In this post, we show a proof-of-concept attack that gives us root access to a victim's VM in the Cloud Management Platform OpenNebula, which means that we can read and write all its data, install software, etc. The interesting thing about the attack is, that it allows an attacker to bridge the gap between the cloud's high-level web interface and the low-level shell-access to a virtual machine.
Like the latest blogpost of this series, this is a post about an old CSRF- and XSS-vulnerability that dates back to 2014. However, the interesting part is not the vulnerability itself but rather the exploit that we were able to develop for it.
An attacker needs the following information for a successful attack.
The following sections give detailed information about each step.
When a user updates the language setting, the browser sends an XMLHttpRequest of the form
An HTML form field like
Using this trick, the attacker sets the LANG parameter for the victim's account to "onerror=[remote code]//, where [remote code] is the attacker's exploit code. The attacker can either insert the complete exploit code into this parameter (there is no length limitation) or include code from a server under the attacker's control. Once the user reloads Sunstone, the server delivers HTML code to the client that executes the attacker's exploit.
From this point on, the attacker can use the Sunstone API with the privileges of the victim. This way, the attacker can gather all required information like OpenNebula's internal VM ID and the keyboard layout of the VM's operating system from Sunstone's data-structures based on the name or the IP address of the desired VM.
Once the noVNC-iFrame has loaded, the attacker can send keystrokes to the VM using the dispatchEvent function. Keystrokes on character keys can be simulated using keypress events. Keystrokes on special keys (Enter, Tab, etc.) have to be simulated using pairs of keydown and keyup events since noVNC filters keypress events on special keys.
Even if the bootloader is unknown, it is possible to use a try-and-error approach. Since the variety of bootloaders is small, one can try for one particular bootloader and reset the machine if the attack was unsuccessful. Alternatively, one can capture a screenshot of the noVNC canvas of the VM a few seconds after resetting the VM and determine the bootloader.
A video of the attack can be seen here. The browser on the right hand side shows the victim's actions. A second browser on the left hand side shows what is happening in OpenNebula. The console window on the bottom right shows that there is no user-made keyboard input while the attack is happening.
This bug has been fixed in OpenNebula 4.6.2.
This result is a collaborative work together with Mario Heiderich. It has been published at ACM CCSW 2015. The paper can be found here.
Like the latest blogpost of this series, this is a post about an old CSRF- and XSS-vulnerability that dates back to 2014. However, the interesting part is not the vulnerability itself but rather the exploit that we were able to develop for it.
An attacker needs the following information for a successful attack.
- ID of the VM to attack
OpenNebula's VM ID is a simple global integer that is increased whenever a VM is instantiated. The attacker may simply guess the ID. Once the attacker can execute JavaScript code in the scope of Sunstone, it is possible to use OpenNebula's API and data structures to retrieve this ID based on the name of the desired VM or its IP address. - Operating system & bootloader
There are various ways to get to know a VMs OS, apart from simply guessing. For example, if the VM runs a publicly accessible web server, the OS of the VM could be leaked in the HTTP-Header Server (see RFC 2616). Another option would be to check the images or the template the VM was created from. Usually, the name and description of an image contains information about the installed OS, especially if the image was imported from a marketplace.
Since most operating systems are shipped with a default bootloader, making a correct guess about a VMs bootloader is feasible. Even if this is not possible, other approaches can be used (see below). - Keyboard layout of the VM's operating system
As with the VMs bootloader, making an educated guess about a VM's keyboard layout is not difficult. For example, it is highly likely that VMs in a company's cloud will use the keyboard layout of the country the company is located in.
Overview of the Attack
The key idea of this attack is that neither Sunstone nor noVNC check whether keyboard related events were caused by human input or if they were generated by a script. This can be exploited so that gaining root access to a VM in OpenNebula requires five steps:- Using CSRF, a persistent XSS payload is deployed.
- The XSS payload controls Sunstone's API.
- The noVNC window of the VM to attack is loaded into an iFrame.
- The VM is restarted using Sunstone's API.
- Keystroke-events are simulated in the iFrame to let the bootloader open a root shell.
Figure 1: OpenNebula's Sunstone Interface displaying the terminal of a VM in a noVNC window. |
The following sections give detailed information about each step.
Executing Remote Code in Sunstone
In Sunstone, every account can choose a display language. This choice is stored as an account parameter (e.g. for English LANG=en_US). In Sunstone, the value of the LANG parameter is used to construct a <script> tag that loads the corresponding localization script. For English, this creates the following tag:<script src="locale/en_US/en_US.js?v=4.6.1" type="text/javascript"></script>Setting the LANG parameter to a different string directly manipulates the path in the script tag. This poses an XSS vulnerability. By setting the LANG parameter to LANG="onerror=alert(1)//, the resulting script tag looks as follows:
<script src="locale/"onerror=alert(1)///"onerror=alert(1)//.js?v=4.6.1" type="text/javascript"></script>For the web browser, this is a command to fetch the script locale/ from the server. However, this URL points to a folder, not a script. Therefore, what the server returns is no JavaScript. For the browser, this is an error, so the browser executes the JavaScript in the onerror statement: alert(1). The rest of the line (including the second alert(1)) is treated as comment due to the forward slashes.
