Re: VMWare poor guest isolation design

To: "Arthur Corliss" <corliss@xxxxxxxxxxxxxxxx>
Subject: Re: VMWare poor guest isolation design
From: "Jonathan Yu" <jonathan.i.yu@xxxxxxxxx>
Date: Thu, 23 Aug 2007 21:06:36 -0400
Cc: "M. Burnett" <mb@xxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=moT9aq+QlZ7hoGJem+0QTM2ApDmJKnNbbyCDJzjbmiZ2Ivz/Rghad570upSX4w+qdbJs/QUMIvD6m+iV/WvVHHmxeHzsSsWqYp8RWQRO3uGMdCT/PMx8L+5Q25YLOh1qqDdaHBAgMbZrs9TxJ4VjSvjujK8/jCLOJufNWBiyvX0=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=fk0bYzfxDfJKykAbrG1xn91Wy9ka1FA+isiJKo7XVHAQHa1nhfYyPyfbDRS5ICjFDcTystqs3Kz4TcBETK456Vi3XQ/x7EmNFpiNIg9zhKJ97bvk2Ouz8A1YPTUQR1ccOlZ87ifAe4btcAm/YiGmm001zF2v0o5MG5CQAdfr+Vo=
In-reply-to: <Pine.LNX.4.64.0708230834211.13100@xxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <008001c7e534$e4b84490$ae28cdb0$@net> <Pine.LNX.4.64.0708230834211.13100@xxxxxxxxxxxxxxxxxxxxxxxx>

Hi there,

First of all - please forgive me, I'm not a developer and I don't use
the automation API. However, I use VMware a lot for development. I
have a Windows XP host machine and I use VMware to develop Linux code
(Debian Etch, Linux 2.6).

On 8/23/07, Arthur Corliss <corliss@xxxxxxxxxxxxxxxx> wrote:
> On Wed, 22 Aug 2007, M. Burnett wrote:
>
> > I have run across a design issue in VMware's scripting automation API that
> > diminishes VM guest/host isolation in such a manner to facilitate privilege
> > escalation, spreading of malware, and compromise of guest operating systems.
> >
> > VMware's scripting API allows a malicious script on the host machine to
> > execute programs, open URLs, and perform other privileged operations on any
> > guest operating system open at the console, without requiring any
> > credentials on the guest operating system. Furthermore, the script can
> > execute programs even if you lock the desktop of the guest OS.
> >
> > For example, if a non-admin user is logged in at the vm host, but logged in
> > to guest operating systems as an administrator, the script running as a
> > non-admin on the host can still execute admin-level scripts on the guests.
> >
> > I obviously did not discover this issue--the API developers provided it as a
> > feature-I am simply pointing out the potential danger, that it was a poor
> > design decision, and that there is a need to establish best practices for
> > virtual machine guest and host isolation.
>
> I don't see this as a serious problem.  This is the virtual equivalent of no
> physical security.  If the host OS (or an account within it) is compromised,
> of course all bets are off when it comes to a virtual machine running within
> it.
It is worse than this because according to the original e-mail, you
can queue up commands to be executed upon the next login. That is
where it gets dangerous, whereas it wouldn't have been an issue with
"no physical security" alone.

However, I propose an alternate attack scenario: if the host system is
compromised, then the program is able to write to the VMware Disk
files or the physical partition that the virtual machines are
installed in. This means that you can write arbitrary things to it or
change files around, so you can have the same effect if you, say, add
a command to the root user's crontab...
>
> Furthermore, this attack only works if you are running the vmware guest
> utilities *and* you are currently logged into a GUI desktop running the
> vmware userland process.
Many people are in this situation.
>
> I personally look at this as an issue for Windows.  I personally don't
> install the vmware guest software for my Linux VMs, nor would I log into a
> GUI as root.  For that matter, if you are merely hosting the guest VMs why
> would you need to ever use the vmware console after installation?  Use a
> network-based access method, making the need for the vmware guest utilities
> unnecessary.  That should be sufficient for all OS'es.
>
I have all the guest tools installed. Why? It is useful - besides the
hgfs ("Shared Folders") support, there is also the vmmemctl module,
which returns unused memory pages back to the host OS, which allows
overcommitting if necessary (on my system it just ensures that I can
use as much of the RAM as possible).
> In (not so) short, this attack vector is virtually worthless if reasonable
> security practices are employed.
>
>         --Arthur Corliss
>           Live Free or Die
>

Follow-Ups:
- Re: VMWare poor guest isolation design
  - From: Arthur Corliss

References:
- VMWare poor guest isolation design
  - From: M. Burnett
- Re: VMWare poor guest isolation design
  - From: Arthur Corliss

Prev by Date: RE: VMWare poor guest isolation design
Next by Date: The Korean Hacking & Security Conference "POC 2007" call for papers
Previous by thread: RE: VMWare poor guest isolation design
Next by thread: Re: VMWare poor guest isolation design
Index(es):
- Date
- Thread