VMware has issued a security bulletin [1] and published remediated
versions of VMware Workstation, Player, ACE, Server and Fusion, and
patches for ESX and ESXi that fix this issue.
Warning: It is not enough to install the new version or the patch; it is
also necessary to upgrade VMware Tools in each affected virtual machine.
On VMware Workstation, Player, ACE, Server and Fusion, the user will be
automatically prompted to upgrade, while there will be no such prompt on
ESX and ESXi. The upgrade of VMware Tools requires a subsequent reboot of
the virtual machine.
======
2) Bug
======
DOSBox acts as a virtual machine in which the filesystem is limited to
the folders that the user decides to mount as virtual drives and any
instruction is emulated within DOSBox without accessing the external
resources and memory.
So in practice the emulated DOS program can work only inside this
"cage" (that's also why it is possible to run viruses and malware without
III. ANALYSIS
Exploitation of this vulnerability allows an unprivileged local user to
patch and execute arbitrary code within the kernel of a Windows guest
operating system. In order to exploit the vulnerability, an attacker
needs to be able to login to the target VMware guest virtual machine
and execute a specially crafted executable.
IV. DETECTION
iDefense confirmed the existence of this vulnerability in hgfs.sys as
untrusted code (including applets) to elevate its privileges.
CVE-2011-0864
Hotspot, the just-in-time compiler in OpenJDK, mishandled
certain byte code instructions, allowing untrusted code
(including applets) to crash the virtual machine.
CVE-2011-0865
A race condition in signed object deserialization could
allow untrusted code to modify signed content, apparently
leaving its signature intact.
> non-admin on the host can still execute admin-level scripts on the guests.
>
> I obviously did not discover this issue--the API developers provided it as a
> feature-I am simply pointing out the potential danger, that it was a poor
> design decision, and that there is a need to establish best practices for
> virtual machine guest and host isolation.
I don't see this as a serious problem. This is the virtual equivalent of no
physical security. If the host OS (or an account within it) is compromised,
of course all bets are off when it comes to a virtual machine running within
it.
a qemu disk to determine its format and did not require that the format be
declared in the XML. This is considered a security problem in most
deployments and this version of libvirt will default to the 'raw' format
when the format is not specified in the XML. As a result, non-raw disks
without a specified disk format will no longer be available in existing
virtual machines.
The libvirt-migrate-qemu-disks tool is provided to aid in transitioning
virtual machine definitions to the new required format. In essence, it will
check all domains for affected virtual machines, probe the affected disks
and update the domain definition accordingly. This command will be run
============================================================
WORKSHOPS
* Assurable and Usable Security Configuration
* Digital Rights Management
* Virtual Machine Security
* Security and Artificial Intelligence
* Secure Execution of Untrusted Code
* Privacy in the Electronic Society
* Cloud Computing Security
* Digital Identity Management
Potential security vulnerabilities have been identified in HP Insight Control Power Management for Windows. The vulnerabilities could be exploited remotely resulting in cross site scripting (XSS) or cross site request forgery (CSRF).
References: CVE-2010-4023 (XSS), CVE-2010-4024 (CSRF)
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Insight Control virtual machine management prior to v6.2
Note: HP BladeSystem Matrix Infrastructure also supplies HP Insight Software. HP Insight Control Power Management is available as part of HP Insight Software.
BACKGROUND
IMPACT
------
The vulnerability described in this document could hypothetically be
exploited by unprivileged code running in a VMware virtual machine
(guest) in order to execute code in the host VMX process, thereby
breaking out of the virtual machine; however, such exploitation has
not been proven.
access the physical box, there's nothing more you can do. Well, that's just
not true anymore. You very well can protect a physical machine and you
should be able to protect a virtual guest from its host. There's no way a
non-admin user is going to be able to modify the RAM of a vm. And in Windows
Vista, if not already blocked, even as an administrator I would have to
explicitly allow a worm to access the RAM or disk of a virtual machine. No
worm is going to access a vm's resources without a UAC prompt coming up.
