In this post, we show a proof-of-concept attack that gives us root access to a victim's VM in the Cloud Management Platform OpenNebula, which means that we can read and write all its data, install software, etc. The interesting thing about the attack is, that it allows an attacker to bridge the gap between the cloud's high-level web interface and the low-level shell-access to a virtual machine.
Like the latest blogpost of this series, this is a post about an old CSRF- and XSS-vulnerability that dates back to 2014. However, the interesting part is not the vulnerability itself but rather the exploit that we were able to develop for it.
An attacker needs the following information for a successful attack.
The following sections give detailed information about each step.
When a user updates the language setting, the browser sends an XMLHttpRequest of the form
An HTML form field like
Using this trick, the attacker sets the LANG parameter for the victim's account to "onerror=[remote code]//, where [remote code] is the attacker's exploit code. The attacker can either insert the complete exploit code into this parameter (there is no length limitation) or include code from a server under the attacker's control. Once the user reloads Sunstone, the server delivers HTML code to the client that executes the attacker's exploit.
From this point on, the attacker can use the Sunstone API with the privileges of the victim. This way, the attacker can gather all required information like OpenNebula's internal VM ID and the keyboard layout of the VM's operating system from Sunstone's data-structures based on the name or the IP address of the desired VM.
Once the noVNC-iFrame has loaded, the attacker can send keystrokes to the VM using the dispatchEvent function. Keystrokes on character keys can be simulated using keypress events. Keystrokes on special keys (Enter, Tab, etc.) have to be simulated using pairs of keydown and keyup events since noVNC filters keypress events on special keys.
Even if the bootloader is unknown, it is possible to use a try-and-error approach. Since the variety of bootloaders is small, one can try for one particular bootloader and reset the machine if the attack was unsuccessful. Alternatively, one can capture a screenshot of the noVNC canvas of the VM a few seconds after resetting the VM and determine the bootloader.
A video of the attack can be seen here. The browser on the right hand side shows the victim's actions. A second browser on the left hand side shows what is happening in OpenNebula. The console window on the bottom right shows that there is no user-made keyboard input while the attack is happening.
This bug has been fixed in OpenNebula 4.6.2.
This result is a collaborative work together with Mario Heiderich. It has been published at ACM CCSW 2015. The paper can be found here.
Like the latest blogpost of this series, this is a post about an old CSRF- and XSS-vulnerability that dates back to 2014. However, the interesting part is not the vulnerability itself but rather the exploit that we were able to develop for it.
An attacker needs the following information for a successful attack.
- ID of the VM to attack
OpenNebula's VM ID is a simple global integer that is increased whenever a VM is instantiated. The attacker may simply guess the ID. Once the attacker can execute JavaScript code in the scope of Sunstone, it is possible to use OpenNebula's API and data structures to retrieve this ID based on the name of the desired VM or its IP address. - Operating system & bootloader
There are various ways to get to know a VMs OS, apart from simply guessing. For example, if the VM runs a publicly accessible web server, the OS of the VM could be leaked in the HTTP-Header Server (see RFC 2616). Another option would be to check the images or the template the VM was created from. Usually, the name and description of an image contains information about the installed OS, especially if the image was imported from a marketplace.
Since most operating systems are shipped with a default bootloader, making a correct guess about a VMs bootloader is feasible. Even if this is not possible, other approaches can be used (see below). - Keyboard layout of the VM's operating system
As with the VMs bootloader, making an educated guess about a VM's keyboard layout is not difficult. For example, it is highly likely that VMs in a company's cloud will use the keyboard layout of the country the company is located in.
Overview of the Attack
The key idea of this attack is that neither Sunstone nor noVNC check whether keyboard related events were caused by human input or if they were generated by a script. This can be exploited so that gaining root access to a VM in OpenNebula requires five steps:- Using CSRF, a persistent XSS payload is deployed.
- The XSS payload controls Sunstone's API.
- The noVNC window of the VM to attack is loaded into an iFrame.
- The VM is restarted using Sunstone's API.
- Keystroke-events are simulated in the iFrame to let the bootloader open a root shell.
Figure 1: OpenNebula's Sunstone Interface displaying the terminal of a VM in a noVNC window. |
The following sections give detailed information about each step.
