[WEB SECURITY] Cross Cloud Injection Vulnerability in multiple vendors leads to Persistent Remote Root

TD Dave ThePirate tddavethepirate at gmail.com
Fri Apr 1 17:29:53 EDT 2011


Paul,

Do not be myopic, my friend. This is not just about the cloud.
This is bigger than the cloud.

We have persistent code execution stealing legitimate user data
across cloud applications, and between them. Leading security
software tools and vendors have done little to protect us, though
I believe the Next Generation Firewalls are implementing features
to address Cross Cloud Injection as we speak.

This is the primary reason why the Cloud Web Large Server
Alliance formed our Virtual Security Research Team:

to do something about this problem.

You can be part of the problem or part of the solution, Paul.

Which is it going to be?

---
T.D. Dave
Senior Security Solutions Architecture Research Specialist
CWLS Alliance, VSRT

ps - thanks for visiting our temporary website, we are still
raising funds to build a formal website for the Alliance. If you
would like to join as a member or sponsor this would help tremendously!




On Fri, Apr 1, 2011 at 1:47 PM, Paul McMillan <paul at mcmillan.ws> wrote:

> This is bullshit with a bunch of buzzwords.
>
> The process boils down to:
>
> upload malware to the web
> have users install malware as a facebook application
> malware steals data available to facebook application
> (or possibly, malware gets installed locally and does that thing malware
> does)
> also, malware might set cookies. How terrible.
>
> I don't think this requires "cloud" anything. Either this is a real
> threat that wasn't described at all, or it's someone puffing
> themselves up with vulnerability reports. Also, a free drag-n-drop
> project homepage? What's really going on here?
>
> -Paul
>
> On Fri, Apr 1, 2011 at 2:34 AM, TD Dave ThePirate
> <tddavethepirate at gmail.com> wrote:
> > Cross Cloud Injection Vulnerability in multiple vendors leads to
> > Persistent Remote Root
> > ________________________________________________________________________
> > Global CWLS Alliance Virtual Security Research Team
> > T.D. Dave
> > Thu, 31 March 2011 22:22:15 UMT -0700
> > ________________________________________________________________________
> > [*] Vulnerability Type: APT, Remote Root, Arbitrary Code Execution
> > [*] Vuln Class Name: Cross-Cloud Injection
> > [*] Synopsis: Cross-Cloud Platform Arbitrary Code Injection
> > [*] Affected Platforms: Cloud, SaaS
> > [*] Affected Vendor: Multi-Vendor
> > [*] Threat: Requires Authentication, but Widely Deployed
> > [*] Severity: High Risk
> > [*] Ease of Exploitation: Trivial (2-4 hours)
> > [*] Release Date: 3.31.2011
> > [*] Issue fixed in version : Currently Exploitable
> > [*] Vulnerability discovered by : T.D. Dave & CWLS VSR Team
> > [*] CWLS VSRT: http://cwlsalliance.roxer.com/
> > ________________________________________________________________________
> >
> > ::Overview::
> > A critical new cloud-based attack vector has been discovered by the
> > CWLS Alliance VSRT (Virtual Security Research Team).
> >
> > Using this new attack vector it is possible for an attacker to
> > compromise multiple cloud-based platforms and script the execution of
> > arbitrary code infecting all users of these systems. This new attack
> > vector is being exploited by dynamically-generated APT that current
> > antivirus/malware solutions are not yet able to detect.
> >
> > ::Description::
> > A new attack vector against public-cloud platforms makes it
> > possible for an attacker to compromise data in multiple vendors'
> > private-cloud solutions via swod-niw family APT infection. The most
> > common scenario is that the attacker will first gain administrative
> > privilege access to one or more running application instances on a
> > public cloud using techniques detailed below. The attacker will then
> > modify this running application to host swod-niw family APT malware on
> > the public cloud application. The APT malware uses a combination of
> > Web 2.0 hacking techniques like CSRF and click-jacking to make calls
> > to and access private-cloud infrastructure's web interfaces via
