
Sunday, February 19, 2023

Cloud Maturity Model: A Guide to Measuring Your Cloud Posture

The adoption of cloud computing has become increasingly widespread over the last decade. Many organizations now use cloud services to host their applications, store their data, and deliver their services. However, while cloud adoption has many benefits, it also presents unique challenges related to security, governance, compliance, and cost management. To help organizations measure and improve their cloud posture, the Cloud Maturity Model (CMM) was created.

What is the Cloud Maturity Model?

The Cloud Maturity Model is a framework for measuring an organization's cloud adoption and maturity. The model consists of five levels, each representing a higher cloud adoption and maturity level. The five levels are as follows:
  1. Ad hoc: At this level, the organization has just started experimenting with cloud services but has yet to develop a formal cloud strategy or implement any standardized processes.
  2. Opportunistic: At this level, the organization uses cloud services in a more structured way, but each team or department still works independently, without any coordination or central governance.
  3. Repeatable: At this level, the organization has established formal cloud processes and governance and uses cloud services more strategically across the entire organization.
  4. Managed: At this level, the organization has implemented advanced cloud management and optimization practices, such as automation, cost optimization, and performance monitoring.
  5. Optimized: At this level, the organization is continuously improving its cloud operations and is using cloud services to drive innovation, digital transformation, and business growth.

How to Calculate Your Cloud Maturity

To calculate your cloud maturity, you can conduct a self-assessment against the CMM framework. Here are the steps you can follow:

Step 1: Define Your Assessment Criteria

The first step is to define your assessment criteria, which should be based on the CMM framework. Depending on your organization's specific needs and goals, you can use a predefined set of criteria or develop your own. Some common assessment criteria include:

  • Cloud strategy: Does your organization have a formal cloud strategy, and is it aligned with your business objectives?
  • Governance: Have you established clear roles and responsibilities for cloud management, and do you have a centralized cloud governance model?
  • Security: Have you implemented the appropriate security controls to protect your cloud assets and data?
  • Architecture: Have you designed your cloud architecture to meet your application and workload requirements?
  • Operations: Can you manage and monitor your cloud resources effectively, and do you have the necessary skills and tools?
  • Business alignment: Are you using cloud services to drive innovation, digital transformation, and business growth?

Step 2: Assess Your Cloud Posture

Once you have defined your assessment criteria, the next step is to assess your cloud posture. This can be done through interviews with stakeholders, surveys, documentation review, and other means. You should gather data on your current cloud practices and capabilities and rate them against the five levels of the CMM framework.

Step 3: Analyze Your Results

After you have completed your assessment, the next step is to analyze your results. You should identify the gaps between your current cloud posture and the desired level of maturity and prioritize the areas that need improvement.

Step 4: Develop an Action Plan

The final step is to develop an action plan to improve your cloud maturity. This plan should include specific, measurable, and achievable goals, a timeline, and an allocation of resources. You should also establish a system to monitor and track your progress and regularly revisit and update your cloud maturity assessment.

Conclusion

The Cloud Maturity Model provides a structured and comprehensive framework for organizations to measure and improve their cloud posture. By conducting a self-assessment and analyzing the results, organizations can identify the areas that need

Saturday, July 23, 2016

RCE in Ubiquiti Networks AirController 1.4.2

On March 31st, 2016, I found and reported a remote code execution vulnerability in Ubiquiti Networks AirController version 1.4.2, which was downloadable from http://community.ubnt.com/. This AirController version was pretty old, so there wasn't any significant risk, as users were already using an updated version.

After I configured AirController 1.4.2 on my Ubuntu machine, I started playing around with the web app. The UI was very old and unimpressive. I thought of running nmap service banner grabbing on the target where AirController was installed, and found JBoss Seam running on port 9080. I immediately Googled for existing exploits in JBoss Seam.

JBoss Seam was vulnerable to RCE, and CVE-2010-1871 was assigned to it. I landed on this blog, which had clear instructions on which function was vulnerable and how to exploit the vulnerability. To execute OS commands one has to find the indexes for the java.lang.Process and public static java.lang.Runtime java.lang.Runtime.getRuntime() methods. I had no idea where to start with finding an index; I tried finding out whether there was a Metasploit module to do so, and yet again Metasploit came to the rescue.


I ran Metasploit against the target, found the indexes, and could then exploit the vulnerability successfully by sending the crafted request below to the server:


/seam-booking/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[19].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null), 'mkdir /tmp/PWNED')}

I made a POC video of the attack.
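The exploit above rides on an EL expression (`#{...}`) smuggled into the actionOutcome query parameter, which is also what a defender can look for in web-server logs. The following detector is an added example and not code from the post or from Ubiquiti; the log lines, IP addresses and the `find_el_injection` name are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); not from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Mar/2016:10:01:02 +0000] "GET /seam-booking/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass()} HTTP/1.1" 200 512
10.0.0.6 - - [31/Mar/2016:10:01:05 +0000] "GET /seam-booking/home.seam?actionOutcome=/main.xhtml HTTP/1.1" 200 2048
10.0.0.7 - - [31/Mar/2016:10:01:09 +0000] "GET /seam-booking/home.seam?actionOutcome=%2523%257Bexpressions%257D HTTP/1.1" 500 0
10.0.0.8 - - [31/Mar/2016:10:01:11 +0000] "GET /index.html HTTP/1.1" 200 100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
EL_RE = re.compile(r"[#$]\{")  # opening of a JSF/Seam EL expression


def el_params(target):
    """Return (name, value) for every query parameter whose value carries an EL expression.

    parse_qs already percent-decodes once; a second unquote() catches double-encoded
    payloads such as %2523%257B, which the container would decode to #{ on the way in.
    """
    hits = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            if EL_RE.search(value) or EL_RE.search(unquote(value)):
                hits.append((name, value))
    return hits


def find_el_injection(log_text):
    """Scan CLF log text and return one alert per request carrying an EL expression."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        for name, value in el_params(m["target"]):
            alerts.append({"ip": m["ip"], "time": m["ts"], "param": name, "value": value})
    return alerts


if __name__ == "__main__":
    for alert in find_el_injection(SAMPLE_LOG):
        print(f'{alert["ip"]} injected EL via {alert["param"]}: {alert["value"]}')
```

Only the actionOutcome parameter is interesting for this particular CVE, but the check is applied to every parameter because any user-controlled value evaluated as EL is the same bug.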


Timeline:
March 31st, 2016 - Report Sent
March 31st, 2016 - Bug triaged
April 1st, 2016 - Resolved and Bounty Rewarded

The bounty was fairly low as the bug was in an old version. Thanks for reading! Comments and suggestions are welcome.

Friday, July 22, 2016

Delete Project Owner's Account Google Pixate

I don't have any idea how Google calculates rankings in their VRP, but this was the only bug I ever reported to Google, and it secured #74 on https://bughunter.withgoogle.com/.

Pixate was acquired by Google back in July 2015. It is a next-generation mobile interaction design service aimed at helping designers create complex animations and interactions without writing code. The platform generates 100% native mobile prototypes as they’re being designed, enabling you to refine unique experiences and communicate interactive ideas to stakeholders and team members. (Copied from http://help.pixate.com/knowledgebase/articles/461798-1-introduction)



On one bright day in June I was browsing Facebook and saw people posting about the invitations they had received for BountyCraft 2016 at Defcon. BountyCraft is an event co-sponsored by Google, Microsoft & Facebook, where they meet bug hunters from different countries, socialize, eat and have drinks. I had seen similar posts on my Facebook wall last year and wanted to be there, but I was too lazy to try and find a bug. And even if I had found one, I would not have been able to sponsor my trip to Vegas. As I had planned to attend Blackhat as well as Defcon this year, I wanted to attend this event. So here is the story of how I found that issue in Pixate.



As it is tough to find bugs on the main domain, I started looking at Google's acquisitions list. It is fairly easy to find bugs in acquisitions, as they are developed by a whole different team. I started looking for CSRF, XSS & session-related flaws and wasted almost 3 hours, as the application was pretty secure. I stopped and thought: why don't I start working on the application's logic? Here is what I analyzed and did:


"A low privileged admin user can delete project owner's account"

Steps to reproduce:
1. Log in to your account on app.pixate.com in Chrome
2. Create a cloud project and invite a user by email to collaborate
3. The user accepts the invitation and creates an account in Firefox
4. Now the project owner can see that the collaborator has joined the team
5. The project owner makes the collaborator an admin of the project in Chrome
6. The collaborator can be removed from the team only if a) the owner removes him or b) the collaborator leaves the team himself
7. The collaborator can see the owner's userId by clicking on the owner's name on the team page
8. The collaborator clicks on the remove account button, intercepts the request in a proxy, and changes the userId in the query string to the project owner's
9. As soon as all the requests and responses are forwarded from the collaborator's side, the owner's account gets deleted
10. The owner can no longer log in to his account

I created a video proof of concept which can be seen below.
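The root cause in the steps above is an account-deletion endpoint that trusts the userId in the query string instead of the session. The sketch below is an added example, not Pixate's code: `Store`, `Project`, `make_store` and the three handler functions are hypothetical names, and the sample users are constructed. It places the buggy behaviour beside a version that enforces the ownership rules the post describes.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the session user is not allowed to perform the action."""


@dataclass
class Project:
    owner_id: int
    admins: set = field(default_factory=set)


@dataclass
class Store:
    users: dict      # user_id -> display name
    projects: dict   # project_id -> Project


def make_store():
    """Constructed sample data: user 1 owns project 10, user 2 is an admin collaborator."""
    return Store(users={1: "owner", 2: "collaborator"},
                 projects={10: Project(owner_id=1, admins={2})})


def remove_account_vulnerable(store, session_user_id, user_id):
    """Mirrors the reported bug: the userId from the query string is trusted as-is,
    so any logged-in user can delete any other account."""
    store.users.pop(user_id, None)


def remove_account_fixed(store, session_user_id, user_id):
    """Account deletion is a self-only action: the target must be the session user,
    and a project owner must hand over ownership before the account can go."""
    if user_id != session_user_id:
        raise Forbidden("you may only delete your own account")
    if any(p.owner_id == user_id for p in store.projects.values()):
        raise Forbidden("transfer project ownership before deleting the account")
    del store.users[user_id]


def remove_collaborator(store, session_user_id, project_id, user_id):
    """Team-level removal as the post describes it: the owner can remove anyone
    but himself, and a collaborator can only remove himself (leave the team)."""
    project = store.projects[project_id]
    if user_id == project.owner_id:
        raise Forbidden("the project owner cannot be removed from the team")
    if session_user_id not in (project.owner_id, user_id):
        raise Forbidden("only the owner may remove other collaborators")
    project.admins.discard(user_id)
```

The fixed handler never consults the client-supplied userId for authorization, which is the general rule: identity comes from the session, and the request may only narrow what that identity is already allowed to do.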


Timeline:
June 15th, 2016 - Report sent, automated response received
June 15th, 2016 - Bug Triaged
June 15th, 2016 - Bug Filed
July 12th, 2016 - Fixed and Bounty rewarded

Finally I got invitation from Google Security team for BountyCraft 2016. Thanks for reading, comments and suggestions are welcome. 


Stored XSS in Zengine

I was working on Zengine's bug bounty program on Cobalt.io back in July 2015. As this was an old program, most of the low-hanging fruit had already been reported. I didn't expect to find an XSS when I saw Shashank on top of the list.

Zengine is a cloud-based platform that empowers a non-technical person to quickly build custom business applications, while also allowing developers to extend the application by adding integrations and complex functionality.

It all started with creating a test account on Zengine and writing an XSS payload in a new plugin's name. After you create a plugin, it gets listed on the marketplace. I was not sure if I'd find something in the application, as data validation protection was intact. After navigating through all the pages manually, I was kind of bored and clicked browse plugins in the marketplace (I don't remember exactly how I reached there, as I lost the POC video from Dropbox). To my surprise I saw a cute little prompt from the payload which I had written earlier in my new plugin. The Zengine security team patched the issue in less than 24 hours.


Zengine rewarded me $1200 for the finding with appreciation.


Timeline:
July 9th, 2015 - Report Sent
July 10th, 2015 - Bug Patched, Bounty Rewarded

Thanks for Reading! Comments and suggestions are welcome.