Executing Remote Code in Sunstone
In Sunstone, every account can choose a display language. This choice is stored as an account parameter (e.g. for English LANG=en_US). In Sunstone, the value of the LANG parameter is used to construct a <script> tag that loads the corresponding localization script. For English, this creates the following tag:<script src="locale/en_US/en_US.js?v=4.6.1" type="text/javascript"></script>Setting the LANG parameter to a different string directly manipulates the path in the script tag. This poses an XSS vulnerability. By setting the LANG parameter to LANG="onerror=alert(1)//, the resulting script tag looks as follows:
<script src="locale/"onerror=alert(1)///"onerror=alert(1)//.js?v=4.6.1" type="text/javascript"></script>For the web browser, this is a command to fetch the script locale/ from the server. However, this URL points to a folder, not a script. Therefore, what the server returns is no JavaScript. For the browser, this is an error, so the browser executes the JavaScript in the onerror statement: alert(1). The rest of the line (including the second alert(1)) is treated as comment due to the forward slashes.
When a user updates the language setting, the browser sends an XMLHttpRequest of the form
{ "action" : { "perform" : "update", "params" : { "template_raw" : "LANG=\"en_US\"" } }}to the server (The original request contains more parameters. Since these parameters are irrelevant for the technique, we omitted them for readability.). Forging a request to Sunstone from some other web page via the victim's browser requires a trick since one cannot use an XMLHttpRequest due to restrictions enforced by the browser's Same-Origin-Policy. Nevertheless, using a self-submitting HTML form, the attacker can let the victim's browser issue a POST request that is similar enough to an XMLHttpRequest so that the server accepts it.
An HTML form field like
<input name='deliver' value='attacker' />is translated to a request in the form of deliver=attacker. To create a request changing the user's language setting to en_US, the HTML form has to look like
<input name='{"action":{"perform":"update","params":{"template_raw":"LANG' value='\"en_US\""}}}' />Notice that the equals sign in LANG=\"en_US\" is inserted by the browser because of the name=value format.
Figure 2: OpenNebula's Sunstone Interface displaying a user's attributes with the malicious payload in the LANG attribute. |
Using this trick, the attacker sets the LANG parameter for the victim's account to "onerror=[remote code]//, where [remote code] is the attacker's exploit code. The attacker can either insert the complete exploit code into this parameter (there is no length limitation) or include code from a server under the attacker's control. Once the user reloads Sunstone, the server delivers HTML code to the client that executes the attacker's exploit.
Prepare Attack on VM
Due to the overwritten language parameter, the victim's browser does not load the localization script that is required for Sunstone to work. Therefore, the attacker achieved code execution, but Sunstone breaks and does not work anymore. For this reason, the attacker needs to set the language back to a working value (e.g. en_US) and reload the page in an iFrame. This way Sunstone is working again in the iFrame, but the attacker can control the iFrame from the outside. In addition, the attack code needs to disable a watchdog timer outside the iFrame that checks whether Sunstone is correctly initialized.From this point on, the attacker can use the Sunstone API with the privileges of the victim. This way, the attacker can gather all required information like OpenNebula's internal VM ID and the keyboard layout of the VM's operating system from Sunstone's data-structures based on the name or the IP address of the desired VM.
Compromising a VM
Using the Sunstone API the attacker can issue a command to open a VNC connection. However, this command calls window.open, which opens a new browser window that the attacker cannot control. To circumvent this restriction, the attacker can overwrite window.open with a function that creates an iFrame under the attacker's control.Once the noVNC-iFrame has loaded, the attacker can send keystrokes to the VM using the dispatchEvent function. Keystrokes on character keys can be simulated using keypress events. Keystrokes on special keys (Enter, Tab, etc.) have to be simulated using pairs of keydown and keyup events since noVNC filters keypress events on special keys.
Getting Root Access to VM
To get root access to a VM the attacker can reboot a victim's VM using the Sunstone API and then control the VM's bootloader by interrupting it with keystrokes. Once the attacker can inject commands into the bootloader, it is possible to use recovery options or the single user mode of Linux based operating systems to get a shell with root privileges. The hardest part with this attack is to get the timing right. Usually, one only has a few seconds to interrupt a bootloader. However, if the attacker uses the hard reboot feature, which instantly resets the VM without shutting it down gracefully, the time between the reboot command and the interrupting keystroke can be roughly estimated.Even if the bootloader is unknown, it is possible to use a try-and-error approach. Since the variety of bootloaders is small, one can try for one particular bootloader and reset the machine if the attack was unsuccessful. Alternatively, one can capture a screenshot of the noVNC canvas of the VM a few seconds after resetting the VM and determine the bootloader.
A video of the attack can be seen here. The browser on the right hand side shows the victim's actions. A second browser on the left hand side shows what is happening in OpenNebula. The console window on the bottom right shows that there is no user-made keyboard input while the attack is happening.
This bug has been fixed in OpenNebula 4.6.2.
