There's no place like 169.254.169.254 - (Ab)using cloud metadata URLs

BSides SATX · 2019 · 30:58 · 335 views · Published 2019-09
Category: Technical
Style: Talk
About this talk
Title: There's no place like 169.254.169.254 - (Ab)using cloud metadata URLs
Presenter: Brennon Thomas (@opsdisk)
Track: In The Weeds 05
Time: 1400
BSides San Antonio 2019, June 08, at St. Mary's University, San Antonio, Texas

Abstract: Most Information Technology professionals are familiar with the IP address 127.0.0.1, but what about 169.254.169.254? Cloud computing providers like Amazon Web Services and Microsoft Azure provide the URL http://169.254.169.254 to query for instance metadata. This talk first explores how the metadata URLs are supposed to be used and the type of data they contain. It then explores how they can be abused by misconfigured servers to expose sensitive data. Research and data about a specific attack vector are presented for the major cloud providers. Mitigation strategies are provided to protect assets and systems in these cloud environments.

Speaker Bio: Brennon works as a Vulnerability Analyst and Penetration Tester for Rackspace, identifying and reducing risks and threats to Rackspace's computer networks. Prior to Rackspace, Brennon worked for the Air Force, in both active duty and civilian roles, and for the private sector. He is the author of "The Cyber Plumber's Handbook", the definitive guide to SSH tunneling, which is free for students. He dabbles in bug bounties as part of the Synack Red Team and is developing a phishing prevention platform called PhishBarrel.