Dailydave mailing list archives
Re: POC 2007 notes v 2
From: Dave Aitel <dave () immunityinc com>
Date: Fri, 16 Nov 2007 15:12:18 -0500
Joanna Rutkowska wrote:
> Dave Aitel wrote:
>> Likewise the talk on Bios and VMWare vulnerabilities was interesting. Sun Bing had one demo where he got local Administrator on an XP SP2 guest by using a VMWare vulnerability (unreleased).
>
> On a *guest*? Are you saying it was a host->guest "attack"? If so, there are like millions of ways to do that, and neither of them requires any vulnerability in a VMM... It's just that in case of any type II VMM, if you're on the host, you can do anything you want with the guest, no big deal. Or am I missing something?

I think an unprivileged guest user attack against VMs running under the root user would be somewhat interesting, but that's not what he was doing here. He ran XP SP2 as a VMWare guest. Then inside that VM, he had a user "unpriv" which was not in the administrators group. Then he ran "VMexp.exe" as unpriv and all of a sudden unpriv was in the administrators group. According to the slides this bug is exploitable remotely via SMB as well. So there must be some sort of RPC or mailbox or file endpoint you get to touch.

>> The Bios tricks were interesting as well - essentially they were documentation on how to install useful Bios rootkits or perform a really annoying DoS by flipping one of the hardware bits (would require complete power drain to reset).
>
> Can you elaborate more on this and how that relates to what John Heasman showed at BH Federal in 2006?

According to his talk you flip the TOP_SWAP bit (using his SetTopSwap.exe as Admin). This causes the Intel south bridge to do memory mapping on the Bios memory area differently, and (among other things) means that if you reboot, the Bios will be "invalid" until the CMOS battery powers all the way down, which will reset the bit. Or something. Next time you need to come to Power Of Community so you won't have to see the talks through my befuddled jet-lagged mind.

- -dave
Current thread:
- POC 2007 notes v 2 Dave Aitel (Nov 16)
- Re: POC 2007 notes v 2 Joanna Rutkowska (Nov 16)
- Re: POC 2007 notes v 2 Dave Aitel (Nov 16)
- <Possible follow-ups>
- Re: POC 2007 notes v 2 Rodrigo Rubira Branco (BSDaemon) (Nov 17)
- Re: POC 2007 notes v 2 Joanna Rutkowska (Nov 16)