This result is a collaborative work together with Mario Heiderich. It has been published at ACM CCSW 2015. The paper can be found here.
More information
- Hacking Tools For Beginners
- Best Hacking Tools 2019
- Bluetooth Hacking Tools Kali
- Hacker Tools For Pc
- Hacking App
- Hacker Tools For Mac
- Hacker Tools For Pc
- Pentest Tools For Mac
- Hacker Tools Free Download
- How To Install Pentest Tools In Ubuntu
- Best Hacking Tools 2020
- Blackhat Hacker Tools
- Hacker Tools Free Download
- Pentest Tools Url Fuzzer
- Hack Apps
- New Hacker Tools
- Pentest Tools Github
- Hacker Tools Windows
- Hacker Tools
- Hacking Tools For Windows
- Hack Tools
- Install Pentest Tools Ubuntu
- Hacking Tools For Pc
- Hack Tool Apk No Root
- Install Pentest Tools Ubuntu
- Pentest Tools For Windows
- Pentest Tools Website Vulnerability
- Hack Tools For Pc
- Hacking Tools Free Download
- Hacker Tools For Pc
- Pentest Tools List
- Pentest Tools Free
- Hack And Tools
- Hacking Tools Download
- Hack Rom Tools
- Hacking Tools For Windows Free Download
- Pentest Reporting Tools
- Pentest Recon Tools
- Tools For Hacker
- Pentest Tools Port Scanner
- Hacking Tools Github
- Pentest Tools Android
- Hacking Tools Github
- Hack Tool Apk
- Black Hat Hacker Tools
- Hack Tools
- Hacking Tools Windows
- Hack Rom Tools
- Hacking Tools Kit
- Pentest Tools Download
- World No 1 Hacker Software
- Hacker Techniques Tools And Incident Handling
- Pentest Reporting Tools
- Hack And Tools
- Hack Tools Github
- Hack Rom Tools
- Hack Tools Online
- Pentest Tools Online
- Pentest Tools Android
- Hacking Tools And Software
- Pentest Tools Github
- Game Hacking
- Hacker Hardware Tools
- Pentest Tools Download
- Hacking App
- Blackhat Hacker Tools
- Hacking Tools
- Usb Pentest Tools
- Hacker Tools
- Android Hack Tools Github
- Pentest Tools Tcp Port Scanner
- Hacking Tools
- Pentest Tools Framework
- Hacking Tools Online
- Hack Rom Tools
- Hack Tools For Windows
- Hacks And Tools
- Pentest Tools Linux
- Hacker Tools Hardware
- Pentest Tools For Ubuntu
- How To Make Hacking Tools
- Hacking Tools Mac
- Hack Tools 2019
- Pentest Tools Windows
- Hacker Tools Mac
- Hacker Tools Github
- Underground Hacker Sites
- Hacker Tools For Windows
- Hacking Tools Hardware
- Hacking Tools For Kali Linux
- Pentest Tools Alternative
- Pentest Tools For Mac
- Pentest Tools Bluekeep
- Hacker
- Physical Pentest Tools
- Pentest Tools Apk
- Pentest Tools Android
- Install Pentest Tools Ubuntu
- Easy Hack Tools
- Hacking Tools Pc
- Android Hack Tools Github
- Physical Pentest Tools
- Hacking Tools Hardware
- Hack And Tools
- Hack Tools Mac
- Hack Tools For Pc
- Pentest Tools Android
- Hacker Tools Free
- How To Make Hacking Tools
- Hacking Tools For Kali Linux
- Kik Hack Tools
- Pentest Tools Apk
- Easy Hack Tools
- Hacking Tools For Beginners
- Hack Tools 2019
- What Is Hacking Tools
- Nsa Hack Tools
- Hacker Tools Software
- Pentest Tools Find Subdomains
- Hacking Tools For Windows Free Download
- Hacker Tools
- Best Pentesting Tools 2018
- Pentest Tools Linux
- Pentest Recon Tools
- How To Install Pentest Tools In Ubuntu
- Hacks And Tools
- Hackers Toolbox
- Hacker Security Tools
- Install Pentest Tools Ubuntu
- Hacking Tools And Software
- Hackrf Tools
- Hacker Tools For Pc
- Kik Hack Tools
- Hack Tools
- How To Make Hacking Tools
- Bluetooth Hacking Tools Kali
- Hacking App
- Pentest Tools Framework
- Hacking App
- Pentest Tools Free
- Pentest Tools For Android
- Hacker Tools Github
- Hacking Tools For Beginners
- Pentest Tools Url Fuzzer
No hay comentarios.:
Publicar un comentario