My trip to Poland was very interesting: I met a lot of people, got back in touch with Ikki, and caught some weird flu, which taught me that giving a presentation while running a high fever may not be the brightest idea.
This is the presentation I gave at CONFidence 0902, with an overview of various attack paths against virtualization technologies. One of the most interesting things, I think, is the MITM-to-remote-code-execution attack against the Virtual Infrastructure Client. I also announced VASTO, a project we are working on at Secure Network.
Any comment is warmly welcome, but if you were at CONFidence please do not ask me how many coffees I had before the presentation (10 people have already asked).
Monday, November 23, 2009
Friday, November 6, 2009
Virtual Appliance forensics - Part 1
In the last months I have been mostly busy exploring virtualization security issues, which I am going to present at CONFidence and IT Underground Warsaw in a couple of weeks. However, I wanted to share an interesting piece of information I uncovered while exploring some common virtual appliances.
As you surely know, it is really hard to make sure that a file is truly gone from a file system. You have to remove every reference and every bit of its content, or it may be recovered: directory entries and other metadata structures, the data blocks still sitting on the disk, journal or backup copies of those structures, and so on. File system forensics deals with precisely this matter, and forensic tools do wonders when it comes to recovering deleted data from disks.
Well, the same is true for virtual appliances. While some vendors may decide it is worth cleaning up (wiping the free space) and shrinking the disk before shipping a virtual appliance, most will not. As a result, you can find gold inside those disks: setup scripts, configuration and installation material and all sorts of "backend knowledge". This is quite hard to extract from physical appliances, which are often disk-imaged and hard to reach with traditional tools (some have no CD-ROM drive, for instance, and vendors do not really like you opening up their boxes). With a virtual appliance, however, the disk is just a file you can mount or scan offline, so it is really easy to do.
An example? The VMware Studio virtual appliance, the appliance meant to be used to build other virtual appliances, still contains references to the internal deb repository used to install the custom VMware Studio software on it, as well as traces of the actual Debian packages.
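As an added example (not from the original post, and not VMware's or Secure Network's tooling), the following Python script shows the kind of carving this relies on: it reads a raw disk image in overlapping windows, so that a hit straddling two reads is still found, and reports apt source lines, dpkg status stanzas and .deb file names wherever they sit in the image, in allocated or unallocated space alike. The sample image it builds is constructed for the example; the repository host, package name and version in it are made up and stand in for whatever a real appliance left behind.

```python
import io
import re
from typing import Dict, Iterator, List, Tuple

# Remnants an unclean Debian-based appliance disk tends to keep: apt source
# lines (sources.list and its backups), dpkg status/control stanzas, and the
# file names of the .deb packages themselves (apt cache, build directories).
APT_SOURCE = re.compile(
    rb"deb(?:-src)?[ \t]+(?:https?|ftp|file)://[^\s]+[ \t]+[^\s]+[ \t]+[^\r\n\x00]*")
DPKG_STANZA = re.compile(
    rb"Package:[ \t]*([^\r\n\x00]+)\r?\n(?:[^\r\n\x00]+\r?\n)*?Version:[ \t]*([^\r\n\x00]+)")
DEB_FILENAME = re.compile(
    rb"[A-Za-z0-9][A-Za-z0-9+.\-]*_[A-Za-z0-9:+~.\-]+_(?:amd64|i386|all)\.deb")

CHUNK = 1 << 20   # read 1 MiB at a time
OVERLAP = 4096    # keep the tail of the previous read so a boundary-straddling hit survives


def iter_windows(stream, chunk: int = CHUNK, overlap: int = OVERLAP) -> Iterator[Tuple[int, bytes, bool]]:
    """Yield (absolute_offset_of_window, window, is_last) over a file-like object.
    Consecutive windows overlap by `overlap` bytes."""
    offset = 0
    tail = b""
    data = stream.read(chunk)
    while data:
        nxt = stream.read(chunk)          # peek ahead so we know when we are at the end
        window = tail + data
        yield offset - len(tail), window, not nxt
        tail = window[-overlap:]
        offset += len(data)
        data = nxt


def carve_apt_remnants(stream, chunk: int = CHUNK, overlap: int = OVERLAP) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a raw disk image, without parsing any filesystem, for apt/dpkg remnants.
    Returns {kind: [(absolute_offset, text), ...]}; hits seen twice because of the
    overlap are deduplicated by offset."""
    found: Dict[str, List[Tuple[int, str]]] = {"apt_source": [], "dpkg_stanza": [], "deb_filename": []}
    seen = set()
    patterns = (("apt_source", APT_SOURCE), ("dpkg_stanza", DPKG_STANZA), ("deb_filename", DEB_FILENAME))
    for base, window, last in iter_windows(stream, chunk, overlap):
        for kind, pat in patterns:
            for m in pat.finditer(window):
                # A hit that runs into the end of a non-final window may be truncated;
                # the next window, which starts with this window's tail, will see it whole.
                if m.end() == len(window) and not last:
                    continue
                key = (kind, base + m.start())
                if key in seen:
                    continue
                seen.add(key)
                found[kind].append((base + m.start(), m.group(0).decode("latin-1")))
    return found


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw appliance disk: one live sources.list line,
    then a dpkg status fragment and an apt cache path that were 'deleted' but never
    overwritten. Hostname, package and version are hypothetical."""
    live_sources = b"deb http://apt.example.internal/debian lenny main contrib\n"
    deleted_status = (b"Package: example-studio-agent\nStatus: install ok installed\n"
                      b"Priority: optional\nVersion: 1.2.3-1\n")
    deleted_cache = b"/var/cache/apt/archives/example-studio-agent_1.2.3-1_i386.deb\x00"
    return (b"\x00" * 512 + live_sources + b"\x00" * 2048 + deleted_status
            + b"\xff" * 300 + deleted_cache + b"\x00" * 1024)


if __name__ == "__main__":
    for kind, hits in carve_apt_remnants(io.BytesIO(build_sample_image())).items():
        for off, text in hits:
            print(f"{kind:13s} @0x{off:08x}: {text!r}")
```

On a real appliance, convert the virtual disk to raw first (`qemu-img convert -f vmdk -O raw appliance.vmdk appliance.raw`) and pass the opened file to `carve_apt_remnants`; mounting the filesystem would only show you the live copies, while a scan of the whole image also hits what was deleted but never overwritten. Tune the patterns to the distribution the appliance is built on, and keep the overlap longer than the longest hit you expect.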
More data on VA security in the near future, likely after my talk!
Sunday, November 1, 2009
HPP @SEaCURE.it
Back from a short trip to SEaCURE.it, the first international security conference ever held in Italy. Together with Stefano@Minded, I gave a presentation on HTTP Parameter Pollution (HPP).
Cutting the crap, we have added a few slides regarding possible detection techniques, information leakage in Python via HPP vectors, PayPal NVP API abuse and a theoretical bypass of anti-tampering HMACs.
What else?
Our interview, recorded during OWASP AppSec EU 2009, is finally online. Check out "OWASP Podcast 46, interview with Luca Carettoni & Stefano Di Paola (HTTP Parameter Pollution)".
Cheers,
Ikki
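As an added example for the HPP post above (not from the original post or the slides), the following Python snippet shows the core of HTTP Parameter Pollution: the same query string with a repeated parameter is resolved differently depending on the backend's policy (first occurrence, last occurrence, every occurrence joined with a comma, or the whole list, which is what Python's `parse_qs` returns), and a simple detection routine that flags any repeated key. The front-end filter and backend in it are hypothetical, and the query string is constructed for the example.

```python
from urllib.parse import parse_qs, parse_qsl
from typing import Dict, List, Optional


# The "which value wins" policies seen across web platforms, all applied to
# the same raw query string. Each returns what an application on that
# platform would see for a repeated key.

def parse_first_wins(query: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for k, v in parse_qsl(query, keep_blank_values=True):
        out.setdefault(k, v)          # keep the first occurrence only
    return out


def parse_last_wins(query: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for k, v in parse_qsl(query, keep_blank_values=True):
        out[k] = v                    # every later occurrence overwrites the previous one
    return out


def parse_joined(query: str) -> Dict[str, str]:
    # Platforms that concatenate repeated values with a comma.
    return {k: ",".join(vs) for k, vs in parse_qs(query, keep_blank_values=True).items()}


def parse_all(query: str) -> Dict[str, List[str]]:
    # Python's stdlib behaviour: the application gets the full list.
    return parse_qs(query, keep_blank_values=True)


def duplicated_params(query: str) -> Dict[str, List[str]]:
    """Detection: every key that occurs more than once, with all of its values.
    Any entry here means a front-end check and the backend may be looking at
    different values of the same parameter."""
    return {k: vs for k, vs in parse_qs(query, keep_blank_values=True).items() if len(vs) > 1}


def filter_sees_numeric_id(query: str) -> bool:
    """Hypothetical front-end check that validates only the first `id` it sees."""
    v = parse_first_wins(query).get("id")
    return v is not None and v.isdigit()


def backend_uses_id(query: str) -> Optional[str]:
    """Hypothetical last-wins backend reading the same parameter."""
    return parse_last_wins(query).get("id")


def hpp_mismatch(query: str) -> bool:
    """True when the filter approves the request but the backend will act on a
    value other than the one the filter inspected: the classic HPP bypass."""
    return filter_sees_numeric_id(query) and backend_uses_id(query) != parse_first_wins(query).get("id")


if __name__ == "__main__":
    q = "action=view&id=42&id=42%27%20OR%201%3D1"   # constructed request
    print("first wins:", parse_first_wins(q)["id"])
    print("last wins: ", parse_last_wins(q)["id"])
    print("joined:    ", parse_joined(q)["id"])
    print("all:       ", parse_all(q)["id"])
    print("duplicates:", duplicated_params(q))
    print("filter passes but backend acts on another value:", hpp_mismatch(q))
```

The practical lesson is the one the detection function encodes: a filter, WAF or signature layer must resolve repeated parameters with exactly the policy of the backend it protects, or simply reject requests in which `duplicated_params` is non-empty for parameters it cares about.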