Dailydave mailing list archives
Re: POC 2007 notes v 2
From: Joanna Rutkowska <joanna () invisiblethings org>
Date: Fri, 16 Nov 2007 12:06:15 +0100
Dave Aitel wrote:
> Likewise the talk on Bios and VMWare vulnerabilities was interesting. Sun Bing had one demo where he got local Administrator on an XP SP2 guest by using a VMWare vulnerability (unreleased).
On a *guest*? Are you saying it was a host->guest "attack"? If so, there are like millions of ways to do that, and none of them requires any vulnerability in a VMM... It's just that in case of any type II VMM, if you're on the host, you can do anything you want with the guest, no big deal. Or am I missing something?
> He also had several guest->host escape techniques (VMWare dying due to memory access failures and such) - no working PoC here, just crashes.
We saw many bugs in various VMMs -- just a couple of references:

* A paper from Tavis Ormandy (Google) on how most VMMs couldn't (at the time the paper was written) properly handle many non-standard I/Os and also properly parse some instructions (April 2007),
* Two interesting bugs by Rafal Wojtczuk affecting VMWare and Virtual MS Server products that could potentially allow for guest escape (September 2007),
* A bug by Joris van Rantwijk affecting Xen 3, that allows for code execution in dom0 from any other domain (September 2007).

This is all very good and interesting -- it's a very valuable argument in convincing people that hypervisors (VMMs) should be extremely thin. And thin means just a few thousand LOC, not 3MB of code (Hi 3i!). After all, the industry didn't want to adopt the micro-kernel approach and we all pay the price today (all those rootkits, etc.), so at least let's try not to make the same mistake again with VMMs...

However, I can't really understand why people go to a conference and show a bunch of non-exploitable (by them) bugs without even giving any details of the bug itself... Is it like: "Hey, I can use an I/O fuzzer!"? Or maybe I'm too conservative? (getting old and stuff)? :)
> The Bios tricks were interesting as well - essentially they were documentation on how to install useful Bios rootkits or perform a really annoying DoS by flipping one of the hardware bits (would require complete power drain to reset).
Can you elaborate more on this and how that relates to what John Heasman showed at BH Federal in 2006?

joanna.
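The "I/O fuzzer" jab above refers to the random port I/O testing behind the Ormandy paper cited in the message. As an added illustration that is not code from this thread, from any of the people named, or from that paper, here is a minimal guest-side port I/O fuzzer of that kind: it drives random `in`/`out` instructions at random ports and widths from inside a guest so that a VMM's device emulation sees requests it was never written to handle. The generator is deterministic (xorshift32 from a seed, assumed here) so that the case that crashes the VMM can be replayed from the logged seed and index. Port I/O is only attempted on Linux/x86 with `iopl(3)` (an assumption: other targets compile but run in dry mode), and the function and flag names are this example's own.

```c
/* Added example: reproducible guest-side port I/O fuzzer (not from the thread). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__linux__) && (defined(__x86_64__) || defined(__i386__))
#include <sys/io.h>   /* iopl(), inb()/outb() and friends: Linux/x86 only (assumption) */
#define HAVE_PORT_IO 1
#else
#define HAVE_PORT_IO 0
#endif

struct fuzz_case {
    uint16_t port;     /* I/O port address */
    uint8_t  width;    /* 1, 2 or 4 bytes */
    int      is_write; /* 1 = out, 0 = in */
    uint32_t value;    /* data for writes; ignored for reads */
};

/* xorshift32: tiny, fast, and fully determined by the seed. */
static uint32_t xs32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Derives one case from the generator state. Half the cases are biased into the
 * legacy ISA range (0x000-0x3ff) where most emulated devices live. */
static void gen_case(uint32_t *s, struct fuzz_case *c) {
    static const uint8_t widths[3] = {1, 2, 4};
    uint32_t r = xs32(s);
    c->port = (uint16_t)(r & 0xffff);
    if (r & 0x10000) c->port &= 0x3ff;
    c->width = widths[(r >> 17) % 3];
    c->is_write = (int)((r >> 19) & 1);
    c->value = xs32(s);
}

static int port_io_available(void) {
#if HAVE_PORT_IO
    return iopl(3) == 0;   /* needs CAP_SYS_RAWIO inside the guest */
#else
    return 0;
#endif
}

/* Issues the actual instruction. Note that this can just as well wedge the
 * guest itself (e.g. hitting its own keyboard controller or PIT); that is
 * expected, which is why every case is logged before it runs. */
static void run_case(const struct fuzz_case *c) {
#if HAVE_PORT_IO
    if (c->is_write) {
        switch (c->width) {
        case 1:  outb((uint8_t)c->value, c->port);  break;
        case 2:  outw((uint16_t)c->value, c->port); break;
        default: outl(c->value, c->port);           break;
        }
    } else {
        switch (c->width) {
        case 1:  (void)inb(c->port); break;
        case 2:  (void)inw(c->port); break;
        default: (void)inl(c->port); break;
        }
    }
#else
    (void)c;
#endif
}

/* Generates n cases from seed; with dry_run != 0 it only lists them (useful for
 * replay/triage). Returns the number of cases processed, or -1 if real port I/O
 * was requested but is not available on this system. */
long fuzz(uint32_t seed, long n, int dry_run) {
    uint32_t s = seed ? seed : 1;   /* xorshift must never start from 0 */
    if (!dry_run && !port_io_available()) return -1;
    for (long i = 0; i < n; i++) {
        struct fuzz_case c;
        gen_case(&s, &c);
        /* Log first: the last line in the log identifies the case that killed the VMM. */
        fprintf(dry_run ? stdout : stderr,
                "seed=%u idx=%ld %s port=0x%04x width=%u value=0x%08x\n",
                seed, i, c.is_write ? "out" : "in ", c.port, c.width, c.value);
        if (!dry_run) run_case(&c);
    }
    return n;
}

/* usage: ./iofuzz <seed> <count> [--run]  (without --run only the case list is printed) */
int main(int argc, char **argv) {
    uint32_t seed = argc > 1 ? (uint32_t)strtoul(argv[1], NULL, 0) : 1;
    long n = argc > 2 ? strtol(argv[2], NULL, 0) : 1000;
    int dry = !(argc > 3 && argv[3][0] == '-');
    long done = fuzz(seed, n, dry);
    if (done < 0) { fprintf(stderr, "port I/O unavailable (not Linux/x86, or not root)\n"); return 1; }
    return 0;
}
```

Run it inside a throwaway guest as root with `--run` and watch the host-side process; the seed/index pair from the last logged line reproduces whatever made the VMM fall over. Finding such a crash is where the real work starts, which is the point of the complaint above: a crash from random I/O is evidence of a bug, not an analysis of it.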