TD Dave ThePirate
Fri, Apr 1, 2011 9:34 AM
Cross Cloud Injection Vulnerability in multiple vendors leads to
Persistent Remote Root
Global CWLS Alliance Virtual Security Research Team
T.D. Dave
Thu, 31 March 2011 22:22:15 UMT -0700
[*] Vulnerability Type: APT, Remote Root, Arbitrary Code Execution
[*] Vuln Class Name: Cross-Cloud Injection
[*] Synopsis: Cross-Cloud Platform Arbitrary Code Injection
[*] Affected Platforms: Cloud, SaaS
[*] Affected Vendor: Multi-Vendor
[*] Threat: Requires Authentication, but Widely Deployed
[*] Severity: High Risk
[*] Ease of Exploitation: Trivial (2-4 hours)
[*] Release Date: 3.31.2011
[*] Issue fixed in version: Currently Exploitable
[*] Vulnerability discovered by: T.D. Dave & CWLS VSR Team
[*] CWLS VSRT: http://cwlsalliance.roxer.com/
::Overview::
A critical new cloud-based attack vector has been discovered by the
CWLS Alliance VSRT (Virtual Security Research Team).
Using this new attack vector it is possible for an attacker to
compromise multiple cloud-based platforms and script the execution of
arbitrary code, infecting all users of these systems. This new attack
vector is being exploited by dynamically-generated APT that current
antivirus/malware solutions are not yet able to detect.
::Description::
A new attack vector against public-cloud platforms makes it
possible for an attacker to compromise data in multiple vendors'
private-cloud solutions via swod-niw family APT infection. The most
common scenario is that the attacker will first gain administrative
privilege access to one or more running application instances on a
public cloud using techniques detailed below. The attacker will then
modify this running application to host swod-niw family APT malware on
the public cloud application. The APT malware uses a combination of
Web 2.0 hacking techniques like CSRF and click-jacking to make calls
to and access private-cloud infrastructure's web interfaces via
legitimate private-cloud users' web browsers. While impersonating the
user privilege of the logged-in browser, the APT will access and mine
all data accessible to the private-cloud user. Additional activities
detected include taking actions within the private-cloud application
on behalf of the user.
The exploitable platforms are multi-vendor and widespread, and we fear
that attacks such as this have already become common. Due to the
difficulty in monitoring for these complex, multi-step attacks, often
using request types not commonly logged, it is unlikely the majority
of Cross-Cloud Injection attacks are being detected today.
::Exploit details::
1. Malware: The attacker first creates an image to be deployed to a
public cloud. This image typically includes an operating system like
Windows or shareware like Linux, and a web server. It will also
include malicious web application content, usually in the form of PHP
web pages and/or SWFs, to be used in the data mining operation phase
of the attack.

2. Deployment: Next the attacker will upload the image, often
virtualized, to a public cloud. This typically requires authentication,
but in all cases observed the attackers have already gained access to
legitimate userIDs and passwords. When these components are deployed
together on a public cloud this scenario is commonly referred to as
"APT" (Advanced Persistent Threat).

3. Phase One: Public-Cloud user attack -- The attacker will take their
malware and integrate it into Web 2.0 applications like Facebook under
the guise of a legitimate application. The APT is often disguised as
an online game using farming implements and leveraging monotonous
clicking to maximize the amount of time the user leaves the
application running. This, as we will see in turn, increases the
attack window of exposure, allowing for deeper data mining by the APT
malware running in the user's browser.

Once the APT is on the social network the attacker waits for users to
access it with their web browser. Once a user executes the application
the second phase of the attack begins.

4. Phase Two: Private-Cloud user attack -- The APT malware will now
attempt to access applications within the user's virtual private
cloud. This often takes the form of the APT leveraging benign-seeming
features within the online "game", allowing the APT to access the
user's email address book locally or ACROSS both Public and Private
Cloud email and contact systems. If the user allows the malware to
continue executing it is possible to mine all contacts from both
Public and Private cloud messaging systems and begin replicating its
attack across all users.
Additional potential and likely threats from this APT execution include:
- potential to mine all data from all systems accessible via a web
browser with both idempotent and non-idempotent web requests
- set APT Spy-Cookies and Geolocating Tracking-Cookies
::Remediation::
There are no known immediate remediation steps available. Mitigation
steps include:
- Only use secure web browsers
- Only use trusted, secure web applications
- Disable JavaScript
- Disable dangerous plugins in the browser
- Disable or remove any insecure web browsers you have installed to
avoid accidental use
::Reference::
The Cloud Web Large Server Alliance sponsors the CWLS Virtual Security
Research Team responsible for discovering this new attack vector.
Future updates can be tracked on the CWLS website using this unique
identifier: CWLS Disclosure ID: CWLS20110104
APT (Advanced Persistent Threat):
http://en.wikipedia.org/wiki/Advanced_Persistent_Threat
Cloud Computing:
http://en.wikipedia.org/wiki/Cloud_computing
Cloud Security:
https://cloudsecurityalliance.org/
(note there is a gap in information regarding Cross-Cloud security)
Code Injection:
http://en.wikipedia.org/wiki/Code_injection
CWLS Alliance:
http://cwlsalliance.roxer.com/
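The one concrete mechanism in the post above is a page on a third-party origin (the "game") driving a logged-in browser into requests against another site's web interface, which is what the CSRF and click-jacking it names actually amount to. The following is an added example, not code from the original post or from the CWLS site it references: a self-contained Python model of that cross-site request and of the controls that defeat it (POST-only endpoint, Origin check, session-bound synchronizer token, SameSite cookies, X-Frame-Options). The origins, paths, session store and server secret are constructed for the example; the browser model assumes the Origin header and SameSite cookie behaviour of current browsers, both of which postdate the 2011 post.

```python
# Added example, not from the advisory: a model of a cross-site request from an
# attacker-hosted page against a logged-in user's web interface, with the
# vulnerable endpoint beside its hardened form. Sessions, origins, paths and
# the server secret are constructed for this example.
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

INTRANET = "https://intranet.example"       # the "private-cloud" web interface (assumed)
ATTACKER = "https://game.apps.example"       # where the malicious "game" page lives (assumed)
SERVER_SECRET = b"constructed-server-side-secret"
SESSIONS = {"sess-alice": "alice"}           # constructed session store: cookie value -> user


@dataclass
class Request:
    method: str
    path: str
    origin: Optional[str]                    # Origin header the browser attached
    cookies: Dict[str, str]
    form: Dict[str, str] = field(default_factory=dict)


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session id)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def export_contacts_vulnerable(req: Request) -> Tuple[int, str]:
    """Endpoint that trusts only the ambient session cookie: any page the
    browser visits can make it run, which is the advisory's scenario."""
    user = SESSIONS.get(req.cookies.get("session", ""))
    if user is None:
        return 401, "login required"
    return 200, f"contacts of {user}"


def export_contacts_hardened(req: Request) -> Tuple[int, str]:
    """Same endpoint with POST-only, an Origin check and a session-bound token."""
    user = SESSIONS.get(req.cookies.get("session", ""))
    if user is None:
        return 401, "login required"
    if req.method != "POST":
        return 405, "state-changing request must be POST"
    if req.origin != INTRANET:
        return 403, "cross-site origin rejected"
    expected = csrf_token(req.cookies["session"])
    if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
        return 403, "missing or invalid CSRF token"
    return 200, f"contacts of {user}"


def browser_request(page_origin: str, target: str, method: str, path: str,
                    form: Dict[str, str], jar: Dict[str, Tuple[str, str]]) -> Request:
    """Model of what a browser attaches when a page at page_origin submits a
    request to target: cookies filtered by their SameSite attribute
    (jar maps name -> (value, samesite)) and the page's origin as Origin."""
    cross_site = page_origin != target
    cookies = {}
    for name, (value, samesite) in jar.items():
        if (not cross_site or samesite == "None"
                or (samesite == "Lax" and method == "GET")):
            cookies[name] = value
    return Request(method, path, page_origin, cookies, form)


def frame_allowed(x_frame_options: str, framing_origin: str, target: str) -> bool:
    """Click-jacking control: may a page at framing_origin embed target in an iframe?"""
    policy = x_frame_options.upper()
    if policy == "DENY":
        return False
    if policy == "SAMEORIGIN":
        return framing_origin == target
    return True  # header absent or unrecognised: the browser frames it


def run_scenario() -> Dict[str, object]:
    """The attacker's page posting to the intranet under several configurations."""
    results: Dict[str, object] = {}
    legacy_jar = {"session": ("sess-alice", "None")}      # cookie sent on every request
    req = browser_request(ATTACKER, INTRANET, "POST", "/contacts/export", {}, legacy_jar)
    results["vulnerable"] = export_contacts_vulnerable(req)[0]          # 200: data leaks
    results["hardened_origin_check"] = export_contacts_hardened(req)[0]  # 403: rejected
    lax_jar = {"session": ("sess-alice", "Lax")}          # cookie withheld on cross-site POST
    req = browser_request(ATTACKER, INTRANET, "POST", "/contacts/export", {}, lax_jar)
    results["vulnerable_samesite_lax"] = export_contacts_vulnerable(req)[0]  # 401
    # A legitimate same-site form submission carrying the token still works.
    form = {"csrf_token": csrf_token("sess-alice")}
    req = browser_request(INTRANET, INTRANET, "POST", "/contacts/export", form, lax_jar)
    results["legitimate"] = export_contacts_hardened(req)[0]             # 200
    results["framed_by_attacker"] = frame_allowed("SAMEORIGIN", ATTACKER, INTRANET)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The point the model makes is that none of the post's mitigations (disabling JavaScript, choosing a "secure" browser) is needed: a plain HTML form auto-submitted from the attacker's page reaches the vulnerable endpoint with the victim's cookie, and it is the target site's own checks (Origin, token, SameSite, framing policy) that stop it.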
Paul McMillan
Fri, Apr 1, 2011 8:47 PM
This is bullshit with a bunch of buzzwords.
The process boils down to:
upload malware to the web
have users install malware as a facebook application
malware steals data available to facebook application
(or possibly, malware gets installed locally and does that thing malware does)
also, malware might set cookies. How terrible.
I don't think this requires "cloud" anything. Either this is a real
threat that wasn't described at all, or it's someone puffing
themselves up with vulnerability reports. Also, a free drag-n-drop
project homepage? What's really going on here?
-Paul
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Tasos Laskos
Fri, Apr 1, 2011 8:55 PM
I thought it was an April Fool's hoax myself...mostly because it
mentioned APT.
On 04/01/2011 09:47 PM, Paul McMillan wrote:
This is bullshit with a bunch of buzzwords.
The process boils down to:
upload malware to the web
have users install malware as a facebook application
malware steals data available to facebook application
(or possibly, malware gets installed locally and does that thing malware does)
also, malware might set cookies. How terrible.
I don't think this requires "cloud" anything. Either this is a real
threat that wasn't described at all, or it's someone puffing
themselves up with vulnerability reports. Also, a free drag-n-drop
project homepage? What's really going on here?
-Paul
On Fri, Apr 1, 2011 at 2:34 AM, TD Dave ThePirate
tddavethepirate@gmail.com wrote:
Cross Cloud Injection Vulnerability in multiple vendors leads to
Persistent Remote Root
Global CWLS Alliance Virtual Security Research Team
T.D. Dave
Thu, 31 March 2011 22:22:15 UMT -0700
[] Vulnerability Type: APT, Remote Root, Arbitrary Code Execution
[] Vuln Class Name: Cross-Cloud Injection
[] Synopsis: Cross-Cloud Platform Arbitrary Code Injection
[] Affected Platforms: Cloud, SaaS
[] Affected Vendor: Multi-Vendor
[] Threat: Requires Authentication, but Widely Deployed
[] Severity: High Risk
[] Ease of Exploitation:: Trivial (2-4 hours)
[]Release Date:: 3.31.2011
[] Issue fixed in version : Currently Exploitable
[] Vulnerability discovered by : T.D. Dave& CWLS VSR Team
[] CWLS VSRT: http://cwlsalliance.roxer.com/
::Overview::
A critical new cloud-based attack vector has been discovered by the
CWLS Alliance VSRT (Virtual Security Research Team).
Using this new attack vector it is possible for an attacker to
comprise multiple cloud-based platforms and script the execution of
arbitrary code infecting all users of these system. This new attack
vector is being exploited by dynamically-generated APT that current
antivirus/malware solutions are not yet able to detect.
::Description::
A new attack vector against public-cloud platforms makes it is
possible for an attacker to compromise data in multiple vendors'
private-cloud solutions via swod-niw family APT infection. The most
common scenario is that the attacker will first gain administrative
privilege access to one or more running application instances on a
public cloud using techniques detailed below. The attacker will then
modify this running application to host swod-niw family APT malware on
the public cloud application. The APT malware uses a combination of
Web 2.0 hacking techniques like CSRF and click-jacking to make calls
to and access private-cloud infrastucture's web interfaces via
legitimate private-cloud user's web browsers. While impersonating the
user privilege of the logged-in browser, the APT will access and mine
all data accessible to the private-cloud user. Additional activities
detected including taking actions within the private-cloud application
on behalf of the user.
The exploitable platforms are multi-vendor and widespread, and we fear
that attacks such as this have already become common. Due to the
difficulty in monitoring for these complex, multi-step attacks, often
using requests types not commonly logged, it is unlikely the majority
of Cross-Cloud Injection attacks are being detected today.
::Exploit details::
-
Malware: The attacker first creates an image to be deployed to a
public cloud. This image typically includes an operating system like
Windows, or shareware like Linux. And a web server. It will also
include malicious web application content usually in the form of PHP
web pages and/or SWFs, to be used in the data mining operation phase
of the attack.
-
Deployment: Next the attacker will upload the image, often
virtualized, to a public cloud. This typically requires authentication
but in all cases observed the attackers have already gained access to
legitimate userIDs and passwords. When these components are deployed
together on a public cloud this scenario is commonly referred to as
"APT" (Advanced Persistent Threat)
-
Phase One: Public-Cloud user Attack -- The attacker will take their
malware and integrate it into Web 2.0 applications like Facebook under
the guise of a legitimate application. Then APT is often disguised as
an online game using farming implements and leveraging monotonous
clicking to maximize the amount of time the user leaves the
application running. This, as we will see in turn, increases the
attack window of exposure allowing for deeper data mining by the APT
malware running in the user's browser.
Once the APT is on the social network the attacker waits for users to
access it with their web browser. Once a user executes the application
the second phase of the attack begins.
- Phase Two: Private-Cloud user attack -- The APT malware will now
attempt to access applications within the user's virtual private
cloud. This often takes the form of the APT leveraging benign seeming
features within the online "game", allowing the APT to access the
user's email address book locally or ACROSS both Public and Private
Cloud email and contact systems. If the user allows the malware to
continue executing it is possible to mine all contacts from both
Public and Private cloud messaging systems and begin replicating it's
attack across all users.
Additional potential and likely threats from this APT execution include:
- potential to mine all data from all systems accessible via a web
browser with both idempotent and non-idempotent web requests
- set APT Spy-Cookies and Geolocating Tracking-Cookies
::Remediation::
There are no known immediate remediation steps available. Mitigations
steps include:
- Only use secure web browsers
- Only use trusted, secure web applications
- Disable Javascript
- Disable dangerous plugins in the browser
- Disable or remove any insecure web browsers you have installed to
avoid accidental use
::Reference::
The Cloud Web Large Server Alliance sponsors the CWLS Virtual Security
Research Team responsible for discovering this new attack vector.
Future updates can be tracked on the CWLS website using this unique
identifier: CWLS Disclosure ID: CWLS20110104
APT (Advanced Persistent Threat):
http://en.wikipedia.org/wiki/Advanced_Persistent_Threat
Cloud Computing:
http://en.wikipedia.org/wiki/Cloud_computing
Cloud Security:
https://cloudsecurityalliance.org/
(note there is a gap in information regarding Cross-Cloud security)
Code Injection:
http://en.wikipedia.org/wiki/Code_injection
CWLS Alliance:
http://cwlsalliance.roxer.com/
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
I thought it was an April Fool's hoax myself...mostly because it
mentioned APT.
On 04/01/2011 09:47 PM, Paul McMillan wrote:
> This is bullshit with a bunch of buzzwords.
>
> The process boils down to:
>
> upload malware to the web
> have users install malware as a facebook application
> malware steals data available to facebook application
> (or possibly, malware gets installed locally and does that thing malware does)
> also, malware might set cookies. How terrible.
>
> I don't think this requires "cloud" anything. Either this is a real
> threat that wasn't described at all, or it's someone puffing
> themselves up with vulnerability reports. Also, a free drag-n-drop
> project homepage? What's really going on here?
>
> -Paul
Andrew Petukhov
Fri, Apr 1, 2011 9:09 PM
Paul,
I assume that was a joke in the name of April the 1st.
Sincerely yours,
Captain Obvious
TD Dave ThePirate
Fri, Apr 1, 2011 9:29 PM
Paul,
Do not be myopic, my friend. This is not just about the cloud.
This is bigger than the cloud.
We have persistent code execution stealing legitimate user data
across cloud applications, and between them. Leading security
software tools and vendors have done little to protect us, though
I believe the Next Generation Firewalls are implementing features
to address Cross Cloud Injection as we speak.
This is the primary reason why the Cloud Web Large Server
Alliance formed our Virtual Security Research Team:
to do something about this problem.
You can be part of the problem or part of the solution, Paul.
Which is it going to be?
T.D. Dave
Senior Security Solutions Architecture Research Specialist
CWLS Alliance, VSRT
ps - thanks for visiting our temporary website, we are still
raising funds to build a formal website for the Alliance. If you
would like to join as a member or sponsor this would help tremendously!
On Fri, Apr 1, 2011 at 1:47 PM, Paul McMillan paul@mcmillan.ws wrote:
This is bullshit with a bunch of buzzwords.
The process boils down to:
upload malware to the web
have users install malware as a facebook application
malware steals data available to facebook application
(or possibly, malware gets installed locally and does that thing malware
does)
also, malware might set cookies. How terrible.
I don't think this requires "cloud" anything. Either this is a real
threat that wasn't described at all, or it's someone puffing
themselves up with vulnerability reports. Also, a free drag-n-drop
project homepage? What's really going on here?
-Paul
On Fri, Apr 1, 2011 at 2:34 AM, TD Dave ThePirate
tddavethepirate@gmail.com wrote:
Cross Cloud Injection Vulnerability in multiple vendors leads to
Persistent Remote Root
Global CWLS Alliance Virtual Security Research Team
T.D. Dave
Thu, 31 March 2011 22:22:15 UMT -0700
[] Vulnerability Type: APT, Remote Root, Arbitrary Code Execution
[] Vuln Class Name: Cross-Cloud Injection
[] Synopsis: Cross-Cloud Platform Arbitrary Code Injection
[] Affected Platforms: Cloud, SaaS
[] Affected Vendor: Multi-Vendor
[] Threat: Requires Authentication, but Widely Deployed
[] Severity: High Risk
[] Ease of Exploitation:: Trivial (2-4 hours)
[]Release Date:: 3.31.2011
[] Issue fixed in version : Currently Exploitable
[] Vulnerability discovered by : T.D. Dave & CWLS VSR Team
[] CWLS VSRT: http://cwlsalliance.roxer.com/
::Overview::
A critical new cloud-based attack vector has been discovered by the
CWLS Alliance VSRT (Virtual Security Research Team).
Using this new attack vector it is possible for an attacker to
comprise multiple cloud-based platforms and script the execution of
arbitrary code infecting all users of these system. This new attack
vector is being exploited by dynamically-generated APT that current
antivirus/malware solutions are not yet able to detect.
::Description::
A new attack vector against public-cloud platforms makes it is
possible for an attacker to compromise data in multiple vendors'
private-cloud solutions via swod-niw family APT infection. The most
common scenario is that the attacker will first gain administrative
privilege access to one or more running application instances on a
public cloud using techniques detailed below. The attacker will then
modify this running application to host swod-niw family APT malware on
the public cloud application. The APT malware uses a combination of
Web 2.0 hacking techniques like CSRF and click-jacking to make calls
to and access private-cloud infrastucture's web interfaces via
legitimate private-cloud user's web browsers. While impersonating the
user privilege of the logged-in browser, the APT will access and mine
all data accessible to the private-cloud user. Additional activities
detected including taking actions within the private-cloud application
on behalf of the user.
The exploitable platforms are multi-vendor and widespread, and we fear
that attacks such as this have already become common. Due to the
difficulty in monitoring for these complex, multi-step attacks, often
using requests types not commonly logged, it is unlikely the majority
of Cross-Cloud Injection attacks are being detected today.
::Exploit details::
-
Malware: The attacker first creates an image to be deployed to a
public cloud. This image typically includes an operating system like
Windows, or shareware like Linux. And a web server. It will also
include malicious web application content usually in the form of PHP
web pages and/or SWFs, to be used in the data mining operation phase
of the attack.
-
Deployment: Next the attacker will upload the image, often
virtualized, to a public cloud. This typically requires authentication
but in all cases observed the attackers have already gained access to
legitimate userIDs and passwords. When these components are deployed
together on a public cloud this scenario is commonly referred to as
"APT" (Advanced Persistent Threat)
-
Phase One: Public-Cloud user Attack -- The attacker will take their
malware and integrate it into Web 2.0 applications like Facebook under
the guise of a legitimate application. Then APT is often disguised as
an online game using farming implements and leveraging monotonous
clicking to maximize the amount of time the user leaves the
application running. This, as we will see in turn, increases the
attack window of exposure allowing for deeper data mining by the APT
malware running in the user's browser.
Once the APT is on the social network the attacker waits for users to
access it with their web browser. Once a user executes the application
the second phase of the attack begins.
- Phase Two: Private-Cloud user attack -- The APT malware will now
attempt to access applications within the user's virtual private
cloud. This often takes the form of the APT leveraging benign seeming
features within the online "game", allowing the APT to access the
user's email address book locally or ACROSS both Public and Private
Cloud email and contact systems. If the user allows the malware to
continue executing it is possible to mine all contacts from both
Public and Private cloud messaging systems and begin replicating it's
attack across all users.
Additional potential and likely threats from this APT execution include:
- potential to mine all data from all systems accessible via a web
browser with both idempotent and non-idempotent web requests
- set APT Spy-Cookies and Geolocating Tracking-Cookies
::Remediation::
There are no known immediate remediation steps available. Mitigations
steps include:
- Only use secure web browsers
- Only use trusted, secure web applications
- Disable Javascript
- Disable dangerous plugins in the browser
- Disable or remove any insecure web browsers you have installed to
avoid accidental use
::Reference::
The Cloud Web Large Server Alliance sponsors the CWLS Virtual Security
Research Team responsible for discovering this new attack vector.
Future updates can be tracked on the CWLS website using this unique
identifier: CWLS Disclosure ID: CWLS20110104
APT (Advanced Persistent Threat):
http://en.wikipedia.org/wiki/Advanced_Persistent_Threat
Cloud Computing:
http://en.wikipedia.org/wiki/Cloud_computing
Cloud Security:
https://cloudsecurityalliance.org/
(note there is a gap in information regarding Cross-Cloud security)
Code Injection:
http://en.wikipedia.org/wiki/Code_injection
CWLS Alliance:
http://cwlsalliance.roxer.com/
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
Paul,
Do not be myopic, my friend. This is not just about the cloud.
This is bigger than the cloud.
We have persistent code execution stealing legitimate user data
across cloud applications, and between them. Leading security
software tools and vendors have done little to protect us, though
I believe the Next Generation Firewalls are implementing features
to address Cross Cloud Injection as we speak.
This is the primary reason why the Cloud Web Large Server
Alliance formed our Virtual Security Research Team:
to do something about this problem.
You can be part of the problem or part of the solution, Paul.
Which is it going to be?
---
T.D. Dave
Senior Security Solutions Architecture Research Specialist
CWLS Alliance, VSRT
ps - thanks for visiting our temporary website, we are still
raising funds to build a formal website for the Alliance. If you
would like to join as a member or sponsor this would help tremendously!
On Fri, Apr 1, 2011 at 1:47 PM, Paul McMillan <paul@mcmillan.ws> wrote:
> This is bullshit with a bunch of buzzwords.
>
> The process boils down to:
>
> upload malware to the web
> have users install malware as a facebook application
> malware steals data available to facebook application
> (or possibly, malware gets installed locally and does that thing malware
> does)
> also, malware might set cookies. How terrible.
>
> I don't think this requires "cloud" anything. Either this is a real
> threat that wasn't described at all, or it's someone puffing
> themselves up with vulnerability reports. Also, a free drag-n-drop
> project homepage? What's really going on here?
>
> -Paul
>
> On Fri, Apr 1, 2011 at 2:34 AM, TD Dave ThePirate
> <tddavethepirate@gmail.com> wrote:
> > Cross Cloud Injection Vulnerability in multiple vendors leads to
> > Persistent Remote Root
TL
Tasos Laskos
Fri, Apr 1, 2011 10:25 PM
I think the biggest problem is people throwing out buzzwords like APT
and Cloud and Web 2.0 just to sell stuff.
And when it comes to security it's even worse because buzzwords make old
threats sound new, everybody freaks out and starts asking for
(non-)solutions and the situation starts piling up.
APT basically means nothing, 'cloud' computing existed long before I was
born (mainframes and thin terminals and the like) and there is no Web 2.0.
And now an APT dubbed Cross Cloud Injection? This is an exercise in
recursive meaninglessness.
I'll agree with Paul on this one despite his overly enthusiastic candor.
On 04/01/2011 11:30 PM, robert@webappsec.org wrote:
>> Do not be myopic, my friend. This is not just about the cloud.
>> This is bigger than the cloud.
>>
>> We have persistent code execution stealing legitimate user data
>> across cloud applications, and between them. Leading security
>> software tools and vendors have done little to protect us, though
>> I believe the Next Generation Firewalls are implementing features
>> to address Cross Cloud Injection as we speak.
>>
>> This is the primary reason why the Cloud Web Large Server
>> Alliance formed our Virtual Security Research Team:
>>
>> to do something about this problem.
>>
>> You can be part of the problem or part of the solution, Paul.
>>
>> Which is it going to be?
>
> If he's like 98% of all people in the security 'scene', just part of the problem.
>
> :)
>
> Regards,
> - Robert
> WASC Co Founder/Moderator of The Web security Mailing List
> http://www.webappsec.org/
> http://www.qasec.com/
> http://www.cgisecurity.com/
>
>
>>
>> ---
>> T.D. Dave
>> Senior Security Solutions Architecture Research Specialist
>> CWLS Alliance, VSRT
>>
>> ps - thanks for visiting our temporary website, we are still
>> raising funds to build a formal website for the Alliance. If you
>> would like to join as a member or sponsor this would help tremendously!
>>
>>
>>
>>
>> On Fri, Apr 1, 2011 at 1:47 PM, Paul McMillan<paul@mcmillan.ws> wrote:
>>
>>> This is bullshit with a bunch of buzzwords.
>>>
>>> The process boils down to:
>>>
>>> upload malware to the web
>>> have users install malware as a facebook application
>>> malware steals data available to facebook application
>>> (or possibly, malware gets installed locally and does that thing malware
>>> does)
>>> also, malware might set cookies. How terrible.
>>>
>>> I don't think this requires "cloud" anything. Either this is a real
>>> threat that wasn't described at all, or it's someone puffing
>>> themselves up with vulnerability reports. Also, a free drag-n-drop
>>> project homepage? What's really going on here?
>>>
>>> -Paul
>>>
>>> On Fri, Apr 1, 2011 at 2:34 AM, TD Dave ThePirate
>>> <tddavethepirate@gmail.com> wrote:
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>
R
robert@webappsec.org
Fri, Apr 1, 2011 10:30 PM
Do not be myopic, my friend. This is not just about the cloud.
This is bigger than the cloud.
We have persistent code execution stealing legitimate user data
across cloud applications, and between them. Leading security
software tools and vendors have done little to protect us, though
I believe the Next Generation Firewalls are implementing features
to address Cross Cloud Injection as we speak.
This is the primary reason why the Cloud Web Large Server
Alliance formed our Virtual Security Research Team:
to do something about this problem.
You can be part of the problem or part of the solution, Paul.
Which is it going to be?
If he's like 98% of all people in the security 'scene', just part of the problem.
:)
Regards,
T.D. Dave
Senior Security Solutions Architecture Research Specialist
CWLS Alliance, VSRT
ps - thanks for visiting our temporary website, we are still
raising funds to build a formal website for the Alliance. If you
would like to join as a member or sponsor this would help tremendously!
On Fri, Apr 1, 2011 at 1:47 PM, Paul McMillan paul@mcmillan.ws wrote:
This is bullshit with a bunch of buzzwords.
The process boils down to:
upload malware to the web
have users install malware as a facebook application
malware steals data available to facebook application
(or possibly, malware gets installed locally and does that thing malware
does)
also, malware might set cookies. How terrible.
I don't think this requires "cloud" anything. Either this is a real
threat that wasn't described at all, or it's someone puffing
themselves up with vulnerability reports. Also, a free drag-n-drop
project homepage? What's really going on here?
-Paul
On Fri, Apr 1, 2011 at 2:34 AM, TD Dave ThePirate
tddavethepirate@gmail.com wrote:
><br>
> Additional potential and likely threats from this APT execution includ=
e:<br>
> + potential to mine all data from all systems accessible via a web<br>
> browser with both idempotent and non-idempotent web requests<br>
> + set APT Spy-Cookies and Geolocating Tracking-Cookies<br>
><br>
> ::Remediation::<br>
> There are no known immediate remediation steps available. Mitigations<=
br>
> steps include:<br>
> + Only use secure web browsers<br>
> + Only use trusted, secure web applications<br>
> + Disable Javascript<br>
> + Disable dangerous plugins in the browser<br>
> + Disable or remove any insecure web browsers you have installed to<br=
> avoid accidental use<br>
><br>
> ::Reference::<br>
> The Cloud Web Large Server Alliance sponsors the CWLS Virtual Security=
<br>
> Research Team responsible for discovering this new attack vector.<br>
> Future updates can be tracked on the CWLS website using this unique<br=
> identifier: CWLS Disclosure ID: CWLS20110104<br>
><br>
> APT (Advanced Persistent Threat):<br>
> <a href=3D"http://en.wikipedia.org/wiki/Advanced_Persistent_Threat" ta=
rget=3D"_blank">http://en.wikipedia.org/wiki/Advanced_Persistent_Threat</a>=
<br>
><br>
> Cloud Computing:<br>
> <a href=3D"http://en.wikipedia.org/wiki/Cloud_computing" target=3D"_bl=
ank">http://en.wikipedia.org/wiki/Cloud_computing</a><br>
><br>
> Cloud Security:<br>
> <a href=3D"https://cloudsecurityalliance.org/" target=3D"_blank">https=
://cloudsecurityalliance.org/</a><br>
> (note there is a gap in information regarding Cross-Cloud security)<br=
><br>
> Code Injection:<br>
> <a href=3D"http://en.wikipedia.org/wiki/Code_injection" target=3D"_bla=
nk">http://en.wikipedia.org/wiki/Code_injection</a><br>
><br>
> CWLS Alliance:<br>
> <a href=3D"http://cwlsalliance.roxer.com/" target=3D"_blank">http://cw=
lsalliance.roxer.com/</a><br>
><br>
</div></div><div><div></div><div class=3D"h5">> ________________________=
_______________________<br>
> The Web Security Mailing List<br>
><br>
> WebSecurity RSS Feed<br>
> <a href=3D"http://www.webappsec.org/rss/websecurity.rss" target=3D"_bl=
ank">http://www.webappsec.org/rss/websecurity.rss</a><br>
><br>
> Join WASC on LinkedIn <a href=3D"http://www.linkedin.com/e/gis/83336/4=
B20E4374DBA" target=3D"_blank">http://www.linkedin.com/e/gis/83336/4B20E437=
4DBA</a><br>
><br>
> WASC on Twitter<br>
> <a href=3D"http://twitter.com/wascupdates" target=3D"_blank">http://tw=
itter.com/wascupdates</a><br>
><br>
> <a href=3D"mailto:websecurity@lists.webappsec.org">websecurity@lists.w=
ebappsec.org</a><br>
> <a href=3D"http://lists.webappsec.org/mailman/listinfo/websecurity_lis=
ts.webappsec.org" target=3D"_blank">http://lists.webappsec.org/mailman/list=
info/websecurity_lists.webappsec.org</a><br>
><br>
</div></div></blockquote></div><br></div>
--001636e0b63452a3bd049fe21c8c--
--===============0787354708290838694==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
> Do not be myopic, my friend. This is not just about the cloud.
> This is bigger than the cloud.
>
> We have persistent code execution stealing legitimate user data
> across cloud applications, and between them. Leading security
> software tools and vendors have done little to protect us, though
> I believe the Next Generation Firewalls are implementing features
> to address Cross Cloud Injection as we speak.
>
> This is the primary reason why the Cloud Web Large Server
> Alliance formed our Virtual Security Research Team:
>
> to do something about this problem.
>
> You can be part of the problem or part of the solution, Paul.
>
> Which is it going to be?
If he's like 98% of all people in the security 'scene', just part of the problem.
:)
Regards,
- Robert
WASC Co Founder/Moderator of The Web security Mailing List
http://www.webappsec.org/
http://www.qasec.com/
http://www.cgisecurity.com/
>
> ---
> T.D. Dave
> Senior Security Solutions Architecture Research Specialist
> CWLS Alliance, VSRT
>
> ps - thanks for visiting our temporary website, we are still
> raising funds to build a formal website for the Alliance. If you
> would like to join as a member or sponsor this would help tremendously!
>
>
>
>
> On Fri, Apr 1, 2011 at 1:47 PM, Paul McMillan <paul@mcmillan.ws> wrote:
>
> > This is bullshit with a bunch of buzzwords.
> >
> > The process boils down to:
> >
> > upload malware to the web
> > have users install malware as a facebook application
> > malware steals data available to facebook application
> > (or possibly, malware gets installed locally and does that thing malware
> > does)
> > also, malware might set cookies. How terrible.
> >
> > I don't think this requires "cloud" anything. Either this is a real
> > threat that wasn't described at all, or it's someone puffing
> > themselves up with vulnerability reports. Also, a free drag-n-drop
> > project homepage? What's really going on here?
> >
> > -Paul
> >
> > On Fri, Apr 1, 2011 at 2:34 AM, TD Dave ThePirate
> > <tddavethepirate@gmail.com> wrote:
> > > Cross Cloud Injection Vulnerability in multiple vendors leads to
> > > Persistent Remote Root
> > > ________________________________________________________________________
> > > Global CWLS Alliance Virtual Security Research Team
> > > T.D. Dave
> > > Thu, 31 March 2011 22:22:15 UMT -0700
> > > ________________________________________________________________________
> > > [*] Vulnerability Type: APT, Remote Root, Arbitrary Code Execution
> > > [*] Vuln Class Name: Cross-Cloud Injection
> > > [*] Synopsis: Cross-Cloud Platform Arbitrary Code Injection
> > > [*] Affected Platforms: Cloud, SaaS
> > > [*] Affected Vendor: Multi-Vendor
> > > [*] Threat: Requires Authentication, but Widely Deployed
> > > [*] Severity: High Risk
> > > [*] Ease of Exploitation:: Trivial (2-4 hours)
> > > [*]Release Date:: 3.31.2011
> > > [*] Issue fixed in version : Currently Exploitable
> > > [*] Vulnerability discovered by : T.D. Dave & CWLS VSR Team
> > > [*] CWLS VSRT: http://cwlsalliance.roxer.com/
> > > ________________________________________________________________________
> > >
> > > ::Overview::
> > > A critical new cloud-based attack vector has been discovered by the
> > > CWLS Alliance VSRT (Virtual Security Research Team).
> > >
> > > Using this new attack vector it is possible for an attacker to
> > > compromise multiple cloud-based platforms and script the execution of
> > > arbitrary code infecting all users of these systems. This new attack
> > > vector is being exploited by dynamically-generated APT that current
> > > antivirus/malware solutions are not yet able to detect.
> > >
> > > ::Description::
> > > A new attack vector against public-cloud platforms makes it
> > > possible for an attacker to compromise data in multiple vendors'
> > > private-cloud solutions via swod-niw family APT infection. The most
> > > common scenario is that the attacker will first gain administrative
> > > privilege access to one or more running application instances on a
> > > public cloud using techniques detailed below. The attacker will then
> > > modify this running application to host swod-niw family APT malware on
> > > the public cloud application. The APT malware uses a combination of
> > > Web 2.0 hacking techniques like CSRF and click-jacking to make calls
> > > to and access private-cloud infrastructure's web interfaces via
> > > legitimate private-cloud user's web browsers. While impersonating the
> > > user privilege of the logged-in browser, the APT will access and mine
> > > all data accessible to the private-cloud user. Additional activities
> > > detected include taking actions within the private-cloud application
> > > on behalf of the user.
> > >
> > > The exploitable platforms are multi-vendor and widespread, and we fear
> > > that attacks such as this have already become common. Due to the
> > > difficulty in monitoring for these complex, multi-step attacks, often
> > > using request types not commonly logged, it is unlikely the majority
> > > of Cross-Cloud Injection attacks are being detected today.
> > >
> > > ::Exploit details::
> > >
> > > 1. Malware: The attacker first creates an image to be deployed to a
> > > public cloud. This image typically includes an operating system like
> > > Windows, or shareware like Linux, and a web server. It will also
> > > include malicious web application content usually in the form of PHP
> > > web pages and/or SWFs, to be used in the data mining operation phase
> > > of the attack.
> > >
> > > 2. Deployment: Next the attacker will upload the image, often
> > > virtualized, to a public cloud. This typically requires authentication
> > > but in all cases observed the attackers have already gained access to
> > > legitimate userIDs and passwords. When these components are deployed
> > > together on a public cloud this scenario is commonly referred to as
> > > "APT" (Advanced Persistent Threat).
> > >
> > > 3. Phase One: Public-Cloud user Attack -- The attacker will take their
> > > malware and integrate it into Web 2.0 applications like Facebook under
> > > the guise of a legitimate application. The APT is often disguised as
> > > an online game using farming implements and leveraging monotonous
> > > clicking to maximize the amount of time the user leaves the
> > > application running. This, as we will see in turn, increases the
> > > attack window of exposure allowing for deeper data mining by the APT
> > > malware running in the user's browser.
> > >
> > > Once the APT is on the social network the attacker waits for users to
> > > access it with their web browser. Once a user executes the application
> > > the second phase of the attack begins.
> > >
> > > 4. Phase Two: Private-Cloud user attack -- The APT malware will now
> > > attempt to access applications within the user's virtual private
> > > cloud. This often takes the form of the APT leveraging benign-seeming
> > > features within the online "game", allowing the APT to access the
> > > user's email address book locally or ACROSS both Public and Private
> > > Cloud email and contact systems. If the user allows the malware to
> > > continue executing it is possible to mine all contacts from both
> > > Public and Private cloud messaging systems and begin replicating its
> > > attack across all users.
> > >
> > > Additional potential and likely threats from this APT execution include:
> > > + potential to mine all data from all systems accessible via a web
> > > browser with both idempotent and non-idempotent web requests
> > > + set APT Spy-Cookies and Geolocating Tracking-Cookies
> > >
> > > ::Remediation::
> > > There are no known immediate remediation steps available. Mitigation
> > > steps include:
> > > + Only use secure web browsers
> > > + Only use trusted, secure web applications
> > > + Disable JavaScript
> > > + Disable dangerous plugins in the browser
> > > + Disable or remove any insecure web browsers you have installed to
> > > avoid accidental use
> > >
> > > ::Reference::
> > > The Cloud Web Large Server Alliance sponsors the CWLS Virtual Security
> > > Research Team responsible for discovering this new attack vector.
> > > Future updates can be tracked on the CWLS website using this unique
> > > identifier: CWLS Disclosure ID: CWLS20110104
> > >
> > > APT (Advanced Persistent Threat):
> > > http://en.wikipedia.org/wiki/Advanced_Persistent_Threat
> > >
> > > Cloud Computing:
> > > http://en.wikipedia.org/wiki/Cloud_computing
> > >
> > > Cloud Security:
> > > https://cloudsecurityalliance.org/
> > > (note there is a gap in information regarding Cross-Cloud security)
> > >
> > > Code Injection:
> > > http://en.wikipedia.org/wiki/Code_injection
> > >
> > > CWLS Alliance:
> > > http://cwlsalliance.roxer.com/
> > >
> > > _______________________________________________
> > > The Web Security Mailing List
> > >
> > > WebSecurity RSS Feed
> > > http://www.webappsec.org/rss/websecurity.rss
> > >
> > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> > >
> > > WASC on Twitter
> > > http://twitter.com/wascupdates
> > >
> > > websecurity@lists.webappsec.org
> > >
> > > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
> > >
> >
>
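The one concrete mechanism in the quoted advisory is a third-party web application using CSRF and click-jacking to issue requests to a private-cloud web interface from a legitimate user's logged-in browser. The toy model below, an added example that is not code from the advisory or from anyone in the thread, shows why that pattern fails against a web interface that applies the standard controls (SameSite session cookies, an Origin check plus a per-session CSRF token on non-idempotent requests, anti-framing headers, and the same-origin policy on responses); the hostnames, user and contact list are constructed, and the browser cookie rules are deliberately simplified.

```python
# Added example (not code from the advisory or anyone in the thread): a toy model
# of the "logged-in browser as proxy" pattern it describes, with the standard
# defences a private-cloud web interface enforces. All names are constructed.
import hmac
import secrets

PRIVATE_CLOUD_ORIGIN = "https://mail.private-cloud.example"  # constructed
THIRD_PARTY_ORIGIN = "https://games.social-network.example"  # constructed
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class PrivateCloudApp:
    """Server side: session cookie, per-session CSRF token, Origin check."""
    def __init__(self):
        self.sessions = {}  # session id -> {"user": ..., "csrf": ...}
        self.contacts = {"alice": ["bob@example.test", "carol@example.test"]}
        self.sent = []      # messages actually sent on a user's behalf

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
        return sid

    def handle(self, method, path, headers, cookies, form):
        # Anti-framing headers address the click-jacking half of the scheme.
        out = {"X-Frame-Options": "DENY",
               "Content-Security-Policy": "frame-ancestors 'none'"}
        sess = self.sessions.get(cookies.get("sid", ""))
        if sess is None:
            return 401, out, "login required"
        if method not in SAFE_METHODS:
            # Non-idempotent requests need a same-origin initiator and a token.
            if headers.get("Origin", "") != PRIVATE_CLOUD_ORIGIN:
                return 403, out, "cross-origin write rejected"
            if not hmac.compare_digest(form.get("csrf", ""), sess["csrf"]):
                return 403, out, "missing or invalid CSRF token"
        if path == "/contacts" and method == "GET":
            return 200, out, list(self.contacts[sess["user"]])
        if path == "/send" and method == "POST":
            self.sent.append((sess["user"], form["to"]))
            return 200, out, "sent"
        return 404, out, "not found"


class Browser:
    """Browser side: SameSite cookie rules and same-origin policy, simplified."""
    def __init__(self, app):
        self.app = app
        self.cookies = {}  # name -> (value, SameSite attribute)

    def set_cookie(self, name, value, samesite="Lax"):
        self.cookies[name] = (value, samesite)

    def request(self, method, path, initiator, form=None, top_level=False):
        same_site = initiator == PRIVATE_CLOUD_ORIGIN
        sent = {}
        for name, (value, samesite) in self.cookies.items():
            # Strict: same-site only; Lax: also top-level safe navigations;
            # None: always attached, which is what the described scheme relies on.
            if same_site or samesite == "None" or (
                    samesite == "Lax" and top_level and method in SAFE_METHODS):
                sent[name] = value
        status, _headers, body = self.app.handle(
            method, path, {"Origin": initiator}, sent, form or {})
        # Without CORS a cross-origin page sees only the status, never the body.
        return status, (body if same_site else None)


def third_party_attempt(samesite):
    """What an embedded third-party page achieves against a logged-in user."""
    browser = Browser(PrivateCloudApp())
    browser.set_cookie("sid", browser.app.login("alice"), samesite)
    read = browser.request("GET", "/contacts", THIRD_PARTY_ORIGIN)
    write = browser.request("POST", "/send", THIRD_PARTY_ORIGIN,
                            {"to": "mallory@example.test"})
    return read, write, len(browser.app.sent)


def legitimate_send():
    browser = Browser(PrivateCloudApp())
    sid = browser.app.login("alice")
    browser.set_cookie("sid", sid, "Lax")
    form = {"to": "bob@example.test", "csrf": browser.app.sessions[sid]["csrf"]}
    return browser.request("POST", "/send", PRIVATE_CLOUD_ORIGIN, form)
```

Even with a `SameSite=None` cookie the third-party page gets an opaque response to its read and a 403 on its write, while `Lax` or `Strict` leaves the request unauthenticated; the user's own page, carrying the token, still succeeds.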