy it was to have users run untrusted AMIs and lastly described a method by which non-free AMIs may be stripped of owner information, thereby foregoing income to the AMI creator and allowing the attacker to continue using the paid-for AMI without cost.

BlackHat presentation demo vids: SalesForce Sifto

[part 3 in a series of 5 video write-ups from our BlackHat 09 talk, summary here]

Goal

Our third video write-up covers abuse of cloud services. By signing up for free accounts, it is possible to gain access to small amounts of free resources, specifically processing time and bandwidth. However these resources are tightly controlled to maintain fairness across the many thousands of users who share the same platform.

We aim to circumvent some of these controls in order to access more resources than should be allowed, and we demonstrate this on the Force.com platform which supports the ability for a developer to upload and execute custom code. Our proof-of-concept was to port Nikto into a Force.com application, and we named it Sifto.

Background

SalesForce's primary offering is a web-based CRM solution which they manage, and they also provide developers with the ability to write custom applications that run on the Force.com platform. They are a major player in the cloud universe with almost 60 000 customers, revenue over $1 billion and are a member of the S&P 500 index.

In order to write applications on Force.com, a developer account is required (this is freely available). Applications are coded in the Apex language, a Java-like language for business logic, and is proprietary to the Force.com platform. This platform supports datastore operations through built-in language constructs and the API enables a developer to make HTTP callouts, tie Apex code to WS endpoints within Force.com, send emails as well as tie Apex code to an email endpoint within Force.com. The datastore is useful for maintaining state between multiple iterations of the event loop (described shortly) as well as providing a way to send emails for free via update triggers (emails sent from within Apex count against the daily limit).

With all this in mind, we focused on creating event loops the were initiated by a single user action, to show how significant free computing resources were available if one is prepared to put in the legwork of learning new languages and platforms.

Video 1

  1. The first part of the video runs through the setup required within the Force.com account to create the Sifto application. This included the custom Apex, custom objects, datastore trigger that sent an email, email endpoint that received the trigger and invoked our Apex and showed that the target was not added to the "Allowed endpoints". (The last point might require more explanation: while Apex code can make HTTP requests, the platform only permits HTTP requests to previously allowed sites. An administrator can allow a given site by navigating the Force.com administration interface and adding it, but this requires a manual process for each new Sifto target so we needed to automate this process.)
  2. Part two of the video runs through the initialisation of a Sifto scan against a new target. The attacker shows us his wrapper script for kicking off the scan; all it does it send a specially formatted email to a specific Force.com address. Meanwhile, we tail the victim's httpd access_log to show the scan as it comes through. Incidentally, the 'tail' in the video was not sped up and shows the actual speed at which results came through. What's also noticeable is that as results are found, they're returned via email to the attacker.
  3. In part three we simply show that the target site was automatically added as an allowed endpoint within Force.com. We achieved this by auto-browsing the Force.com site from within Apex code, a surprisingly kludgey bit of code, but nicely demonstrates that all configurations options are available from within Apex, and so Apex can modify the environment within which it operates.
  4. Part four depicts the scanning as it continues.
  5. Part five reveals the results of the scan as they slowly arrive via email.
  6. The scan ends in part six.
  7. Finally, part 7 shows the overall results of the scan listed in a single email, and importantly shows how the entire scan of almost 3000 tests ran in about 11 minutes.

Video 2

The event loop method shown in video 1 was still subject to unpublished limits, and so instead of scaling by extending the number of iterations of the event loop, we decided to try and scale by registering many accounts. This was useful since accounts had zero cost. All that remained was to automate the registration process (see the slides for more details on this), and we accomplished this as shown in video 2, where a shell script automatically registered a bunch of accounts. The trick that allowed us to bypass the CAPTCHA in the registration page was a bug in the CAPTCHA script that also provided the image's text in ASCII-text (look for the lines "captcha captured:" in the video).

Of minor interest was that each account was registered in a different country. Since SalesForce assign accounts to instances (or geographically dispersed clusters) according to the customer's claimed location, we were able to register accounts on both the NA6 and AP1 instance, or North America and Asia Pacific respectively.

Conclusion

Cloud computing provides us with a tantalizing taste of vastly expanded resources and the plethora of services means that free or trial accounts abound. It's possible to stitch together the free resources to to produce a useable computing platform that can take advantage of the expanded resources without incurring cost to the attacker; the downside is that this is platform-specific and may require the learning of new technologies.

Fri, 7 Aug 2009

Clobbering the cloud slides

[updated: videos will be made available on this page]

140 slides in 75 minutes. They said it couldn't be done... and they were right! (mostly)

Regardless, our Vegas trip was as much fun as previous years and our presentations at BlackHat and DEFCON went down well from the looks of things. While we plan on writing up the interesting parts, a number of people have requested access to the slidedeck in the mean time, and we've posted them here:

Clobbering the cloud [PowerPoint]

(This is the BlackHat version; the DEFCON deck was trimmed down for time savings.)

Thu, 6 Aug 2009

BlackHat presentation demo vids: SalesForce ClickJacking

[part 2 in a series of 5 video write-ups from our BlackHat 09 talk, summary here]

Goal

The premise behind this video was that while we are migrating more and more services into the cloud, the front-end through which the services are accessed as well as managed is (in many cases) a web application and we still have not figured out how to write secure web applications reliably. The implication is that business-critical services and infrastructure maybe at risk due to a web developer's mistake.

To demonstrate this, we show Grossman and Hansen's well-known Clickjacking attack being implemented against a big player in the SaaS and PaaS markets, SalesForce.

Background

SalesForce's primary offering is a web-based CRM solution which they manage, and they also provide developers with the ability to write custom applications that run on the Force.com platform. They are a major player in the cloud universe with almost 60 000 customers, revenue over $1 billion and are a member of the S&P 500 index.

They have gone to great lengths to avoid common webapp pitfalls, but even they are susceptible to known attacks as shown in the following video.

Video

Our demonstration of Clickjacking focuses on the editing of a user's task list, but the principle is easily carried over to any click-based task.

  1. The first 30 seconds of the video show how a regular user would click around the interface in order to remove an item from the list of tasks.
  2. We then persuade the user to visit our evil page which conducts the Clickjacking attack (this is made visible for demonstration purposes by making the SalesForce page slightly visible)
  3. [Insert click bait of choice: punching monkey, dancing pigs etc]
  4. Once the user has followed our trail of clicks, the task has been deleted.

Conclusion

People are starting to rely heavily on cloud-based services but the interface into these services is often a web application. With each new browser version and HTML-feature, web developers must re-examine their apps to determine if the risk has changed, and our reliance on web interfaces for vital services seems misplaced at best. If a major cloud provider was vulnerable to a well-known attack such as Clickjacking, what hope do the smaller players have?

As if it weren't already obvious, we note that XSS and CSRF attacks become much more than toy-attacks in a world were everything is controlled via a web-interface.