~ 10 min read

An Attacker's Approach to Pentesting IBM Cloud - fwdcloudsec 2021

A walkthrough of the slides presented during the fwdcloudsec 2021 conference with details of findings and observations across different resources within the IBM cloud platform.

Table of Contents

‍

Background
Why attack IBM cloud?
IBM cloud attacker vantage points
What was my approach?
GitHub repo
Interesting Observations

Public OSINT and identifying IBM cloud things
IBM Cloud Storage
IBM Cloud Shell
IBM Cloud CLI
IBM Cloud Functions
IBM Cloud Virtual Server for Classic
IBM Cloud Databases
Conclusion

‍

Background

‍

The idea for the talk came from an absence of enough resources on the Internet when attempting to pentest resources running on the IBM cloud. Like a lot of cloud providers out there, IBM cloud also has a standard set of services across compute, storage, databases and networking.

These services can be targeted based on their default configurations and customer exposed attack surfaces. Primarily, the objective of the talk was to answer the following questions:

  1. What services does IBM cloud provide that have an external attack surface?
  2. How well are default configurations documented within IBM cloud?
  3. Could vulnerabilities that plague AWS, GCP and Azure thematically also affect IBM cloud?
  4. Are there any low hanging fruits like open buckets or compute instances running custom IBM specific services that can be hacked from the outside?

The entire exploration of the IBM cloud and services within was from an attacker perspective to identify any weaknesses that can be documented.

Here are all the slides from the conference presented virtually on 14th September 2021

‍

‍

This slide and the content generated is also on the GitHub repo at https://github.com/Kloudle/pentesting-ibm-cloud. This blog post takes you through the slides and expands on the topics covered in the talk along with additional commentary around the content.

‍

Why attack IBM cloud?

‍

Apart from the novelty of attacking a cloud provider that did not happen to have too many hacker friendly resources listed, I also had credits to IBM cloud that I was using to set up a CTF level for the CloudVillage.

‍

Why attack the IBM Cloud?‍

While setting up the CTF challenge, I faced difficulties with some of the documentation that led me to poke around the services a bit more to gauge which attacker friendly configurations were in place.

‍

IBM cloud attacker vantage points

‍

To be able to attack any cloud provider for that matter, you can be placed in one of these 3 locations, obviously barring the cloud provider being the attacker themselves.

  • External attack surface
  • Internal attack surface
  • Cloud specific attack surface

‍

IBM cloud attacker vantage points‍

Each of these locations provide various services and resources that can be attacked or leveraged to further your access.

‍

What was my approach?

‍

I followed a very exploratory approach with IBM cloud. With the free credits that I had I set up an IB cloud account, I set up the CLI and then poked around different services.

What was my approach?In all the cases, I looked at the resources from both a β€œthis is a new technology” as well as β€œif this was on AWS/GCP what vulnerabilities would it have” approach.

Majorly, I started a service, checked if insecure defaults were at play, what authentication was used, public DNS and IP information and for each of the services, identified what kind of environment they were running.

‍

GitHub repo

‍

All work has been released via Github at https://github.com/Kloudle/pentesting-ibm-cloud

‍

GitHub repo for ongoing work‍

This is an ongoing research project and will likely expand with additional inputs from the community and our work.

‍

Interesting Observations

‍

This section is about what were my most interesting observations during the poking and prodding of IBM cloud.

‍

Public OSINT and identifying IBM cloud things

‍

I started by looking at what public objects are exposed by customers who use IBM cloud or as an extension of different services. 

‍

Public OSINT and identifying IBM cloud things‍

Weirdly, I was unable to find the public IP ranges for the IBM cloud as this would be one of the first things attackers would want to enumerate and scan. AWS, GCP and Azure all publish these ranges within their documentation.

The only documentation I found was not the public range for IBM services. I figured walking backwards might be useful, so I created a Floating IP, looked at the public IP neighbourhood and gathered IP ranges from there using the Hurricane Electric BGP site.

Public OSINT and identifying IBM cloud things‍

The IP address ranges belong to an ASN called SoftLayer Technologies, Inc, which was incidentally acquired by IBM in 2013 

Public OSINT and identifying IBM cloud things‍

Following this across different regions within IBM Cloud, I created a list of IP ranges that would be useful for additional OSINT.

Public OSINT and identifying IBM cloud things‍

Censys or Shodan are good services to start with to see what’s running without sending a single packet to the target.

I made a list of things to do so that all IP ranges can be uncovered for IBM.

‍

Public OSINT and identifying IBM cloud things- to do‍

IBM Cloud Storage

‍

The first service I started poking around was the IBM Cloud Storage service. Very similar to the AWS S3, IBM Cloud storage also uses similar terminologies.

IBM Cloud Storage‍

A cool feature of IBM Cloud storage is the integration it provides with IBM Cloud SQL Query. You can run SQL queries on uploaded data if it is JSON or CSV for example.

‍

IBM Cloud Storage‍

Looking at the HTTP response headers and body when accessing an IBM storage bucket, shows that the implementation is of Cleversafe, a storage company that IBM acquired in November 2015. Searching for β€œServer: Cleversafe” on Shodan shows promising results.

‍

IBM Cloud Storage‍

I documented the steps needed for CLI access to interact with Object Storage. The steps were far too many considering that AWS or similar storage services require minimal access steps.

‍

IBM Cloud Storage‍

Using the information we have so far, we can search the Internet for public IBM buckets. 

IBM Cloud Storage‍

Both Google searches using the DNS naming convention and subdomain enumeration tools work well and I was able to get a decent size list of bucket names.

‍

IBM Cloud Storage‍

For future work, made a note of access policies for IBM buckets and to enumerate other storage type services namely disk snapshots and compute volumes.

IBM Cloud Storage‍

IBM Cloud Shell

‍

IBM Cloud shell is an interactive shell environment that gives you a quick terminal to work with your IBM account on the CLI

‍

IBM Cloud Shell‍

The IBM Cloud Shell environment is a Bluemix container based on Kubernetes as seen by the output of cat /proc/1/cgroup and mount commands.

IBM Cloud Shell‍

IBM Cloud Shell‍

The Bluemix config json contains an IAM Token that can be used with IBM REST APIs.

IBM Cloud Shell‍

I was able to make requests to IBM API endpoints with the IAM token to fetch a list of storage buckets within the account.

‍

IBM Cloud Shell‍

Additional investigation is required to identify if the IBM Cloud shell has internal IBM network access and if container escape is possible.

IBM Cloud Shell‍

IBM Cloud CLI

‍

From an attacker perspective, knowing what the CLI configures on the client is very useful in terms of a wider attack surface.

The IBM Cloud CLI offers multiple ways of logging in. I used the β€œOne Time Passcode” method as this was the most convenient.

‍

IBM Cloud CLI‍

Just like in AWS we have the aws sts get-caller-identity, we have ibmcloud account show on IBM

IBM Cloud CLI‍

After you have logged in, the CLI token is saved in the ~/.bluemix/config.json as IAMToken. This is the same token that the IBM Cloud shell container uses when a cloud shell is invoked.

‍

IBM Cloud CLI‍

The IBM Cloud CLI can also be logged in via API key on the cli or REST API using the API Key to obtain the IAM token.

‍

IBM Cloud CLI‍

IBM Cloud Functions

‍

IBM Cloud functions are based on OpenWhisk. A simple python function was set up that would give me reverse shell access to the OpenWhisk container.

IBM Cloud Functions‍

The reverse shell can be kept alive for 600 seconds as that is the maximum time of execution to wait for the container before it is killed.

‍

IBM Cloud Functions‍

Previously disclosed security weaknesses like CVE-2018-11756 and CVE-2018-11757 were allowed for overwriting of the function code. These have been fixed now.

‍

IBM Cloud Functions‍

Future work with IBM Cloud functions is to get container capabilities and see if OpenWhisk has other security flaws.

IBM Cloud Functions‍

IBM Cloud Virtual Server for Classic

‍

IBM Cloud Virtual Server for Classic is the previous generation of virtual machines service. This has support for End of Life operating systems including Ubuntu 16.04 LTS.

‍

IBM Cloud Virtual Server for Classic‍

While setting up the machine, I noticed that the service stores the login password for root and allows a user to retrieve the password in plain text. No private key required to decrypt.

The interface is like a password manager and you can use this to store other passwords as well, none of them requiring any additional keys to decrypt them.

‍

IBM Cloud Virtual Server for Classic‍

IBM Cloud Databases

‍

IBM Cloud Databases include about 21 different types of managed DB services. I started poking around the first in the list - Cloudant JSON.

Cloudant JSON is a JSON document DB and provides a HTTPS endpoint post creation which has no authentication by default!

‍

IBM Cloud Databases‍

Using the unique headers that the HTTPS endpoint has, it was trivial to find Cloudant JSON databases exposed to the Internet using Shodan.

‍

IBM Cloud Databases‍

Future work will be to see how other database services are configured within IBM and what information they leak. We will also be able to tell how IAM fits into authentication for these database services.

IBM Cloud Databases‍

Conclusion

‍

This presentation was a means to get started with documenting offensive insights into how IBM Cloud can be set up by devs, what misconfigurations can exist and how attackers can abuse these.

Future work will be around updating the documentation and maintaining it, continuing documentation around misconfigurations and insecure defaults, building reliable tooling to automate some of the misconfiguration detection work and to explore the services that I did not see during the creation of this presentation.

Community support is important to keep this project alive! Pull requests are welcome at https://github.com/Kloudle/pentesting-ibm-cloud.

‍

Future Work‍

Thank you.

‍

Thank you‍

***

‍

This article is brought to you by Kloudle Academy, a free e-resource compilation, created and curated by Kloudle. Kloudle is a cloud security management platform that uses the power of automation and simplifies human requirements in cloud security. If you wish to give your feedback on this article, you can write to us here.

;