When a user updates the language setting, the browser sends an XMLHttpRequest of the form
{ "action" : { "perform" : "update", "params" : { "template_raw" : "LANG=\"en_US\"" } }}to the server (The original request contains more parameters. Since these parameters are irrelevant for the technique, we omitted them for readability.). Forging a request to Sunstone from some other web page via the victim's browser requires a trick since one cannot use an XMLHttpRequest due to restrictions enforced by the browser's Same-Origin-Policy. Nevertheless, using a self-submitting HTML form, the attacker can let the victim's browser issue a POST request that is similar enough to an XMLHttpRequest so that the server accepts it.
An HTML form field like
<input name='deliver' value='attacker' />is translated to a request in the form of deliver=attacker. To create a request changing the user's language setting to en_US, the HTML form has to look like
<input name='{"action":{"perform":"update","params":{"template_raw":"LANG' value='\"en_US\""}}}' />Notice that the equals sign in LANG=\"en_US\" is inserted by the browser because of the name=value format.
Figure 2: OpenNebula's Sunstone Interface displaying a user's attributes with the malicious payload in the LANG attribute. |
Using this trick, the attacker sets the LANG parameter for the victim's account to "onerror=[remote code]//, where [remote code] is the attacker's exploit code. The attacker can either insert the complete exploit code into this parameter (there is no length limitation) or include code from a server under the attacker's control. Once the user reloads Sunstone, the server delivers HTML code to the client that executes the attacker's exploit.
Prepare Attack on VM
Due to the overwritten language parameter, the victim's browser does not load the localization script that is required for Sunstone to work. Therefore, the attacker achieved code execution, but Sunstone breaks and does not work anymore. For this reason, the attacker needs to set the language back to a working value (e.g. en_US) and reload the page in an iFrame. This way Sunstone is working again in the iFrame, but the attacker can control the iFrame from the outside. In addition, the attack code needs to disable a watchdog timer outside the iFrame that checks whether Sunstone is correctly initialized.From this point on, the attacker can use the Sunstone API with the privileges of the victim. This way, the attacker can gather all required information like OpenNebula's internal VM ID and the keyboard layout of the VM's operating system from Sunstone's data-structures based on the name or the IP address of the desired VM.
Compromising a VM
Using the Sunstone API the attacker can issue a command to open a VNC connection. However, this command calls window.open, which opens a new browser window that the attacker cannot control. To circumvent this restriction, the attacker can overwrite window.open with a function that creates an iFrame under the attacker's control.Once the noVNC-iFrame has loaded, the attacker can send keystrokes to the VM using the dispatchEvent function. Keystrokes on character keys can be simulated using keypress events. Keystrokes on special keys (Enter, Tab, etc.) have to be simulated using pairs of keydown and keyup events since noVNC filters keypress events on special keys.
Getting Root Access to VM
To get root access to a VM the attacker can reboot a victim's VM using the Sunstone API and then control the VM's bootloader by interrupting it with keystrokes. Once the attacker can inject commands into the bootloader, it is possible to use recovery options or the single user mode of Linux based operating systems to get a shell with root privileges. The hardest part with this attack is to get the timing right. Usually, one only has a few seconds to interrupt a bootloader. However, if the attacker uses the hard reboot feature, which instantly resets the VM without shutting it down gracefully, the time between the reboot command and the interrupting keystroke can be roughly estimated.Even if the bootloader is unknown, it is possible to use a try-and-error approach. Since the variety of bootloaders is small, one can try for one particular bootloader and reset the machine if the attack was unsuccessful. Alternatively, one can capture a screenshot of the noVNC canvas of the VM a few seconds after resetting the VM and determine the bootloader.
A video of the attack can be seen here. The browser on the right hand side shows the victim's actions. A second browser on the left hand side shows what is happening in OpenNebula. The console window on the bottom right shows that there is no user-made keyboard input while the attack is happening.
This bug has been fixed in OpenNebula 4.6.2.
This result is a collaborative work together with Mario Heiderich. It has been published at ACM CCSW 2015. The paper can be found here.
