[WEB SECURITY] Cross Cloud Injection Vulnerability in multiple vendors leads to Persistent Remote Root

TD Dave ThePirate tddavethepirate at gmail.com
Fri Apr 1 05:34:49 EDT 2011

Cross Cloud Injection Vulnerability in multiple vendors leads to
Persistent Remote Root
Global CWLS Alliance Virtual Security Research Team
T.D. Dave
Thu, 31 March 2011 22:22:15 UMT -0700
[*] Vulnerability Type: APT, Remote Root, Arbitrary Code Execution
[*] Vuln Class Name: Cross-Cloud Injection
[*] Synopsis: Cross-Cloud Platform Arbitrary Code Injection
[*] Affected Platforms: Cloud, SaaS
[*] Affected Vendor: Multi-Vendor
[*] Threat: Requires Authentication, but Widely Deployed
[*] Severity: High Risk
[*] Ease of Exploitation:: Trivial (2-4 hours)
[*]Release Date::  3.31.2011
[*] Issue fixed in version : Currently Exploitable
[*] Vulnerability discovered by : T.D. Dave & CWLS VSR Team
[*] CWLS VSRT: http://cwlsalliance.roxer.com/

A critical new cloud-based attack vector has been discovered by the
CWLS Alliance VSRT (Virtual Security Research Team).

Using this new attack vector it is possible for an attacker to
comprise multiple cloud-based platforms and script the execution of
arbitrary code infecting all users of these system. This new attack
vector is being exploited by dynamically-generated APT that current
antivirus/malware solutions are not yet able to detect.

A new attack vector against public-cloud platforms makes it is
possible for an attacker to compromise data in multiple vendors'
private-cloud solutions via swod-niw family APT infection. The most
common scenario is that the attacker will first gain administrative
privilege access to one or more running application instances on a
public cloud using techniques detailed below. The attacker will then
modify this running application to host swod-niw family APT malware on
the public cloud application. The APT malware uses a combination of
Web 2.0 hacking techniques like CSRF and click-jacking to make calls
to and access private-cloud infrastucture's web interfaces via
legitimate private-cloud user's web browsers. While impersonating the
user privilege of the logged-in browser, the APT will access and mine
all data accessible to the private-cloud user. Additional activities
detected including taking actions within the private-cloud application
on behalf of the user.

The exploitable platforms are multi-vendor and widespread, and we fear
that attacks such as this have already become common. Due to the
difficulty in monitoring for these complex, multi-step attacks, often
using requests types not commonly logged, it is unlikely the majority
of Cross-Cloud Injection attacks are being detected today.

::Exploit details::

1. Malware: The attacker first creates an image to be deployed to a
public cloud. This image typically includes an operating system like
Windows, or shareware like Linux. And a web server. It will also
include malicious web application content usually in the form of PHP
web pages and/or SWFs, to be used in the data mining operation phase
of the attack.

2. Deployment: Next the attacker will upload the image, often
virtualized, to a public cloud. This typically requires authentication
but in all cases observed the attackers have already gained access to
legitimate userIDs and passwords. When these components are deployed
together on a public cloud this scenario is commonly referred to as
"APT" (Advanced Persistent Threat)

3. Phase One: Public-Cloud user Attack -- The attacker will take their
malware and integrate it into Web 2.0 applications like Facebook under
the guise of a legitimate application. Then APT is often disguised as
an online game using farming implements and leveraging monotonous
clicking to maximize the amount of time the user leaves the
application running. This, as we will see in turn, increases the
attack window of exposure allowing for deeper data mining by the APT
malware running in the user's browser.

Once the APT is on the social network the attacker waits for users to
access it with their web browser. Once a user executes the application
the second phase of the attack begins.

4. Phase Two: Private-Cloud user attack -- The APT malware will now
attempt to access applications within the user's virtual private
cloud. This often takes the form of the APT leveraging benign seeming
features within the online "game", allowing the APT to access the
user's email address book locally or ACROSS both Public and Private
Cloud email and contact systems. If the user allows the malware to
continue executing it is possible to mine all contacts from both
Public and Private cloud messaging systems and begin replicating it's
attack across all users.

Additional potential and likely threats from this APT execution include:
+ potential to mine all data from all systems accessible via a web
browser with both idempotent and non-idempotent web requests
+ set APT Spy-Cookies and Geolocating Tracking-Cookies

There are no known immediate remediation steps available. Mitigations
steps include:
+ Only use secure web browsers
+ Only use trusted, secure web applications
+ Disable Javascript
+ Disable dangerous plugins in the browser
+ Disable or remove any insecure web browsers you have installed to
avoid accidental use

The Cloud Web Large Server Alliance sponsors the CWLS Virtual Security
Research Team responsible for discovering this new attack vector.
Future updates can be tracked on the CWLS website using this unique
identifier: CWLS Disclosure ID: CWLS20110104

APT (Advanced Persistent Threat):

Cloud Computing:

Cloud Security:
(note there is a gap in information regarding Cross-Cloud security)

Code Injection:

CWLS Alliance:

More information about the websecurity mailing list