Cloud computing may not be as secure as you would like to believe…Vulnerabilities in Azure Part 1

What is “Cloud Computing” you may ask… That is simple, it is using other people’s hardware!

You are renting space on their servers, using their internet connection, using their switches. There is nothing amazing about “The Cloud”, other than you do not own the equipment, you cannot control the physical servers, switches, etc.. Your “Cloud” is only as secure as the company you are hosting your servers/software/services with.

I forewarn you, this post is long. The first part of this article is about a white paper that I wrote about Azure possibly being susceptible to MITM/DOS attacks. The second part will show you how insecure Azure is… in the fact that You can see Virtual Machine Names, IP address and more, using common, easily obtained software…(SEE Part 2!)

Utilizing two free software programs, I was able to get information that anyone with time and inclination could use to do other attacks, not just the MITM / DOS attacks listed below.

How it all started…

Microsoft was giving away free 30 day trial of Windows Azure. I decided I would check Azure for vulnerabilities, so I ran a few test before my trial was up, and this is what I found.

The following white paper I sent to Microsoft at the end of June 2013. After almost two months, Microsoft emailed me back on 8-21-13 and stated “The team came back to me and confirmed that they have DHCP guards in place for v6 and v4 and confirmed that their IPv4 filtering prevents MiTM attacks started from arp spoofing.

So Windows Azure is NOT vulnerable to Man in the Middle attacks nor Denial of Service Attacks… WELL there Is another problem, which you will see in Part 2

___________________________________________The Paper _______________________________________________

Concept by:  Daniel Stinson                                    Date: 6-27-2013                               

Windows Azure may be susceptible to Man in the Middle attacks as well as IPv4/ IPv6 Denial of Service attacks from a Virtual Machine residing inside of Azure.

Please note that these attacks were not tested against any machines in Azure, I am showing that from within a virtual machine residing on Azure that it may be possible. No exploits have been run so this is merely a concept paper. This paper is to show that it may be possible, the attack is untested.

I created a clean Microsoft Server 2008R2 virtual machine using a 30 day Windows Azure trial. I installed free software called Evil Foca – 0.1.2.0 on this virtual machine, to check to see if the program was able to see other servers in proximity to the new virtual machine.

I ran the software to see if there were any “Neighbors”, and I was amazed at how many connections that were discovered. The program showed other servers and routers (with IP & MAC address’) that were located near the virtual machine.

I DID NOT run the exploits, however I am certain that MITM (Man in the Middle) and IPv4 & IPv6 DoS (Denial of Service) attacks could be run against these other connections in Azure.

vulnerability in Azure

The below image shows active connections close to the virtual machine that were discovered. (full list is presented on the last page)

vulnerability in Azure5vulnerability in Azure6

As you can see in the above screenshot, other connections were discovered. If you add targets in any of the attacks, you are given the option to select your target from the list.

 Types of attacks that could be run against target connections:

 vulnerability in Azure1

 

MITM IPv6

-Neighbor Advertisement Spoofing

The attacker sends to their victims fake ICMPv6 Advertisement packets in order to cause that any traffice goes through your IP address.

-SLAAC

The attacker sends to their victims fake ICMPv6 Advertisement packets in order to cause that any traffice goes through your IP address.

-DHCPv6

-The computer acts as a rogue DHCPv6 server, configuring IP Address and DNS Server from clients.

vulnerability in Azure2

 

MITM IPv4

The attacker sends to their victims fake ARP packets in order to cause that any traffic goes through your IP address.

 

-DHCP ACK Injection

The computer acts as a rogue DHCP Server, configuring the clients to connect to your IP address as gateway.

 vulnerability in Azure3

  

DoS IPv6

-SLAAC DoS

It consumes 100% of CPU creating network adapters through SLAAC protocol unit the computer is completely frozen

 vulnerability in Azure4

  

DoS IPv4

-Invalid MAC Spoofing

It assigns an invalid MAC address to an IP poisoning his ARP cashe, so the target will lose connection with any arbitrary computer

 

DNS hijacking or DNS redirection

Is the practice of redirecting the resolution of the Domain Name System names to other DNS servers.

