[Confidence0902] The Glass Cage - Virtualization Security


DESCRIPTION

The Glass Cage, the presentation I gave at Confidence 2009-02 about virtualization security, detailing various attack patterns to virtualization infrastructures.


1. The Glass Cage: Virtualization security. Claudio Criscione
2. Claudio Criscione, Nibble Security
3. What is this speech about? Breaking out of the cage vendors are trying to put on your mind!
4. Virtualization in 3 Minutes: Hardware; Hypervisor; Host Operating System
5. Design in the virtualization era: Mail Server; Web Server; DNS Server; Firewall
6. The Original Sin: virtualization security is the same as physical security
7. It is very practical to think about the cloud. It is not really there! What you have is more systems
8. If it bleeds...
9. Hypervisors are running on top of standard OS: Linux, Windows 2008, Nemesis. And they are running services as well!
10. VMSA-0008-0002.1 patches Virtual Center: running tomcat 5.5.17. VMSA-0008-0015 patches remote buffer overflow in openwsman. CVE-2007-1321: Heap Overflow in Xen NE2000 network driver. Hyper-V: SMBv2 anyone?
11. More than just Hypervisors
12. There's a whole ecosystem around virtualization: management software; storage managers; patchers; conversion software. All of them can be hacked! SN-2009-02 - ToutVirtual VirtualIQ Pro Multiple Vulnerabilities
13. Insecure clients: Client security
14. The attack surface is quite large: SSL; Web Services; rendering engines; integration & plugins; auto-update functionalities
15. MITM Against Clients? Why not! With or without null byte
16. /client/clients.xml: requested every time VI client connects to a host. 90233.0.03.1.0https://*/client/VMware-viclient.exe
17. What if we change that XML? By MitM or post-exploitation on the host. Demo time
18. Just woke up? Here's what's going on: VI Client looks for clients.xml; we do some MiTM; we use Burp because it rocks and it's easy; change the clients.xml; P0wned
19. Administrative Interface Security: Glass windows in the castle
20. Some of them are even hidden...
21. ...and some of them are broken.
22. XEN Center Web: multiple vulnerabilities in the default installation (RCE, File inclusion, XSS). SN-2009-01, Alberto Trivero & Claudio Criscione
23. People were actually using it, over the internet. But now it's gone...
24. VMware Studio: a virtual appliance to build other virtual appliances. Path traversal leading to unauthenticated arbitrary file upload to any directory. SN-2009-03 by Claudio Criscione
25. Virtualization ASsessment TOolkit: a toolkit for virtualization penetration testing. Currently under development @ Secure Network. Metasploit based
26. Still in early Alpha stage. Stable modules: Fingerprinting; Brute Forcer; VMware Studio Exploiter. Let's see them (if we have time!)
27. Everyone has got some... Ubuntu just launched its Cloud infrastructure. It leverages Eucalyptus. And we have (at least) an XSS in Eucalyptus
28. VM Hopping
29. You already knew about that, or at least thought about that. It already happened multiple times, e.g. CloudBurst on VMware, CVE-2007-1320 on XEN. Overflow in Cirrus VGA: see a pattern?
30. Virtual Appliances
31. Monitoring systems
32. Virtual Appliances + Monitoring = Nice Example: Astaro virtual firewall
33. One pre-auth request to the HTTP interface will result in Astaro doing a DNS query. We won't get the results, but it's a nice one-way covert channel for any blind attack (tnx ikki). What's most important, no IDS in the network will detect any anomaly. It's all in-memory
34. Templates
35. So what
36. Virtualization Management Review; Virtualization Architecture Review. And now you know VASTO is coming
37. What about management issues?
38. VM Sprawl
39. Segregation of duties
40. Thank you! Claudio Criscione [email protected] @paradoxengine