Dailydave mailing list archives

CVE-2013-5892: hypervisor exploitation and stuff


From: Bas Alberts <bas.alberts () immunityinc com>
Date: Fri, 7 Feb 2014 11:34:25 -0500

Hi list,

So the ORACLE VirtualBox hypervisor vulnerability has been turning a few
heads today after Matthew Daley's full disclosure post about the bugs
he killed.

Hypervisor exploitation is always interesting because you don't know what's
at the end of the yellow brick road when you're popping out of the guest.

Something we see a lot is people making the assumption of network connectivity
on the host side of things, but in reality the only assumption of
connectivity you can make is your established route into the guest.

So one thing we generally spend a lot of time on when doing hypervisor
work is to ensure that the payload can tunnel your shell from host to
guest. Generally the easiest way to do that is to use some shared memory
segment between the host and the guest and run a simple protocol over
that to tunnel your connectivity. This e.g. is what we did for the
CLOUDBURST project (in a more convoluted form through direct3d APIs).

This is also what we ended up doing for our work on what is now
CVE-2013-5892. The exploitation route we ended up taking does not
require an LKM (you can use libpciaccess for that stuff, and all
you need is io port access and pci access, which you can just do as root).

Anyhow, we have a full research paper and working/reliable Linux to
Linux guest/host exploit up on our CEU subscription feed. It's an
interesting piece of exploit engineering and a neat example of real
world hypervisor attacks (i.e. you're far from done once you get code
execution).

For the CEU folks you can find it at: https://www.immunityinc.com/ceu-index.shtml

Love,
Bas
