[WEB SECURITY] Cross Cloud Injection Vulnerability in multiple

robert at webappsec.org
Fri Apr 1 18:30:57 EDT 2011


> Do not be myopic, my friend. This is not just about the cloud.
> This is bigger than the cloud.
> 
> We have persistent code execution stealing legitimate user data
> across cloud applications, and between them. Leading security
> software tools and vendors have done little to protect us, though
> I believe the Next Generation Firewalls are implementing features
> to address Cross Cloud Injection as we speak.
> 
> This is the primary reason why the Cloud Web Large Server
> Alliance formed our Virtual Security Research Team:
> 
> to do something about this problem.
> 
> You can be part of the problem or part of the solution, Paul.
> 
> Which is it going to be?

If he's like 98% of all people in the security 'scene', just part of the problem.

:)

Regards,
- Robert
WASC Co-Founder/Moderator of The Web Security Mailing List
http://www.webappsec.org/
http://www.qasec.com/
http://www.cgisecurity.com/


> 
> ---
> T.D. Dave
> Senior Security Solutions Architecture Research Specialist
> CWLS Alliance, VSRT
> 
> ps - thanks for visiting our temporary website, we are still
> raising funds to build a formal website for the Alliance. If you
> would like to join as a member or sponsor this would help tremendously!
> 
> 
> 
> 
> On Fri, Apr 1, 2011 at 1:47 PM, Paul McMillan <paul at mcmillan.ws> wrote:
> 
> > This is bullshit with a bunch of buzzwords.
> >
> > The process boils down to:
> >
> > upload malware to the web
> > have users install malware as a facebook application
> > malware steals data available to facebook application
> > (or possibly, malware gets installed locally and does that thing malware
> > does)
> > also, malware might set cookies. How terrible.
> >
> > I don't think this requires "cloud" anything. Either this is a real
> > threat that wasn't described at all, or it's someone puffing
> > themselves up with vulnerability reports. Also, a free drag-n-drop
> > project homepage? What's really going on here?
> >
> > -Paul
> >
> > On Fri, Apr 1, 2011 at 2:34 AM, TD Dave ThePirate
> > <tddavethepirate at gmail.com> wrote:
> > > Cross Cloud Injection Vulnerability in multiple vendors leads to
> > > Persistent Remote Root
> > > ________________________________________________________________________
> > > Global CWLS Alliance Virtual Security Research Team
> > > T.D. Dave
> > > Thu, 31 March 2011 22:22:15 UMT -0700
> > > ________________________________________________________________________
> > > [*] Vulnerability Type: APT, Remote Root, Arbitrary Code Execution
> > > [*] Vuln Class Name: Cross-Cloud Injection
> > > [*] Synopsis: Cross-Cloud Platform Arbitrary Code Injection
> > > [*] Affected Platforms: Cloud, SaaS
> > > [*] Affected Vendor: Multi-Vendor
> > > [*] Threat: Requires Authentication, but Widely Deployed
> > > [*] Severity: High Risk
> > > [*] Ease of Exploitation: Trivial (2-4 hours)
> > > [*] Release Date: 3.31.2011
> > > [*] Issue fixed in version: Currently Exploitable
> > > [*] Vulnerability discovered by: T.D. Dave & CWLS VSR Team
> > > [*] CWLS VSRT: http://cwlsalliance.roxer.com/
> > > ________________________________________________________________________
> > >
> > > ::Overview::
> > > A critical new cloud-based attack vector has been discovered by the
> > > CWLS Alliance VSRT (Virtual Security Research Team).
> > >
> > > Using this new attack vector it is possible for an attacker to
> > > compromise multiple cloud-based platforms and script the execution of
> > > arbitrary code infecting all users of these systems. This new attack
> > > vector is being exploited by dynamically-generated APT that current
> > > antivirus/malware solutions are not yet able to detect.
> > >
> > > ::Description::
> > > A new attack vector against public-cloud platforms makes it
> > > possible for an attacker to compromise data in multiple vendors'
> > > private-cloud solutions via swod-niw family APT infection. The most
> > > common scenario is that the attacker will first gain administrative
> > > privilege access to one or more running application instances on a
> > > public cloud using techniques detailed below. The attacker will then
> > > modify this running application to host swod-niw family APT malware on
> > > the public cloud application. The APT malware uses a combination of
> > > Web 2.0 hacking techniques like CSRF and clickjacking to make calls
> > > to and access private-cloud infrastructure's web interfaces via
> > > legitimate private-cloud users' web browsers. While impersonating the
> > > user privilege of the logged-in browser, the APT will access and mine
> > > all data accessible to the private-cloud user. Additional activities
> > > detected include taking actions within the private-cloud application
> > > on behalf of the user.
> > >
> > > The exploitable platforms are multi-vendor and widespread, and we fear
> > > that attacks such as this have already become common. Due to the
> > > difficulty in monitoring for these complex, multi-step attacks, often
> > > using request types not commonly logged, it is unlikely the majority
> > > of Cross-Cloud Injection attacks are being detected today.
> > >
> > > ::Exploit details::
> > >
> > > 1. Malware: The attacker first creates an image to be deployed to a
> > > public cloud. This image typically includes an operating system like
> > > Windows, or shareware like Linux, and a web server. It will also
> > > include malicious web application content, usually in the form of PHP
> > > web pages and/or SWFs, to be used in the data mining operation phase
> > > of the attack.
> > >
> > > 2. Deployment: Next the attacker will upload the image, often
> > > virtualized, to a public cloud. This typically requires authentication,
> > > but in all cases observed the attackers have already gained access to
> > > legitimate userIDs and passwords. When these components are deployed
> > > together on a public cloud this scenario is commonly referred to as
> > > "APT" (Advanced Persistent Threat).
> > >
> > > 3. Phase One: Public-Cloud User Attack -- The attacker will take their
> > > malware and integrate it into Web 2.0 applications like Facebook under
> > > the guise of a legitimate application. The APT is often disguised as
> > > an online game using farming implements and leveraging monotonous
> > > clicking to maximize the amount of time the user leaves the
> > > application running. This, as we will see in turn, increases the
> > > attack window of exposure, allowing for deeper data mining by the APT
> > > malware running in the user's browser.
> > >
> > > Once the APT is on the social network the attacker waits for users to
> > > access it with their web browser. Once a user executes the application
> > > the second phase of the attack begins.
> > >
> > > 4. Phase Two: Private-Cloud User Attack -- The APT malware will now
> > > attempt to access applications within the user's virtual private
> > > cloud. This often takes the form of the APT leveraging benign-seeming
> > > features within the online "game", allowing the APT to access the
> > > user's email address book locally or ACROSS both Public and Private
> > > Cloud email and contact systems. If the user allows the malware to
> > > continue executing it is possible to mine all contacts from both
> > > Public and Private cloud messaging systems and begin replicating its
> > > attack across all users.
> > >
> > > Additional potential and likely threats from this APT execution include:
> > > + potential to mine all data from all systems accessible via a web
> > > browser with both idempotent and non-idempotent web requests
> > > + set APT Spy-Cookies and Geolocating Tracking-Cookies
> > >
> > > ::Remediation::
> > > There are no known immediate remediation steps available. Mitigation
> > > steps include:
> > > + Only use secure web browsers
> > > + Only use trusted, secure web applications
> > > + Disable JavaScript
> > > + Disable dangerous plugins in the browser
> > > + Disable or remove any insecure web browsers you have installed to
> > > avoid accidental use
> > >
> > > ::Reference::
> > > The Cloud Web Large Server Alliance sponsors the CWLS Virtual Security
> > > Research Team responsible for discovering this new attack vector.
> > > Future updates can be tracked on the CWLS website using this unique
> > > identifier: CWLS Disclosure ID: CWLS20110104
> > >
> > > APT (Advanced Persistent Threat):
> > > http://en.wikipedia.org/wiki/Advanced_Persistent_Threat
> > >
> > > Cloud Computing:
> > > http://en.wikipedia.org/wiki/Cloud_computing
> > >
> > > Cloud Security:
> > > https://cloudsecurityalliance.org/
> > > (note there is a gap in information regarding Cross-Cloud security)
> > >
> > > Code Injection:
> > > http://en.wikipedia.org/wiki/Code_injection
> > >
> > > CWLS Alliance:
> > > http://cwlsalliance.roxer.com/
> > >
> > > _______________________________________________
> > > The Web Security Mailing List
> > >
> > > WebSecurity RSS Feed
> > > http://www.webappsec.org/rss/websecurity.rss
> > >
> > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> > >
> > > WASC on Twitter
> > > http://twitter.com/wascupdates
> > >
> > > websecurity at lists.webappsec.org
> > >
> > > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
> > >
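The one concrete mechanism the quoted advisory names is CSRF: a page served by a malicious third-party "game" makes the user's logged-in browser issue requests to another web application, and the browser attaches that application's cookies. The example below is added for this thread and is not code from the advisory, the CWLS Alliance or WASC. It models a browser's cookie-attachment rules and a small server-side handler offline, then runs the forged request against the three standard defences the advisory's remediation list omits: the SameSite cookie attribute, an Origin header check, and a per-session anti-CSRF (synchronizer) token. The hosts, the session id, the cookie name and the /contacts/export endpoint are all made up for illustration, and the SameSite check is simplified to compare origins where real browsers compare registrable domains.

```python
"""Cross-site request forgery against a logged-in 'private cloud' web app,
modelled offline, next to the three standard defences: the SameSite cookie
attribute, an Origin header check and a per-session anti-CSRF token.

Added example for this list thread; it is not code from the advisory, the
CWLS Alliance or WASC. Hosts, cookie names, session ids and the
/contacts/export endpoint are all made up for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import hmac
import secrets

APP_ORIGIN = "https://private.example.test"          # the "private cloud" app (made up)
ATTACKER_ORIGIN = "https://farm-game.example.test"   # malicious third-party "game" page (made up)
EXPORT_URL = APP_ORIGIN + "/contacts/export"

# Constructed server-side state: one logged-in user with a CSRF token bound to the session.
SESSIONS = {"sess-abc": {"user": "alice", "csrf": secrets.token_hex(16)}}
CONTACTS = {"alice": ["bob@example.test", "carol@example.test"]}


@dataclass
class Cookie:
    name: str
    value: str
    host: str
    same_site: str = "None"   # "None" (legacy behaviour), "Lax" or "Strict"


@dataclass
class Request:
    method: str
    url: str
    initiator_origin: str                  # origin of the page that issued the request
    top_level_navigation: bool = False     # True for a link click / address-bar navigation
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def browser_cookies(jar: list, req: Request) -> dict:
    """Select the cookies a browser attaches to req, honouring SameSite.

    Simplification: a 'same-site' request is one whose initiator origin equals
    the target origin; real browsers compare registrable domains (eTLD+1).
    """
    same_site = origin_of(req.url) == req.initiator_origin
    sent = {}
    for c in jar:
        if c.host != urlsplit(req.url).hostname:
            continue
        if c.same_site == "Strict" and not same_site:
            continue
        if (c.same_site == "Lax" and not same_site
                and not (req.method == "GET" and req.top_level_navigation)):
            continue
        sent[c.name] = c.value
    return sent


def browser_post(initiator_origin: str, url: str, form: dict) -> Request:
    """A form POST issued by a page at initiator_origin. Browsers attach an
    Origin header to cross-origin POSTs, which is what the server can check."""
    return Request("POST", url, initiator_origin,
                   headers={"Origin": initiator_origin}, form=form)


def handle_export(req: Request, cookies: dict,
                  check_origin: bool, check_token: bool):
    """Server-side handler for POST /contacts/export. Returns (status, body)."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401, []                                    # no valid session cookie arrived
    if check_origin and req.headers.get("Origin") != APP_ORIGIN:
        return 403, []                                    # request was initiated cross-origin
    if check_token and not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return 403, []                                    # attacker cannot know the token
    return 200, CONTACTS[sess["user"]]


def attempt(cookie_same_site: str, initiator: str, with_token: bool,
            check_origin: bool, check_token: bool) -> int:
    """One end-to-end attempt: build the jar, let the 'browser' pick cookies, hit the handler."""
    jar = [Cookie("session", "sess-abc", "private.example.test", cookie_same_site)]
    form = {"csrf": SESSIONS["sess-abc"]["csrf"]} if with_token else {}
    req = browser_post(initiator, EXPORT_URL, form)
    status, _body = handle_export(req, browser_cookies(jar, req), check_origin, check_token)
    return status


def run_scenarios() -> dict:
    return {
        # legacy cookie, no server checks: the forged POST runs as alice
        "forged_legacy_cookie_no_checks": attempt("None", ATTACKER_ORIGIN, False, False, False),
        # SameSite=Lax: the browser withholds the cookie on a cross-site POST
        "forged_samesite_lax": attempt("Lax", ATTACKER_ORIGIN, False, False, False),
        # Origin header check alone
        "forged_origin_checked": attempt("None", ATTACKER_ORIGIN, False, True, False),
        # synchronizer token alone
        "forged_token_checked": attempt("None", ATTACKER_ORIGIN, False, False, True),
        # legitimate same-site POST carrying the token, every defence enabled
        "legit_all_defences": attempt("Strict", APP_ORIGIN, True, True, True),
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:34s} -> HTTP {status}")
```

Running it shows the forged POST succeeding (200) only in the legacy-cookie, no-checks case, failing with 401 once the cookie is SameSite=Lax and with 403 under either server-side check, while the legitimate same-site request with the token still gets 200 with all defences on. Note also what the first scenario does not give the attacker: without a permissive CORS policy the same-origin policy stops the cross-site page from reading the response body, so CSRF on its own lets an attacker take actions as the user, not bulk-read the user's data.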