Penetration Testing mailing list archives
Re: RE: how an hacker can bypass a chrooted environement ?
From: john.fellers () gmail com
Date: 18 May 2006 16:59:33 -0000
I have read some articles about this in the past. Here is an excerpt from one of those: VMware has its own "backdoor" port, to communicate between internal (emulated) and exernal (emulating) code. There are some functions, which allows you (under emulation) to enable/disable different virtual devices, send internal messages, and do other things. Here is how these functions are called (you should use exception handling for this code): mov ecx, 0Ah ; CX=function# (0Ah=get_version) mov eax, 'VMXh' ; EAX=magic mov dx, 'VX' ; DX=magic in eax, dx ; specially processed io cmd ; output: EAX/EBX/ECX = data cmp ebx, 'VMXh' ; also eax/ecx modified (maybe vmw/os ver?) je under_VMware VMware registry keys are HKLM\Software\VMware, Inc.\VMware for Windows NT -- real HKLM\Software\VMWare, Inc.\VMware Tools\ -- virtual VMware executables directory is C:\Program Files\VMware -- both real and virtual There can be many different methods to detect if you're under virtual OS, such as incorrectly emulated ports, predetermined hardware info, special drivers and other things. I have not tried this, but the capability exists. It would not be hard to write a detection mechanism to test if you are in a virtual OS and write routines and functions to essentially "break out" of the virtual environment. You would simply have to know where the virtual OS is hooking into the actual operating system and bypass those. ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ------------------------------------------------------------------------------
Current thread:
- Re: how an hacker can bypass a chrooted environement ?, (continued)
- Re: how an hacker can bypass a chrooted environement ? alan (May 12)
- Re: how an hacker can bypass a chrooted environement ? Justin Ferguson (May 12)
- Re: how an hacker can bypass a chrooted environement ? Peter Kosinar (May 12)
- Re: how an hacker can bypass a chrooted environement ? Rob (May 12)
- Re: how an hacker can bypass a chrooted environement ? Tonnerre Lombard (May 12)
- Re: how an hacker can bypass a chrooted environement ? Norbert François (May 14)
- Re: how an hacker can bypass a chrooted environement ? Marco Ivaldi (May 16)
- RE: how an hacker can bypass a chrooted environement ? David M. Zendzian (May 17)
- Re: how an hacker can bypass a chrooted environement ? Chris Byrd (May 18)
- Re: how an hacker can bypass a chrooted environement ? Marco Ivaldi (May 17)
- Re: RE: how an hacker can bypass a chrooted environement ? john . fellers (May 18)
- Re: how an hacker can bypass a chrooted environement ? alan (May 12)