guests
inadvertently increasing their risk due to a bug that makes standard
Windows anti-exploitation mechanisms ineffective.
A vulnerability found in the memory management of the Virtual Machine
Monitor makes memory pages mapped above the 2GB available with read or
read/write access to user-space programs running in a Guest operating
system. By leveraging this vulnerability it is possible to bypass
security mechanisms of the operating system such as Data Execution
Prevention (DEP) [1], Safe Structured Error Handling (SafeSEH) [2] and
Address Space Layout Randomization (ASLR) [3] designed to prevent
exploitation of security bugs in applications running on Windows
I have run across a design issue in VMware's scripting automation API that
diminishes VM guest/host isolation in such a manner to facilitate privilege
escalation, spreading of malware, and compromise of guest operating systems.
VMware's scripting API allows a malicious script on the host machine to
execute programs, open URLs, and perform other privileged operations on any
guest operating system open at the console, without requiring any
credentials on the guest operating system. Furthermore, the script can
execute programs even if you lock the desktop of the guest OS.
run the client utilities, but even if it affects 10% of the people out
there, it is still an issue. Remember the MSBlaster worm? At its peak it
had only infected about 150,000 systems--a very small percentage of Windows
machines.
2. This issue is not about a user on the host compromising a virtual guest.
It is about a *non-privileged* user on the host being logged in to guest
machines as an administrator, and a worm--running in the context of that
non-privileged user on the host--being able to access the admin-level
context of the guest machines without knowing those administrator
credentials. Also remember that since I am talking about a non-privileged
reasonable security practices were employed. I have been saying that for
years.
Because it does not apply to your particular environment doesn't invalidate
the issue. There are many, many situations where someone would want to
access a vmware guest via the console and not allow any network access at
all. One that comes to mind is an offline root CA that you can only fire up
when you need it--a virtual offline machine. Another situation for
myself is I keep all my hacking/pen-testing tools on a vm that I can use
when I need them, and quickly move to any vm host I need to run them on. I
don't necessarily want to make that virtual machine accessible from the
Users should plan to upgrade to ESX 3.0.3 and preferably to
the newest release available.
3. Problem Description
a. Denial of service guest to host vulnerability in a virtual device
A vulnerability in a guest virtual device driver could allow a
guest operating system to crash the host and consequently any
virtual machines on that host.
more maintainable hardware systems.
Among the many reasons that promote the adoption of virtualization
technologies, one of the most common today is the promise of an improved
information security posture due to the implied isolation between multiple
virtualized systems (referred to as Guest systems) and the non-virtualized
systems controlling the virtualization hardware and software (the Host
system) [1].
Consequently, software bugs that could allow potential attackers to
invalidate the premise of effective isolation between Host and Guest
-----Original Message-----
From: Arthur Corliss [mailto:corliss@digitalmages.com]
Sent: Thursday, August 23, 2007 11:49 AM
To: M. Burnett
Cc: bugtraq@securityfocus.com
Subject: Re: VMWare poor guest isolation design
On Wed, 22 Aug 2007, M. Burnett wrote:
> I have run across a design issue in VMware's scripting automation API that
===============
II. The Finding
===============
Three separate issues have been identified:
1. Unauthenticated Guest Access
-------------------------------
It is possible for unauthenticated users to access certain pages with guest
privileges (according to Oracle's security representative - this is a
standard functionality of this component). While some pages may not be
directly accessible as a guest in this manner, this can be bypassed by
-----Original Message-----
From: Arthur Corliss [mailto:corliss@digitalmages.com]
Sent: Thursday, August 23, 2007 12:49 PM
To: M. Burnett
Cc: bugtraq@securityfocus.com
Subject: Re: VMWare poor guest isolation design
On Wed, 22 Aug 2007, M. Burnett wrote:
> I have run across a design issue in VMware's scripting automation API that
> diminishes VM guest/host isolation in such a manner to facilitate
On 8/23/07, Arthur Corliss <corliss@digitalmages.com> wrote:
> On Wed, 22 Aug 2007, M. Burnett wrote:
>
> > I have run across a design issue in VMware's scripting automation API that
> > diminishes VM guest/host isolation in such a manner to facilitate privilege
> > escalation, spreading of malware, and compromise of guest operating systems.
