Shopping for
Vulnerabilities
How Cloud Service Provider Marketplaces can Help
White and Black Hat Vulnerability Research
VULNS
sts:GetCallerIdentity
arn:aws:iam:sa-east-1:*:user/GlayssonTomaz
Cloud Security Researcher @ Tenchi Security
arn:aws:iam:sa-east-1:*:user/AlexandreSieira
Co-Founder and CTO @ Tenchi Security
> 25+ years in cybersecurity - old_man_yells_at_cloud.gif
> Co-founder & CTO @ Cipher (acquired by Prosegur)
> Co-founder & CTO @ Niddel (acquired by Verizon)
> Global Head of Detection & Response products @ Verizon
> AWS Certified Security - Specialty
> 12+ years of experience in Cybersecurity
> Security researcher in AppSec, IoT, Cloud
arn:aws:iam:sa-east-1:*:user/MarceloLima
Cloud Security Consultant @ Tenchi Security
> 25+ years of experience in Infrastructure and security
> Cloud Infrastructure Manager @ Claro
> GCP Professional Cloud Security Engineer
asieira@tenchisecurity.com
@AlexandreSieira
gtomaz@tenchisecurity.com
https://github.com/s4dhulabs
mlima@tenchisecurity.com
Why should you care?
https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html
Black hats are looking for a way in:
● Access brokers want to exploit Internet-facing
products;
● Malware developers want to bypass your
detection and prevention security products;
● Perimeter security appliances are a double
whammy!
White hats want the fun and the profit:
● Evaluate product security;
● Profit from bug bounties;
● Create logos and name vulnerabilities.
Why should you care?
A few notable examples:
Data collected August 3rd, 2022
AWS Marketplace
Product codes (a.k.a. offer IDs) != product IDs.
They seem designed to ensure software isn't executed
on instances that were not created through AWS Marketplace
(https://docs.aws.amazon.com/marketplace/latest/userguide/best-practices-for-building-your-amis.html#verifying-ami-runtime)
Shown to buyers in at least four places:
● the marketplace wizard;
● notification e-mail;
● instance identity document of EC2
instances;
● ec2:DescribeInstances.
Console calls undocumented APIs at
discovery.marketplace.us-east-1.amazonaws.com
and "offerId" is used to return the product code.
AWS Marketplace
Product code has potential uses for defenders (asset management) and attackers (recon).
If you visit https://aws.amazon.com/marketplace/pp/ref=bill_eml_2?sku=<product code> you can manually
look up the seller and product behind a product code.
List all instances with a Marketplace product code:
aws ec2 describe-instances --filters Name=product-code.type,Values=marketplace
List all instances with a specified Marketplace product code:
aws ec2 describe-instances --filters Name=product-code,Values=<product code>
List all public AMIs associated with a specified Marketplace product code:
aws ec2 describe-images --filters Name=product-code,Values=<product code>
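The asset-management use mentioned above, as an added example (not code from the original slides): it groups instances by Marketplace product code from `aws ec2 describe-instances` JSON and flags codes missing from an approved list. The instance IDs, the second product code and the `approved` parameter are constructed for illustration.

```python
import json
from collections import defaultdict

# URL pattern quoted on this page for resolving a product code to seller/product.
LOOKUP_URL = "https://aws.amazon.com/marketplace/pp/ref=bill_eml_2?sku={code}"

# Constructed sample in the shape returned by `aws ec2 describe-instances`.
# Instance IDs and "exampleconstructedcode000" are made up; the other code
# is the one shown in this deck's output.
SAMPLE = json.loads("""
{
  "Reservations": [
    {"Instances": [
      {"InstanceId": "i-0000000000000000a",
       "ProductCodes": [{"ProductCodeId": "6njl1pau431dv1qxipg63mvah",
                         "ProductCodeType": "marketplace"}]},
      {"InstanceId": "i-0000000000000000b", "ProductCodes": []}
    ]},
    {"Instances": [
      {"InstanceId": "i-0000000000000000c",
       "ProductCodes": [{"ProductCodeId": "6njl1pau431dv1qxipg63mvah",
                         "ProductCodeType": "marketplace"}]},
      {"InstanceId": "i-0000000000000000d",
       "ProductCodes": [{"ProductCodeId": "exampleconstructedcode000",
                         "ProductCodeType": "marketplace"},
                        {"ProductCodeId": "legacycode",
                         "ProductCodeType": "devpay"}]},
      {"InstanceId": "i-0000000000000000e"}
    ]}
  ]
}
""")


def marketplace_inventory(describe_output, approved=()):
    """Group instance IDs by Marketplace product code.

    `approved` is a hypothetical allow-list of product codes the organisation
    has vetted; anything else is reported with approved=False.
    """
    by_code = defaultdict(list)
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            # ProductCodes is empty or absent on instances that were not
            # launched from a Marketplace AMI.
            for pc in inst.get("ProductCodes") or []:
                if pc.get("ProductCodeType") != "marketplace":
                    continue  # skip legacy "devpay" codes
                by_code[pc["ProductCodeId"].strip()].append(inst["InstanceId"])
    return [
        {
            "product_code": code,
            "instances": sorted(by_code[code]),
            "lookup_url": LOOKUP_URL.format(code=code),
            "approved": code in approved,
        }
        for code in sorted(by_code)
    ]


if __name__ == "__main__":
    for row in marketplace_inventory(SAMPLE, approved={"6njl1pau431dv1qxipg63mvah"}):
        status = "approved" if row["approved"] else "REVIEW"
        print(status, row["product_code"], row["instances"], row["lookup_url"])
```

To use it on a real account, feed it the parsed output of the first `describe-instances` command above, one region at a time.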
AWS Marketplace
Trying to run an instance with a Marketplace AMI without a subscription:
$ aws --region us-east-1 ec2 run-instances --image-id ami-0ceb5feceacf87c44 --subnet-id
subnet-<redacted>
An error occurred (OptInRequired) when calling the RunInstances operation: In order to
use this AWS Marketplace product you need to accept terms and subscribe. To do so please
visit https://aws.amazon.com/marketplace/pp?sku=f2ew2wrz425a1jagnifd02u5t
After launching an instance through the Marketplace and subscribing:
$ aws ec2 describe-instances --instance-id i-<redacted> | jq '.Reservations[].Instances[] | .ProductCodes'
[
  {
    "ProductCodeId": "6njl1pau431dv1qxipg63mvah",
    "ProductCodeType": "marketplace"
  }
]
AWS Marketplace
Boot volume seems normal under "aws ec2 describe-volumes", no product
codes. Let's try to mount it as a secondary disk on a new analysis instance to
rummage through it:
1. Detach from Marketplace instance: ✅
2. Create new Linux instance and stop it: ✅
3. Attach volume as secondary disk on the analysis instance: 🛑
$ aws ec2 attach-volume --device xvdb --instance-id
i-<redacted> --volume-id vol-<redacted>
An error occurred (OperationNotPermitted) when calling the
AttachVolume operation: One or more of
[6njl1pau431dv1qxipg63mvah] are not allowed as secondary volume
xvdb
AWS Marketplace
Only visible association to the original AMI and the Marketplace is through
the snapshot it was created from. So let's try:
1. Create a new snapshot of the volume: ✅
2. Create a new volume from this snapshot: ✅
3. Attach newly created volume as secondary disk on the analysis
instance: 🛑
$ aws ec2 attach-volume --device xvdb --instance-id
i-<redacted> --volume-id vol-<redacted>
An error occurred (OperationNotPermitted) when calling the
AttachVolume operation: One or more of
[6njl1pau431dv1qxipg63mvah] are not allowed as secondary
volume xvdb
AWS Marketplace
Maybe the association is via the AMI? So let's try this:
1. Create an AMI from the Marketplace instance: ✅
2. Create a new instance from that AMI: ✅
3. Detach the boot volume from new instance: ✅
4. Attach volume as secondary disk on the new instance: 🛑
$ aws ec2 attach-volume --device xvdb --instance-id
i-02f09c8ee2628f46e --volume-id vol-09db9337b82217687
An error occurred (OperationNotPermitted) when calling the
AttachVolume operation: One or more of
[6njl1pau431dv1qxipg63mvah] are not allowed as secondary
volume xvdb
AWS Marketplace
Found an old mailing list post mentioning a workaround
(https://www.mail-archive.com/packer-tool@googlegroups.com/msg04649.html):
1. Create an AMI from the Marketplace instance: ✅
2. Share it with another account: ✅
3. Create an instance at other account using the shared AMI: 🛑
ec2:DescribeImages still shows the product codes associated with the
new AMI, so AWS closed that loophole at some point.
Also tried copying a snapshot to S3 and using direct access APIs. All
blocked.
AWS Marketplace
No KYC, domain, URL or logo validation required
to become a seller eligible to publish free products.
KYC is apparently required to sell paid products to EMEA,
though the T&Cs allow them across the
board.
AWS purports to do regular scanning of images to
check for vulnerabilities, and provides on-demand
scanning to sellers.
Defines security standards for images, such as:
● no known vulnerabilities;
● no hardcoded passwords;
● no remote access by seller.
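One way a seller could check an unpacked image root against two of these standards before publishing (hardcoded passwords and leftover remote access), as an added example that is not from the original slides or from AWS. The file set, finding names and sample tree are constructed assumptions, and only explicit `sshd_config` settings are reported.

```python
import os
import tempfile


def _shadow_findings(root):
    """Accounts whose /etc/shadow entry allows password login."""
    path = os.path.join(root, "etc", "shadow")
    out = []
    if os.path.isfile(path) and not os.path.islink(path):
        with open(path, errors="replace") as fh:
            for line in fh:
                fields = line.rstrip("\n").split(":")
                if len(fields) < 2:
                    continue
                user, pw = fields[0], fields[1]
                if pw == "":
                    out.append(("empty-password", user))
                elif not pw.startswith(("!", "*")):  # "!" / "*" mean locked
                    out.append(("password-hash", user))
    return out


def _key_findings(root):
    """authorized_keys files that still contain at least one key."""
    out = []
    for dirpath, _dirs, files in os.walk(root):  # directory symlinks not followed
        for name in files:
            path = os.path.join(dirpath, name)
            if name not in ("authorized_keys", "authorized_keys2") or os.path.islink(path):
                continue
            with open(path, errors="replace") as fh:
                keys = sum(1 for l in fh if l.strip() and not l.lstrip().startswith("#"))
            if keys:
                out.append(("authorized-key", os.path.relpath(path, root)))
    return out


def _sshd_findings(root):
    """Explicit sshd_config settings that permit password or root login."""
    path = os.path.join(root, "etc", "ssh", "sshd_config")
    seen, out = {}, []
    if os.path.isfile(path) and not os.path.islink(path):
        with open(path, errors="replace") as fh:
            for line in fh:
                words = line.split("#", 1)[0].split()
                if len(words) >= 2:
                    # sshd uses the first value it reads for each keyword
                    seen.setdefault(words[0].lower(), words[1].lower())
    for key in ("passwordauthentication", "permitrootlogin"):
        if seen.get(key) == "yes":
            out.append(("sshd-setting", key + "=yes"))
    return out


def audit_image_root(root):
    """Return sorted (kind, detail) findings for an image unpacked at `root`."""
    return sorted(_shadow_findings(root) + _key_findings(root) + _sshd_findings(root))


def build_sample_image(root):
    """Write a constructed sample tree standing in for an unpacked image."""
    files = {
        "etc/shadow": "root:!:19000:0:99999:7:::\n"
                      "support:$6$constructedsalt$constructedhash:19000:0:99999:7:::\n"
                      "daemon:*:19000:0:99999:7:::\n",
        "etc/ssh/sshd_config": "# constructed\nPermitRootLogin no\nPasswordAuthentication yes\n",
        "home/support/.ssh/authorized_keys": "ssh-ed25519 AAAAconstructedkey vendor@build\n",
        "root/.ssh/authorized_keys": "# intentionally empty\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_image(tmp)
        for kind, detail in audit_image_root(tmp):
            print(kind, detail)
```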
Azure Marketplace
Azure is kind enough to have documented APIs and CLI commands to interact with Marketplace images!
(https://docs.microsoft.com/en-us/cli/azure/vm/image?view=azure-cli-latest)
Azure Marketplace
You can attach a marketplace boot disk as a secondary disk in another VM!
1) First find the Publisher.Offer part of the URL:
https://azuremarketplace.microsoft.com/en-us/marketplace/apps/tidalmediainc.tinyproxy-easy-ubuntu?tab=Overview
2) Obtain the SKU name:
$ az vm image list-skus -l brazilsouth -p tidalmediainc -f tinyproxy-easy-ubuntu | jq '.[].name'
"tinyproxy-easy-ubuntu"
3) Obtain the URN of the images:
$ az vm image list -p tidalmediainc -s tinyproxy-easy-ubuntu --all | jq '.[].urn'
"tidalmediainc:tinyproxy-easy-proxy-server-ubuntu:tinyproxy-easy-ubuntu-server:1.0.1"
"tidalmediainc:tinyproxy-easy-ubuntu:tinyproxy-easy-ubuntu:1.0.0"
Azure Marketplace
4) Accept the terms of the license (appears to be optional):
$ az vm image terms accept --urn
"tidalmediainc:tinyproxy-easy-proxy-server-ubuntu:tinyproxy-easy-ubuntu-server:1.0.1"
5) Create a disk based on that image:
$ az disk create -g <resource group> -n <disk name> -l brazilsouth --image-reference
tidalmediainc:tinyproxy-easy-ubuntu:tinyproxy-easy-ubuntu:1.0.1
6) Attach as a secondary disk on an analysis VM:
$ az vm disk attach -g <resource group> --vm-name <VM name>
-n <disk name> -l brazilsouth
7) Profit!
Google Cloud Marketplace
GCP provides an easy way to deploy any marketplace infrastructure with predefined deployments. You can
filter for the kind of software you want and select it, and GCP will do the rest.
You can attach a marketplace boot disk as a secondary disk in another VM!
1) Open Google Cloud console and go to the Marketplace:
https://console.cloud.google.com/marketplace
2) Pick up a vendor product with Virtual Machines type. Use filters to choose on
3) Deploy the application and stop the virtual machine(s).
$ gcloud compute instances stop <marketplace-product-instance-name>
4) Create a snapshot from the instance you just stopped.
$ gcloud compute snapshots create <snapshot-name> --source-disk=<marketplace-instance-disk> \
    --source-disk-zone=<zone>
Google Cloud Marketplace
5) Create a disk from the snapshot
$ gcloud compute disks create <disk-name> --source-snapshot=<snapshot-name> --zone=<zone>
6) Create a new instance and attach the new disk as a secondary disk to the VM.
$ gcloud compute instances create <new-instance-name> --machine-type=<machine-type> \
    --disk=boot=no,device-name=<disk-name>,mode=rw,name=<disk-name> --zone=<zone>
7) From the GCP console SSH to the new VM
8) Run fdisk to see the disks and mount the disk (it should be /dev/sdbX where X is the physical partition)
$ sudo fdisk -l
$ sudo mount /dev/sdbX /<mounting-point>
Google Cloud Marketplace
9) If the disk does not mount, it is probably because it has an invalid partition type or it is a volume group.
In both cases run a logical volume scan on the physical partition and mount it. You should see
something similar to /dev/sdbX/<logical-volume>.
$ sudo lvscan -a
$ sudo mount /dev/sdbX/<logical-volume> /<mounting-point>
10) Start digging
Final Words
● AWS Marketplace seems to offer better protection for seller
intellectual property than selling hardware appliances, kudos!
○ Should have documented APIs, SDK and CLI support for
buyers;
○ Beware of instance restrictions (backup, etc).
● Azure and GCP Marketplaces offer big advantages to white
and black hat security researchers:
○ Low or no cost (BYOL or pay-as-you-go);
○ No pesky sanctions or logistics-related difficulties to
obtaining access to products;
○ Very low barrier to entry (account with fake/stolen
payment data);
○ Very amenable to automation! DevSecResearchOps
FTW
IANL disclaimer - don't do any
of this before you are sure of
the legal risks involved.
Thank you!
> Alex Sieira
asieira@tenchisecurity.com
@AlexandreSieira

