[WEB SECURITY] Cross Cloud Injection Vulnerability in multiple vendors leads to Persistent Remote Root

Paul McMillan paul at mcmillan.ws
Fri Apr 1 16:47:56 EDT 2011

This is bullshit with a bunch of buzzwords.

The process boils down to:

upload malware to the web
have users install malware as a facebook application
malware steals data available to facebook application
(or possibly, malware gets installed locally and does that thing malware does)
also, malware might set cookies. How terrible.

I don't think this requires "cloud" anything. Either this is a real
threat that wasn't described at all, or it's someone puffing
themselves up with vulnerability reports. Also, a free drag-n-drop
project homepage? What's really going on here?


On Fri, Apr 1, 2011 at 2:34 AM, TD Dave ThePirate
<tddavethepirate at gmail.com> wrote:
> Cross Cloud Injection Vulnerability in multiple vendors leads to
> Persistent Remote Root
> ________________________________________________________________________
> Global CWLS Alliance Virtual Security Research Team
> T.D. Dave
> Thu, 31 March 2011 22:22:15 UMT -0700
> ________________________________________________________________________
> [*] Vulnerability Type: APT, Remote Root, Arbitrary Code Execution
> [*] Vuln Class Name: Cross-Cloud Injection
> [*] Synopsis: Cross-Cloud Platform Arbitrary Code Injection
> [*] Affected Platforms: Cloud, SaaS
> [*] Affected Vendor: Multi-Vendor
> [*] Threat: Requires Authentication, but Widely Deployed
> [*] Severity: High Risk
> [*] Ease of Exploitation: Trivial (2-4 hours)
> [*] Release Date: 3.31.2011
> [*] Issue fixed in version: Currently Exploitable
> [*] Vulnerability discovered by: T.D. Dave & CWLS VSR Team
> [*] CWLS VSRT: http://cwlsalliance.roxer.com/
> ________________________________________________________________________
> ::Overview::
> A critical new cloud-based attack vector has been discovered by the
> CWLS Alliance VSRT (Virtual Security Research Team).
> Using this new attack vector it is possible for an attacker to
> compromise multiple cloud-based platforms and script the execution of
> arbitrary code infecting all users of these systems. This new attack
> vector is being exploited by dynamically-generated APT that current
> antivirus/malware solutions are not yet able to detect.
> ::Description::
> A new attack vector against public-cloud platforms makes it
> possible for an attacker to compromise data in multiple vendors'
> private-cloud solutions via swod-niw family APT infection. The most
> common scenario is that the attacker will first gain administrative
> privilege access to one or more running application instances on a
> public cloud using techniques detailed below. The attacker will then
> modify this running application to host swod-niw family APT malware on
> the public cloud application. The APT malware uses a combination of
> Web 2.0 hacking techniques like CSRF and click-jacking to make calls
> to and access private-cloud infrastructure's web interfaces via
> legitimate private-cloud users' web browsers. While impersonating the
> user privilege of the logged-in browser, the APT will access and mine
> all data accessible to the private-cloud user. Additional activities
> detected include taking actions within the private-cloud application
> on behalf of the user.
> The exploitable platforms are multi-vendor and widespread, and we fear
> that attacks such as this have already become common. Due to the
> difficulty in monitoring for these complex, multi-step attacks, often
> using request types not commonly logged, it is unlikely the majority
> of Cross-Cloud Injection attacks are being detected today.
> ::Exploit details::
> 1. Malware: The attacker first creates an image to be deployed to a
> public cloud. This image typically includes an operating system like
> Windows, or shareware like Linux, and a web server. It will also
> include malicious web application content usually in the form of PHP
> web pages and/or SWFs, to be used in the data mining operation phase
> of the attack.
> 2. Deployment: Next the attacker will upload the image, often
> virtualized, to a public cloud. This typically requires authentication
> but in all cases observed the attackers have already gained access to
> legitimate userIDs and passwords. When these components are deployed
> together on a public cloud this scenario is commonly referred to as
> "APT" (Advanced Persistent Threat).
> 3. Phase One: Public-Cloud user Attack -- The attacker will take their
> malware and integrate it into Web 2.0 applications like Facebook under
> the guise of a legitimate application. The APT is often disguised as
> an online game using farming implements and leveraging monotonous
> clicking to maximize the amount of time the user leaves the
> application running. This, as we will see in turn, increases the
> attack window of exposure allowing for deeper data mining by the APT
> malware running in the user's browser.
> Once the APT is on the social network the attacker waits for users to
> access it with their web browser. Once a user executes the application
> the second phase of the attack begins.
> 4. Phase Two: Private-Cloud user attack -- The APT malware will now
> attempt to access applications within the user's virtual private
> cloud. This often takes the form of the APT leveraging benign seeming
> features within the online "game", allowing the APT to access the
> user's email address book locally or ACROSS both Public and Private
> Cloud email and contact systems. If the user allows the malware to
> continue executing it is possible to mine all contacts from both
> Public and Private cloud messaging systems and begin replicating its
> attack across all users.
> Additional potential and likely threats from this APT execution include:
> + potential to mine all data from all systems accessible via a web
> browser with both idempotent and non-idempotent web requests
> + set APT Spy-Cookies and Geolocating Tracking-Cookies
> ::Remediation::
> There are no known immediate remediation steps available. Mitigation
> steps include:
> + Only use secure web browsers
> + Only use trusted, secure web applications
> + Disable JavaScript
> + Disable dangerous plugins in the browser
> + Disable or remove any insecure web browsers you have installed to
> avoid accidental use
> ::Reference::
> The Cloud Web Large Server Alliance sponsors the CWLS Virtual Security
> Research Team responsible for discovering this new attack vector.
> Future updates can be tracked on the CWLS website using this unique
> identifier: CWLS Disclosure ID: CWLS20110104
> APT (Advanced Persistent Threat):
> http://en.wikipedia.org/wiki/Advanced_Persistent_Threat
> Cloud Computing:
> http://en.wikipedia.org/wiki/Cloud_computing
> Cloud Security:
> https://cloudsecurityalliance.org/
> (note there is a gap in information regarding Cross-Cloud security)
> Code Injection:
> http://en.wikipedia.org/wiki/Code_injection
> CWLS Alliance:
> http://cwlsalliance.roxer.com/
> _______________________________________________
> The Web Security Mailing List
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> http://twitter.com/wascupdates
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
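
The one concrete mechanism the quoted advisory names is a third-party page (here, a social-network "app") driving a logged-in user's browser at an internal web interface through CSRF and clickjacking. Whether a given interface is exposed to that pattern is largely visible in its HTTP response headers, so the following script, added to this archive page and not part of either message above, checks a captured response head for the two browser-side defenses that blunt it: a framing restriction (X-Frame-Options or CSP frame-ancestors) against clickjacking, and SameSite on every cookie the response sets so a cross-site request does not carry the session. The two responses embedded below are constructed samples, not captures from any real system; the function names are my own.

```python
"""Check a raw HTTP response head for clickjacking and cross-site cookie defenses.

Added example for the websecurity archive page; the sample responses are constructed.
"""
from typing import List, Optional, Tuple

# Constructed sample responses (not captured from any real system).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: theme=dark; Path=/; SameSite=Strict\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.1 response head into (lowercased name, value) pairs.

    Duplicates are kept because Set-Cookie legitimately appears more than once.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def frame_ancestors(csp: str) -> Optional[str]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        directive = directive.strip()
        if directive.lower().startswith("frame-ancestors"):
            return directive[len("frame-ancestors"):].strip()
    return None


def cookie_samesite(set_cookie: str) -> Optional[str]:
    """Return the lowercased SameSite value of one Set-Cookie header, or None."""
    for attr in set_cookie.split(";")[1:]:
        key, _, value = attr.strip().partition("=")
        if key.lower() == "samesite":
            return value.strip().lower()
    return None


def framing_blocked(headers: List[Tuple[str, str]]) -> bool:
    """True if cross-origin framing is refused, which defeats clickjacking overlays."""
    for name, value in headers:
        if name == "x-frame-options" and value.upper() in ("DENY", "SAMEORIGIN"):
            return True
        if name == "content-security-policy":
            sources = frame_ancestors(value)
            if sources is not None and "*" not in sources:
                return True
    return False


def cookies_samesite(headers: List[Tuple[str, str]]) -> bool:
    """True if every cookie the response sets is SameSite=Lax or Strict.

    Such cookies are not attached to cross-site subresource or form requests,
    so a page on another origin cannot ride the user's session.
    """
    cookies = [value for name, value in headers if name == "set-cookie"]
    return bool(cookies) and all(cookie_samesite(c) in ("lax", "strict") for c in cookies)


def summarize(raw: str) -> dict:
    """Map each defense to whether the response enables it."""
    headers = parse_headers(raw)
    return {"framing": framing_blocked(headers), "samesite": cookies_samesite(headers)}


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, summarize(raw))
```

Two caveats a reviewer would want stated: SameSite=Lax still sends the cookie on top-level GET navigations, so any state-changing endpoint reachable by GET needs a per-request CSRF token regardless of what this check reports; and the check inspects only what the server sends, so it says nothing about whether the browser in use honours these headers at all.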
