July 12, 2012

Gaining Control Over Cloud Infrastructure. Easy as One, Two, Three

Several months ago the Positive Research Center analyzed security of Citrix XenServer. Among other things, we studied the security of administration interfaces, and web interfaces of various system components in particular. As a result, we managed to find several critical vulnerabilities, which allow obtaining control not only over these components but over the master server as well, that is over the whole cloud infrastructure. The Citrix company was immediately notified of the detected vulnerabilities. After the issues had been fixed ([1], [2], [3]), the results were disclosed at the Positive Hack Days forum as part of the FastTrack section.

So let's get down to business.
While analyzing, we focused on three components of Citrix XenServer:

  1. Web Self Service — a web based virtual machine management console.
  2. vSwitch Controller — a web console for virtual network infrastructure management.
  3. License Administration Console — XenServer license management service.

We tested the latest (at the moment of the research) version of XenServer (6.0.0).

Web Self Service


This component is a web based virtual machine management console.
As in all other modules, we detected a common set of web vulnerabilities:

  • Cross-site request forgery (CSRF);
  • Cross-site scripting (stored XSS);
  • URL redirector abuse;
  • HTTP response splitting.

All forms of the application were exposed to CSRF, a lot of fields were not properly filtered, what made stored XSS possible. Moreover, on the system logon page, we detected a very "useful" parameter, allowing URL redirector abuse and HTTP response splitting. The video demonstrates the automated exploit in action. The exploit obtains an administrator cookie via the first three vulnerabilities and then covers its tracks.
  1. At first we redirect the administrator to a specially crafted page using URL redirector abuse.
  2. The page script via CSRF creates a new system account. The user name field contains a stored XSS vulnerability. We inject useful JavaScript load to the page with a user list by exploiting the vulnerability and redirect the administrator there.
  3. The injected JavaScript code sends the administrator cookie to our server and then removes the account that has just been created.


vSwitch Controller


This component was the most interesting. The following vulnerabilities were detected in it:

  • Cross-site request forgery (CSRF);
  • URL redirector abuse;
  • HTTP response splitting;
  • Insufficient authorization.

vSwitch Controller web interface uses REST API for server communication. It means that for each user's action an HTTP request is generated. Depending on user privileges he or she is either allowed or not allowed to execute specific requests.

Moreover, the web interface of the vSwitch Controller allows an administrator to make configuration snapshots. Only privileged users should have the right to download these snapshots. However, it turned out that a user with read-only permissions also can download a snapshot, manually crafting a request to REST API.

GET /ws.v1/nox/snapshot//export

is substituted for the identifier of a snapshot that, which should be downloaded.
You can receive the list of all snapshots and their identifiers sending the following request:

GET /ws.v1/nox/snapshot/

The snapshot contains all vSwitch controller parameters, data of the vSwitch Controller users (account names and password hashes with salt), server SSL certificate together with a private key and plain-text credentials of the master server privileged user. You can connect via SSH to the main server of XenServer using these credentials and obtain control over the whole XenServer infrastructure. Once the access is gained, attackers’ possibilities are limited only by their imagination.

It is difficult to exploit this vulnerability as it is, because it requires privileges of a user with read-only permissions. However, the CSRF vulnerability comes to help. It allows an attacker to create a necessary account with a known password and stay unnoticed by the administrator (you only need to trick the administrator into following a phishing link).



License Administration Console


This component is meant for license management and based on Flexera Software's free license server manager lmadmin. We managed to detect the following vulnerabilities:

  • Content spoofing;
  • Cross-site scripting (stored XSS);
  • Cross-site request forgery (CSRF);
  • Denial of service.
Reviewing the links, you can find out that the main page of the site has an interesting GET parameter – admin, which determines the address of the link to the administrator section. The value is filtered in such a way that full XSS attack is impossible, but nothing can prevent you from slipping a link to an arbitrary resource. Denial of Service can be conducted by sending only one HTTP request, in which one of the parameters is transferred as an array, for instance:

?admin[]=blah

Besides the attacker does not need to be authorized in the system. The reason is an uncaught exception if an array is transferred as a script parameter. That is why we failed to execute arbitrary code exploiting this vulnerability.

It is worth noting that the latest (at that moment) version of lmadmin already did not contain these vulnerabilities.



Finally, the following conclusion can be made: vulnerabilities ranked according to their severity as not critical should not be ignored. When applied together, several simple vulnerabilities can be exploited for conducting an attack, in the result of which an attacker will get full control over the system. Such scenarios have been successfully implemented many times (including pentesting).

No product is secured against defects; vulnerabilities have always existed and will never disappear. And it is great if vendors quickly address security issues and provide patches promptly as it happened this time, but, unfortunately, this case is not a rule.

However, risks can be mitigated. Almost all abovementioned flaws can be eliminated, if additional measures to limit access to the XenServer administration interfaces are taken. Moreover, a lot of these vulnerabilities can be triggered off by a simple CSRF attack. Increase your vigilance, especially dealing with suspicious links.

Author: Maxim Tsoy, Positive Research

4 comments:

  1. This comment has been removed by a blog administrator.

    ReplyDelete
  2. This comment has been removed by a blog administrator.

    ReplyDelete
  3. This comment has been removed by a blog administrator.

    ReplyDelete
  4. This comment has been removed by a blog administrator.

    ReplyDelete