Virtualisation Security – The How To Guide – Part 3

Written by OSAblog on Tuesday, August 11th, 2009

OVERVIEW

In this, the third technical article from Orthus summarising platform-focused industry research into the security of virtualisation platforms, we outline the second of three categories of virtualised-platform-specific vulnerabilities: virtual machine environment protection bypasses.

CONCERNS OVER ISOLATIONISM…

The detection of virtual machine environments (see previous article) is merely one weapon in the attackers’ armoury, and there exist a number of mechanisms for bypassing the supposed isolation between guest and host operating systems and processes. In the same presentation in which Ed Skoudis and Tom Liston discussed potential remote virtual machine environment detection, a number of utilities were highlighted that can bypass the isolation supposedly inherent in platform virtualisation technologies, particularly VMware. The utilities discussed were operable in VMware Workstation 4 and 5 (and may well be applicable to VMware Workstation 6).

VMware Workstation has an inbuilt communications channel that allows host and guest operating system instances to communicate (commonly referred to as a backdoor). By exploiting this functionality, together with DLL injection, it was possible to build a suite of tools designed to circumvent the isolation of partitions and platforms. As highlighted, these tools have not been publicly disclosed as of the time of writing (this may be in no small part due to the fact that much of the research conducted by Ed Skoudis and Tom Liston is formerly sponsored by the United States Department of Homeland Security); however, publicly released tools are available for both attackers and legitimate researchers to use.

Most notable amongst these is the VM Back suite of tools developed by Ken Kato[i] and other contributors. The VM Back suite of utilities exploits the Backdoor / IO functionality that forms part of many VMware binary distributions. This backdoor is used by the binary distribution to configure deployments of VMware during application runtime (interestingly, the official VMware Tools utilise this backdoor). At the time of writing there are twenty known commands that can be issued via this backdoor functionality and that affect VMware products for both Windows and Linux hosts, namely:

Command Number    Description
01h               Get Processor Speed
02h               Invoke APM function on virtual machine
04h               Get mouse pointer position
05h               Set mouse pointer position
06h               Get text length from clipboard
07h               Get text from clipboard
08h               Set text length to clipboard
09h               Set text to clipboard
0Ah               Get VMware version information
0Bh               Get device information
0Ch               Connect / Disconnect a device
0Dh               Get GUI options setting
0Eh               Set GUI options setting
0Fh               Get Host screen size
11h               Get virtual hardware version
12h               Popup “OS Not Found” dialog
13h               Get BIOS UUID
14h               Get Memory size
17h               Get Host system time
1Eh               Enhanced RPC

TOOLING & EXPLOITATION

By exploiting the functionality of Backdoor/IO operations, Ken Kato (and others) have been able to create a number of utilities that can be used to bypass the supposed isolation between guest and host operating systems in a virtual machine environment. Indeed, in February 2008 the security research group Core Labs used one such application, VMFTP, to help exploit a vulnerability in the VMware shared folders functionality (which was enabled by default) that allowed users of a guest OS to obtain read and write access to the host OS.
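As an added example (not code from Orthus, VMware or the VM Back project), the Python script below audits a .vmx configuration for the isolation settings that restrict the guest-triggered features discussed above: clipboard transfer, device connection, GUI options and shared folders. The setting names come from VMware's published hardening guidance; pairing them with the command numbers in the table, the case-insensitive key matching and the sample configuration are assumptions of this example.

```python
import re

# Real .vmx hardening options and the value that restricts each feature.
# Pairing them with the article's command numbers is this example's assumption.
HARDENED = {
    "isolation.tools.copy.disable": ("true", "clipboard (06h-09h)"),
    "isolation.tools.paste.disable": ("true", "clipboard (06h-09h)"),
    "isolation.tools.setguioptions.enable": ("false", "set GUI options (0Eh)"),
    "isolation.device.connectable.disable": ("true", "connect / disconnect a device (0Ch)"),
    "isolation.tools.hgfs.disable": ("true", "shared folders (HGFS)"),
}

LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {lowercased key: value} for key = "value" lines; skip comments and junk."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            # Keys are compared case-insensitively (assumption of this example).
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def audit_vmx(text):
    """Return sorted (key, state, feature) tuples for settings that are not hardened."""
    settings = parse_vmx(text)
    findings = []
    for key, (wanted, feature) in HARDENED.items():
        actual = settings.get(key)
        if actual is None:
            findings.append((key, "not set explicitly", feature))
        elif actual.lower() != wanted:
            findings.append((key, "set to " + actual, feature))
    return sorted(findings)

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_VMX = '''
# constructed example
displayName = "build-agent-01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
isolation.tools.setGUIOptions.enable = "FALSE"
sharedFolder0.enabled = "TRUE"
'''

if __name__ == "__main__":
    for key, state, feature in audit_vmx(SAMPLE_VMX):
        print(f"{key}: {state} -> {feature}")
```

Settings reported as "not set explicitly" fall back to the product default, which should be checked against the documentation for the VMware version in use.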

NEXT TIME…

In our next article we will discuss the final category of virtualised-platform-specific vulnerability, namely that of virtual machine environment destruction.

Sean Bennett is Commercial Director at Orthus, a leading professional services firm focused on helping organisations globally to secure their technical environments and manage risk. For advice or support in securing your virtualization deployment or virtualized environment, contact Orthus (EMEA) on +44 (0)203 170 8955 or visit www.orthus.com

Article Source: http://www.articlesbase.com/security-articles/virtualisation-security-the-how-to-guide-part-3-1117239.html
