ORACLE CLOUD. An unprivileged user can query information about all cloud services (with IDs, admin emails, public SSH keys...) without any policy allowing it and NO WAY to block it.

An unprivileged user can use OCI to query any information about the cloud without any policy allowing it. Oracle lets it happen by default, and after almost 2 weeks talking with their support they are not considering this a security problem.

What's your opinion?

How to:
$ oci --auth instance_principal iam compartment list --all

$ oci --auth instance_principal iam compartment list --compartment-id ocid1.compartment.oc1..XXXXXXXXX

(you can get information about resources outside the VM's compartment too)

Using OCI you can get information about ANY resource in the cloud, just using "--auth instance_principal" without any policy allowing or any way to block it.

You can get information about the machine too with the metadata API:
$ wget http://169.254.169.254/opc/v1/instance/

Any request made by your service can be used to get the admin email, public ssh key and other information about the instance.

If you upgrade the metadata API version to v2, you can block it on Ubuntu; however, it still works on Oracle Linux. But there is no proper way to block it.

submitted by /u/alemunhoz

from hacking: security in practice https://ift.tt/wk8VpaK
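The post above points at the instance metadata endpoint as the place where "any request made by your service" leaks instance details, and at the v1-to-v2 upgrade as the only partial mitigation. The check below is an added example (not the poster's code and not an Oracle tool) that a defender can run on their own OCI instance to confirm whether the legacy v1 endpoint still answers unauthenticated requests. It assumes the OCI metadata layout shown in the post (http://169.254.169.254/opc/v1/instance/ and the v2 path with the "Authorization: Bearer Oracle" header that OCI IMDS v2 requires); the `fetch` parameter exists so the classification logic can be exercised offline with constructed responses.

```python
"""Probe an OCI instance's metadata service and report whether the legacy
(v1, unauthenticated) endpoint is still reachable.

Added example for self-assessment of your own instances; not part of the
original post. Assumes the OCI IMDS paths and v2 header named in the lead-in.
"""
import json
import urllib.error
import urllib.request

IMDS_BASE = "http://169.254.169.254/opc"
# OCI IMDS v2 rejects requests that lack this exact header.
V2_HEADERS = {"Authorization": "Bearer Oracle"}

# Metadata fields the post calls out as sensitive; reported if v1 exposes them.
SENSITIVE_KEYS = ("ssh_authorized_keys", "user_data")


def http_get(url, headers=None, timeout=2):
    """Return (status, body). status is None when the endpoint is unreachable."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def exposed_sensitive_keys(body):
    """List sensitive metadata keys present in a v1 /instance/ JSON body."""
    try:
        doc = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return []
    meta = doc.get("metadata", {}) if isinstance(doc, dict) else {}
    return [k for k in SENSITIVE_KEYS if k in meta]


def check_imds(fetch=http_get):
    """Classify the instance's metadata exposure.

    verdict values:
      "legacy-enabled": v1 answers plain GETs, so any HTTP request your
                        service can be made to issue (e.g. via SSRF) reads it.
      "v2-only":        only the header-authenticated v2 endpoint answers.
      "unreachable":    neither endpoint answered (probably not an OCI VM).
    """
    v1_status, v1_body = fetch(f"{IMDS_BASE}/v1/instance/")
    v2_status, _ = fetch(f"{IMDS_BASE}/v2/instance/", headers=V2_HEADERS)

    if v1_status == 200:
        verdict = "legacy-enabled"
    elif v2_status == 200:
        verdict = "v2-only"
    else:
        verdict = "unreachable"

    return {
        "v1_reachable": v1_status == 200,
        "v2_reachable": v2_status == 200,
        "verdict": verdict,
        "sensitive_keys_via_v1": exposed_sensitive_keys(v1_body) if v1_status == 200 else [],
    }


if __name__ == "__main__":
    # Stand-alone run: probes the real link-local endpoint from inside a VM.
    print(json.dumps(check_imds(), indent=2))
```

Run it from inside the instance; a "legacy-enabled" verdict means the v1 endpoint is still reachable without the v2 header, which is the condition the post describes. The injectable `fetch` keeps the decision logic testable without network access.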
