Control over cloud infrastructure in one-two-three
A few months ago, Positive Research conducted a security review of Citrix XenServer. Among other things, we studied the security of the administration interfaces, in particular the web interfaces of various system components. As a result, we found several critical vulnerabilities that allow an attacker to gain control not only over these components, but also over the master server, and therefore over the entire cloud infrastructure. We immediately reported the vulnerabilities to Citrix. After the gaps were closed ([1], [2], [3]), the results were presented at the Positive Hack Days forum in the FastTrack section.
So let's get down to business.
In the analysis, three components of Citrix XenServer came to our attention:
1. Web Self Service - a web-based virtual machine management console;
2. vSwitch Controller - the web interface of the distributed virtual switch controller;
3. License Administration Console - the license management console, built on the lmadmin license manager from Flexera Software.
The latest XenServer version at the time of the study (6.0.0) was tested.
Web Self Service
This component is a web-based virtual machine management console.
As in all the other modules, we found a "standard set" of web vulnerabilities:
cross-site request forgery (CSRF);
cross-site scripting (stored XSS);
URL redirector abuse;
HTTP response splitting.
All of the application's forms were susceptible to CSRF; filtering of many fields was insufficient, which made stored XSS possible. In addition, on the login page we found a very "useful" parameter that allows URL redirection abuse and HTTP response splitting. The video shows an automated exploit that obtains the administrator's cookie using the first three vulnerabilities and then "covers its tracks."
First, by abusing URL redirection, we send the administrator to a page under our control.
The script on this page uses CSRF to create a new account in the system. The username field is subject to stored XSS, so we use it to embed a JavaScript payload in the page that lists users, and then redirect the administrator there.
The embedded JavaScript code sends the administrator's cookie to our server and then deletes the newly created account.
vSwitch Controller
This component was the most interesting. The following vulnerabilities were discovered here:
insufficient access control in the REST API (a read-only user can download configuration snapshots);
cross-site request forgery (CSRF).
The vSwitch Controller web interface communicates with the server through a REST API, so every user action results in an HTTP request to that API. Whether a given request is executed is supposed to depend on the user's privileges.
Among other things, the vSwitch Controller web interface allows the administrator to create complete snapshots of the system configuration. These snapshots should be available for download only to privileged users. However, as it turned out, a user with "read only" rights can also download a snapshot by manually crafting a request to the service's REST API:
GET /ws.v1/nox/snapshot/<snapshot-uuid>/export
Replace <snapshot-uuid> with the ID of the snapshot to download.
A list of all snapshots and their identifiers can be obtained with the request:
GET /ws.v1/nox/snapshot/
The snapshot contains all vSwitch Controller settings, the vSwitch Controller user credentials (names and password hashes), the server's SSL certificate together with its private key, and the credentials of the privileged user of the master server in clear text. With these credentials one can connect over SSH to the XenServer master server and gain control over the entire XenServer infrastructure. Once such access is obtained, the attacker's capabilities are limited only by his imagination.
On its own, the described vulnerability is hard to exploit, because it requires the privileges of a read-only user. However, this is where the CSRF vulnerability comes in: it allows the required account to be created with a known password without the administrator noticing (all that is needed is to get the administrator to follow a phishing link).
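The root cause in this component is that the server trusted the web UI to hide privileged actions instead of checking privileges on every REST request, and that state-changing requests could be triggered cross-site. The following Python snippet is an added illustration written for this article, not Citrix code: it shows a server-side dispatcher that enforces a minimum role per route on each request and requires a per-session CSRF token on every state-changing request. The snapshot paths are the ones quoted above; the role assignments, the user-creation route and the Request structure are assumptions made for the example.

```python
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Roles ordered by privilege. The "read-only" name follows the article;
# the numeric levels are this example's own convention.
ROLE_LEVEL = {"read-only": 1, "admin": 2}

# Minimum role per route. The snapshot paths are quoted from the article;
# the user-creation route and the role each route requires are assumptions
# made for this example, not the product's real policy.
ROUTE_POLICY = [
    ("GET",  re.compile(r"^/ws\.v1/nox/snapshot/?$"),                    "read-only"),
    ("GET",  re.compile(r"^/ws\.v1/nox/snapshot/[0-9a-fA-F-]+/export$"), "admin"),
    ("POST", re.compile(r"^/ws\.v1/nox/user/?$"),                        "admin"),
]

# Methods that must not change server state and therefore need no CSRF token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    method: str
    path: str
    role: str                           # role of the authenticated session
    session_csrf: Optional[str] = None  # token the server stored in the session
    header_csrf: Optional[str] = None   # token the client sent back in a header


def new_csrf_token() -> str:
    """Generate a per-session token; the server stores it and the UI echoes it back."""
    return secrets.token_urlsafe(32)


def required_role(method: str, path: str) -> Optional[str]:
    """Return the minimum role for a route, or None if the route is unknown."""
    for m, pattern, role in ROUTE_POLICY:
        if m == method and pattern.match(path):
            return role
    return None


def authorize(req: Request) -> int:
    """Decide a request on the server side and return an HTTP status code.

    200 allowed, 403 forbidden (insufficient role or bad CSRF token),
    404 unknown route. The decision depends only on the session's role
    and the route, never on which buttons the web UI chose to show.
    """
    need = required_role(req.method, req.path)
    if need is None:
        return 404
    if ROLE_LEVEL.get(req.role, 0) < ROLE_LEVEL[need]:
        return 403
    if req.method not in SAFE_METHODS:
        # State-changing requests must prove they originated from our own UI.
        if not req.session_csrf or not req.header_csrf:
            return 403
        if not hmac.compare_digest(req.session_csrf, req.header_csrf):
            return 403
    return 200


if __name__ == "__main__":
    token = new_csrf_token()
    # A read-only session may list snapshots but not export one.
    print(authorize(Request("GET", "/ws.v1/nox/snapshot/", "read-only")))                 # 200
    print(authorize(Request("GET", "/ws.v1/nox/snapshot/1a2b-3c4d/export", "read-only"))) # 403
    # Creating a user needs admin rights and a matching CSRF token.
    print(authorize(Request("POST", "/ws.v1/nox/user/", "admin", token, token)))          # 200
```

The CSRF token is compared with hmac.compare_digest rather than == so that the check does not leak timing information, and it is only demanded for non-safe methods; the export route stays a GET but is still gated by role, which is the check that was missing in the snapshot download.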
License Administration Console
This component is designed to manage licenses and relies on the free license manager lmadmin from Flexera Software. We found the following vulnerabilities:
content spoofing;
cross-site scripting (stored XSS);
cross-site request forgery (CSRF);
denial of service.
After browsing through the links, one can find that the site's home page has an interesting GET parameter, admin, which defines the address of the link leading to the administrative section. The value is filtered in such a way that a full-fledged XSS attack is impossible, but nothing prevents slipping in a link to an arbitrary resource. Denial of service can be caused by a single HTTP request in which one of the parameters is passed as an array, for example:
?admin[]=blah
In this case the attacker does not need to be authorized in the system. The cause is an unhandled exception raised when an array is passed as a script parameter, so it was not possible to achieve arbitrary code execution through this vulnerability.
It is worth noting that in the latest version of lmadmin available at the time of the study, these vulnerabilities were no longer present.
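Both the admin link injection in this console and the "useful" redirect parameter on the Web Self Service login page come down to the same defect: a URL supplied by the client is used without being constrained to the application's own site, and malformed parameters reach code that cannot handle them. The Python snippet below is an added example written for this article, not lmadmin or Citrix code, and it covers both passages: a query-string parser that rejects array-style, repeated and unknown parameters up front (so a request like ?admin[]=blah gets a 400 instead of an unhandled exception), and a validator that accepts only a site-absolute path, rejecting absolute and protocol-relative URLs and any CR/LF that could split the response. The parameter name admin is from the article; the default link target and the handler shape are assumptions.

```python
import html
from typing import Dict, Set, Tuple
from urllib.parse import parse_qsl, urlsplit


class BadRequest(ValueError):
    """Malformed or disallowed input; the HTTP layer maps it to a 400 response."""


def parse_scalar_params(query: str, allowed: Set[str]) -> Dict[str, str]:
    """Parse a query string into scalar parameters only.

    Array-style names such as 'admin[]', repeated names and unknown names are
    rejected before any handler runs, so the request fails cleanly instead of
    reaching code that expects a string and raises an unhandled exception.
    """
    params: Dict[str, str] = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if "[" in name or "]" in name:
            raise BadRequest("array-style parameter not accepted: " + name)
        if name not in allowed:
            raise BadRequest("unknown parameter: " + name)
        if name in params:
            raise BadRequest("repeated parameter: " + name)
        params[name] = value
    return params


def validate_local_target(value: str) -> str:
    """Accept only a site-absolute path ('/...') for use as a link or redirect.

    Rejects absolute and protocol-relative URLs (open redirect, content
    spoofing), backslash forms that browsers normalise to '//', and any
    control character including CR/LF (HTTP response splitting). The value
    is expected to be URL-decoded already, which is how parse_qsl delivers it.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise BadRequest("control character in target")
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        raise BadRequest("absolute URL not allowed")
    if value.startswith(("//", "/\\", "\\")):
        raise BadRequest("protocol-relative URL not allowed")
    if not value.startswith("/"):
        raise BadRequest("target must be a site-absolute path")
    return value


def handle_admin_link(query: str) -> Tuple[int, str]:
    """Return (status, body) for the home page's admin link.

    400 carries the reason; 200 carries the link as it would be placed into
    an HTML attribute: validated, then HTML-escaped so a value that survived
    validation still cannot break out of the attribute.
    """
    try:
        params = parse_scalar_params(query, {"admin"})
        # The default "/admin/" is an assumption made for this example.
        target = validate_local_target(params.get("admin", "/admin/"))
    except BadRequest as exc:
        return 400, str(exc)
    return 200, html.escape(target, quote=True)


if __name__ == "__main__":
    # Constructed sample inputs: one benign, the rest shaped like the
    # problem classes discussed in the article.
    for q in ("admin=/admin/index.html",
              "admin[]=blah",
              "admin=http://attacker.example/",
              "admin=/%0d%0aSet-Cookie:%20a=b"):
        print(q, "->", handle_admin_link(q))
```

The control-character check runs before urlsplit on purpose: recent Python versions strip ASCII newlines and tabs inside urlsplit, so checking the parsed result alone would let an injected CR/LF pass unnoticed.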
Summing up, we can conclude that vulnerabilities rated as non-critical should not be ignored. In practice, several simple vulnerabilities used together can make possible an attack that gives the attacker complete control over the system. Such scenarios have been carried out successfully many times, including during penetration tests.
No product is immune to errors; vulnerabilities have always existed and are not going anywhere. It is good when vendors respond quickly to vulnerability reports and promptly release fixes, as happened in this case, but unfortunately this is not always so.
However, risks can always be minimized. Almost all of these gaps can be closed by additional measures restricting access to the XenServer administration interfaces. Besides, the trigger for many of these vulnerabilities can be the simplest CSRF attack. As one famous song goes, "Watch for yourself, be careful," especially when it comes to suspicious links.