This is a post about an old vulnerability that I finally found the time to blog about. It dates back to 2014, but from a technical point of view it is nevertheless interesting: an XML generator that tries to fix structural errors in a document caused a DoS problem.
All previous posts of this series focused on XSS. This time, we present a vulnerability connected to another Cloud Management Platform: OpenNebula. This Infrastructure-as-a-Service platform started as a research project in 2005. It is used by information technology companies such as IBM, Dell and Akamai, as well as academic institutions and the European Space Administration (ESA). By relying on standard Linux tools as far as possible, OpenNebula reaches a high level of customizability and flexibility in hypervisors, storage systems, and network infrastructures. OpenNebula is distributed under the Apache-2 license.
OpenNebula offers a broad variety of interfaces to control a cloud. This post focuses on Sunstone, OpenNebula's web interface (see Figure 1).
Figure 1: OpenNebula's Sunstone interface displaying a VM's control interface
Before OpenNebula 4.6.2, Sunstone had no Cross-Site Request Forgery (CSRF) protection. This is a severe problem: consider an attacker who lures a victim into clicking on a malicious link while the victim is logged in to a private cloud. This enables the attacker to send arbitrary requests to the private cloud through the victim's browser. However, we found other bugs in OpenNebula that allowed us to perform much more sophisticated attacks.
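The missing protection, shown from the defender's side as an added Python example (constructed for this post; it is not Sunstone's code and the real OpenNebula fix is not shown on the page): a synchronizer token bound to the session with an HMAC, plus an Origin/Referer check, so that a request triggered from a foreign page carrying only the victim's cookies is refused. The secret, origin and sample requests are all made up for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

class CsrfGuard:
    """Synchronizer-token check for state-changing requests.

    Constructed for this example; it is not OpenNebula's code."""

    SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

    def __init__(self, server_secret: bytes, site_origin: str):
        self.server_secret = server_secret
        parts = urlsplit(site_origin)
        self.site_origin = (parts.scheme, parts.netloc)

    def _mac(self, session_id: str, nonce: str) -> str:
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(self.server_secret, msg, hashlib.sha256).hexdigest()

    def issue_token(self, session_id: str) -> str:
        # Token = nonce "." HMAC(secret, session_id ":" nonce). Binding the MAC
        # to the session makes a token from one session useless in another.
        nonce = secrets.token_hex(16)
        return f"{nonce}.{self._mac(session_id, nonce)}"

    def _token_valid(self, session_id: str, token) -> bool:
        if not isinstance(token, str) or "." not in token:
            return False
        nonce, mac = token.split(".", 1)
        expected = self._mac(session_id, nonce)
        return hmac.compare_digest(mac.encode(), expected.encode())

    def check(self, method: str, session_id: str, headers: dict, form: dict):
        """Return (allowed, reason) for one request.

        The cookie has already authenticated the browser as `session_id`;
        the question is whether the user intended this request."""
        if method.upper() in self.SAFE_METHODS:
            return True, "safe method"
        # Origin (or Referer) check: a request submitted from another site
        # is rejected before the token is even looked at. If neither header
        # is present, the token check below still has to pass.
        source = headers.get("Origin") or headers.get("Referer")
        if source is not None:
            parts = urlsplit(source)
            if (parts.scheme, parts.netloc) != self.site_origin:
                return False, f"cross-origin request from {parts.scheme}://{parts.netloc}"
        # Token check: a foreign page cannot read the token out of the
        # victim's session, so a forged request cannot carry a valid one.
        if not self._token_valid(session_id, form.get("csrf_token")):
            return False, "missing or invalid csrf_token"
        return True, "ok"

def demo():
    """Constructed sample requests, not captured traffic."""
    guard = CsrfGuard(b"server-side secret, never sent to the browser", "https://cloud.example")
    token = guard.issue_token("victim-session")
    legit = guard.check("POST", "victim-session",
                        {"Origin": "https://cloud.example"},
                        {"action": "vm.rename", "name": "My VM", "csrf_token": token})
    forged = guard.check("POST", "victim-session",
                         {"Origin": "https://attacker.invalid"},
                         {"action": "vm.rename", "name": "My <x> VM"})
    return legit, forged

if __name__ == "__main__":
    print(demo())
```

The Origin check alone is not sufficient (some clients strip both headers), and the token alone is not sufficient if tokens are not bound to the session; the two together cover the case the post describes, where the only credential the forged request carries is the victim's session cookie.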
Denial-of-Service on OpenNebula-VM
At its backend, OpenNebula manages VMs with XML documents. A sample of such an XML document looks like this:

<VM>
<ID>0</ID>
<NAME>My VM</NAME>
<PERMISSIONS>...</PERMISSIONS>
<MEMORY>512</MEMORY>
<CPU>1</CPU>
...
</VM>

OpenNebula 4.6.1 contains a bug in the sanitization of input for these XML documents: whenever a VM's name contains an opening XML tag (but no corresponding closing one), an XML generator at the backend automatically inserts the corresponding closing tag to ensure well-formedness of the resulting document. However, the generator outputs an XML document that does not comply with the XML schema OpenNebula expects. The listing below shows the structure that is created after renaming the VM to 'My <x> VM':

<VM>
<ID>0</ID>
<NAME>My <x> VM</x>
<PERMISSIONS>...</PERMISSIONS>
<MEMORY>512</MEMORY>
<CPU>1</CPU>
...
</NAME>
</VM>

The generator closes the <x> tag, but not the <NAME> tag. At the end of the document, the generator closes all opened tags, including <NAME>.
OpenNebula saves the incorrectly generated XML document in its database. The next time the OpenNebula core retrieves information about that particular VM from the database, the XML parser runs into an error, because it expects a plain string as the name, not an XML subtree. As a result, Sunstone cannot be used to control the VM anymore. The Denial-of-Service can only be reverted from OpenNebula's command line interface.
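The behaviour described above, as an added Python model written for this post (it is not OpenNebula's generator or parser): a tag-balancing serializer that copies text verbatim, treats any opening tag it finds in that text as a new element, and always closes the innermost open tag reproduces the second listing exactly; the same serializer with every text node escaped produces the intended document. A small schema check then shows why well-formedness is not enough: the document parses, but NAME is no longer a string and the remaining fields are no longer direct children of VM. Field names and values follow the listings; the class and function names are made up for the example.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Toy model of the flawed generator (constructed for this example, not
# OpenNebula's code): a stack of open tags, every "<tag>" found inside text
# is pushed as a newly opened element, and close() always closes the
# innermost tag.
TAG_RE = re.compile(r"<([A-Za-z_][\w.-]*)\s*>")

class AutoClosingBuilder:
    def __init__(self):
        self.parts = []
        self.stack = []

    def open(self, tag):
        self.parts.append(f"<{tag}>")
        self.stack.append(tag)

    def text(self, raw):
        # Text is copied verbatim; any opening tag inside it is registered
        # so that the builder can "repair" it later.
        self.parts.append(raw)
        self.stack.extend(TAG_RE.findall(raw))

    def close(self):
        # Pops the innermost tag: after the name 'My <x> VM' that is <x>,
        # so <NAME> stays open and swallows the fields that follow.
        self.parts.append(f"</{self.stack.pop()}>")

    def finish(self):
        # Closes everything still open, which is where the </NAME> right
        # before </VM> in the post's second listing comes from.
        while self.stack:
            self.close()
        return "".join(self.parts)

# Field order and sample values follow the post's listing.
FIELDS = [("ID", "0"), ("PERMISSIONS", "..."), ("MEMORY", "512"), ("CPU", "1")]

def build_vm_xml(name, escape_text):
    """Serialise a VM record. escape_text=False reproduces the 4.6.1 bug;
    escape_text=True is the fix: escape every text node before emitting it."""
    b = AutoClosingBuilder()
    b.open("VM")
    for tag, value in [FIELDS[0], ("NAME", name)] + FIELDS[1:]:
        b.open(tag)
        b.text(escape(value) if escape_text else value)
        b.close()
    return b.finish()

EXPECTED_CHILDREN = ["ID", "NAME", "PERMISSIONS", "MEMORY", "CPU"]

def check_vm_document(xml_text):
    """Return (ok, reason). Well-formedness is not enough: the consumer also
    needs NAME to be plain text and every field to be a direct child of VM."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"not well-formed: {exc}"
    if root.tag != "VM":
        return False, f"unexpected root <{root.tag}>"
    name = root.find("NAME")
    if name is None:
        return False, "NAME missing"
    if len(name):  # an Element's length is its number of child elements
        return False, "NAME holds child elements: " + ", ".join(c.tag for c in name)
    missing = [t for t in EXPECTED_CHILDREN if root.find(t) is None]
    if missing:
        return False, "fields not direct children of VM: " + ", ".join(missing)
    return True, "ok"

def stored_name(xml_text):
    """The VM name a parser hands back to the core from the stored document."""
    return ET.fromstring(xml_text).find("NAME").text

if __name__ == "__main__":
    for flag in (False, True):
        doc = build_vm_xml("My <x> VM", escape_text=flag)
        print(doc)
        print(check_vm_document(doc))
```

Two points worth noting from running it: the flawed document is perfectly well-formed, so a parser that only checks well-formedness accepts it and then hands back the name "My " with the rest of the record hidden under NAME; and a validation step of the kind in check_vm_document, run before the document is written to the database, would have rejected the record instead of persisting a document the core can no longer read.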
This bug can be triggered by a CSRF attack, which makes it a valid attack against a private cloud: by luring a victim onto a maliciously crafted website while the victim is logged in to Sunstone, an attacker can make all of the victim's VMs uncontrollable via Sunstone. A video of the attack can be seen here:
This bug has been fixed in OpenNebula 4.6.2.
This result is a collaborative work together with Mario Heiderich. It has been published at ACM CCSW 2015. The paper can be found here.