[Openstack-security] Deriving Instance UUID

Michael Still mikal at stillhq.com
Tue Dec 10 15:02:06 UTC 2013


Hmmm.

If you know the UUID of an instance, and can assume default
configurations, then you know a bunch of information about how the
files on the hypervisor disk are laid out.

Assuming:
 - you're running an old release without patches (I'm thinking Folsom
from memory?)
 - and have file injection turned on
 - and know the path to another instance's data
 - then that might make it possible to manipulate files in the
instance directory

This is very theoretical though, there's a lot of assumptions there.

Michael

On Mon, Dec 9, 2013 at 4:52 PM, Sriram Subramanian
<sriram at sriramhere.com> wrote:
> Thanks for the reply all.
>
> If I have the UUID of an instance of another tenant, what more can I do with
> it? In other words, what is the impact of someone guessing/inferring the UUID
> of an instance that they don't belong to?
>
> RBAC would prevent controlling the state of the VM. Is there any way one can
> get access to the VM itself?
>
> Thanks,
> -Sriram
>
>
> On Mon, Dec 9, 2013 at 1:42 PM, Brian Schott
> <brian.schott at nimbisservices.com> wrote:
>>
>> You probably have to wait about 100 years for that test ;-).  However, you
>> are right that this is system dependent.  I came across this bug in mac os x
>> when googling for the birthday problem table.  After a fork,
>> uuid_generate_random() generates the same UUID in every child!
>>
>>
>> http://stackoverflow.com/questions/2759644/python-multiprocessing-doesnt-play-nicely-with-uuid-uuid4
>> http://bugs.python.org/issue8621
>> http://openradar.appspot.com/radar?id=334401
>>
>>
>> -------------------------------------------------
>> Brian Schott, CTO
>> Nimbis Services, Inc.
>> brian.schott at nimbisservices.com
>> ph: 443-274-6064  fx: 443-274-6060
>>
>>
>>
>> On Dec 9, 2013, at 4:23 PM, Cody Bunch <cody.bunch at rackspace.com> wrote:
>>
>> Thanks! I'd replied, but seems I left the list off. The Nova sources
>> (nova/openstack/common/uuidutils.py) use Python's uuid.uuid4() to generate
>> the uuids. The Python source for UUID4 seems to pull from a number of
>> methods, going to (u)random or Python's random module, so heavily dependent
>> on system(s) it's being run from:
>> http://hg.python.org/cpython/file/ec8d2f54dcb2/Lib/uuid.py
>>
>> I did throw up a quick test to see if I can find a match... so far I've
>> generated 20 million UUIDs and not had a collision (didn't expect one, but
>> it's good to see):
>> https://gist.github.com/bunchc/7880710
>>
>> It also seems that other services may use their own UUID generation or so,
>> I've not looked into that however.
>>
>> -C
>> ________________________________
>> From: Brian Schott [brian.schott at nimbisservices.com]
>> Sent: Monday, December 09, 2013 3:16 PM
>> To: Clark, Robert Graham
>> Cc: openstack-security at lists.openstack.org
>> Subject: Re: [Openstack-security] Deriving Instance UUID
>>
>> Rob,
>>
>> That is a hard question.  The short answer is that it depends on the type
>> of UUID.  Type 1 () is mac address of the server + timestamp, so probability
>> of guessing another UUID in the system is very high.  Type 4 (random) has
>> 122 bits, so probability of collision is extremely small and is also
>> dependent on having a good random number generator.  A poor implementation
>> might be predictable.  Type 5 (namespace) has fewer bits depending on the
>> size of the namespace.
>>
>> http://en.wikipedia.org/wiki/Birthday_problem#Probability_table
>>
>> I think in general web url usage, a bare UUID as authentication mechanism
>> isn't considered good practice, but it really depends on how many elements
>> you have in the system, how it is protected from brute-force attacks, etc.
>>
>> Brian
>>
>> -------------------------------------------------
>> Brian Schott, CTO
>> Nimbis Services, Inc.
>> brian.schott at nimbisservices.com
>> ph: 443-274-6064  fx: 443-274-6060
>>
>>
>>
>> On Dec 9, 2013, at 3:06 PM, Clark, Robert Graham <robert.clark at hp.com>
>> wrote:
>>
>> Guys,
>>
>> Is there any way you know of to infer or guess at the UUID of a compute
>> instance belonging to another tenant?
>>
>> -Rob
>> _______________________________________________
>> Openstack-security mailing list
>> Openstack-security at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>>
>>
>>
>>
>
>
>
> --
> Thanks,
> -Sriram
>
>



-- 
Rackspace Australia
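Two points in the thread above lend themselves to a worked check: Brian's birthday-problem estimate for 122-bit random UUIDs (and Cody's 20-million-UUID run finding no collision), and the fork bug where a child process inherits its parent's random state and repeats the same "random" UUID. The following is an added example, not code from the thread, from Nova or from CPython. It is a defender's self-check: the birthday bound is computed directly, and a real fork shows that a user-space PRNG seeded before forking (the constructed seed is arbitrary) is duplicated into every child, whereas a UUID drawn from os.urandom, which is what uuid.uuid4() uses in current CPython, is fresh per process. It assumes a POSIX system with os.fork.

```python
import math
import os
import random
import uuid


def collision_probability(n: int, bits: int = 122) -> float:
    """Birthday bound: probability that at least two of n uniformly random
    `bits`-bit values collide, p ~= 1 - exp(-n*(n-1) / 2^(bits+1)).
    expm1 keeps precision when the result is tiny."""
    return -math.expm1(-n * (n - 1) / 2.0 ** (bits + 1))


def values_for_probability(p: float, bits: int = 122) -> float:
    """Approximate number of random values needed before a collision
    happens with probability p (inverse of the bound above)."""
    return math.sqrt(2.0 ** (bits + 1) * -math.log1p(-p))


# Constructed, deliberately weak setup: a user-space PRNG seeded once in the
# parent. After fork() every child starts from an identical copy of this state.
_PRNG = random.Random(0xC0FFEE)  # arbitrary constructed seed


def prng_uuid() -> str:
    """Version-4-shaped UUID built from the inherited PRNG (the hazard)."""
    return str(uuid.UUID(int=_PRNG.getrandbits(128), version=4))


def urandom_uuid() -> str:
    """uuid.uuid4() reads 16 bytes from os.urandom, i.e. kernel entropy that
    is not copied across fork, so each child gets its own value."""
    return str(uuid.uuid4())


def first_value_in_child(draw) -> str:
    """Fork, call draw() once in the child, and hand the result back through a pipe."""
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child
        os.close(read_fd)
        os.write(write_fd, draw().encode())
        os._exit(0)
    os.close(write_fd)  # parent
    data = b""
    while True:
        chunk = os.read(read_fd, 4096)
        if not chunk:
            break
        data += chunk
    os.close(read_fd)
    os.waitpid(pid, 0)
    return data.decode()


def children_collide(draw, children: int = 3) -> bool:
    """True if any two freshly forked children produce the same first value.
    The parent never calls draw(), so each child sees the same inherited state."""
    values = [first_value_in_child(draw) for _ in range(children)]
    return len(set(values)) < len(values)


if __name__ == "__main__":
    print("p(collision) after 20 million random UUIDs:",
          collision_probability(20_000_000))
    print("UUIDs needed for a 50% collision chance:",
          values_for_probability(0.5))
    print("forked children repeat a seeded PRNG UUID:", children_collide(prng_uuid))
    print("forked children repeat an os.urandom UUID:", children_collide(urandom_uuid))
```

The bound reproduces the Wikipedia probability table Brian links (about 2.7e18 values for a 50% chance at 122 bits) and shows why Cody's 20 million draws could not realistically collide. The fork check is the property to verify on any platform where libuuid or a PRNG sits behind UUID generation: if it reports a repeat, instance identifiers are predictable across workers and reseeding after fork is required.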



