The goal of this document is to highlight security issues in third-party tools that arise from some features of the Amazon EC2 console. We are going to explain two security threats, an XSS (cross-site scripting) and a command injection, using a second-party tool as the injection vector.
Taking our own product Elastic Detector as an example
First of all, let’s describe the context of our application. Then we will have a closer look at the security issues introduced using the Amazon EC2 console.
Elastic Detector is complementary to the Amazon EC2 console (or other management consoles). It retrieves security group information through the EC2 API and gives users a global security overview of their infrastructure on Amazon EC2. In addition, it analyses potential security threats.
The Amazon EC2 API supports a broad set of characters in the Security Group name. If, for example, we define the following name: `<script>alert("Hello World!!")</script>`
A third-party product that displays this Security Group name without sanitizing the data will show a nice "Hello World!!" alert popup when the Security Group is browsed.
Due to the same broad character support in Amazon EC2 Security Group names, we could define the following name: `cp /etc/passwd /tmp`
So, once this security group is stored in a database without sanitizing, a third-party product using shell commands such as eval, exec, mail or printf could potentially execute the injected command. As a simple example, a new file named passwd would be created in the product's /tmp directory.
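The following example is added here to illustrate both issues above (the XSS through a displayed Security Group name and the command injection through a name handed to a shell) from the consuming tool's side. It is not code from Elastic Detector or from the post; the group ids are constructed, the two odd names are the payloads quoted above, and the function names are hypothetical. It shows the unsafe pattern beside its hardened form for each output context (HTML escaping at the point of rendering, and an argv list or `shlex.quote` instead of string concatenation for anything that reaches a shell), plus a small classifier a tool could use to flag API values that carry context-relevant metacharacters.

```python
import html
import shlex
import subprocess

# Constructed sample of what a tool gets back from the EC2 API. The two odd
# names are the payloads discussed in the post; the group ids are made up.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaaaaaaaaaaaaaa1", "GroupName": "web-servers"},
    {"GroupId": "sg-0aaaaaaaaaaaaaaa2", "GroupName": '<script>alert("Hello World!!")</script>'},
    {"GroupId": "sg-0aaaaaaaaaaaaaaa3", "GroupName": "`cp /etc/passwd /tmp`"},
]

# Characters that matter in each output context. A name is not "bad" for
# containing them; it only has to be encoded correctly for where it is used.
HTML_METACHARS = set('<>&"\'')
SHELL_METACHARS = set("`$;|&\n")


def classify_name(name):
    """Return the output contexts in which this API value needs care.

    Useful as a detection aid: log or alert when an external name carries
    characters that would matter if it were ever rendered or shelled out.
    """
    contexts = set()
    if HTML_METACHARS & set(name):
        contexts.add("html")
    if SHELL_METACHARS & set(name):
        contexts.add("shell")
    return contexts


def render_group_row_unsafe(group):
    """The pattern the post warns about: the API value is pasted straight into HTML."""
    return f"<tr><td>{group['GroupId']}</td><td>{group['GroupName']}</td></tr>"


def render_group_row(group):
    """Hardened form: escape every API-sourced value at the point of output."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(group["GroupId"], quote=True),
        html.escape(group["GroupName"], quote=True),
    )


def build_log_command_unsafe(group):
    """Shell string built by concatenation; a shell would expand the backticks."""
    return f"echo {group['GroupName']} >> /tmp/groups.log"


def build_log_command_quoted(group):
    """If a shell string is unavoidable, quote the value so it stays one literal word."""
    return "echo {} >> /tmp/groups.log".format(shlex.quote(group["GroupName"]))


def build_log_argv(group):
    """Preferred form: an argv list run without a shell, so nothing gets parsed."""
    return ["printf", "%s\n", group["GroupName"]]


def echo_name_via_subprocess(group):
    """Run the argv form; the name comes back verbatim, never interpreted."""
    result = subprocess.run(build_log_argv(group), capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    for sg in SAMPLE_SECURITY_GROUPS:
        print(sg["GroupName"], "->", sorted(classify_name(sg["GroupName"])))
        print("  html :", render_group_row(sg))
        print("  shell:", build_log_command_quoted(sg))
```

The classifier is deliberately context-specific: `<script>` is only a problem where the name is rendered as HTML, and backticks only where the name reaches a shell, so encoding is chosen per output sink rather than by stripping characters on storage (which would also alter legitimate names the user chose in the EC2 console).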
NB: The same could be done using Amazon EC2 Security Instance Tags; in fact, every field in Amazon EC2 supports broad characters.
These two security issues illustrate that a third-party tool MUST check and sanitize user input (like all software), but must also check and sanitize any data coming from other tools or SaaS services.
We would like to thank the Amazon Security Team (especially Don Bailey), who fully collaborated and confirmed that broad character support is a feature of Amazon Web Services, and the Certilience Team, who helped us as an external auditor of our code.