FOOL MOON BLOG
http://www.foolmoon.net/cgi-bin/blog/index.cgi
Fool Moon Software and Security Blog
Copyright 2006-2007 Monty McDougal. All Rights Reserved.

VMWare Escape Publicized at SANSfire 2007
http://www.foolmoon.net/cgi-bin/blog/index.cgi?mode=viewone&blog=1185593255

Anyone in the know on VMware security knows that Ed Skoudis, Tom Liston and “crew” from Intelguardians (and some close researchers) have been researching VMware escapes for the last couple of years for a US government customer. At SANSfire 2006, they presented some of this research, including how malware might detect that it is running under virtualization, and hinted that there were possible exploits (http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf). Tonight at SANSfire 2007 some of these were revealed and the world saw the first public display of this capability.

The information presented below represents my takeaway from this presentation given tonight (7/27/2007). The presentation is not expected to be made publicly available (other than via a paper tomorrow), so hopefully this will be of interest to anyone not in attendance. I am sure this will also hit some of the mainstream press sites in the next day or so. Any errors and misstatements in this are my own.

VMchat – an interesting little application that communicates across the ComChannel (what VMware refers to as the backdoor) between a client OS and the host OS. An application is run on the client OS which allocates a known memory buffer string. A DLL injection attack is performed against VMware on the host OS, which gives an application running on the host access to the memory of the client VMware machine. Once this is achieved, the memory buffer is used as a shared buffer serving as a communications channel between the client and host machines. Each can read and write data in this area. This was used to implement a simple chat program.

While not a total VM escape, this clearly shows the potential for abuse of any boundary separation between such hosts. Therefore, VMware is clearly unsuitable for separation of virtual machines with differing levels of data sensitivity. This capability exists regardless of whether VMware Tools is actually installed.

VMcat – essentially extends the above idea to provide a netcat equivalent across the client and host OSes. The implication is of course that any arbitrary file can be moved or a shell can be shoveled, just as with netcat. This is a larger, more real-world abuse of the above exploit.

VMdrag-n-hack – one of the capabilities of VMware allows file transfers and other communications between the host and client OSes. This communication occurs across the communications channel previously indicated. Using memory debuggers they were able to determine where data was read and written in these transfers. This allowed running code in the client OS that would replace a file being drag-n-dropped with another arbitrary file. This of course relies on the user doing a drag-n-drop between the client and host OS.

VMdrag-n-sploit – extends the concept of VMdrag-n-hack. If the user then executed this file on the host OS, it essentially would provide the two execution points used to ...

Blog Envy Satisfied
http://www.foolmoon.net/cgi-bin/blog/index.cgi?mode=viewone&blog=1150954681

I finally could not take it anymore and had to end my blog envy of my friend Don Weber’s blog at http://www.cutawaysecurity.com. This is going to include a lot of topics which will probably vary widely over time. I suspect it will mostly be things I find interesting out there in the big bad world of security. It will have links to programs and things I find useful and probably a few rants as well. Hopefully it will be useful to people over time, but we will have to see how that works out. For now consider this a preview of things to come as I have more time.