Dailydave mailing list archives

Re: POC 2007 notes v 2


From: Dave Aitel <dave () immunityinc com>
Date: Fri, 16 Nov 2007 15:12:18 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joanna Rutkowska wrote:
> Dave Aitel wrote:
>> Likewise the talk on Bios and VMWare vulnerabilities was interesting.
>> Sun Bing had one demo where he got local Administrator on an XP SP2
>> guest by using a VMWare vulnerability (unreleased).
>
> On a *guest*? Are you saying it was a host->guest "attack"? If so, there
> are like millions of ways to do that, and neither of them requires any
> vulnerability in a VMM... It's just, that in case of any type II VMM, if
> you're on the host, you can do anything you want with the guest, no big
> deal. Or am I missing something?


I think an unprivileged guest user attack against VMs running under the
root user would be somewhat interesting, but that's not what he was
doing here. He ran XP SP2 as a VMWare guest. Then inside that VM, he had
a user "unpriv" which was not in the Administrators group. Then he ran
"VMexp.exe" as unpriv and all of a sudden unpriv was in the
Administrators group.

According to the slides this bug is exploitable remotely via SMB as
well. So there must be some sort of RPC or mailbox or file endpoint you
get to touch.


>> The Bios tricks were interesting as well - essentially
>> they were documentation on how to install useful Bios rootkits or
>> perform a really annoying DoS by flipping one of the hardware bits
>> (would require complete power drain to reset).
>
> Can you elaborate more on this and how that relates to what John Heasman
> showed at BH Federal in 2006?

According to his talk you flip the TOP_SWAP bit (using his
SetTopSwap.exe as Admin). This causes the Intel south bridge to do
memory mapping on the Bios memory area differently, and (among other
things) means that if you reboot, the Bios will be "invalid" until the
CMOS battery powers all the way down, which will reset the bit. Or
something. Next time you need to come to Power Of Community so you won't
have to see the talks through my befuddled jet lagged mind.

- -dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHPfmitehAhL0gheoRApohAJ4wW4UwkUN00H2RrhjPjCrVXhL1PgCdGFPH
n+44trBQZhMCfrZc0sbgggY=
=W2VV
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
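An added example, not part of the thread and not Sun Bing's SetTopSwap.exe (which is not on this page): a model of what the Top Swap bit Dave describes actually does to the CPU's first fetch after reset, with a decoder for the two chipset registers that control it. The register layout is taken from the Intel ICH-series datasheets as I read them, and is stated as an assumption to check against your own chipset: BUC (Backed Up Control) at RCBA+0x3414, bit 0 = Top Swap (TS), which lives in the RTC well and so survives everything short of losing RTC/CMOS power; GCS (General Control and Status) at RCBA+0x3410, bit 0 = BIOS Interface Lock-Down (BILD), which makes TS read-only once set; and with TS=1 the ICH inverts address line A16 for accesses to the top 128 KB of the BIOS range, so the two 64 KB blocks at 0xFFFF0000 and 0xFFFE0000 trade places. Nothing here touches hardware; the register values and the flash image are constructed inline.

```c
/*
 * Added example (not from the Dailydave thread): model of the Intel ICH
 * "Top Swap" boot-block redirection and its lock bit.
 *
 * Assumed register layout (ICH-series datasheets, verify for your chipset):
 *   BUC = RCBA+0x3414, bit 0 = TS (Top Swap), RTC well: cleared only by
 *         RTC/CMOS power loss, which is why the DoS needs a full power drain.
 *   GCS = RCBA+0x3410, bit 0 = BILD, which makes TS read-only once set.
 *   With TS=1 the ICH inverts A16 for fetches in 0xFFFE0000-0xFFFFFFFF.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUC_TS_BIT    (1u << 0)      /* BUC bit 0: Top Swap (TS) */
#define GCS_BILD_BIT  (1u << 0)      /* GCS bit 0: BIOS Interface Lock-Down */
#define A16           0x10000u       /* address line inverted when TS=1 */
#define SWAP_WINDOW   0x20000u       /* top 128 KB: the two 64 KB blocks that swap */
#define FLASH_BASE    (0xFFFFFFFFu - SWAP_WINDOW + 1)   /* 0xFFFE0000 */
#define RESET_VECTOR  0xFFFFFFF0u    /* first fetch after reset (assumed, standard x86) */

/* Address the chipset actually presents to flash for a CPU fetch at `phys`. */
uint32_t top_swap_remap(uint32_t phys, uint32_t buc)
{
    if ((buc & BUC_TS_BIT) && phys >= FLASH_BASE)
        return phys ^ A16;           /* 0xFFFFxxxx <-> 0xFFFExxxx */
    return phys;
}

/* 1 if software can still flip TS through the RCBA window, 0 once BILD is
 * set. Firmware that sets BILD before handing off to the OS closes this path. */
int top_swap_writable(uint32_t gcs)
{
    return (gcs & GCS_BILD_BIT) == 0;
}

/* Constructed 128 KB tail of a flash image (not a real BIOS): the top block
 * holds a boot block whose reset vector is a far JMP (opcode 0xEA); the block
 * below it is erased flash, as on a BIOS that never populated a backup. */
static uint8_t flash[SWAP_WINDOW];

static void build_sample_flash(void)
{
    memset(flash, 0xFF, sizeof flash);          /* erased flash reads 0xFF */
    flash[RESET_VECTOR - FLASH_BASE] = 0xEA;    /* far JMP at the reset vector */
}

/* Does the CPU's first fetch land on plausible boot code under this BUC value? */
int first_fetch_looks_bootable(uint32_t buc)
{
    build_sample_flash();
    uint32_t a = top_swap_remap(RESET_VECTOR, buc);
    return flash[a - FLASH_BASE] == 0xEA;
}

int main(void)
{
    uint32_t buc_values[] = { 0, BUC_TS_BIT };
    for (size_t i = 0; i < 2; i++) {
        uint32_t buc = buc_values[i];
        printf("TS=%u: reset fetch 0x%08X -> flash 0x%08X, bootable=%d\n",
               buc & BUC_TS_BIT, RESET_VECTOR,
               top_swap_remap(RESET_VECTOR, buc),
               first_fetch_looks_bootable(buc));
    }
    printf("TS writable with BILD clear: %d, with BILD set: %d\n",
           top_swap_writable(0), top_swap_writable(GCS_BILD_BIT));
    return 0;
}
```

The point the model makes: Top Swap exists so a firmware updater can keep a known-good boot block in one 64 KB half while rewriting the other, and a BIOS that never populates the lower half turns the bit into a brick switch, since the CPU's first fetch after reset then lands on erased flash. The practitioner's check on a real ICH box, again per the datasheets rather than this thread, is to read RCBA from the LPC bridge (bus 0, device 31, function 0, config offset 0xF0), then read GCS at RCBA+0x3410 and confirm BILD is set; if it is clear, anything with ring-0 (or, on the page's XP SP2 setup, an Administrator loading a driver) can set TS exactly as SetTopSwap.exe did.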