> >
> > VMware's scripting API allows a malicious script on the host machine to
> > execute programs, open URLs, and perform other privileged operations on any
> > guest operating system open at the console, without requiring any
to at least 2.5.5 and preferably the newest release available before
the end of extended support.
3. Problem description:
a. VMware Tools Local Privilege Escalation on Windows-based guest OS
The VMware Tools Package provides support required for shared folders
(HGFS) and other features.
An input validation error is present in the Windows-based VMware
On Wed, 22 Aug 2007, M. Burnett wrote:
> I have run across a design issue in VMware's scripting automation API that
> diminishes VM guest/host isolation in such a manner to facilitate privilege
> escalation, spreading of malware, and compromise of guest operating systems.
>
> VMware's scripting API allows a malicious script on the host machine to
> execute programs, open URLs, and perform other privileged operations on any
> guest operating system open at the console, without requiring any
> credentials on the guest operating system. Furthermore, the script can
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Cisco Network Access Control Guest Server
System Software Authentication Bypass Vulnerability
Advisory ID: cisco-sa-20110330-nac
Revision 1.0
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: VMware Tools Multiple Vulnerabilities
Release Date: 2011-06-03
Application: VMware Guest Tools
Severity: High
Author: Dan Rosenberg <drosenberg (at) vsecurity.com>
Vendor Status: Patch Released [2]
CVE Candidate: CVE-2011-1787, CVE-2011-2145, CVE-2011-2146
Reference: http://www.vsecurity.com/resources/advisory/20110603-1/
saying I have introduced a spectacular new attack vector. I would categorize
this threat standing on its own as medium to low, depending on your
environment. But the fact is that this thing bypasses normal OS security
mechanisms and we simply cannot imagine how that might be used by an
attacker in the future. Some of you keep trying to point out that owning the
host always means owning the guests, but that isn't always the case,
especially if you are not a full administrator on the host machine.
I know that for a lot of years people have been saying that once someone can
access the physical box, there's nothing more you can do. Well, that's just
not true anymore. You very well can protect a physical machine and you
Amen.
> Because it does not apply to your particular environment doesn't invalidate
> the issue. There are many, many situations where someone would want to
> access a vmware guest via the console and not allow any network access at
> all. One that comes to mind is an offline root CA that you can only fire up
> when you need it--a virtual offline machine. Another situation for
> myself is I keep all my hacking/pen-testing tools on a vm that I can use
> when I need them, and quickly move to any vm host I need to run them on. I
> don't necessarily want to make that virtual machine accessible from the
Hash: SHA256
*Summary*
VMware VIX API 1.1 supports an option that allows users with privileges
on the host machine to execute programs on a guest operating system
under the identity of a user currently logged into the guest. For
example, if user A powers on a virtual machine (VM) and logs into the
guest operating system, then a user B who has privilege on the host
machine to connect to that VM can also write scripts that will
anonymously run programs in the VM guest operating system as user A.
A security vulnerability was found in the driver 'vmswitch.sys',
associated with the Windows Hypervisor subsystem, allowing an
authenticated local DoS. The vulnerability could allow denial of service
if a specially crafted packet is sent to the VMBus by an authenticated
user in one of the guest virtual machines hosted by the Hyper-V server.
The impact is that all guests on that host become non-responsive.
An attacker must have valid logon credentials and be able to send
specially crafted content from a guest virtual machine to exploit this
vulnerability. As a result, an attacker logged with admin privileges on
CVE-2008-3113 CVE-2008-3114 CVE-2008-3115
- ------------------------------------------------------------------------
1. Summary
VMware addresses an in-guest privilege escalation on 64-bit guest
operating systems in ESX, ESXi, and previously released versions of
our hosted product line. Updated VMware VirtualCenter Update 3
addresses potential information disclosure and updates Java JRE
packages.
