Plenty of vulnerable default welcome pages can be found on a cloud attack surface. Software engineers who understand AWS cloud characteristics or users who have encountered AWS’ default welcome pages can detect neglected systems in a default welcome page state using Open Source Intelligence (OSINT) searches. Furthermore, it is not necessary to know specific product names to find AWS assets on a cloud attack surface.
This article is the second part of Default welcome page exposure: A Significant Security Risk, so it is highly recommended that readers read the previous article first.
Using Neglected AWS Assets to Detect a Cloud Attack Surface
It is easy to find default AWS systems by searching for “Instance data,” mainly because cloud storage is prone to using Virtual Machine (VM) instances.
https://www.criminalip.io/asset/search?query=%22Instance%20data%22

Vulnerable AWS cloud attack surfaces found using the keyword “Instance data”
As seen in the screenshot below, the default welcome page of this Instance data webpage contains sensitive information such as VM instance ID, Private IP address, AWS Region, and even Relational Database Service (RDS) information.

Sensitive information found with the keyword “Instance data” exposed on the AWS main page
Searching with the string “class=VmInfo”, shows plenty of system IP addresses associated with VM servers. In particular, there are search results where the HTML title is displayed as “Document,” as shown in the image below. Accessing the webpage revealed that this web application contained VM information of cloud services such as AWS and Azure.
https://www.criminalip.io/asset/search?query=%22class%3DVmInfo%22

Search results of “class=VmInfo” on Criminal IP Asset Search

This web application access screen contains AWS VM information.
Security Vulnerabilities in AWS CloudFormation
Cloud attack surfaces can also be detected in AWS services. CloudFormation faces increased security vulnerabilities due to default page exposure issues. AWS CloudFormation is a service that analyzes AWS resources written in template files and creates said resources. Cloud Formation allows you to automate your infrastructure by processing it as software code, making it easy to model, provision, and manage AWS and third-party resources.
https://www.criminalip.io/asset/search?query=title:%22AWS%20CloudFormation%20PHP%20Sample%22

Search results for title:”AWS CloudFormation PHP Sample” on Criminal IP Asset Search
Neglecting security issues of this convenient automation system can allow hackers to access it for exploitation on their end. The screenshot above is from searching for “title:AWS CloudFormation PHP Sample” in Criminal IP Asset Search (https://www.criminalip.io/asset).
The results show a total of 824 IP addresses associated with CloudFormation default welcome pages. Accessing just one of these myriad results revealed critical information such as Server information, EC2 Instance information, Database information, and PHP Information, which turned out to be the result of phpinfo() left running on this web server. Currently, it is just a phpinfo() screen, but CloudFormation templates can save files as text files with any extension, such as .json, .yaml, .template, or .txt, so if a hacker finds a default page with more access, they can take additional actions with data extraction.

CloudFormation default welcome page with exposed Server, EC2 instance, Database information and PHP information leaked as a result of phpinfo() left running on the server
Cloud Attack Surface Detection for Amazon AWS Elastic Compute Cloud (EC2)
By using the keyword “Amazon EC2 Instance”, users can find attack surface assets on Amazon AWS Elastic Compute Cloud (EC2). The results show default pages that contain EC2 instance ID information.
https://www.criminalip.io/asset/search?query=amazon%20EC2%20Instance

Search results shown for “Amazon EC2 Instance” as found on Criminal IP Asset Search

Default welcome page exposing Amazon EC2 Instance ID
Finding AWS Parallel Cluster’s Default Welcome Pages
AWS Parallel Cluster is an open source cluster management tool that enables users to deploy and manage AWS High Performance Computing (HPC) clusters, and helps in automatically setting up required resources and shared file systems. Search results with the keyword “AWS ParallelCluster” shows a total of 185 exposed attack surface assets.
https://www.criminalip.io/asset/search?query=AWS%20ParallelCluster

Search results for AWS ParallelCluster on Criminal IP Asset Search
The retrieved IP addresses will take you to a site like an image below, which is the default page of the AWS Parallel Cluster.

Screenshot of a neglected AWS Parallel Cluster Default Welcome Page
Why are Default State Systems left on the Attack Surface?
It is common to think, “Is there an engineer who leaves without completing the setup after installing or initializing the system?” However, countless systems on the internet are left in the default state. Default pages have become a problem not only for traditional web applications but also as a cloud attack surface point in recent years.
It is rare to have a default page that does not finish setting if installing only one system at a time, but nowadays, cloud engineers often script and automate hundreds of systems simultaneously to finalize the setup. In such cases, some resources are missing, like holes, and others are missing when resources are transferred to other departments.
Suppose there is no security vulnerability, such as CVE, when the web application is enabled by default. In that case, it may be difficult to detect with general security checks or ordinary attack surface management systems. Therefore, teams operating large systems must perform attack surface management based on precise intelligence to ensure the system is not running in the default page state.
Source : Criminal IP (https://www.criminalip.io)
Related Article:
[…] Cloud Attack Surfaces: Detecting Active AWS Assets Left Unattendedby Criminal IP on August 30, 2022 at 11:48 am […]