The argument that owning a physical machine automatically means game over
just isn't true. We should be able to say the same thing about a VM.
awards [3] for which a Software Development Kit (SDK) was made available
in November 2007.
The Android Software Development Kit includes a fully functional
operating system, a set of core libraries, application development
frameworks, a virtual machine for executing application and a phone
emulator based on the QEMU emulator [4]. Public reports as of February
27th, 2008 state that the Android SDK has been downloaded 750,000 times
since November 2007 [5].
Several vulnerabilities have been found in Android's core libraries for
Background:
==========
ActionScript code is compiled into ActionScript Byte Code segments,
loaded by AVM2 (ActionScript Virtual Machine 2).
These segments are described by the abcFile structure:
abcFile
{
u16 minor_version
u16 major_version
========================================================================
Workshop on Virtual Machine Security (VMSec 2009)
http://csis.gmu.edu/VMSec09/
This workshop, the first of its kind to deal exclusively with virtual
machine security, will tackle the important research topics in
virtualization security. This workshop aims to bring together leading
buffer. The calculation contains an off-by-one error, which can result
in a heap overflow.
The second vulnerability occurs when parsing TrueType Font (TTF) font
files. TrueType font files contain "font programs" that are executed in
a TrueType virtual machine. One of the instructions in the instruction
set is 'SHC', which is used to shift a contour in the font by a
specified value. When parsing this instruction, the code doesn't
correctly validate an array index, which leads to an off-by-one heap
overflow.
Buffer overflow in the ASN.1 BER dissector in Wireshark 0.10.13 through
1.0.13 and 1.2.0 through 1.2.8 has unknown impact and remote attack
vectors (CVE-2010-2284).
Buffer overflow in the SigComp Universal Decompressor Virtual Machine
dissector in Wireshark 0.10.8 through 1.0.13 and 1.2.0 through 1.2.8
has unknown impact and remote attack vectors (CVE-2010-2287).
_______________________________________________________________________
References:
Problem Description:
Qemu 0.9.1 and earlier does not perform range checks for block
device read or write requests, which allows guest host users with
root privileges to access arbitrary memory and escape the virtual
machine. (CVE-2008-0928)
The updated packages have been patched to prevent this.
_______________________________________________________________________
References:
The vulnerability described above allows attackers to access the content
of the following pages without being authenticated:
. Log Viewer: 'http://<GlassFish_IP>:4848/common/logViewer/logViewer.jsf'
. Information about the Java Virtual Machine installed on the server:
'http://<GlassFish_IP>:4848/common/appServer/jvmReport.jsf'
. Installed components:
'http://<GlassFish_IP>:4848/updateCenter/installed.jsf'
. Properties of an existing JDBC connection pool, including DB
password:
> accomplish some of the other attacks mentioned.
Your position seems to be that an easy automated scripting interface is a
lot more dangerous than a slightly harder indirect attack method. The
truth is that they are both scriptable and reliable. Techniques for
attacking virtual machines from the host are certainly no harder to code
than the average remote exploit that worms used to propagate. Do you
really think a worm writer who wants to compromise VMWare guests would
take advantage of a scripting interface but shy away from the task if he
had to write custom code to break into the guest?
Advisory URL: https://www.isecpartners.com/advisories/2008-01-flash.txt
Vendor Advisory URL: http://www.adobe.com/support/security/bulletins/apsb08-22.html
Summary:
--------
iSEC applied targeted fuzzing to the ActionScript 2 virtual machine used
by the Adobe Flash player, and identified several issues which could
lead to denial of service, information disclosure or code execution
when parsing a malicious SWF file. The majority of testing occurred
during 120 hours of automated SWF-specific fault injection testing
in which several hundred unique control paths were identified that
IMPACT
------
By exploiting either of the VMware flaws described in this document,
user-mode code executing in a virtual machine may gain kernel
privileges within the virtual machine, dependent upon the guest
operating system. The flaws have been proven exploitable on x64
versions of Windows, and they have produced potentially exploitable
crashes on x64 versions of *BSD. The Linux kernel does not allow
exploitation of these flaws on x64 versions of Linux.
