Plenty of vulnerable default welcome pages can be found on a cloud attack surface. Software engineers who understand AWS cloud characteristics or users who have encountered AWS’ default welcome pages can detect neglected systems in a default welcome page state using Open Source Intelligence (OSINT) searches. Furthermore, it is not necessary to know specific product names to find AWS assets on a cloud attack surface.

This article is the second part of Default welcome page exposure: A Significant Security Risk, so it is strongly recommended that readers read the previous article first.

Using Neglected AWS Assets to Detect a Cloud Attack Surface

It is easy to find default AWS systems by searching for “Instance data”, mainly because cloud workloads commonly run on Virtual Machine (VM) instances.

https://www.criminalip.io/asset/search?query=%22Instance%20data%22

“Instance data”

Vulnerable AWS cloud attack surfaces found using the "Instance data" keyword

As seen in the screenshot below, the default welcome page of this Instance data webpage contains sensitive information such as the VM instance ID, private IP address, AWS Region, and even Relational Database Service (RDS) information.

Sensitive information exposed to AWS main page found with the "Instance data" keyword

Searching with the string “class=VmInfo” shows plenty of system IP addresses associated with VM servers. In particular, there are search results where the HTML title is displayed as “Document”, as shown in the image below. Accessing the webpage revealed that this web application contained VM information for cloud services such as AWS and Azure.

https://www.criminalip.io/asset/search?query=%22class%3DVmInfo%22

“class=VmInfo”

Search results of "class=VmInfo" on Criminal IP Asset Search

This web application access screen contains AWS VM information.

Security Vulnerabilities in AWS CloudFormation

Cloud attack surfaces can also be detected in AWS services. Among them, CloudFormation has its fair share of default welcome pages and is therefore exposed to increased security risk. AWS CloudFormation is a service that reads AWS resources declared in template files and creates those resources. CloudFormation therefore makes it easy to model, provision and manage AWS and third-party resources, because the infrastructure is automated by treating it as software code.

https://www.criminalip.io/asset/search?query=title:%22AWS%20CloudFormation%20PHP%20Sample%22

title:“AWS CloudFormation PHP Sample”

Search results shown for title:"AWS CloudFormation"

Neglecting the security of this convenient automation system can give attackers a way in and something to exploit. This screenshot, sourced from Criminal IP Asset Search (https://www.criminalip.io/asset), is the results page for the search “title:AWS CloudFormation PHP Sample”.

The results show a total of 824 IP addresses associated with CloudFormation default welcome pages. Accessing just one of these myriad results revealed critical information such as server information, EC2 instance information, database information, and PHP information, the last of which turned out to be the output of phpinfo() left running on this web server. Although this particular server only had one particular command executed, this template can store text files with any extension, such as .json, .yaml, .template, or .txt. This means that an attacker who finds a default welcome page with broader access could take further action and potentially cause serious damage.

CloudFormation default welcome page with exposed Server, EC2 instance, Database information and PHP information leaked as a result of phpinfo() left running on the server

Cloud Attack Surface Detection for Amazon AWS Elastic Compute Cloud (EC2)

By using the keyword “Amazon EC2 Instance”, users can find attack surface assets on Amazon AWS Elastic Compute Cloud (EC2). The search results reveal default welcome pages containing EC2 instance IDs.

https://www.criminalip.io/asset/search?query=amazon%20EC2%20Instance

“Amazon EC2 Instance”

Search results shown for "Amazon EC2 Instance" as found on Criminal IP Asset Search

Default welcome page exposing Amazon EC2 Instance ID

Finding AWS Parallel Cluster’s Default Welcome Pages

AWS ParallelCluster is an open source cluster management tool that enables users to deploy and manage AWS High Performance Computing (HPC) clusters, and helps automatically set up the required resources and shared file systems. Search results for the keyword “AWS ParallelCluster” show a total of 185 exposed attack surface assets.

https://www.criminalip.io/asset/search?query=AWS%20ParallelCluster

AWS ParallelCluster

Search results for default welcome pages shown for "AWS ParallelCluster" on Criminal IP Asset Search

Accessing the IP addresses in the results redirects to AWS ParallelCluster’s default page, as shown below.

Screenshot of a neglected AWS Parallel Cluster Default Welcome Page

Why are Default State Systems left on the Attack Surface?

People would usually lay the blame at the feet of the neglectful software engineer who left these default welcome pages open to exploitation. Unfortunately, this is not a trait peculiar to lazy folk, but a common mistake made by even the most meticulous software engineers. Default welcome pages have always been easy attack surface targets for hackers, but recently they have shown themselves to be vulnerable on cloud attack surfaces as well, intensifying the risk they pose to IT assets.

Usually, default welcome pages are removed properly when systems are installed one at a time. However, cloud engineers tend to automate hundreds of system setups at the same time, and the provisioning scripts then leave out the cleanup of some resources. The same oversight also happens when resources are handed over between departments.

If there is no security vulnerability such as a CVE issue when the web application is running in its default state, it may be difficult to detect the exposure in a typical security check or an ordinary Attack Surface Management (ASM) system. Therefore, teams running large systems must manage their attack surfaces based on precise threat intelligence, checking whether any system is up and running in its default page state.
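As an illustration of that ASM check, added here and not part of the original article or of Criminal IP’s tooling, the following Python code classifies HTTP response bodies collected from your own asset inventory against the default welcome page fingerprints discussed in this article, and raises the severity when the page also discloses the details the article saw leaked (instance ID, private IP, region, RDS endpoint). The hostnames and response bodies are constructed samples.

```python
import re

# Fingerprints taken from the search keywords this article walks through.
DEFAULT_PAGE_SIGNATURES = {
    "aws-instance-data": re.compile(r"Instance data", re.I),
    "vminfo-page": re.compile(r'class="?VmInfo"?', re.I),
    "cloudformation-php-sample": re.compile(r"<title>\s*AWS CloudFormation PHP Sample", re.I),
    "ec2-instance-default": re.compile(r"Amazon EC2 Instance", re.I),
    "parallelcluster-default": re.compile(r"AWS ParallelCluster", re.I),
    "phpinfo-exposed": re.compile(r"phpinfo\(\)|PHP Version", re.I),
}

# Details the article saw disclosed on such pages; any hit raises the severity to high.
LEAK_MARKERS = {
    "instance-id": re.compile(r"\bi-[0-9a-f]{8,17}\b"),
    "private-ip": re.compile(r"\b(?:10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])|192\.168)\.\d{1,3}\.\d{1,3}\b"),
    "aws-region": re.compile(r"\b(?:us|eu|ap|sa|ca|af|me)-[a-z]+-\d\b"),
    "rds-endpoint": re.compile(r"\.rds\.amazonaws\.com\b", re.I),
}


def classify(body: str) -> dict:
    """Classify one HTTP response body by default-page signatures and leaked details."""
    signatures = [name for name, rx in DEFAULT_PAGE_SIGNATURES.items() if rx.search(body)]
    leaks = [name for name, rx in LEAK_MARKERS.items() if rx.search(body)]
    if not signatures:
        severity = "none"    # not a default welcome page
    elif leaks:
        severity = "high"    # default page that also discloses infrastructure details
    else:
        severity = "medium"  # default page, nothing sensitive visible
    return {"signatures": signatures, "leaks": leaks, "severity": severity}


def audit(inventory: dict) -> list:
    """Run classify() over {host: body} for your own assets; findings come highest severity first."""
    findings = [{"host": host, **classify(body)} for host, body in inventory.items()]
    findings = [f for f in findings if f["severity"] != "none"]
    return sorted(findings, key=lambda f: f["severity"] != "high")

# Constructed sample bodies for hypothetical hosts, modelled on the pages shown in the article.
SAMPLE_BODIES = {
    "vm-a.example.internal": "<html><title>Instance data</title><body><p>Instance ID: i-0abc1234def567890</p>"
        "<p>Private IP: 10.0.1.25</p><p>Region: ap-northeast-2</p>"
        "<p>RDS: mydb.sample.ap-northeast-2.rds.amazonaws.com</p></body></html>",
    "web-b.example.internal": "<html><head><title>AWS CloudFormation PHP Sample</title></head>"
        "<body><h1>Hello</h1></body></html>",
    "app-c.example.internal": "<html><title>Corp Portal</title><body>Welcome.</body></html>",
}
```

Extend DEFAULT_PAGE_SIGNATURES with any other default-page strings observed in your own environment; the severity logic stays the same.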

Source : Criminal IP (https://www.criminalip.io)