This is a post about an old vulnerability that I finally found the time to blog about. It dates back to 2014, but from a technical point of view it is nevertheless interesting: An XML parser that tries to fix structural errors in a document caused a DoS problem.
All previous posts of this series focused on XSS. This time, we present a vulnerability which is connected another Cloud Management Platform: OpenNebula. This Infrastructure-as-a-Service platform started as a research project in 2005. It is used by information technology companies like IBM, Dell and Akamai as well as academic institutions and the European Space Administrations (ESA). By relying on standard Linux tools as far as possible, OpenNebula reaches a high level of customizability and flexibility in hypervisors, storage systems, and network infrastructures. OpenNebula is distributed using the Apache-2 license.
OpenNebula offers a broad variety of interfaces to control a cloud. This post focuses on Sunstone, OpenNebula's web interface (see Figure 1).
Before OpenNebula 4.6.2, Sunstone had no Cross-Site Request Forgery (CSRF) protection. This is a severe problem. Consider an attacker who lures a victim into clicking on a malicious link while being logged in at a private cloud. This enables the attacker to send arbitrary requests to the private cloud through the victims browser. However, we could find other bugs in OpenNebula that allowed us to perform much more sophisticated attacks.
OpenNebula saves the incorrectly generated XML document in a database. The next time the OpenNebula core retrieves information about that particular VM from the database the XML parser is mixed up and runs into an error because it only expects a string as name, not an XML tree. As a result, Sunstone cannot be used to control the VM anymore. The Denial-of-Service attack can only be reverted from the command line interface of OpenNebula.
This bug can be triggered by a CSRF-attack, which means that it is a valid attack against a private cloud: By luring a victim onto a maliciously crafted website while logged in into Sunstone, an attacker can make all the victim's VMs uncontrollable via Sunstone. A video of the attack can be seen here:
This bug has been fixed in OpenNebula 4.6.2.
This result is a collaborative work together with Mario Heiderich. It has been published at ACM CCSW 2015. The paper can be found here.
All previous posts of this series focused on XSS. This time, we present a vulnerability which is connected another Cloud Management Platform: OpenNebula. This Infrastructure-as-a-Service platform started as a research project in 2005. It is used by information technology companies like IBM, Dell and Akamai as well as academic institutions and the European Space Administrations (ESA). By relying on standard Linux tools as far as possible, OpenNebula reaches a high level of customizability and flexibility in hypervisors, storage systems, and network infrastructures. OpenNebula is distributed using the Apache-2 license.
OpenNebula offers a broad variety of interfaces to control a cloud. This post focuses on Sunstone, OpenNebula's web interface (see Figure 1).
 |
| Figure 1: OpenNebula's Sunstone Interface displaying a VM's control interface |
Before OpenNebula 4.6.2, Sunstone had no Cross-Site Request Forgery (CSRF) protection. This is a severe problem. Consider an attacker who lures a victim into clicking on a malicious link while being logged in at a private cloud. This enables the attacker to send arbitrary requests to the private cloud through the victims browser. However, we could find other bugs in OpenNebula that allowed us to perform much more sophisticated attacks.
Denial-of-Service on OpenNebula-VM
At its backend, OpenNebula manages VMs with XML documents. A sample for such an XML document looks like this:<VM>OpenNebula 4.6.1 contains a bug in the sanitization of input for these XML documents: Whenever a VM's name contains an opening XML tag (but no corresponding closing one), an XML generator at the backend automatically inserts the corresponding closing tag to ensure well-formedness of the resulting document. However, the generator outputs an XML document that does not comply with the XML schema OpenNebula expects. The listing below shows the structure that is created after renaming the VM to 'My <x> VM':
<ID>0</ID>
<NAME>My VM</NAME>
<PERMISSIONS>...</PERMISSIONS>
<MEMORY>512</MEMORY>
<CPU>1</CPU>
...
</VM>
<VM>The generator closes the <x> tag, but not the <NAME> tag. At the end of the document, the generator closes all opened tags including <NAME>.
<ID>0</ID>
<NAME>My <x> VM</x>
<PERMISSIONS>...</PERMISSIONS>
<MEMORY>512</MEMORY>
<CPU>1</CPU>
...
</NAME>
</VM>
OpenNebula saves the incorrectly generated XML document in a database. The next time the OpenNebula core retrieves information about that particular VM from the database the XML parser is mixed up and runs into an error because it only expects a string as name, not an XML tree. As a result, Sunstone cannot be used to control the VM anymore. The Denial-of-Service attack can only be reverted from the command line interface of OpenNebula.
This bug can be triggered by a CSRF-attack, which means that it is a valid attack against a private cloud: By luring a victim onto a maliciously crafted website while logged in into Sunstone, an attacker can make all the victim's VMs uncontrollable via Sunstone. A video of the attack can be seen here:
This bug has been fixed in OpenNebula 4.6.2.