On 26.10.2009 18:58, Pavel Machek wrote:
>>>>> guest certainly does not have permission to ptrace() pavel's
>>>>> processes, so...
>>>>
>>>> But guest has permissions to ptrace() his own processes. If we
>>>> remember your original report, he abuses input redirection of bash
>>>> run by himself. So again, there's no real security hole here.
>>>
>>> guest abuses ptrace permissions on his own processes to write to
>>> pavel's files... no, that obviously is not security hole :-).
I. BACKGROUND
VMware is a software virtualization system which allows multiple virtual
computers to run on a single system. VMware Tools provides drivers and
utilities to enhance and optimize the experience within a guest
operating system running under VMware. For more information visit the
vendor's site at the following URL.
http://www.vmware.com/
> >>>guest certainly does not have permission to ptrace() pavel's
> >>>processes, so...
> >>
> >>But guest has permissions to ptrace() his own processes. If we
> >>remember your original report, he abuses input redirection of bash
> >>run by himself. So again, there's no real security hole here.
> >
> >guest abuses ptrace permissions on his own processes to write to
> >pavel's files... no, that obviously is not security hole :-).
> >
Invalid #PF Exception Code in VMware can result in Guest Privilege Escalation
-----------------------------------------------------------------------------
In protected mode, cpl is usually equal to the two least significant bits of
the cs register. However, there is an exception: in Virtual-8086 mode, the
cpl is always 3 (least privileged), regardless of the value of the cs
register.
When the processor raises a #PF (page fault) exception, an exception code is
pushed onto the stack containing flags used by the operating system to
http://CACTIHOST/graph.php?action=zoom&local_graph_id=1&graph_end=1%27%20style=visibility:hidden%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx%20y=%27
This vulnerability is only exploitable if the victim is allowed to view
graphs. This will be true if the victim has previously authenticated
against Cacti or if both the guest user has been activated (default:
disabled) and the graph view permission was set to 'guest' (default:
'No User').
This vulnerability was tested with Firefox 3.0.6.
a. Windows-based VMware Tools Unsafe Library Loading vulnerability
A vulnerability in the way VMware libraries are referenced allows
for arbitrary code execution in the context of the logged on user.
This vulnerability is present only on Windows Guest Operating
Systems.
In order for an attacker to exploit the vulnerability, the attacker
would need to lure the user that is logged on a Windows Guest
Operating System to click on the attacker's file on a network
> 2. This issue is not about a user on the host compromising a virtual guest.
> It is about a *non-privileged* user on the host being logged in to guest
> machines as an administrator, and a worm--running in the context of that
> non-privileged user on the host--being able to access the admin-level
> context of the guest machines without knowing those administrator
> credentials. Also remember that since I am talking about a non-privileged
> user on the host, there will be limits on what this user could do to
> accomplish some of the other attacks mentioned.
Your position seems to be that an easy automated scripting interface is a
Imagine:
- a house surrounded with a fence with all doors unlocked (file with
perm 0666)
- a drive-way leads to the gate in the fence and the gate is unlocked
(dir with perms 777)
- next we put a lock on the gate and don't give guest the key (dir
with perms 700)
- guest cannot access the house because he can't pass the gate
- now we take an airplane and parachute guest straight into the
perimeter of the fence (/proc access)
- guest can access the house (write the file), because the house has
~ VMware Server 1.0.4 and earlier
~ VMware Fusion 1.1 and earlier
3. Problem description:
~ a. Host to guest shared folder (HGFS) traversal vulnerability
~ On Windows hosts, if you have configured a VMware host to guest
~ shared folder (HGFS), it is possible for a program running in the
~ guest to gain access to the host's file system and create or modify
~ executable files in sensitive locations.