[WEB SECURITY] Cross Cloud Injection Vulnerability in multiple vendors leads to Persistent Remote Root

Tasos Laskos tasos.laskos at gmail.com
Fri Apr 1 16:55:43 EDT 2011


I thought it was an April Fool's hoax myself...mostly because it 
mentioned APT.

On 04/01/2011 09:47 PM, Paul McMillan wrote:
> This is bullshit with a bunch of buzzwords.
>
> The process boils down to:
>
> upload malware to the web
> have users install malware as a facebook application
> malware steals data available to facebook application
> (or possibly, malware gets installed locally and does that thing malware does)
> also, malware might set cookies. How terrible.
>
> I don't think this requires "cloud" anything. Either this is a real
> threat that wasn't described at all, or it's someone puffing
> themselves up with vulnerability reports. Also, a free drag-n-drop
> project homepage? What's really going on here?
>
> -Paul
>
> On Fri, Apr 1, 2011 at 2:34 AM, TD Dave ThePirate
> <tddavethepirate at gmail.com>  wrote:
>> Cross Cloud Injection Vulnerability in multiple vendors leads to
>> Persistent Remote Root
>> ________________________________________________________________________
>> Global CWLS Alliance Virtual Security Research Team
>> T.D. Dave
>> Thu, 31 March 2011 22:22:15 UMT -0700
>> ________________________________________________________________________
>> [*] Vulnerability Type: APT, Remote Root, Arbitrary Code Execution
>> [*] Vuln Class Name: Cross-Cloud Injection
>> [*] Synopsis: Cross-Cloud Platform Arbitrary Code Injection
>> [*] Affected Platforms: Cloud, SaaS
>> [*] Affected Vendor: Multi-Vendor
>> [*] Threat: Requires Authentication, but Widely Deployed
>> [*] Severity: High Risk
>> [*] Ease of Exploitation: Trivial (2-4 hours)
>> [*] Release Date: 3.31.2011
>> [*] Issue fixed in version: Currently Exploitable
>> [*] Vulnerability discovered by: T.D. Dave & CWLS VSR Team
>> [*] CWLS VSRT: http://cwlsalliance.roxer.com/
>> ________________________________________________________________________
>>
>> ::Overview::
>> A critical new cloud-based attack vector has been discovered by the
>> CWLS Alliance VSRT (Virtual Security Research Team).
>>
>> Using this new attack vector it is possible for an attacker to
>> compromise multiple cloud-based platforms and script the execution of
>> arbitrary code, infecting all users of these systems. This new attack
>> vector is being exploited by dynamically-generated APT that current
>> antivirus/malware solutions are not yet able to detect.
>>
>> ::Description::
>> A new attack vector against public-cloud platforms makes it
>> possible for an attacker to compromise data in multiple vendors'
>> private-cloud solutions via swod-niw family APT infection. The most
>> common scenario is that the attacker will first gain administrative
>> privilege access to one or more running application instances on a
>> public cloud using techniques detailed below. The attacker will then
>> modify this running application to host swod-niw family APT malware on
>> the public cloud application. The APT malware uses a combination of
>> Web 2.0 hacking techniques like CSRF and click-jacking to make calls
>> to and access private-cloud infrastructure's web interfaces via
>> legitimate private-cloud users' web browsers. While impersonating the
>> user privilege of the logged-in browser, the APT will access and mine
>> all data accessible to the private-cloud user. Additional activities
>> detected include taking actions within the private-cloud application
>> on behalf of the user.
>>
>> The exploitable platforms are multi-vendor and widespread, and we fear
>> that attacks such as this have already become common. Due to the
>> difficulty in monitoring for these complex, multi-step attacks, often
>> using requests types not commonly logged, it is unlikely the majority
>> of Cross-Cloud Injection attacks are being detected today.
>>
>> ::Exploit details::
>>
>> 1. Malware: The attacker first creates an image to be deployed to a
>> public cloud. This image typically includes an operating system like
>> Windows, or shareware like Linux, and a web server. It will also
>> include malicious web application content, usually in the form of PHP
>> web pages and/or SWFs, to be used in the data mining operation phase
>> of the attack.
>>
>> 2. Deployment: Next the attacker will upload the image, often
>> virtualized, to a public cloud. This typically requires authentication,
>> but in all cases observed the attackers have already gained access to
>> legitimate userIDs and passwords. When these components are deployed
>> together on a public cloud this scenario is commonly referred to as
>> "APT" (Advanced Persistent Threat).
>>
>> 3. Phase One: Public-Cloud user Attack -- The attacker will take their
>> malware and integrate it into Web 2.0 applications like Facebook under
>> the guise of a legitimate application. The APT is often disguised as
>> an online game using farming implements and leveraging monotonous
>> clicking to maximize the amount of time the user leaves the
>> application running. This, as we will see in turn, increases the
>> attack window of exposure, allowing for deeper data mining by the APT
>> malware running in the user's browser.
>>
>> Once the APT is on the social network the attacker waits for users to
>> access it with their web browser. Once a user executes the application
>> the second phase of the attack begins.
>>
>> 4. Phase Two: Private-Cloud user attack -- The APT malware will now
>> attempt to access applications within the user's virtual private
>> cloud. This often takes the form of the APT leveraging benign seeming
>> features within the online "game", allowing the APT to access the
>> user's email address book locally or ACROSS both Public and Private
>> Cloud email and contact systems. If the user allows the malware to
>> continue executing it is possible to mine all contacts from both
>> Public and Private cloud messaging systems and begin replicating its
>> attack across all users.
>>
>> Additional potential and likely threats from this APT execution include:
>> + potential to mine all data from all systems accessible via a web
>> browser with both idempotent and non-idempotent web requests
>> + set APT Spy-Cookies and Geolocating Tracking-Cookies
>>
>> ::Remediation::
>> There are no known immediate remediation steps available. Mitigation
>> steps include:
>> + Only use secure web browsers
>> + Only use trusted, secure web applications
>> + Disable Javascript
>> + Disable dangerous plugins in the browser
>> + Disable or remove any insecure web browsers you have installed to
>> avoid accidental use
>>
>> ::Reference::
>> The Cloud Web Large Server Alliance sponsors the CWLS Virtual Security
>> Research Team responsible for discovering this new attack vector.
>> Future updates can be tracked on the CWLS website using this unique
>> identifier: CWLS Disclosure ID: CWLS20110104
>>
>> APT (Advanced Persistent Threat):
>> http://en.wikipedia.org/wiki/Advanced_Persistent_Threat
>>
>> Cloud Computing:
>> http://en.wikipedia.org/wiki/Cloud_computing
>>
>> Cloud Security:
>> https://cloudsecurityalliance.org/
>> (note there is a gap in information regarding Cross-Cloud security)
>>
>> Code Injection:
>> http://en.wikipedia.org/wiki/Code_injection
>>
>> CWLS Alliance:
>> http://cwlsalliance.roxer.com/
>>
>> _______________________________________________
>> The Web Security Mailing List
>>
>> WebSecurity RSS Feed
>> http://www.webappsec.org/rss/websecurity.rss
>>
>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>> WASC on Twitter
>> http://twitter.com/wascupdates
>>
>> websecurity at lists.webappsec.org
>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>