IMPACT
------
By exploiting the VMware flaw described in this document, user-mode
code executing in a virtual machine may gain kernel privileges within
the virtual machine, dependent upon the guest operating system. The
flaw has been proven exploitable on x64 versions of Windows, and it
has produced potentially exploitable crashes on x64 versions of *BSD.
The Linux kernel does not allow exploitation of the flaws on x64
versions of Linux.
+ Accepted Talks
- Sticky Fingers & KBC Custom Shop by Alexandre Gazet of Sogeti/ESEC & Metasm
- Designing a minimal operating system to emulate 32/64bits x86 code snippets, shellcode or malware in Bochs by Elias Bachaalany of Hex-Ray
- Practical C++ decompilation by Igor Skochinsky of Hex-Ray
- RFID Hacking by Milosch Meriac of Bitmanufaktur & OpenPCD
- AndBug -- A Scriptable Debugger for Android's Dalvik Virtual Machine by Scott Dunlop of IOActive
- Memory Eye by Yoann Guillot of Sogeti/ESEC & Metasm
+ Training
- Binary Literacy: Static Reverse Engineering by Rolf Rolles
- Windows Internals for Reverse Engineers by Alex Ionescu
flaws.
Background
==========
VMware Workstation is a virtual machine for developers and system
administrators. VMware Player is a freeware virtualization software
that can run guests produced by other VMware products.
Affected packages
=================
~ VMware Player 1.0 upgrade to version 1.0.6 (Build# 80404)
~ VMware Server 1.0 upgrade to version 1.0.5 (Build# 80187)
~ VMware ACE 2.0 upgrade to version 2.0.1 (Build# 80004)
~ VMware ACE 1.0 upgrade to version 1.0.5 (Build# 79846)
~ i. Virtual Machine Communication Interface (VMCI) memory corruption
~ resulting in denial of service
~ VMCI was introduced in VMware Workstation 6.0, VMware Player 2.0,
~ and VMware ACE 2.0. It is an experimental, optional feature and
~ it may be possible to crash the host system by making specially
Debian-specific: no
CVE Id(s) : CVE-2010-2994 CVE-2010-2995
Several implementation errors in the dissector of the Wireshark network
traffic analyzer for the ASN.1 BER protocol and in the SigComp Universal
Decompressor Virtual Machine may lead to the execution of arbitrary code.
For the stable distribution (lenny), these problems have been fixed in
version 1.0.2-3+lenny10.
For the unstable distribution (sid), these problems have been fixed in
- Philippe Langlois (France)
Building Hackerspaces Everywhere
- Philippe Langlois (France)
Virtual Machines (in)security and rootkits
- Nguyen Anh Quynh (Japan)
Memory forensic and incident response for live virtual machine (VM)
- Nguyen Anh Quynh (Japan)
a. Loading a corrupt delta disk may cause ESX to crash
If the VMDK delta disk of a snapshot is corrupt, an ESX host might
crash when the corrupted disk is loaded. VMDK delta files exist
for virtual machines with one or more snapshots. This change ensures
that a corrupt VMDK delta file cannot be used to crash ESX hosts.
A corrupt VMDK delta disk, or virtual machine would have to be loaded
by an administrator.
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Adobe Flash Player. User interaction is
required in that a target must visit a malicious web page.
The specific vulnerability exists within the parsing of an undocumented
opcode within Adobe's ActionScript Virtual Machine 2 bytecode. The
operand to this opcode is used as an offset to a structure and if set to
a malicious value can be pointed to attacker controlled data. The
structure contains a function pointer that is later called. If an
attacker modifies the controlled data pointed to by the invalid offset,
this function pointer can be set to point to malicious code thus gaining
interaction is required to exploit this vulnerability in that the target
must visit a malicious page.
The specific flaw exists in the handling of NTLM authentication
requests generated in the context of the Java Runtime. The Java Virtual
Machine will ignore browser policies and respond to WWW-Authenticate
requests from the Internet zone resulting in the leakage of NTLM
authentication hashes to attackers.
-- Vendor Response:
Oracle has issued an update to correct this vulnerability. More