Slashdot Mirror


The Windows Flaw That Cracks Amazon Web Services

Nerval's Lobster writes "Developer and editor Jeff Cogswell decided to poke around the security of Amazon Web Services, and found a potential loophole that could theoretically allow anyone — a developer, an unscrupulous Amazon employee, the NSA — to access and copy data volumes stored on the system, using a slightly modified version of the popular 'chntpw' password tool. In this article, he breaks down how he did it, and suggests some ways for those who use cloud-hosting services to keep their data a little more secure in the future. 'The key here, of course, is that an unscrupulous employee might be able to make a copy of any existing Windows volume, and go to work on it without the customer ever knowing that it happened,' he writes. 'Now let's be clear: I'm not accusing anyone of having done this; in fact, I doubt anybody has, considering I was unable to find a working copy of chntpw until I modified it.' It's a security concern, and one that's particularly insidious to patch."

22 of 114 comments

  1. Vulnerable? by cyberpocalypse · · Score: 5, Funny

    You had me at Windows

    1. Re:Vulnerable? by chuckinator · · Score: 5, Insightful

      chntpw has been in the wild since 1997. It's wonderful that the researcher just realized that it works on cloud volumes just as well as physical volumes, but this is flat out not news. It's also mitigated by deploying an Active Directory domain controller if you want to stick with Windows, or rolling one yourself with krb5/ldap/samba/etc. if you want your backend servers running unix of whatever variant you like.

    2. Re:Vulnerable? by BitZtream · · Score: 2

      Too bad it applies just as equally to Linux and every other OS.

      They have 'physical access' to the machine. You've lost already, regardless of OS. They don't need your passwords.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager

    3. Re:Vulnerable? by ron_ivi · · Score: 4, Insightful

      And this isn't even a vulnerability.

      The ability to share disks by copying or moving them from one machine to another is an AWS feature.

      It's common that you'd launch a high-CPU compute node (which might be windows) to prepare a set of data on a disk; and then kill that expensive high-CPU node when the data's ready; and move the disk to another machine (which might be running Linux).

      Isn't that exactly what the author described?

    4. Re:Vulnerable? by gl4ss · · Score: 2

      what the fuck does any of this matter though if you have a copy(and potential to change the original as well) of the system volume?

      the "newsflash" is really that hosted services are accessible to people hosting it...

      --
      world was created 5 seconds before this post as it is.

  2. And security goes on by minstrelmike · · Score: 3, Funny

    The cloud just gets more and more secure all the time. Maybe this is how Dilbert broke into the NSA servers and got all his company's data back.

  3. This just in by Anonymous Coward · · Score: 5, Informative

    People with access to your data are able to access your data.

    1. Re:This just in by Cro+Magnon · · Score: 3, Funny

      Including you!

      I consider that a major security hole that needs to be fixed!

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.

  4. So stupid. by MindStalker · · Score: 4, Insightful

    If you mount your Windows hard drive in Linux without using encryption, you can access all your data?

    Not news at all. You can do this on any operating system of any type, assuming you're not using an encrypted system.

    1. Re:So stupid. by tgd · · Score: 4, Insightful

      If you mount your Windows hard drive in Linux without using encryption, you can access all your data?

      Not news at all. You can do this on any operating system of any type, assuming you're not using an encrypted system.

      Or dupe your Linux virtual hard drive in Linux... or Windows... or OSX... and do the same thing.

      It's a stupid flamebait article. Shame that after all this time we still can't moderate the articles themselves on /.

  5. Not actually a problem with AWS. by solafide · · Score: 5, Informative

    This is no different than booting a LiveCD and changing the Windows password from a Linux LiveCD running with access to the same storage device. This is not a flaw in AWS in any fashion, other than illustrating the trust you place in AWS having access to your physical devices. Why is this news? This is a standard if-you-have-access-to-hardware-you-can-have-complete-control-over-everything-on-it-not-encrypted problem.

    1. Re:Not actually a problem with AWS. by h4rr4r · · Score: 2

      To be fair, no different than changing the password on a Linux machine by booting a Linux live CD either.

      Yeah, does not look like anything really surprising to me either.

  6. Not a new problem by Imagix · · Score: 4, Insightful

    Oh look, it's yet another case of "If you have physical access to the server, all bets are off." If you can clone the volume, you effectively have physical access to the server. This isn't a new vulnerability. Just another case of "It's on the webz, it must be a completely novel thing!"

    1. Re:Not a new problem by MightyMartian · · Score: 2

      Not sure what the surprise here is. I had a Server 2003 guest go nuts on my KVM server and become pretty much unbootable. I mounted the raw image file via loopback and ntfs-3g and happily copied all the data off of the virtual HD. I've done the same thing with Linux and BSD raw images, partitions and physical drives.

      If I wanted real security I would use disk encryption like TrueCrypt on the vm volume, so that even if someone could gain access to the VM host, they would be confronted with an encrypted volume, and without the pass code or key, they're hooped. Mind you, because I'm using some cloud service, if they are nefarious (or the NSA has backdoor access), they've already got my key and/or password, in which case whether or not the volume on the cloud VM is encrypted or not, they've been happily vacuuming up my data anyways.

      The moral here is that unless you have custody of your data, you ought to presume the worst.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.

  7. Why make it complicated? by Empiric · · Score: 4, Insightful

    1. Take a Windows server on Amazon Web Services, make a copy of the hard drive (which Amazon calls a volume),

    If you can do this, the system is already compromised in a dozen different, less-interesting, ways.

    The question is whether you can do this without already having the passwords, with EC2's existing security. I see no evidence from the article he can.

    Without that, the claim is half gratuitous cleverness, half FUD of an attention-grabbing vendor name, to my eyes.

    --
    ~ Whence do you come, slayer of men, or where are you going, conqueror of space?

  8. Use TrueCrypt by duke_cheetah2003 · · Score: 3, Interesting

    Going to need a copy of the VM's memory and some skill at finding the crypto keys in there in addition to the volume if you use TrueCrypt.

    I use AWS and I truecrypt my source code database that I store there.

    I lose automatic full reboot (I have to log in and manually mount that volume), but that's worth the additional privacy/security.

  9. New definition of "Accessibility" by Zero__Kelvin · · Score: 4, Interesting

    This can all be done simply without Linux, using Windows and without chntpw. Simply add the drive to a system you own, move Magnify.exe out of the way (for later restoration), and copy command.exe to Magnify.exe, then boot off the modified drive and choose to use the "Accessibility Tool". Instant command shell with full privilege escalation. I have personally done this on Windows Server 2008. I do not know if they finally got smart and added code to prevent this in Server 2012, but I wouldn't be surprised if it works on every version of Windows that has the "Accessibility Options" on the login screen.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

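
    A defender-side check for the binary swap described in comment 9, added here as an example and not part of the thread or of any poster's code: a copied command shell keeps a valid Microsoft signature, so a signature check alone will not notice the swap; the script therefore also compares each accessibility helper's version-resource OriginalFilename with its on-disk name. It assumes a Windows host with PowerShell and a standard %SystemRoot%; the helper list (just Magnify.exe, the tool the comment names) is an assumption and can be extended.

```powershell
# Added example, not from the thread. Reports an accessibility helper under
# System32 that has been replaced by another (possibly still Microsoft-signed)
# binary, as in the Magnify.exe swap described above.
function Test-AccessibilityHelper {
    [CmdletBinding()]
    param(
        # Assumed list: the Magnifier executable named in the comment.
        [string[]]$Name = @('Magnify.exe'),
        [string]$System32 = (Join-Path $env:SystemRoot 'System32')
    )
    foreach ($n in $Name) {
        $path = Join-Path $System32 $n
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ File = $n; Status = 'Missing'; OriginalFilename = $null; Signature = $null }
            continue
        }
        $item = Get-Item -LiteralPath $path
        # The PE version resource records the name the file was built with,
        # so a shell copied over Magnify.exe still reports its own name here.
        $orig = $item.VersionInfo.OriginalFilename
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $nameMatches = [bool]$orig -and ($orig.Trim() -ieq $n)
        # Note: on older releases, catalog-signed system files may report
        # NotSigned here even when untouched; treat that as a prompt to verify
        # the file hash against known-good media, not as proof of tampering.
        $sigOk = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'Microsoft')
        $status = if (-not $nameMatches) { 'Replaced' } elseif (-not $sigOk) { 'Unsigned' } else { 'OK' }
        [pscustomobject]@{
            File             = $n
            Status           = $status
            OriginalFilename = $orig
            Signature        = $sig.Status
        }
    }
}

# Example invocation: list only helpers that need attention.
Test-AccessibilityHelper | Where-Object { $_.Status -ne 'OK' }
```

    Run it from an elevated prompt on the host (or against a mounted copy of the volume by passing its System32 path as -System32) and treat any 'Replaced' result as an integrity incident on that volume.
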
  10. Earth-shattering by davidbrit2 · · Score: 3, Insightful

    Unencrypted volumes can be easily modified when mounted on a different system; film at 11.

  11. About Jeff by PetiePooo · · Score: 2

    Jeff Cogswell is the author of several tech books including “C++ All-In-One Desk Reference For Dummies,” “C++ Cookbook,” and “Designing Highly Useable Software.” A software engineer for over 20 years, Jeff has written extensively on many different development topics. An expert in C++ and JavaScript, he has experience starting from low-level C development on Linux, up through modern Web development in JavaScript and jQuery, PHP, and ASP.NET MVC.

    Good job, Jeff! Welcome to the exciting world of security research!

    I applaud you for (re)discovering these techniques on your own. Your out-of-box thinking and problem solving are to be commended, but your research skills could use some polish. Please don't let the negative comments above discourage you from exploring this rewarding field of knowledge; however, I would recommend you run your findings by some existing security folks before announcing your next big discovery, lest you find you're just rehashing something else that has long been known.

    Seriously; good job! I enjoyed reading how you worked your way up to your conclusions, even though I knew from the start how it would end...

    1. Re:About Jeff by cbhacking · · Score: 3, Insightful

      Really? You "enjoyed" reading the "discoveries" of somebody who didn't even realize that psexec requires Admin, at which point the whole thing is completely moot? You want to know how else I can replace the password on the Administrator account? Computer Management (mmc.exe, as Admin please), Local Users and Groups, Users, Administrator, right-click, Reset password.

      But that doesn't let him talk about how 1337 he is for tweaking an outdated program to work on a modern Windows version... Seriously, the guy is a bit of an idiot. Calling it a Windows vuln was icing on the cake; if anything, this kind of "exploit" is actually easier on Linux.

      There's "out-of-the-box thinking and problem solving" and then there's "I don't know what the fuck I'm talking about but have you heard of this cool program that lets you totally break Windows security guys?!?" I hang out a lot in the security community, and I see this sort of shit all the time. I've never seen anybody who started out spewing this kind of idiocy ever actually amount to anything even years later, though. They never actually learn. That garbage he posted in the article? that's probably as smart as he will ever get with regard to security, because he doesn't even understand the basic concept of what user accounts or access permissions *are*. Not doesn't understand them - hell, at least on Windows, that's hardly anything unusual - he doesn't even know what they are. For example, you can access the SAM just fine without using SYSTEM at all; just use Admin privileges to modify the ACLs on the SAM registry key. He's not even aware that there *are* such things as ACLs; he just thinks it's "magic" that SYSTEM can do some things that everybody else (because he runs as Admin, because he doesn't have any idea why you wouldn't) can't do.

      --
      There's no place I could be, since I've found Serenity...

  12. Re:Cloud=magic by i+kan+reed · · Score: 2

    Only a commie-mutant-traitor would know a word like "comerade". What's your clearance citizen?

  13. Re:Windows volumes... by cbhacking · · Score: 5, Informative

    Too bad the author of TFA is a flaming idiot, and this has nothing to do with Windows at all. It's a total non-story.

    He just "discovered" that if you download a cloud machine disk volume - which is completely OS-agnostic, you could do it BeOS if you wanted to - you can mount it on your own machine and go to town on the data. Unix-like OS? Cool, go read /etc/shadow and get the password hashes (or change/add your own password and re-mount it, as he suggests doing with Windows). There's absolutely nothing here Windows-specific at all except that the idiot only *just* discovered that password resetting by modifying the user login data is possible.

    --
    There's no place I could be, since I've found Serenity...