This result is a collaborative work together with Mario Heiderich. It has been published at ACM CCSW 2015. The paper can be found here.
Read more
- Hacking Tools Download
- Hack Tool Apk
- Github Hacking Tools
- Hacker Security Tools
- Hackers Toolbox
- Hackrf Tools
- Install Pentest Tools Ubuntu
- Hacking Tools Online
- Hacking Tools For Pc
- Hacking Tools Hardware
- Usb Pentest Tools
- Pentest Tools Port Scanner
- Hacking Apps
- Hacking Tools For Windows 7
- Pentest Tools Review
- Hacker Tool Kit
- Hacker Tools Software
- Hacking Tools Download
- Hack App
- Hack Tools 2019
- Hacker Tools For Windows
- Hacking Tools For Pc
- Hacking Tools
- New Hacker Tools
- Hacking Tools For Mac
- Hackers Toolbox
- Hacker Tools For Pc
- Github Hacking Tools
- Hacking Tools For Games
- Hacker Tools List
- Pentest Tools Subdomain
- Hack And Tools
- Hacker Search Tools
- World No 1 Hacker Software
- Hacker Tools Apk
- Pentest Tools Android
- Hack Tool Apk No Root
- Hacking App
- What Are Hacking Tools
- Kik Hack Tools
- Hack Tools 2019
- Pentest Tools Linux
- Pentest Tools Kali Linux
- Pentest Tools Online
- Hack Apps
- Hacker Tools Software
- Best Pentesting Tools 2018
- Hacker Tools Software
- Hacking Tools Mac
- Underground Hacker Sites
- Pentest Tools Windows
- Hacker Tools Online
- Pentest Tools Linux
- Hacking Tools For Windows 7
- Termux Hacking Tools 2019
- Hack Tools
- Easy Hack Tools
- Hacking Tools For Windows 7
- Game Hacking
- Hacker Security Tools
- Hackrf Tools
- Pentest Tools Download
- Hack Tools For Pc
- Hacker Tools Apk
- Hacker Tools Free Download
- Hacker Tools
- Kik Hack Tools
- Growth Hacker Tools
- Underground Hacker Sites
- Hack Tools Download
- Beginner Hacker Tools
- Tools 4 Hack
- Hacks And Tools
- Hacker Tools 2020
- Hacker Techniques Tools And Incident Handling
- Pentest Tools Bluekeep
- Kik Hack Tools
- Kik Hack Tools
- Pentest Tools Online
- Hacking Tools For Games
- Computer Hacker
- Hacking Tools Kit
- Game Hacking
- Hack App
- Pentest Tools Framework
- Best Hacking Tools 2020
- Pentest Tools Apk
- Pentest Tools Port Scanner
- Hacker Tools Github
- New Hack Tools
- Hacking Tools Pc
- Hacker Tools 2020
- Hack Tools Pc
- Hacking Tools For Windows
- Game Hacking
- Underground Hacker Sites
- Hack Tool Apk
- Hacker Techniques Tools And Incident Handling
- Pentest Tools Review
- Hacking Tools Software
- Hacking Tools Pc
- Hack Tools Download
- Hacker Tools Apk Download
- Hacking App
- Hackers Toolbox
- Hacking Tools For Beginners
- Hacker Tools Apk
- Hacker Tools Software
- Hack Tools
- Computer Hacker
- Pentest Tools Online
- Pentest Tools Apk
- Hacking Tools For Beginners
- Hack Website Online Tool
- Hacker Hardware Tools
- Computer Hacker
- Hacking Tools 2019
- Hacking Tools Mac
- Pentest Reporting Tools
- How To Hack
- Top Pentest Tools
- Hacking Tools For Windows 7
- Termux Hacking Tools 2019
- Hacking Tools Windows
- Tools For Hacker
- Termux Hacking Tools 2019
- Usb Pentest Tools
- Pentest Tools For Mac
- Pentest Tools Url Fuzzer
- Hacking Apps
- Android Hack Tools Github
- Tools Used For Hacking
- Hacker Tools Windows
- Tools For Hacker
- Pentest Tools Url Fuzzer
- Hacker Tools For Windows
- Pentest Tools Find Subdomains
- Hack Tool Apk No Root
- Hacking Apps
- Hack Tools For Ubuntu
- Hack App
- Pentest Tools List
- Hacking Tools For Pc
- Hacking Tools For Mac
- Hack Tools For Ubuntu
- Hack Tools Online
- Github Hacking Tools
- Hacking Tools 2019
- Pentest Tools Port Scanner
- Pentest Tools For Mac
- Pentest Tools Framework
- Hacker Tools Mac
- Pentest Tools List
- Nsa Hacker Tools
- Beginner Hacker Tools
- Hacking Tools Windows 10
- Pentest Tools Website Vulnerability
- Pentest Tools Open Source
- Beginner Hacker Tools
- Hacking Tools And Software
Nenhum comentário:
Postar um comentário