
CORE-2009-0803: Virtual PC Hypervisor Memory Protection Vulnerability

inadvertently increasing their risk due to a bug that makes standard
Windows anti-exploitation mechanisms ineffective.

A vulnerability found in the memory management of the Virtual Machine
Monitor makes memory pages mapped above the 2GB available with read or
read/write access to user-space programs running in a Guest operating
system. By leveraging this vulnerability it is possible to bypass
security mechanisms of the operating system such as Data Execution
Prevention (DEP) [1], Safe Structured Error Handling (SafeSEH) [2] and
Address Space Layout Randomization (ASLR) [3] designed to prevent
exploitation of security bugs in applications running on Windows

VMware Backdoor Response Uninitialized Memory Potential VM Break

IMPACT
------
The vulnerability described in this document could hypothetically be
exploited by unprivileged code running in a VMware virtual machine
(guest) in order to execute code in the host VMX process, thereby
breaking out of the virtual machine; however, such exploitation has
not been proven.  In the event that arbitrary code execution in the
VMX process is possible, kernel privileges can be obtained on a
Windows host by abusing the VMX process's special access to a VMware
driver, meaning the maximum possible impact of this vulnerability is

VMWare poor guest isolation design

I have run across a design issue in VMware's scripting automation API that
diminishes VM guest/host isolation in such a manner to facilitate privilege
escalation, spreading of malware, and compromise of guest operating systems.

VMware's scripting API allows a malicious script on the host machine to
execute programs, open URLs, and perform other privileged operations on any
guest operating system open at the console, without requiring any
credentials on the guest operating system. Furthermore, the script can
execute programs even if you lock the desktop of the guest OS.


More on VMWare poor guest isolation design

run the client utilities, but even if it affects 10% of the people out
there, it is still an issue. Remember the MSBlaster worm? At its peak it
had only infected about 150,000 systems--a very small percentage of Windows
machines.

2. This issue is not about a user on the host compromising a virtual guest.
It is about a *non-privileged* user on the host being logged in to guest
machines as an administrator, and a worm--running in the context of that
non-privileged user on the host--being able to access the admin-level
context of the guest machines without knowing those administrator
credentials. Also remember that since I am talking about a non-privileged

RE: VMWare poor guest isolation design

reasonable security practices were employed. I have been saying that for
years.

Because it does not apply to your particular environment doesn't invalidate
the issue. There are many, many situations where someone would want to
access a vmware guest via the console and not allow any network access at
all. One that comes to mind is an offline root CA that you only fire up
when you need it--a virtual offline machine. Another situation for
myself is I keep all my hacking/pen-testing tools on a vm that I can use
when I need them, and quickly move to any vm host I need to run them on. I
don't necessarily want to make that virtual machine accessible from the

VMSA-2009-0005 VMware Hosted products, VI Client and patches for ESX and ESXi resolve multiple security issues

   Users should plan to upgrade to ESX 3.0.3 and preferably to
   the newest release available.

3. Problem Description

 a. Denial of service guest to host vulnerability in a virtual device

    A vulnerability in a guest virtual device driver could allow a
    guest operating system to crash the host and consequently any
    virtual machines on that host.


CORE-2007-0930 Path Traversal vulnerability in VMware's shared folders implementation

more maintainable hardware systems.

Among the many reasons that promote the adoption of virtualization
technologies, one of the most common today is the promise of an improved
information security posture due to the implied isolation between multiple
virtualized systems (referred to as Guest systems) and the non-virtualized
systems controlling the virtualization hardware and software (the Host
system) [1].

Consequently, software bugs that could allow potential attackers to
invalidate the premise of effective isolation between Host and Guest

Hacktics Advisory Dec09: Oracle eBusiness Suite - Multiple Vulnerabilities Allow Remote Takeover

===============
II. The Finding
===============
Three separate issues have been identified:

1. Unauthenticated Guest Access
-------------------------------
It is possible for unauthenticated users to access certain pages with guest
privileges (according to Oracle's security representative - this is a
standard functionality of this component). While some pages may not be
directly accessible as a guest in this manner, this can be bypassed by

RE: VMWare poor guest isolation design

-----Original Message-----
From: Arthur Corliss [mailto:corliss@digitalmages.com] 
Sent: Thursday, August 23, 2007 12:49 PM
To: M. Burnett
Cc: bugtraq@securityfocus.com
Subject: Re: VMWare poor guest isolation design

On Wed, 22 Aug 2007, M. Burnett wrote:

> I have run across a design issue in VMware's scripting automation API that
> diminishes VM guest/host isolation in such a manner to facilitate