Related posts
- Hackers Toolbox
- Easy Hack Tools
- Wifi Hacker Tools For Windows
- Hacker Techniques Tools And Incident Handling
- Pentest Tools Online
- Hack Tools For Games
- Hacker Tools Windows
- Hacking Tools Windows 10
- Hacker Tools Apk Download
- Pentest Tools Online
- Pentest Recon Tools
- Hacker Tools For Windows
- Pentest Tools Find Subdomains
- Hack Tools Mac
- Hacking Tools Download
- Pentest Automation Tools
- Pentest Tools Framework
- Hacker Tools 2019
- Nsa Hack Tools Download
- World No 1 Hacker Software
- Best Hacking Tools 2020
- Pentest Tools Bluekeep
- Hacker Techniques Tools And Incident Handling
- Hacking Tools For Games
- Pentest Box Tools Download
- Hack App
- Pentest Tools Kali Linux
- Hack Tools For Ubuntu
- Hacking Tools 2020
- Free Pentest Tools For Windows
- Pentest Tools Apk
- Hacker Security Tools
- Hacker Tools Linux
- Hack Tools Pc
- Pentest Tools Open Source
- Hacker
- Tools Used For Hacking
- Growth Hacker Tools
- Free Pentest Tools For Windows
- Pentest Tools For Windows
- Hack Tool Apk
- Hacker Tools For Mac
- Hacker Tools For Ios
- Hacking Tools Online
- Hacker Tools For Mac
- Hacking Tools 2019
- Pentest Tools Url Fuzzer
- Hack Tools For Windows
- Pentest Tools Alternative
- Pentest Tools Find Subdomains
- Hacking Tools Windows 10
- What Is Hacking Tools
- Best Hacking Tools 2019
- Bluetooth Hacking Tools Kali
- Hacker Tools Apk
- World No 1 Hacker Software
- Hack Rom Tools
- Android Hack Tools Github
- Pentest Tools Nmap
- Hack Tools Mac
- Hacker Tools For Pc
- Hack Tools Online
- Hacking Tools Name
- World No 1 Hacker Software
- Hacks And Tools
- Hacker Tools List
- Hacker Tools Apk
- Pentest Tools Bluekeep
- Pentest Tools Nmap
- Hacks And Tools
- New Hack Tools
- Physical Pentest Tools
- Top Pentest Tools
- Pentest Automation Tools
- Hacking Tools 2020
- Game Hacking
- Hack Tools Online
- Pentest Tools Url Fuzzer
- Hacking Tools For Windows Free Download
- Hacker Tools Linux
- Hacker Tools For Ios
- Pentest Reporting Tools
- Pentest Tools Port Scanner
- Pentest Tools Download
- Pentest Tools Alternative
- Easy Hack Tools
- Hacking Tools For Games
- How To Hack
- Hacking Tools For Pc
- Pentest Automation Tools
- Pentest Tools For Mac
- Hack Rom Tools
- Wifi Hacker Tools For Windows
- How To Hack
- Easy Hack Tools
- Hacker Tools Windows
- Hacker Tools Linux
- Hacking Tools For Windows 7
- Hacking Tools Mac
- Hacker Tools Apk Download
- Hacker Tools List
- Pentest Tools Linux
- Tools 4 Hack
- Hackers Toolbox
- Pentest Tools Online
- Hacking Tools Online
- Hack Tools
- Pentest Tools Online
- How To Hack
- Pentest Tools Website
- Hackrf Tools
- Bluetooth Hacking Tools Kali
- Hack Tools Download
- Hacker Tools 2020
- Hacking Tools Mac
- Pentest Recon Tools
- Hackrf Tools
- Hacking Tools Name
- How To Hack
- Top Pentest Tools
- What Is Hacking Tools
- Underground Hacker Sites
- Pentest Tools Port Scanner
- Hacker Tools For Pc
- Hacking Tools And Software
- Pentest Tools Windows
- Hacker Tools Mac
- Hacker Hardware Tools
- Hacking Tools For Beginners
- Hacker Tools Free Download
- Hacker Tools
- Github Hacking Tools
- Hacking Tools For Windows Free Download
- Hack Tools Online
- Pentest Automation Tools
- Pentest Tools Url Fuzzer
- Hacker Tools
- Pentest Tools Url Fuzzer
- Hacking Tools For Windows
- Hacker Hardware Tools
- Hacker Tools List
- Hak5 Tools
- Nsa Hack Tools Download
- Hacker Tools Windows
- Free Pentest Tools For Windows
- Usb Pentest Tools
- Hak5 Tools
- Hacking Tools Name
- New Hack Tools
- Hacking Tools For Kali Linux
- Pentest Reporting Tools
- Hack And Tools
- Nsa Hacker Tools
- Hack Tools Online
- Pentest Recon Tools
- Hack Tools
- Pentest Tools Github
- Underground Hacker Sites
No comments:
Post a Comment