Virtualization Security – The How To Guide – Part 3

by N3rdyGrl on May 12, 2010

OVERVIEW

This is the third technical article from Orthus summarising the platform-focused industry research into the security of virtualisation platforms. It outlines the second of three categories of virtualised-platform-specific vulnerabilities, namely bypasses of virtual machine environment protection.

CONCERNS OVER ISOLATIONISM…

The detection of virtual machine environments (see the previous article) is merely one weapon in the attacker's armoury; there also exist a number of mechanisms for bypassing the supposed isolation between guest and host operating systems and processes. In the same presentation in which Ed Skoudis and Tom Liston discussed remote detection of virtual machine environments, they highlighted a number of utilities that bypass the isolation supposedly inherent in platform virtualisation technologies, VMware in particular. The utilities discussed worked in VMware Workstation 4 and 5 (and may well be applicable to VMware Workstation 6). VMware Workstation has an inbuilt communications channel that allows the host and guest operating system instances to communicate, commonly referred to as the backdoor. By combining this channel with DLL injection they were able to build a suite of tools that circumvent the isolation of partitions and platforms. These tools had not been publicly disclosed at the time of writing (perhaps in no small part because much of Skoudis and Liston's research was sponsored by the United States Department of Homeland Security); however, publicly released tools are available for attackers and legitimate researchers alike.

Most notable among these is the VM Back suite of tools developed by Ken Kato[i] and other contributors. The VM Back utilities exploit the Backdoor I/O functionality that forms part of many VMware binary distributions. The backdoor is used by VMware itself to configure the guest at runtime (the official VMware Tools use it too), and it is reachable from ordinary code inside the guest: the code loads a magic value into EAX and a command number into ECX and reads from a specific I/O port, an access that VMware intercepts and services rather than handing the guest a fault. At the time of writing there are twenty known commands that can be issued over this channel; they apply to VMware products on both Windows and Linux hosts, namely:

Command number   Description
01h              Get processor speed
02h              Invoke APM function on virtual machine
04h              Get mouse pointer position
05h              Set mouse pointer position
06h              Get text length from clipboard
07h              Get text from clipboard
08h              Set text length to clipboard
09h              Set text to clipboard
0Ah              Get VMware version information
0Bh              Get device information
0Ch              Connect / disconnect a device
0Dh              Get GUI options setting
0Eh              Set GUI options setting
0Fh              Get host screen size
11h              Get virtual hardware version
12h              Pop up "OS Not Found" dialog
13h              Get BIOS UUID
14h              Get memory size
17h              Get host system time
1Eh              Enhanced RPC

TOOLING & EXPLOITATION

By exploiting the Backdoor I/O functionality, Ken Kato and others have created a number of utilities that bypass the supposed isolation between guest and host operating systems in a virtual machine environment. Indeed, in February 2008 the security research group Core Labs used one such application, VMFTP, to help exploit a directory traversal vulnerability in VMware's shared folders feature (CVE-2008-0923), which was enabled by default and allowed a user of the guest OS to obtain read and write access to the host file system. The clipboard and GUI-option commands in the table above correspond to the isolation.tools.copy.disable, isolation.tools.paste.disable and isolation.tools.setGUIOptions.enable settings in a virtual machine's .vmx configuration file; restricting them is the standard hardening step for guests that do not need that functionality.

NEXT TIME…

In our next article we will discuss the final category of virtualised-platform-specific vulnerability, namely virtual machine environment destruction.

Sean Bennett is Commercial Director at Orthus, a leading professional services firm focused on helping organisations globally to secure their technical environments and manage risk. For advice or support in securing your virtualization deployment or virtualized environment contact Orthus (EMEA) on +44 (0)203 170 8955 or visit www.orthus.com