RE: VMWare poor guest isolation design

-----Original Message-----
From: Arthur Corliss [mailto:corliss@digitalmages.com] 
Sent: Thursday, August 23, 2007 11:49 AM
To: M. Burnett
Cc: bugtraq@securityfocus.com
Subject: Re: VMWare poor guest isolation design

On Wed, 22 Aug 2007, M. Burnett wrote:

> I have run across a design issue in VMware's scripting automation API that

Re: VMWare poor guest isolation design

On 8/23/07, Arthur Corliss <corliss@digitalmages.com> wrote:
> On Wed, 22 Aug 2007, M. Burnett wrote:
>
> > I have run across a design issue in VMware's scripting automation API that
> > diminishes VM guest/host isolation in such a manner to facilitate privilege
> > escalation, spreading of malware, and compromise of guest operating systems.
> >
> > VMware's scripting API allows a malicious script on the host machine to
> > execute programs, open URLs, and perform other privileged operations on any
> > guest operating system open at the console, without requiring any

Cisco Security Advisory: Cisco Network Access Control Guest Server System Software Authentication Bypass Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Security Advisory: Cisco Network Access Control Guest Server
System Software Authentication Bypass Vulnerability

Advisory ID: cisco-sa-20110330-nac

Revision 1.0


VMware Backdoor ghi.guest.trashFolder.state Uninitialized Memory Potential VM Break

VMware Backdoor ghi.guest.trashFolder.state Uninitialized Memory
Potential VM Break

Derek Soeder
ds.adv.pub@gmail.com

Reported:       December 5, 2011
Published:      May 3, 2012




Re: VMWare poor guest isolation design

On Wed, 22 Aug 2007, M. Burnett wrote:

> I have run across a design issue in VMware's scripting automation API that
> diminishes VM guest/host isolation in such a manner to facilitate privilege
> escalation, spreading of malware, and compromise of guest operating systems.
>
> VMware's scripting API allows a malicious script on the host machine to
> execute programs, open URLs, and perform other privileged operations on any
> guest operating system open at the console, without requiring any
> credentials on the guest operating system. Furthermore, the script can

VMSA-2008-0009 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues

       to at least 2.5.5 and preferably the newest release available before
       the end of extended support.

3. Problem description:

 a. VMware Tools Local Privilege Escalation on Windows-based guest OS

    The VMware Tools Package provides support required for shared folders
    (HGFS) and other features.

    An input validation error is present in the Windows-based VMware

VMware Tools Multiple Vulnerabilities

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: VMware Tools Multiple Vulnerabilities
 Release Date: 2011-06-03
  Application: VMware Guest Tools
     Severity: High
       Author: Dan Rosenberg <drosenberg (at) vsecurity.com>
Vendor Status: Patch Released [2]
CVE Candidate: CVE-2011-1787, CVE-2011-2145, CVE-2011-2146
    Reference: http://www.vsecurity.com/resources/advisory/20110603-1/

Re: /proc filesystem allows bypassing directory permissions on Linux

On 26.10.2009 18:58, Pavel Machek wrote:
>>>>> guest certainly does not have permission to ptrace() pavel's
>>>>> processes, so...
>>>>
>>>> But guest has permissions to ptrace() his own processes. If we
>>>> remember your original report, he abuses input redirection of bash
>>>> run by himself. So again, there's no real security hole here.
>>>
>>> guest abuses ptrace permissions on his own processes to write to
>>> pavel's files... no, that obviously is not a security hole :-).

VMSA-2008-0016 VMware Hosted products, VirtualCenter Update 3 and patches for ESX and ESXi resolve multiple security issues

                   CVE-2008-3113 CVE-2008-3114 CVE-2008-3115
- ------------------------------------------------------------------------

1. Summary

   VMware addresses an in-guest privilege escalation on 64-bit guest
   operating systems in ESX, ESXi, and previously released versions of
   our hosted product line.  Updated VMware VirtualCenter Update 3
   addresses potential information disclosure and updates Java JRE
   packages.


VMware poor guest isolation design

Hash: SHA256

*Summary*

VMware VIX API 1.1 supports an option that allows users with privileges
on the host machine to execute programs on a guest operating system
under the identity of a user currently logged into the guest. For
example, if user A powers on a virtual machine (VM) and logs into the
guest operating system, then a user B who has privilege on the host
machine to connect to that VM can also write scripts that will
anonymously run programs in the VM guest operating system as user A.

RE: VMWare poor guest isolation design

Amen.

