2. Outline
• Recalls (XSS and CSRF)
• Attacks against Amazon EC2 management console
• Amazon EC2 real vulnerabilities
– Web management console
– Amazon Web Services (AWS) portals
• Conclusions
4. Recalls
• An XSS (Cross-Site Scripting) vulnerability allows an attacker to use a website to transmit an attack: the website becomes the vector through which attackers reach their victims.
• XSS is today’s most widely reported software vulnerability.
6. Recalls
• CSRF (Cross-Site Request Forgery) is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.
• CSRF tricks the victim into loading a page that contains a malicious request.
7. Recalls
• CSRF, a simple example:
...
<img src="http://trustedblog.com/addfriend.php?id=12345"/>
...
[Figure: the user holds an active session on the trusted blog (i.e. MySpace); the page served by the evil site carries the hidden request above]
8. Outline
• Recalls (XSS and CSRF)
• Attacks against Amazon EC2 management console
• Amazon EC2 real vulnerabilities
– Web management console
– Amazon Web Services (AWS) portals
• Conclusions
9. Attacks against EC2
• The Amazon EC2 cloud is managed via web services and web interface consoles.
• The web management console asks the user to provide her Amazon.com username and password.
• The login page is hosted on the Amazon.com domain, making it susceptible to web application vulnerabilities found anywhere on the domain.
10. Attacks against EC2
• Once an attacker gains access to the EC2 user’s session, the Amazon web management console offers a wealth of information related to the victim’s EC2 instances (X.509 certificates, secret tokens, ...).
11. Attacks against EC2
• If the attacker discovers an XSS vulnerability anywhere on the Amazon.com domain, he can use a simple JavaScript payload to steal the EC2 user’s Access Key ID and Secret Access Key.
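The defensive counterpart to the scenario above is contextual output encoding on every page served from the shared domain: an attacker who cannot get script to execute anywhere on the domain has no foothold against the console session. The following is an added example, not code from the slides or from Amazon; the function names and the three-context profile page are the editor's own construction.

```python
# Added example (not from the slides or from Amazon): contextual output
# encoding, the control that denies an attacker the XSS foothold on a
# domain that also hosts the management console's login page.
import html
import re

# Characters that may appear unencoded inside a JavaScript string literal.
_JS_SAFE = re.compile(r"[A-Za-z0-9 ,._-]")


def encode_js_string(untrusted: str) -> str:
    """Encode a value for use inside a JavaScript string literal.

    Every character outside the safe set is emitted as \\uXXXX, so the
    value can neither close the quotes nor contain </script> or a newline.
    """
    out = []
    for ch in untrusted:
        if _JS_SAFE.fullmatch(ch):
            out.append(ch)
            continue
        cp = ord(ch)
        if cp > 0xFFFF:  # astral plane: emit a UTF-16 surrogate pair
            cp -= 0x10000
            out.append("\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
        else:
            out.append("\\u%04x" % cp)
    return "".join(out)


def render_profile_page(display_name: str) -> str:
    """Render a page that places one untrusted value in three contexts.

    HTML body and double-quoted attribute: html.escape with quote=True
    (quote=True is what makes the attribute context safe).
    JavaScript string literal: encode_js_string, because HTML entities
    are not decoded inside <script>.
    """
    escaped = html.escape(display_name, quote=True)
    js_literal = encode_js_string(display_name)
    return (
        "<html><body>\n"
        f"<h1>Welcome, {escaped}</h1>\n"
        f'<input type="text" name="name" value="{escaped}">\n'
        "<script>\n"
        f'  var userName = "{js_literal}";\n'
        "</script>\n"
        "</body></html>\n"
    )


if __name__ == "__main__":
    # Constructed probe value (not an exploit): it carries the characters
    # an injection would need in each of the three contexts.
    print(render_profile_page('"><script>x</script>'))
```

The point of the two encoders is that one escaping routine does not fit all contexts: `html.escape` output is correct between tags and inside a quoted attribute, but inside a `<script>` block entities are never decoded, so the only safe representation there is the `\uXXXX` form.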
12. Outline
• Recalls (XSS and CSRF)
• Attacks against Amazon EC2 management console
• Amazon EC2 real vulnerabilities
– Web management console
– Amazon Web Services (AWS) portals
• Conclusions
13. Amazon EC2 real vulnerabilities
• The security of AMI instances depends on the security of the web management console.
• Several portions of Amazon’s web management console were vulnerable to cross-site request forgery (CSRF) attacks.
14. Outline
• Recalls (XSS and CSRF)
• Attacks against Amazon EC2 management console
• Amazon EC2 real vulnerabilities
– Web management console
– Amazon Web Services (AWS) portals
• Conclusions
15. Web management console vulnerabilities
• The first allows the attacker to start an arbitrary AMI instance using the victim’s EC2 account.
• Two parts:
– Initialize an evil AMI;
– Launch the instance under the victim’s EC2 account.
21. Web management console vulnerabilities
Merge (the browser will not display the reply of the web server):
<html>
<body>
<iframe src="./initialize.html" height="0" width="0"></iframe>
<iframe src="./launch.html" height="0" width="0"></iframe>
</body>
</html>
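The hidden-iframe page above and the `<img>` request from the CSRF recap both succeed only because the console accepts a state-changing request without any proof that the user's own console page sent it. The following added example (not code from the slides or from Amazon; the endpoint paths, the console origin and the `Session`/`Request` shapes are the editor's assumptions) shows the server-side authorization a console endpoint should perform before launching or terminating anything.

```python
# Added example (not from the slides or from Amazon): the checks a console
# endpoint must apply before honouring a state-changing request. Paths,
# origin and data shapes are assumptions made for the example.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

CONSOLE_ORIGIN = "https://console.example.com"  # assumed console origin

# Assumed endpoint paths modelled on the actions the slides describe.
STATE_CHANGING = {
    "/addfriend.php",
    "/instances/launch",
    "/instances/terminate",
    "/keypairs/delete",
}


@dataclass
class Session:
    user: str
    # Synchronizer token: random per session, echoed back in every form.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict = field(default_factory=dict)


def request_origin(req: Request):
    """Origin header if present, otherwise the origin part of Referer."""
    origin = req.headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def authorize_state_change(session: Session, req: Request):
    """Return (allowed, reason). All three checks must pass."""
    if req.path not in STATE_CHANGING:
        return True, "not a state-changing endpoint"
    # 1. GET must never change state: an <img> or <iframe> src is a GET.
    if req.method != "POST":
        return False, f"state change attempted over {req.method}"
    # 2. The request must come from the console's own origin. A request
    #    with neither Origin nor Referer is rejected too (fail closed).
    origin = request_origin(req)
    if origin != CONSOLE_ORIGIN:
        return False, f"cross-site origin {origin!r}"
    # 3. The form must carry this session's token; constant-time compare.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sess = Session("alice")
    # Constructed requests: what hidden <img>/<iframe> pages produce,
    # followed by a genuine console form submission.
    forged_get = Request("GET", "/instances/launch", {"Referer": "http://evil.example/page.html"})
    forged_post = Request("POST", "/instances/launch", {"Origin": "http://evil.example"}, {"ami": "ami-PLACEHOLDER"})
    genuine = Request("POST", "/instances/launch", {"Origin": CONSOLE_ORIGIN}, {"csrf_token": sess.csrf_token})
    for r in (forged_get, forged_post, genuine):
        print(r.method, r.path, authorize_state_change(sess, r))
```

The origin check and the token check cover different failure modes: the first needs no per-session state but some clients strip `Referer` (and older browsers send no `Origin`), the second works without any header but is only as strong as the page's freedom from XSS. That is why the deck's two bug classes compound: an XSS anywhere on the domain lets an attacker read the token that defeats the CSRF protection.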
22. Web management console vulnerabilities
• The second vulnerability terminates arbitrary AMIs being run by the victim.
• After the attack is launched, the victim can see that the instance was terminated without her consent.
23. Web management console vulnerabilities
• The last vulnerability involves the deletion of AMI key pairs.
• Using a CSRF vulnerability, an attacker has the ability to delete arbitrary key pairs from a victim’s EC2 session. If the key pair is deleted, and the user has not properly backed up the key pair, he will have lost access to his own AMIs!
24. Outline
• Recalls (XSS and CSRF)
• Attacks against Amazon EC2 management console
• Amazon EC2 real vulnerabilities
– Web management console
– Amazon Web Services (AWS) portals
• Conclusions
25. AWS portals vulnerabilities
• AWS was the first method Amazon provided to manage AMIs and is generally considered the most secure option for AMI administration.
• The three most common methods of authentication are:
– a username/password combination;
– an Access Key ID/Secret Access Key combination;
– and X.509 certificates.
27. AWS portals vulnerabilities
• The first attack against AWS generates a new access key for the EC2 user’s session.
• Access keys are used to authenticate a user to AWS, which is used to administer and manage the various AMIs running in a user’s account.
• The attacker can create a temporary denial of service as the administrator must now update all the applications utilizing access key authentication to use the newly generated key.
28. AWS portals vulnerabilities
• This next attack forcibly deletes any X.509 certificates previously generated by the EC2 user.
• Once the X.509 certificates are deleted, any application that relied on X.509 certificate authentication must be redeployed with the newly generated certificates.
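Each of the attacks described on slides 15 to 28 (instance launch and termination, key-pair deletion, access-key regeneration, certificate deletion) leaves a trace in the console's own audit trail: a sensitive action whose referring page is not the console, and credential-lifecycle actions arriving in a burst from a single page load. The following detection logic is an added example, not from the slides or from Amazon; the log format, field names, action names and console host are constructed for the example.

```python
# Added example (not from the slides or from Amazon): detection over a
# constructed console audit log. Field names, action names and the
# console host are assumptions made for the example.
import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

CONSOLE_HOST = "console.example.com"  # assumed hostname of the console

CREDENTIAL_ACTIONS = {"create_access_key", "delete_certificate", "delete_key_pair"}
SENSITIVE_ACTIONS = CREDENTIAL_ACTIONS | {"launch_instance", "terminate_instance"}

# Constructed sample: one legitimate launch, then a cluster of actions
# recorded while the user was reading an unrelated blog post.
SAMPLE_LOG = """\
{"ts": "2009-06-01T10:00:00", "user": "alice", "action": "list_instances", "referer": "https://console.example.com/home"}
{"ts": "2009-06-01T10:00:05", "user": "alice", "action": "launch_instance", "referer": "https://console.example.com/instances"}
{"ts": "2009-06-01T10:07:30", "user": "alice", "action": "launch_instance", "referer": "http://blog.example.net/post/42"}
{"ts": "2009-06-01T10:07:31", "user": "alice", "action": "create_access_key", "referer": "http://blog.example.net/post/42"}
{"ts": "2009-06-01T10:07:31", "user": "alice", "action": "delete_certificate", "referer": "http://blog.example.net/post/42"}
{"ts": "2009-06-01T11:30:00", "user": "bob", "action": "delete_key_pair", "referer": "https://console.example.com/keypairs"}
"""


def parse_log(text: str) -> list:
    """Parse JSON-lines audit records, converting ts to datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def referer_host(url):
    """Hostname of the referring page, or None when the header is absent."""
    return urlsplit(url).hostname if url else None


def detect(records, burst_window=timedelta(seconds=60), burst_min=2) -> list:
    """Two rules over sensitive actions, returned as a list of alert dicts.

    cross_site_trigger: the referring page is not the console itself (or
    is absent), the signature of an <img>/<iframe>-driven request.
    credential_burst: burst_min or more credential-lifecycle actions by
    one user inside burst_window, fired once when the threshold is hit.
    """
    alerts = []
    recent_cred = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["action"] not in SENSITIVE_ACTIONS:
            continue
        host = referer_host(rec.get("referer"))
        if host != CONSOLE_HOST:
            alerts.append({"rule": "cross_site_trigger", "user": rec["user"],
                           "action": rec["action"], "ts": rec["ts"].isoformat(),
                           "referer_host": host})
        if rec["action"] in CREDENTIAL_ACTIONS:
            window = recent_cred[rec["user"]]
            window.append(rec["ts"])
            window[:] = [t for t in window if rec["ts"] - t <= burst_window]
            if len(window) == burst_min:
                alerts.append({"rule": "credential_burst", "user": rec["user"],
                               "count": len(window), "ts": rec["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The burst rule exists because the referrer signal alone is unreliable: a client that strips `Referer` produces `None`, which the first rule flags, but a proxy that rewrites it to the console host would silence that rule, while several credential changes within one second still look nothing like a human working through the console.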
29. Outline
• Recalls (XSS and CSRF)
• Attacks against Amazon EC2 management console
• Amazon EC2 real vulnerabilities
– Web management console
– Amazon Web Services (AWS) portals
• Conclusions
30. Conclusions
• Cloud Computing allows organizations to focus on their core business while ensuring that their IT infrastructures are flexible enough to meet the demands of current and future users.
• But it does not magically protect application logic from abuse or prevent attacks against the application level.
31. Conclusions
• Uploading the most hardened virtual machine will not prevent attacks against the web-based management consoles that are used to administer the virtual machines.
• Cloud providers must fix their security bugs and perform continuous code review.
32. References
• Hacking: The Next Generation. Nitesh Dhanjani, Billy Rios, and Brett Hardin. O’Reilly, 2009.
• Hacking Exposed: Web 2.0. Rich Cannings, Himanshu Dwivedi, Zane Lackey. McGraw-Hill, 2008.
• Secure Programming with Static Analysis. Brian Chess, Jacob West. Addison-Wesley, 2007.