Monday, February 25, 2008

Critical VMWare Vulnerabililty

Well, it finally happened. A critical vulnerability in VMWare that allows someone to break into the host operating system was announced today. It was only a matter of time.

Virtual machines, such as VMWare, have two levels:

1) the host operating system which runs the actual virtual machine software (the physical machine)
2) the guest operating system(s) which run within the virtual machine software (the virtual machines)

For the most part, the host and guest operating systems are separate and the guest operating system is not able to access anything on the host OS, unless specifically allowed through services offered on the host OS. Commonly, access to files on the VMWare host OS is given through "Shared Folders" - essentially the same thing that you see when you share a folder within Windows.

Up until now, the majority of attacks against virtual machines have been to detect them. This is useful for malware to do because many analysts examine malware within a virtual machine. If the malware detects a VM, it can alter its execution path or stop running altogether. (You have to wonder when malware authors are going to realize corporations are beginning to use virtualization more and they are missing a huge target base by doing this.)

The only publicly-announced success of breaking out of a virtual machine (that I am aware of) is from a presentation given by Tom Liston and Ed Skoudis on some work they performed. While they showed their programs working they did not reveal details on how they were able to break out of the guest OS.

This latest VMWare vulnerability appears to be from Core Security. There aren't many details available at this time. However, it looks like if you are running VMWare with a Windows host OS and you have Shared Folders enabled, then a directory traversal attack is possible which would allow an attacker to read or write arbitrary files on your host OS. Not good.

While these circumstances may seem unlikely, they really aren't. Shared Folders is enabled by default in many versions of VMWare, and while you still need to have at least one shared folder mapped, many VM installations do.

This could allow an attacker to arbitrarily read or write files on the host OS (although I am unsure right now if execution is possible). With this ability, an attacker could trojan or infect system executables, rewrite the VM configuration file, read the SAM database, etc. Fortunately, the workaround is to just disable Shared Folders until you patch.

VMWare Advisory
ISC SANS Diary Entry
CVE Entry - CVE-2007-1744
Core Security Advisory including Proof of Concept Exploit

No comments: