RE: VMWare poor guest isolation design



This may be far off course but with all the discussions of VMWare as a safe
sandbox that has broad security value it seems we have to pay attention to
the assumptions. IF the virtual machine is operating properly, it can
provide a level of sandboxing and restrict session privileges for that
instance of the machine. However, the most common exploit in software
continues to be memory leakages or buffer overflows.

It seems to me that if the code that can be injected through the most common
attack vector (buffer overflows) executes with full privileges of the real
hosting machine, there would be little benefit to the virtualization. Am I
missing something here?

Is there a way that the arbitrary code injected through a buffer overflow
can be constrained in the logical machine? It seems to me the VM can't
provide this protection?

KWK



-----Original Message-----
From: Arthur Corliss [mailto:corliss@xxxxxxxxxxxxxxxx]
Sent: Thursday, August 23, 2007 12:49 PM
To: M. Burnett
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: VMWare poor guest isolation design

On Wed, 22 Aug 2007, M. Burnett wrote:

> I have run across a design issue in VMware's scripting automation API that
> diminishes VM guest/host isolation in such a manner to facilitate privilege
> escalation, spreading of malware, and compromise of guest operating systems.
>
> VMware's scripting API allows a malicious script on the host machine to
> execute programs, open URLs, and perform other privileged operations on any
> guest operating system open at the console, without requiring any
> credentials on the guest operating system. Furthermore, the script can
> execute programs even if you lock the desktop of the guest OS.
>
> For example, if a non-admin user is logged in at the vm host, but logged in
> to guest operating systems as an administrator, the script running as a
> non-admin on the host can still execute admin-level scripts on the guests.
>
> I obviously did not discover this issue--the API developers provided it as a
> feature--I am simply pointing out the potential danger, that it was a poor
> design decision, and that there is a need to establish best practices for
> virtual machine guest and host isolation.

I don't see this as a serious problem. This is the virtual equivalent of no
physical security. If the host OS (or an account within it) is compromised,
of course all bets are off when it comes to a virtual machine running within
it.

Furthermore, this attack only works if you are running the vmware guest
utilities *and* you are currently logged into a GUI desktop running the
vmware userland process.

I personally look at this as an issue for Windows. I personally don't
install the vmware guest software for my Linux VMs, nor would I log into a
GUI as root. For that matter, if you are merely hosting the guest VMs why
would you need to ever use the vmware console after installation? Use a
network-based access method, making the need for the vmware guest utilities
unnecessary. That should be sufficient for all OS'es.

In (not so) short, this attack vector is virtually worthless if reasonable
security practices are employed.

--Arthur Corliss
Live Free or Die
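As an added example, not part of the thread and not VMware's own code: a small audit that checks a Linux guest for the two preconditions Arthur Corliss says the host-side scripting attack depends on, namely the VMware guest utilities running and an interactive GUI session as root. It parses the text of `ps -eo user,comm` and `who`; the sample output below is constructed inline so the check runs offline, and the list of guest-utility process names and the "display number means GUI session" heuristic are assumptions made for this example.

```python
# Added example (not from the thread): audit a Linux guest for the conditions
# that make the host-side VMware scripting API usable against it.
# Input is the text of `ps -eo user,comm` and `who`; samples are constructed.
import re

# Assumed process names of VMware guest utilities across versions
# (vmware-guestd was the 2007-era daemon, vmtoolsd the open-vm-tools one).
GUEST_TOOLS_PROCS = {
    "vmware-guestd", "vmtoolsd", "vmware-user", "vmware-user-suid-wrapper",
}

# Constructed sample output of `ps -eo user,comm` on a guest with tools installed.
SAMPLE_PS = """\
USER     COMMAND
root     init
root     vmware-guestd
alice    vmware-user
root     Xorg
alice    bash
"""

# Constructed sample output of `who`: root on a graphical display, alice via ssh.
SAMPLE_WHO = """\
root     tty7         2007-08-23 12:40 (:0)
alice    pts/0        2007-08-23 12:45 (10.0.0.5)
"""

WHO_LINE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+\S+(?:\s+\((.*)\))?$")


def parse_ps(ps_text):
    """Return a list of (user, command) pairs from `ps -eo user,comm` output."""
    rows = []
    for line in ps_text.splitlines()[1:]:  # skip the header line
        parts = line.split(None, 1)
        if len(parts) == 2:
            rows.append((parts[0], parts[1].strip()))
    return rows


def parse_who(who_text):
    """Return a list of (user, tty, host) triples from `who` output."""
    sessions = []
    for line in who_text.splitlines():
        m = WHO_LINE.match(line.strip())
        if m:
            sessions.append((m.group(1), m.group(2), m.group(3) or ""))
    return sessions


def audit_guest(ps_text, who_text):
    """Return human-readable findings; an empty list means neither condition holds."""
    findings = []
    tools = sorted({cmd for _, cmd in parse_ps(ps_text) if cmd in GUEST_TOOLS_PROCS})
    if tools:
        findings.append("guest utilities running: " + ", ".join(tools))
    for user, tty, host in parse_who(who_text):
        # Heuristic (assumption): a host field like ":0" is an X display,
        # i.e. an interactive GUI login rather than a remote shell.
        if user == "root" and re.match(r":\d+", host):
            findings.append(f"root has a GUI session on display {host} ({tty})")
    return findings


if __name__ == "__main__":
    for finding in audit_guest(SAMPLE_PS, SAMPLE_WHO) or ["no findings"]:
        print(finding)
```

On a real guest, feed the script the live output of the two commands; the findings map directly onto the mitigations in the message above (remove the guest utilities, do not log into the console GUI as root, administer over the network instead).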