Used in conjunction with MITM attack.

  

Connections discovered in Windows Azure from a freshly made clean Virtual Machine:

(MAC and IP Address)

00155D36C783 00155D36C78F 00155D36C79B 00155D36C7A9 008CFA0BA734
100.86.166.3 100.86.166.16 100.86.166.29 100.86.166.45 100.86.166.170
00155D36C782 00155D36C790 00155D36C79C 00155D36C7AC 008CFA0BCB42
100.86.166.2 100.86.166.17 100.86.166.31 100.86.166.48 100.86.166.180
A44C11350741 008CFA0BA0AC 00155D36C79D 008CFA0BC1E6 008CFA0BD456
100.86.166.1 100.86.166.20 100.86.166.32 100.86.166.50 100.86.166.190
00155D36C784 00155D36C791 00155D36C79F 008CFA0BEA18 008CFA0BDE8E
100.86.166.4 100.86.166.18 100.86.166.34 100.86.166.60 100.86.166.200
fe80::fc4e:cb8e:311b:3fff
00155D36C785 00155D36C792 008CFA0BE584 008CFA0BD46A
100.86.166.5 100.86.166.19 00155D36C79E 100.86.166.70 100.86.166.210
100.86.166.33
00155D36C787 00155D36C793 008CFA0BC1F4 008CFA0BB28E
100.86.166.7 100.86.166.21 00155D36C7A0 100.86.166.80 100.86.166.220
100.86.166.35
00155D36C788 00155D36C795 008CFA0BD0AE 008CFA0BA0A0
100.86.166.8 100.86.166.23 00155D36C7A2 100.86.166.90 100.86.166.230
100.86.166.37
00155D36C786 00155D36C794 008CFA0BBEBC 00155D36C7A3
100.86.166.6 100.86.166.22 00155D36C7A1 100.86.166.100 fe80::8df1:61e7:666a:4236
100.86.166.36 100.86.166.38
00155D36C789 00155D36C796 008CFA0BC440
100.86.166.9 100.86.166.24 00155D36C7A4 100.86.166.110 00155D36C7AA
100.86.166.39 fe80::99fb:133b:3fea:dd97
008CFA0BAD5C 00155D36C797 008CFA0BE0F0 100.86.166.46
100.86.166.10 100.86.166.25 008CFA0BD8A8 100.86.166.120
100.86.166.40
00155D36C78A 00155D36C798 008CFA0BDCD8
100.86.166.11 100.86.166.26 00155D36C7A5 100.86.166.130
100.86.166.41
00155D36C78C 00155D36C79A 008CFA0BDAD2 Routers
100.86.166.13 100.86.166.28 00155D36C7A6 100.86.166.140 A44C11350741
100.86.166.42 100.86.166.1
00155D36C78D 00155D36C799 008CFA0BE1EE
100.86.166.14 100.86.166.27 00155D36C7A7 100.86.166.150
100.86.166.43
00155D36C78E 008CFA0BB872 00155D36C7A8 008CFA0BC33C
100.86.166.15 100.86.166.30 100.86.166.44 100.86.166.160

__________________________________________END_______________________________________________________

Now I did not run these exploits, as I did not want to disrupt any Microsoft services, nor did I want a visit from any law enforcement agencies.

Was Windows Azure susceptible to these attacks? I’ll never know for certain, as the ticket was open for a almost 2 months… That was plenty of time to fix the issue.

Was I paid a “bounty” by Microsoft? Nope.

Would I let Microsoft know about another vulnerability if I found one? Probably not…

Would I put my companies data in Windows Azure? Probably not…

Would I use Azure for testing and penetration testing? YES, Yes I would…

See Part 2 for more about Windows Azure and “Cloud” computing…

Advertisements
Comments
  1. Phil Owens says:

    I tried your method, with similar results, great writeup!

  2. rttxaxkn8 says:

    I’m a d-bag comment spammer my IP is 198.204.241.75

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s