Dailydave mailing list archives
CVE-2013-5892: hypervisor exploitation and stuff
From: Bas Alberts <bas.alberts () immunityinc com>
Date: Fri, 7 Feb 2014 11:34:25 -0500
Hi list,

So the ORACLE VirtualBox hypervisor vulnerability has been turning a few heads today after Matthew Daley's full disclosure post about the bugs he killed. Hypervisor exploitation is always interesting because you don't know what's at the end of the yellow brick road when you're popping out of the guest.

Something we see a lot is people making the assumption of network connectivity on the host side of things, but in reality the only assumption of connectivity you can make is your established route into the guest. So one thing we generally spend a lot of time on when doing hypervisor work is to ensure that the payload can tunnel your shell from host to guest. Generally the easiest way to do that is to use some shared memory segment between the host and the guest and run a simple protocol over that to tunnel your connectivity. This e.g. is what we did for the CLOUDBURST project (in a more convoluted form through direct3d APIs). This is also what we ended up doing for our work on what is now CVE-2013-5892. The exploitation route we ended up taking does not require an LKM (you can use libpciaccess for that stuff, and all you need is io port access and pci access, which you can just do as root).

Anyhow, we have a full research paper and working/reliable Linux to Linux guest/host exploit up on our CEU subscription feed. It's an interesting piece of exploit engineering and a neat example of real world hypervisor attacks (i.e. you're far from done once you get code execution). For the CEU folks you can find it at: https://www.immunityinc.com/ceu-index.shtml

Love,
Bas
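The post describes the transport in one sentence: a shared memory segment both sides can see, with a simple protocol run over it so the host-side payload can hand a shell back to the attacker's existing route into the guest. The following is an added example of that transport, written for this page; it is not code from the post, from the CLOUDBURST work or from the CVE-2013-5892 exploit. Each direction is a single-producer/single-consumer ring buffer whose only shared state is the data bytes and two indices, so neither side needs a lock, only a barrier before it publishes an index. The region layout, the `TUNNEL_MAGIC` marker, the function names and the guest's "ok:" echo are all hypothetical; a real tunnel would place `struct tunnel_region` in guest memory the host-side payload has mapped, whereas here it is an ordinary C object so the example runs in one process.

```c
/*
 * Added example (not from the post, nor Immunity's CLOUDBURST or
 * CVE-2013-5892 code): a minimal host<->guest shell tunnel transport over
 * a memory region visible to both sides. Layout, magic value and names
 * are hypothetical; in a real tunnel the region lives in guest memory
 * that the host-side payload has mapped.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RING_SIZE    256u          /* bytes per direction, power of two */
#define TUNNEL_MAGIC 0x544e4c31u   /* hypothetical marker for locating the region */

struct ring {
    volatile uint32_t head;        /* advanced only by the producer */
    volatile uint32_t tail;        /* advanced only by the consumer */
    uint8_t data[RING_SIZE];
};

struct tunnel_region {
    uint32_t magic;
    struct ring to_guest;          /* host produces, guest consumes */
    struct ring to_host;           /* guest produces, host consumes */
};

static void tunnel_init(struct tunnel_region *r)
{
    memset(r, 0, sizeof *r);
    __sync_synchronize();          /* rings are valid before the magic becomes visible */
    r->magic = TUNNEL_MAGIC;
}

/* Queue as many bytes as fit and return the count actually queued. The
 * producer never writes tail, so no lock is needed, but the data must be
 * visible to the other side before the new head is published. */
static size_t ring_write(struct ring *q, const uint8_t *buf, size_t len)
{
    size_t n = 0;
    uint32_t head = q->head, tail = q->tail;
    while (n < len && head - tail < RING_SIZE)
        q->data[head++ & (RING_SIZE - 1)] = buf[n++];
    __sync_synchronize();
    q->head = head;
    return n;
}

/* Drain up to len bytes and return the count actually read. */
static size_t ring_read(struct ring *q, uint8_t *buf, size_t len)
{
    size_t n = 0;
    uint32_t head = q->head, tail = q->tail;
    __sync_synchronize();          /* read data only after observing head */
    while (n < len && tail != head)
        buf[n++] = q->data[tail++ & (RING_SIZE - 1)];
    __sync_synchronize();          /* finish reading before freeing the slots */
    q->tail = tail;
    return n;
}

/* One full exchange: the host side queues a command, the guest side drains
 * it and replies, and the host side drains the reply. The guest "shell" is
 * constructed for the example: it answers "ok:" followed by the command.
 * Returns the number of reply bytes the host received. */
static size_t tunnel_roundtrip(struct tunnel_region *r, const char *cmd,
                               uint8_t *reply, size_t reply_len)
{
    uint8_t cmdbuf[RING_SIZE], out[RING_SIZE + 3];
    if (r->magic != TUNNEL_MAGIC)
        return 0;                  /* other side has not set the region up yet */

    /* host side */
    ring_write(&r->to_guest, (const uint8_t *)cmd, strlen(cmd));

    /* guest side: read, handle, reply */
    size_t got = ring_read(&r->to_guest, cmdbuf, sizeof cmdbuf);
    memcpy(out, "ok:", 3);
    memcpy(out + 3, cmdbuf, got);
    ring_write(&r->to_host, out, got + 3);

    /* host side again */
    return ring_read(&r->to_host, reply, reply_len);
}

/* Returns 1 when a command round-trips intact through both rings. */
static int tunnel_selftest(void)
{
    struct tunnel_region r;
    uint8_t reply[64];
    tunnel_init(&r);
    size_t n = tunnel_roundtrip(&r, "id", reply, sizeof reply);
    return n == 5 && memcmp(reply, "ok:id", 5) == 0;
}

/* A full ring must refuse the excess rather than overwrite unread data:
 * returns how many of 300 bytes a fresh ring accepts (RING_SIZE). */
static size_t ring_full_test(void)
{
    struct ring q = {0};
    uint8_t big[300];
    memset(big, 'A', sizeof big);
    return ring_write(&q, big, sizeof big);
}

int main(void)
{
    printf("roundtrip ok: %d, full ring accepted %zu of 300 bytes\n",
           tunnel_selftest(), ring_full_test());
    return 0;
}
```

The partial-write behaviour is the point of the full-ring check: when the consumer is slow (or dead, which is the failure mode you meet when the host has no route out), the producer must back off rather than clobber bytes the other side has not read yet, and a real payload would poll or sleep and retry on a short write.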