host machine
I have run across a design issue in VMware's scripting automation API that
diminishes VM guest/host isolation in such a manner to facilitate privilege
escalation, spreading of malware, and compromise of guest operating systems.
VMware's scripting API allows a malicious script on the host machine to
execute programs, open URLs, and perform other privileged operations on any
guest operating system open at the console, without requiring any
credentials on the guest operating system. Furthermore, the script can
execute programs even if you lock the desktop of the guest OS.
Hi there,
First of all - please forgive me, I'm not a developer and I don't use
the automation API. However, I use VMware a lot for development. I
have a Windows XP host machine and I use VMware to develop Linux code
(Debian Etch, Linux 2.6).
On 8/23/07, Arthur Corliss <corliss@digitalmages.com> wrote:
> On Wed, 22 Aug 2007, M. Burnett wrote:
>
>
> > Hi there,
> >
> > First of all - please forgive me, I'm not a developer and I don't use
> > the automation API. However, I use VMware a lot for development. I
> > have a Windows XP host machine and I use VMware to develop Linux code
> > (Debian Etch, Linux 2.6).
>
> I'm a p570 user on the server side, but I do use vmware workstation for
> development purposes as well.
>
I. BACKGROUND
VMware Inc. markets several virtualization products such as ACE, Player,
Server, and Workstation. These products include a video coder-decoder
(codec) called 'vmnc.dll', or VMware Movie Decoder, that is registered
on the host machine at installation time. This codec will be used
whenever video streams of the 'VMnc' type, such as those produced when
using VMware Workstation's "Capture Movie" feature, are encountered.
For more information, refer to the links shown below.
http://en.wikipedia.org/wiki/Codec
> attacker in the future. Some of you keep trying to point out that owning the
> host always means owning the guests, but that isn't always the case,
> especially if you are not a full administrator on the host machine.
...
> should be able to protect a virtual guest from its host. There's no way a
> non-admin user is going to be able to modify the RAM of a vm. And in Windows
> Vista, if not already blocked, even as an administrator I would have to
> explicitly allow a worm to access the RAM or disk of a virtual machine. No
> worm is going to access a vm's resources without a UAC prompt coming up.
Vendor Response:
Perforce has confirmed an issue with Windows-based operating
systems and P4Web versions 2006.2 and prior that can result
in the P4Web host machine becoming unusable due to excessive
CPU usage. This was discovered by our QA department in
February of 2007, and addressed in our 2007.2 release.
Recommendation:
Users concerned about this issue should upgrade to P4Web
Vulnerabilities and Exposures project identifies the following problems:
CVE-2010-0435
Gleb Napatov reported an issue in the KVM subsystem that allows virtual
machines to cause a denial of service of the host machine by executing mov
to/from DR instructions.
CVE-2010-3699
Keir Fraser provided a fix for an issue in the Xen subsystem. A guest can
secure but they aren't.
Finally, let me explain how I personally use virtual machines to put this
all in context of why I think this is important. I use Windows Vista as my
host machine, logged in as a non-admin user. I am typing this e-mail--also
as a non-admin user--in a Windows XP virtual machine dedicated to instant
messaging and e-mail. On another monitor I have a VM running Windows 2003 as
a domain controller (btw, you need the client utilities on domain
controllers to keep the clock correct) where I am logged in as an
administrator, but the screen saver is password-protected and I lock the
> VMware's scripting API allows a malicious script on the host machine to
> execute programs, open URLs, and perform other privileged operations on any
> guest operating system open at the console, without requiring any
> credentials on the guest operating system. Furthermore, the script can
> execute programs even if you lock the desktop of the guest OS.
As opposed to pausing the VM, editing the virtual memory image and
unpausing the VM? No scripting interface is needed. How about editing
the virtual disk image and replacing one of the cron scripts with a
shell-on-a-port? Rebooting the VM and going single user? If you control
> diminishes VM guest/host isolation in such a manner to facilitate
privilege
> escalation, spreading of malware, and compromise of guest operating
systems.
>
> VMware's scripting API allows a malicious script on the host machine to
> execute programs, open URLs, and perform other privileged operations on
any
> guest operating system open at the console, without requiring any
> credentials on the guest operating system. Furthermore, the script can
> execute programs even if you lock the desktop of the guest OS.
> I have run across a design issue in VMware's scripting automation API that
> diminishes VM guest/host isolation in such a manner to facilitate privilege
> escalation, spreading of malware, and compromise of guest operating systems.
>
> VMware's scripting API allows a malicious script on the host machine to
> execute programs, open URLs, and perform other privileged operations on any
> guest operating system open at the console, without requiring any
> credentials on the guest operating system. Furthermore, the script can
> execute programs even if you lock the desktop of the guest OS.
>
Hash: SHA256
*Summary*
VMware VIX API 1.1 supports an option that allows users with privileges
on the host machine to execute programs on a guest operating system
under the identity of a user currently logged into the guest. For
example, if user A powers on a virtual machine (VM) and logs into the
guest operating system, then a user B who has privilege on the host
machine to connect to that VM can also write scripts that will
anonymously run programs in the VM guest operating system as user A.
> this threat standing on its own as medium to low, depending on your
> environment. But the fact is that this thing bypasses normal OS security
> mechanisms and we simply cannot imagine how that might be used by an
> attacker in the future. Some of you keep trying to point out that owning the
> host always means owning the guests, but that isn't always the case,
> especially if you are not a full administrator on the host machine.
*If* you can use the API to spawn a process in a vm owned and operated by
another user *then*, and only then, do you have a legitimate vulnerability.
But you're basically complaining about being able to shoot yourself in the
foot. It is still incumbent on the host admin to prevent unauthorized
> Hi there,
>
> First of all - please forgive me, I'm not a developer and I don't use
> the automation API. However, I use VMware a lot for development. I
> have a Windows XP host machine and I use VMware to develop Linux code
> (Debian Etch, Linux 2.6).
I'm a p570 user on the server side, but I do use vmware workstation for
development purposes as well.
> diminishes VM guest/host isolation in such a manner to facilitate
privilege
> escalation, spreading of malware, and compromise of guest operating
systems.
>
> VMware's scripting API allows a malicious script on the host machine
to
> execute programs, open URLs, and perform other privileged operations
on any
> guest operating system open at the console, without requiring any
> credentials on the guest operating system. Furthermore, the script can
> > diminishes VM guest/host isolation in such a manner to facilitate
> privilege
> > escalation, spreading of malware, and compromise of guest operating
> systems.
> >
> > VMware's scripting API allows a malicious script on the host machine
> to
> > execute programs, open URLs, and perform other privileged operations
> on any
> > guest operating system open at the console, without requiring any
> > credentials on the guest operating system. Furthermore, the script
Hash: SHA256
*Summary*
VMware VIX API 1.1 supports an option that allows users with privileges
on the host machine to execute programs on a guest operating system
under the identity of a user currently logged into the guest. For
example, if user A powers on a virtual machine (VM) and logs into the
guest operating system, then a user B who has privilege on the host
machine to connect to that VM can also write scripts that will
anonymously run programs in the VM guest operating system as user A.
|