> > legitimate private-cloud users' web browsers. While impersonating the
> > user privilege of the logged-in browser, the APT will access and mine
> > all data accessible to the private-cloud user. Additional activities
> > detected include taking actions within the private-cloud application
> > on behalf of the user.
> >
> > The exploitable platforms are multi-vendor and widespread, and we fear
> > that attacks such as this have already become common. Due to the
> > difficulty in monitoring for these complex, multi-step attacks, often
> > using request types not commonly logged, it is unlikely the majority
> > of Cross-Cloud Injection attacks are being detected today.
> >
> > ::Exploit details::
> >
> > 1. Malware: The attacker first creates an image to be deployed to a
> > public cloud. This image typically includes an operating system like
> > Windows, or shareware like Linux, and a web server. It will also
> > include malicious web application content usually in the form of PHP
> > web pages and/or SWFs, to be used in the data mining operation phase
> > of the attack.
> >
> > 2. Deployment: Next the attacker will upload the image, often
> > virtualized, to a public cloud. This typically requires authentication
> > but in all cases observed the attackers have already gained access to
> > legitimate userIDs and passwords. When these components are deployed
> > together on a public cloud this scenario is commonly referred to as
> > "APT" (Advanced Persistent Threat).
> >
> > 3. Phase One: Public-Cloud user Attack -- The attacker will take their
> > malware and integrate it into Web 2.0 applications like Facebook under
> > the guise of a legitimate application. The APT is often disguised as
> > an online game using farming implements and leveraging monotonous
> > clicking to maximize the amount of time the user leaves the
> > application running. This, as we will see in turn, increases the
> > attack window of exposure allowing for deeper data mining by the APT
> > malware running in the user's browser.
> >
> > Once the APT is on the social network the attacker waits for users to
> > access it with their web browser. Once a user executes the application
> > the second phase of the attack begins.
> >
> > 4. Phase Two: Private-Cloud user attack -- The APT malware will now
> > attempt to access applications within the user's virtual private
> > cloud. This often takes the form of the APT leveraging benign seeming
> > features within the online "game", allowing the APT to access the
> > user's email address book locally or ACROSS both Public and Private
> > Cloud email and contact systems. If the user allows the malware to
> > continue executing it is possible to mine all contacts from both
> > Public and Private cloud messaging systems and begin replicating its
> > attack across all users.
> >
> > Additional potential and likely threats from this APT execution include:
> > + potential to mine all data from all systems accessible via a web
> > browser with both idempotent and non-idempotent web requests
> > + set APT Spy-Cookies and Geolocating Tracking-Cookies
> >
> > ::Remediation::
> > There are no known immediate remediation steps available. Mitigation
> > steps include:
> > + Only use secure web browsers
> > + Only use trusted, secure web applications
> > + Disable Javascript
> > + Disable dangerous plugins in the browser
> > + Disable or remove any insecure web browsers you have installed to
> > avoid accidental use
> >
> > ::Reference::
> > The Cloud Web Large Server Alliance sponsors the CWLS Virtual Security
> > Research Team responsible for discovering this new attack vector.
> > Future updates can be tracked on the CWLS website using this unique
> > identifier: CWLS Disclosure ID: CWLS20110104
> >
> > APT (Advanced Persistent Threat):
> > http://en.wikipedia.org/wiki/Advanced_Persistent_Threat
> >
> > Cloud Computing:
> > http://en.wikipedia.org/wiki/Cloud_computing
> >
> > Cloud Security:
> > https://cloudsecurityalliance.org/
> > (note there is a gap in information regarding Cross-Cloud security)
> >
> > Code Injection:
> > http://en.wikipedia.org/wiki/Code_injection
> >
> > CWLS Alliance:
> > http://cwlsalliance.roxer.com/
> >