Save Your Cloud: DoS on VMs in OpenNebula 4.6.1

This is a post about an old vulnerability that I finally found cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 time to blog about. It dates back to 2014, but from a technical point of view it is nevercá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365less interesting: An XML parser that tries to fix structural errors in a document caused a DoS problem.

All previous posts of this series focused on XSS. This time, we present a vulnerability which is connected anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r Cloud Management Platform: OpenNebula. This Infrastructure-as-a-Service platform started as a research project in 2005. It is used by information technology companies like IBM, Dell and Akamai as well as academic institutions and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 European Space Administrations (ESA). By relying on standard Linux tools as far as possible, OpenNebula reaches a high level of customizability and flexibility in hypervisors, storage systems, and network infrastructures. OpenNebula is distributed using cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Apache-2 license.

XML Parser Evaluation

XML Parser Evaluation

For some time now, we've been researching in excruciating detail cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 prevalence of DTD attacks on different XML parsers.

For a quick recap which attacks are possible, see our DTD Cheat Sheet post.


In this post, we present you cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 results in a nutshell.
The information presented here is based on this mastercá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365sis which covers cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 respective results in greater detail.

Test Methodology

We identified 16 test vectors, each testing a specific attack vector (e.g. XXE, various kinds of DoS, XXE parameter entity,...). We ran cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se tests against cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 default parser configuration and call cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365refore core tests.

Additional tests are based on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 same test vectors, however, we executed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m against custom (modified) parser configurations, indicating cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 effect of specific features of a parser.

The complete test set is available on github.

Results

We analyzed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following parsers and summarized cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 test results in Table 1. In addition, we show which attacks cannot be mitigated indicated by an asterisk.

DTD Cheat Sheet

When evaluating cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 security of XML based services, one should always consider DTD based attack vectors, such as XML External Entities (XXE) as,for example, our previous post XXE in SAML Interfaces demonstrates.

In this post we provide a comprehensive list of different DTD attacks.

The attacks are categorized as follows:

• Denial-of-Service Attacks
• Classic XXE
• Advanced XXE
• Server-Side Requst Forgery (SSRF)
• XInclude
• XSLT

EsPReSSO - A good morning starts with coffee!

In this posts I describe cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 tool, I wrote for my Bachelor cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365sis at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Chair for Network and Data Security, with support of Context Information Security Ltd.. EsPReSSO is a apronym for "Extension for Recognition and Processing of Single Sing on Protocols". The basic idea behind EsPReSSO is to automate standard tasks to detect and classify cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Single Sign-On (SSO) Protocols OpenID, BrowserID, SAML, OAuth, OpenID-Connect, Facebook Connect and Microsoft Account. The tool is integrate with PortSwigger's HTTP Proxy, Burp Suite. Furcá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rmore EsPReSSO integrates cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 WS-Attacker, to attack SAML services semi-automated or manually.

Not so Smart: On Smart TV Apps

One of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 main characteristics of Smart TVs are apps. Apps extend cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Smart TV behavior with various functionalities, ranging from usage of social networks or payed streaming services, to buying articles on Ebay. These actions demand usage of critical data like aucá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ntication tokens and passwords, and thus raise a question on new attack scenarios and general security of Smart TV apps.

These reasons make it interesting enough to do some research on smart TVs. We wrote a paper with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 title "Not so Smart: On Smart TV Apps", which will be presented in a few days at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "International Workshop on Secure Internet of Things" (SIoT 2015). In this paper, we investigate attack models for Smart TVs and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir apps, and systematically analyze security of Smart TV devices. We point out that some popular apps, including Facebook, Ebay or Watchever, send login data over unencrypted channels. Even worse, we show that an arbitrary app installed on devices of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 market share leader Samsung can gain access to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 credentials of a Samsung Single Sign-On account. Therefore, such an app can hijack a complete user account including all his devices like smartphones and tablets connected with it. Based on our findings, we provide recommendations that are of general importance and applicable to areas beyond Smart TVs.

Introduction to WS-Attacker: XML Signature Wrapping (XSW) on Web services

This post introduces WS-Attacker. We start with how to build it from source. After that we setup an example Axis2 Web service and finally we perform an XSW Attack on it.