Dailydave mailing list archives

Re: POC 2007 notes v 2


From: Joanna Rutkowska <joanna () invisiblethings org>
Date: Fri, 16 Nov 2007 12:06:15 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dave Aitel wrote:
> Likewise the talk on BIOS and VMWare vulnerabilities was interesting.
> Sun Bing had one demo where he got local Administrator on an XP SP2
> guest by using a VMWare vulnerability (unreleased).

On a *guest*? Are you saying it was a host->guest "attack"? If so, there
are like millions of ways to do that, and none of them requires any
vulnerability in a VMM... It's just that in the case of any type II VMM, if
you're on the host, you can do anything you want with the guest, no big
deal. Or am I missing something?

> He also had several guest->host escape techniques (VMWare dying due
> to memory access failures and such) - no working PoC here, just
> crashes.

We saw many bugs in various VMMs -- just a couple of references:

* A paper from Tavis Ormandy (Google) on how most VMMs couldn't (at the
time the paper was written) properly handle many non-standard I/Os and
also properly parse some instructions (April 2007),

* Two interesting bugs by Rafal Wojtczuk affecting VMWare and Virtual MS
Server products that could potentially allow for guest escape (September
2007),

* A bug by Joris van Rantwijk affecting Xen 3, that allows for code
execution in dom0 from any other domain (September 2007).

This is all very good and interesting -- it's a very valuable argument
in convincing people that hypervisors (VMMs) should be extremely thin.
And thin means just a few thousand LOC, not 3MB of code (Hi 3i!).

After all, the industry didn't want to adopt the micro-kernel approach
and we all pay the price today (all those rootkits, etc), so at least
let's try not to make the same mistake again with VMMs...

However, I can't really understand why people go to a conference and
show a bunch of non-exploitable (by them) bugs without even giving any
details of the bug itself... Is it like: "Hey, I can use I/O fuzzer!"?
Or maybe I'm too conservative? (getting old and stuff)? :)

> The BIOS tricks were interesting as well - essentially
> they were documentation on how to install useful BIOS rootkits or
> perform a really annoying DoS by flipping one of the hardware bits
> (would require complete power drain to reset).

Can you elaborate more on this and how that relates to what John Heasman
showed at BH Federal in 2006?

joanna.
-----BEGIN PGP SIGNATURE-----

iQEVAwUBRz15pcwG7MOLAMOlAQJWCwf/dMJfCR9OWzZctlPLOgEN1rJGsaE+2SIQ
09xDiWXMBeJYJGLFsc2OmGDO+PRK8VgdY/sr2zlzIByBHL5z41ilUJO8BjN9+vvB
lD8KcP1U9uCvnp08suSE0JrsQ2CD81OAHOL/4I5bQOlS1rT65SEK9Aft8rKNriKN
BrG3Ck5oF6YXJyTkX0veR7V2tmtxxJqvHX/U67PAT+QY5rAMypQTEQzvhrWIHCb3
DkQbYPvoWZqLMP+Anah/igxWxkV55KJQ2WWIIJVhgx0m5kEJ9Djl+o7L+x9wfrMx
E8cUGWg+ht4fPDyO9geqwzLsQKt+1FXF2WvlS3TcnNRwtqFgucaLqQ==
=D8lR
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave