
From VNC to reverse shell - benjojo12
https://blog.benjojo.co.uk/post/qemu-monitor-socket-rce-vnc
======
sverhagen
> Once again, the world of security is complex and surprise features can often be fatal

This. And for me, as an application developer, who is now (willingly) ushered
into being a DevOps engineer on the side, it is scary that the tools in the
DevOps world are so easily exposing me to security risks, whereas a seemingly
much smaller set of best practices on the application side seemed to have been
_fine_ when that was all there was to my world.

~~~
tetha
In my book, the biggest difference between a sysop/devops guy and an
application developer is a broad scope vs a deep scope.

So, as a developer with an application with a simple internal security model,
yeah. There's going to be a couple of guidelines, and those will set up a
pretty hard surface for that application. For our internal application, well.
That security model is hell - I don't understand it and try to avoid it. And
we've got some picky enterprise customers; that's where the simple guidelines
don't work anymore. :)

On the operations side, you can impact each application less, but you have so
much more stuff to individually deal with in a quantitative sense. For our
SaaS clusters we have to secure 15 - 20 different applications. And for a lot
of these applications, we're the one and only line of security - you just have
to operate a mysql/postgresql database properly; these systems are pretty
secure on their own.

And that's just data security. How many developers think about backups or
disaster recovery for all of this mess? Not saying this is bad - this isn't a
job for developers, because it's a lot of work. It's mostly a point against
the notion of NoOps.

~~~
vajrabum
Just remember that NoOps isn't actually no operations. That's the cargo cult
version of NoOps. Instead it's outsourcing operations and relying on the
outsource vendor's operations team to do a better and more accountable job
than any internal team you could build.

So, a database service instead of a locally managed database and a reliance on
the service vendor to back things up, keep the code up to date and manage
reliability. That's not a bad choice but you still want someone with the
judgement to evaluate vendor claims, performance, exceptions and the like.

------
Rjevski
In this case what I would recommend is to put the entire server off the
internet, on a separate network segment where it can only talk to a proxy for
VNC & web sockets or whatever is needed to make the functionality work.

That way even if the machine does get rooted, it's very unlikely that any
damage can be done (it would have to then try and compromise the proxy - all
over VNC because you can't even get a reverse shell yet - just to be able to
gain unrestricted outbound network access).

~~~
TheDong
The service being offered is a VM which can let people do nostalgia trips,
including running IE6 on Windows 98.

It would be much less fun if the server didn't have network access.

------
yjftsjthsd-h
If the author is reading here, there's a typo: "While looked for the code
repository so I could fix it," is missing a word between "While looked".

------
henkdevries
I wonder if this works at KVM VPS providers like Digital Ocean or Vultr. Or
the smaller hosting providers with a SolusVM and WHMCS setup...