> Because it does not apply to your particular environment doesn't invalidate
> the issue. There are many, many situations where someone would want to
> access a vmware guest via the console and not allow any network access at
> all. One that comes to mind is an offline root CA that you only fire up
> when you need it--a virtual offline machine. Another situation for
> myself is I keep all my hacking/pen-testing tools on a vm that I can use
> when I need them, and quickly move to any vm host I need to run them on. I
> don't necessarily want to make that virtual machine accessible from the

Updated: VMware poor guest isolation design

Hash: SHA256

*Summary*

VMware VIX API 1.1 supports an option that allows users with privileges
on the host machine to execute programs on a guest operating system
under the identity of a user currently logged into the guest. For
example, if user A powers on a virtual machine (VM) and logs into the
guest operating system, then a user B who has privilege on the host
machine to connect to that VM can also write scripts that will
anonymously run programs in the VM guest operating system as user A.

iDefense Security Advisory 06.04.08: VMware Tools HGFS Local Privilege Escalation Vulnerability

I. BACKGROUND

VMware is a software virtualization system which allows multiple virtual
computers to run on a single system. VMware Tools provides drivers and
utilities to enhance and optimize the experience within a guest
operating system running under VMware. For more information visit the
vendor's site at the following URL.

http://www.vmware.com/


Re: [Full-disclosure] Ubuntu, Linux Mint, and the Guest Account

On Sat, 2012-05-05 at 19:42 -0400, Jeffrey Walton wrote:
> I know there's not much new here, but I am amazed that Ubuntu, Linux
> Mint and friends ship with a Guest account present and enabled.
> 
> The Guest account is surreptitiously added through a lightdm
> configuration file, and is not part of the standard user database.
> Because it's not part of the standard user database, it can't be
> disabled through /etc/shadow, nor can it be disabled through familiar tools
> such as userdel and usermod. Additionally, the damn account does not
> show up in distribution provided tools such as the User Accounts applet.

Re: /proc filesystem allows bypassing directory permissions on Linux

> >>>guest certainly does not have permission to ptrace() pavel's
> >>>processes, so...
> >>
> >>But guest has permissions to ptrace() his own processes. If we
> >>remember your original report, he abuses input redirection of bash
> >>run by himself. So again, there's no real security hole here.
> >
> >guest abuses ptrace permissions on his own processes to write to
> >pavel's files... no, that obviously is not a security hole :-).
> >

CORE-2011-0203 - MS HyperV Persistent DoS Vulnerability

A security vulnerability was found in the driver 'vmswitch.sys',
associated with the Windows Hypervisor subsystem, allowing an
authenticated local DoS. The vulnerability could allow denial of service
if a specially crafted packet is sent to the VMBus by an authenticated
user in one of the guest virtual machines hosted by the Hyper-V server.
The impact is that all guests on that host become non-responsive.

An attacker must have valid logon credentials and be able to send
specially crafted content from a guest virtual machine to exploit this
vulnerability. As a result, an attacker logged with admin privileges on

RE: More on VMWare poor guest isolation design

saying I have introduced a spectacular new attack vector. I would categorize
this threat standing on its own as medium to low, depending on your
environment. But the fact is that this thing bypasses normal OS security
mechanisms and we simply cannot imagine how that might be used by an
attacker in the future. Some of you keep trying to point out that owning the
host always means owning the guests, but that isn't always the case,
especially if you are not a full administrator on the host machine. 

I know that for a lot of years people have been saying that once someone can
access the physical box, there's nothing more you can do. Well, that's just
not true anymore. You very well can protect a physical machine and you

VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues

 a. Windows-based VMware Tools Unsafe Library Loading vulnerability

    A vulnerability in the way VMware libraries are referenced allows
    for arbitrary code execution in the context of the logged on user.
    This vulnerability is present only on Windows Guest Operating
    Systems.

    In order for an attacker to exploit the vulnerability, the attacker
    would need to lure the user that is logged on to a Windows Guest
    Operating System to click on the attacker's file on a network

Ubuntu, Linux Mint, and the Guest Account

I know there's not much new here, but I am amazed that Ubuntu, Linux
Mint and friends ship with a Guest account present and enabled.

The Guest account is surreptitiously added through a lightdm
configuration file, and is not part of the standard user database.
Because it's not part of the standard user database, it can't be
disabled through /etc/shadow, nor can it be disabled through familiar tools
such as userdel and usermod. Additionally, the damn account does not
show up in distribution provided tools such as the User Accounts applet.


VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues

~   VMware Server 1.0.4 and earlier
~   VMware Fusion 1.1 and earlier

3. Problem description:

~ a.  Host to guest shared folder (HGFS) traversal vulnerability

~     On Windows hosts, if you have configured a VMware host to guest
~     shared folder (HGFS), it is possible for a program running in the
~     guest to gain access to the host's file system and create or modify
~     executable files in sensitive locations.
