My friends at Enomaly have been beating up on Amazon Web Services (AWS) over the XML signature element wrapping vulnerability currently being overhyped by the press, which is ironic given their security track record and unfortunate given I rather like what Amazon have achieved.
Back in March I reported multiple vulnerabilities in SpotCloud (including their having copied Amazon's vulnerable signatures years after they were reported and fixed) and I was told I was unethical and my report that they "may not validate incoming web and/or API requests and if so, may be vulnerable to cross-site request forgery in which an attacker could make unauthorised management requests on behalf of a user" was "unactionably vague".
To demonstrate the severity of the outstanding vulnerability, go grab yourself a SpotCloud account, charge it up (ignoring PCI-DSS for a second, given they're collecting credit card numbers via App Engine) and click the image below. I'll silently create an instance for you using a hidden IFRAME, but you're welcome to try more destructive actions such as deleting existing instances and uploading malicious workloads.
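As an added example (not SpotCloud's or Enomaly's code; the origin, session store, server key and handler names are hypothetical), here is the request validation the report says may be missing, in Python. The first handler accepts anything that carries a session cookie, which is exactly what a form auto-submitted from a hidden IFRAME on another site delivers; the second additionally requires a POST, a same-site Origin (or Referer), and a per-session token that a page on the attacker's origin cannot read.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Hypothetical values: SpotCloud's real origin, session handling and endpoints are not on the page.
SITE_ORIGIN = 'https://spotcloud.example'
SERVER_KEY = b'constructed-server-side-key'   # never sent to the browser
SESSIONS = {'sess-abc': 'alice'}               # constructed store: cookie value -> user

def csrf_token(session_id):
    """Synchroniser token: derived from the session on the server and embedded in
    the console's own forms. A page on another origin cannot read it, so an
    auto-submitting form in a hidden IFRAME cannot supply it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def _logged_in_user(request):
    return SESSIONS.get(request['cookies'].get('session'))

def vulnerable_create_instance(request):
    """What the report alleges: the only check is the session cookie, which the
    browser attaches to any request an attacker's page makes it send."""
    user = _logged_in_user(request)
    if user is None:
        return 'denied: not logged in'
    return 'created instance %s for %s' % (request['form']['image'], user)

def hardened_create_instance(request):
    """Same operation with the incoming request actually validated."""
    user = _logged_in_user(request)
    if user is None:
        return 'denied: not logged in'
    if request['method'] != 'POST':        # no state changes via GET (<img>/<iframe src>)
        return 'denied: state change via GET'
    source = request['headers'].get('Origin') or request['headers'].get('Referer')
    if source is None:
        return 'denied: no Origin or Referer'
    parts = urlsplit(source)
    if parts.scheme + '://' + parts.netloc != SITE_ORIGIN:
        return 'denied: cross-site origin'
    expected = csrf_token(request['cookies']['session'])
    if not hmac.compare_digest(request['form'].get('csrf_token', ''), expected):
        return 'denied: missing or wrong csrf token'
    return 'created instance %s for %s' % (request['form']['image'], user)

# Constructed: Alice submits the console's own form.
LEGIT_POST = {'method': 'POST', 'cookies': {'session': 'sess-abc'},
              'headers': {'Origin': SITE_ORIGIN},
              'form': {'image': 'ubuntu', 'csrf_token': csrf_token('sess-abc')}}

# Constructed: the same POST auto-submitted from a hidden IFRAME on an attacker's
# page while Alice is logged in. The browser still sends her cookie, but the
# Origin is the attacker's and the token is absent.
FORGED_POST = {'method': 'POST', 'cookies': {'session': 'sess-abc'},
               'headers': {'Origin': 'https://attacker.example'},
               'form': {'image': 'miner'}}

if __name__ == '__main__':
    print(vulnerable_create_instance(FORGED_POST))   # created instance miner for alice
    print(hardened_create_instance(FORGED_POST))     # denied: cross-site origin
    print(hardened_create_instance(LEGIT_POST))      # created instance ubuntu for alice
```

The token is the primary control; the Origin/Referer check is defence in depth, and rejecting requests that carry neither header is a deliberate choice that may break some old or privacy-stripped clients.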
Update: If you look at the code you'll see the hourly rate is passed to the client as "cost" and presumably trusted on return (if not, why is it there?). I haven't seen a price manipulation vulnerability in over a decade, but I'm not tinkering with it because I don't fancy being accused of stealing from them or their providers.
Update: While the consumer API now uses OAuth, the provider API still uses Amazon's vulnerable signatures for authentication:
import hmac
import hashlib

# Constructed parameters that reproduce the "Data is now" string below; the real credential and request are not shown on the page.
parameters = {'ecp_username': 'spotcloudusername', 'paramA': 'value', 'Timestamp': '2006-12-08T07:48:03Z'}
#sorts by key.lowercase(). ie A b c Dee e ffFf
sorted_keys = sorted(parameters.keys(), key=lambda k: k.lower())
#concatenates key,value pairs with no delimiter. a=1,b=2,C=32 becomes "a1b2C32"
data = ''.join(key + parameters[key] for key in sorted_keys)
#Data is now: ecp_usernamespotcloudusernameparamAvalueTimestamp2006-12-08T07:48:03Z
digest = hmac.new(b'spotcloudpassword', data.encode(), hashlib.sha1).digest()
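Why that scheme is called vulnerable, as an added example rather than code from the page or from Enomaly: because keys and values are concatenated with no delimiter, different parameter sets produce the same string-to-sign, so anyone who captures one signed request can rewrite it into another that the server accepts. The block below reproduces the scheme, shows such a forgery, and puts beside it a canonicalisation in the style Amazon moved to (byte-wise sort, percent-encoding, explicit separators, HMAC-SHA256) under which the forgery no longer verifies. The secret and the parameter names are constructed.

```python
import hmac
import hashlib
from urllib.parse import quote

# Constructed secret; the real provider credential is not on the page.
SECRET = b'spotcloudpassword'

def v1_string_to_sign(parameters):
    """The scheme in the snippet above: keys sorted case-insensitively, then
    key and value concatenated with no delimiter and no escaping."""
    keys = sorted(parameters, key=lambda k: k.lower())
    return ''.join(k + parameters[k] for k in keys)

def v1_sign(parameters, secret=SECRET):
    return hmac.new(secret, v1_string_to_sign(parameters).encode(), hashlib.sha1).hexdigest()

def v2_string_to_sign(parameters):
    """Hardened canonicalisation in the style of Amazon's Signature Version 2:
    byte-wise key sort, percent-encoded keys and values, explicit '=' and '&'.
    Every parameter set now has exactly one string-to-sign, so moving bytes
    between a key and a value changes the signature."""
    return '&'.join(quote(k, safe='-_.~') + '=' + quote(parameters[k], safe='-_.~')
                    for k in sorted(parameters))

def v2_sign(parameters, secret=SECRET):
    return hmac.new(secret, v2_string_to_sign(parameters).encode(), hashlib.sha256).hexdigest()

def verify(sign, parameters, presented, secret=SECRET):
    """Server-side check: recompute the signature and compare in constant time."""
    return hmac.compare_digest(sign(parameters, secret), presented)

# Constructed: a provider request captured off the wire (for instance by a
# man-in-the-middle that a non-validating SSL client never noticed).
CAPTURED = {'action': 'reboot', 'dryrun': 'true'}

# Constructed forgery: the attacker moves the 'run' bytes out of the 'dryrun'
# key and into a value. The concatenation is unchanged, so the captured V1
# signature still verifies, but the server now sees no 'dryrun' flag at all
# and performs the reboot for real.
FORGED = {'action': 'reboot', 'dry': 'runtrue'}

if __name__ == '__main__':
    print(v1_string_to_sign(CAPTURED) == v1_string_to_sign(FORGED))  # True
    print(verify(v1_sign, FORGED, v1_sign(CAPTURED)))  # True: forgery accepted
    print(verify(v2_sign, FORGED, v2_sign(CAPTURED)))  # False: forgery rejected
```

Note that the V1 forgery needs no knowledge of the secret: one captured signed request is enough, which is why the transport (the next point) matters so much for this scheme.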
This signature scheme might have been safe over SSL, were it not for the fact that client libraries (including Python's) typically don't validate the server's certificate chain by default, so a man-in-the-middle can present any certificate and read the signed request off the wire.
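What "validating the certificate chain" actually means for the client, as an added example in Python (not code from the page or from any SpotCloud library; the host and path in the sending helper are hypothetical): the weak configuration the post describes, spelled out explicitly, beside the one a client must opt into for SSL to protect the signed request.

```python
import ssl
import http.client

def insecure_client_context():
    """The behaviour the post complains about, made explicit: the chain is not
    checked against any trust store and the hostname is not compared to the
    certificate, so a man-in-the-middle's certificate is accepted and the
    signed request can be captured in the clear."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def verified_client_context(cafile=None):
    """What the client must do for SSL to protect the signed request: validate
    the chain against trusted roots (the system store, or the given cafile) and
    match the hostname. Modern Python does this by default; 2011-era clients
    had to be configured to."""
    ctx = ssl.create_default_context(cafile=cafile)
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx

def post_signed_request(host, path, body, ctx):
    """Send a signed provider request over TLS using the given context.
    Hypothetical host/path: the real provider endpoint is not on the page."""
    conn = http.client.HTTPSConnection(host, context=ctx)
    conn.request('POST', path, body=body,
                 headers={'Content-Type': 'application/x-www-form-urlencoded'})
    return conn.getresponse()

if __name__ == '__main__':
    print(int(insecure_client_context().verify_mode))   # 0 (CERT_NONE)
    print(int(verified_client_context().verify_mode))   # 2 (CERT_REQUIRED)
```

With the verified context, a hostile certificate makes `post_signed_request` raise `ssl.SSLCertVerificationError` before any bytes of the signed request leave the client; with the insecure one it silently succeeds.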
Update: Wells Fargo reports "CHECK CRD PURCHASE SPOT CLOUD ETOBICOKE CD" as "Unusual Activity" in emailed alert… canceling card, requesting re-issue. Should have used a virtual card. Wonder if Google know their App Engine poster child is using it to collect credit card details?
Update: It is believed that Private SpotCloud and Enomaly Elastic Computing Platform (ECP) are also vulnerable to cross-site request forgery, but without access to the software I have no way to verify.
Update: This is how Enomaly deals with security researchers: