Lame. Sorry, but it just is. You're a lamer, dude. I'll make sure to blog this for you.
On 10 November 2011 06:25, Sam Johnston <[email protected]> wrote:
> Apologies for the HTML — too many inline links.
>
> Sam
>
> SploitCloud: exploiting cloud brokers for fun and profit <http://samj.net/2011/10/sploitcloud.html>
>
> My friends at Enomaly <http://www.enomaly.com/> have been beating <http://twitter.com/#%21/ruv/status/129928434079109121> up <http://twitter.com/#%21/ruv/status/129929111526318081> on <http://twitter.com/#%21/ruv/status/129934534870446080> Amazon Web Services (AWS) <http://aws.amazon.com/> over the XML signature element wrapping <http://dl.acm.org/citation.cfm?id=1103026> vulnerability currently being overhyped <http://www.theregister.co.uk/2011/10/27/cloud_security/> by <http://www.fiercecio.com/techwatch/story/security-flaw-cloud-architectures-including-amazon-web-services/2011-10-28> the <http://www.pcworld.com/businesscenter/article/242598/researchers_demo_cloud_security_issue_with_amazon_aws_attack.html> press <http://www.networkworld.com/news/2011/102611-security-cloud-252406.html>, which is ironic given their security <http://www.securityfocus.com/archive/1/archive/1/500573/100/0/threaded> track <http://www.securityfocus.com/archive/1/archive/1/500573/100/0/threaded> record <http://www.securityfocus.com/archive/1/500989> and unfortunate given I rather like what Amazon have achieved.
>
> Back in March I reported multiple vulnerabilities <https://groups.google.com/group/spotcloudbuyers/browse_thread/thread/1993b3ab1643bfa2> in SpotCloud <http://www.spotcloud.com/> (including their having copied Amazon's vulnerable signatures <http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html> years after they were reported and fixed <http://www.jamesmurty.com/2008/12/31/aws-query-signature-version-2/>) and I was told I was unethical <https://groups.google.com/group/spotcloudbuyers/msg/237ffac277ea8bbe> and my report that they "*may not validate incoming web and/or API requests and if so, may be vulnerable to cross-site request forgery in which an attacker could make unauthorised management requests on behalf of a user*" was "unactionably vague <https://groups.google.com/group/spotcloudbuyers/browse_thread/thread/526fc1d60bfa6e95>".
>
> To demonstrate the severity of the outstanding vulnerability go grab yourself a SpotCloud account <https://spotcloud.appspot.com/buyer/register>, charge it up <https://spotcloud.appspot.com/buyer/balance/topup> (ignoring PCI-DSS <http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard> for a second given they're collecting credit card numbers via App Engine) and click the image below. I'll silently create an instance for you using a hidden IFRAME, but you're welcome to experiment with more destructive experiments like deleting existing instances and uploading malicious workloads.
>
> *Update:* If you look at the code you'll see the hourly rate is passed to the client as "*cost*" and presumably trusted on return (if not, why is it there?). I haven't seen a price manipulation vulnerability <http://www.symantec.com/connect/articles/common-security-vulnerabilities-e-commerce-systems> in over a decade, but I'm not tinkering with it because I don't fancy being accused of stealing from them or their providers.
>
> *Update:* While the consumer API <http://dl.enomaly.com/scbuyerapi> now uses OAuth, the provider API <http://dl.enomaly.com/scprovider> still uses Amazon's vulnerable signatures <http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html> for authentication:
>
> import hmac
> from hashlib import sha1 as sha
>
> # request parameters matching the "Data is now" comment below
> parameters = {'ecp_username': 'spotcloudusername', 'paramA': 'value', 'Timestamp': '2006-12-08T07:48:03Z'}
>
> #sorts by key.lowercase(). ie A b c Dee e ffFf
> sorted_keys = sorted(parameters.keys(), key=lambda k: k.lower())
>
> #concatenates key,value pairs. a=1,b=2,C=32 becomes "a1b2C32"
> data = ''.join(key + parameters[key] for key in sorted_keys)
>
> #Data is now: ecp_usernamespotcloudusernameparamAvalueTimestamp2006-12-08T07:48:03Z
> digest = hmac.new(b'spotcloudpassword', data.encode(), sha).digest()
>
> This may have been safe over SSL were it not for the fact that client libraries (including python) typically don't validate the certificate chain by default.
>
> *Update:* Wells Fargo reports "CHECK CRD PURCHASE SPOT CLOUD ETOBICOKE CD" as "Unusual Activity" in emailed alert… canceling card, requesting re-issue. Should have used a virtual card. Wonder if Google know their App Engine poster child <http://googleappengine.blogspot.com/2011/03/enomaly-chooses-google-app-engine-for.html> is using it to collect credit card details?
>
> *Update:* It is believed that Private SpotCloud <http://spotcloud.com/Private.50.0.html> and Enomaly Elastic Computing Platform (ECP) <http://www.enomaly.com/Product-Overview.419.0.html> are also vulnerable to cross-site request forgery <http://en.wikipedia.org/wiki/Cross-site_request_forgery>, but without access to the software I have no way to verify.
>
> *Update:* This is how Enomaly deals with security researchers:
>
> <http://4.bp.blogspot.com/-XwLZ56N2Gjg/TrnalAPJ9qI/AAAAAAAAAYU/SY57-4azetI/s1600/spotcloud-suspended.png>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
