Guest Stealing...The VMware Way

SSID: FYRM URL: http://172.16.254.1

STEALING GUESTS...
THE VMWARE WAY
Justin Morehouse & Tony Flick
ShmooCon 2010


DISCLAIMER
Standard disclaimer verbiage...

•Everything said, showed, implied, etc. is not the
opinion of our employers, friends, dogs, VMware,
ShmooCon, etc.

•This disclaimer is not endorsed by our lawyers.


ABOUT US
Justin Morehouse

• Assessment Lead @ Large Retailer in Southeast USA
• Controls 58.2% of the MacBook Pro ﬂipping market on Craigslist

Tony Flick

• Principal @ FYRM Associates
• Has never mistaken Hunts ketchup for Heinz ketchup...EVER!


WARNING
What this presentation IS NOT:

• 0 day release - worked w/ VMware
• A demonstration of rocket science

What this presentation IS:

• A reminder of the security implications of virtualization
• The culmination of ‘sanity’ projects


TIMELINE
• Vulnerability identiﬁed on 5/14/09
• Reported to VMware on 5/15/09
• VMware responded on 5/21/09
• CVE-2009-3733 reserved on 10/20/09
• VMSA-2009-0015 released on 10/27/09
• ‘b. Directory Traversal vulnerability’


IDENTIFICATION
• Originally identiﬁed on VMware Server 2.0.1 build 156745
(on Ubuntu 8.04)

• Thought to be localized to inside of NAT interface of Host (8307/tcp)
• Can steal VMs from within other VMs... if NAT’d
• Kinda cool, not really practical
• What we originally reported to VMware & submitted to ShmooCon

but......


DOES THIS LOOK FAMILIAR?


HOW ABOUT THIS?


VULNERABILITY
•Web Access web servers also vulnerable
•Server (default ports 8222/8333) - ../ x 6
•ESX/ESXi (default ports 80/443) - %2E%2E/ x 6
•No longer requires NAT mode / Remotely exploitable
•Not as straightforward as originally thought
•Still trivial to exploit because...


IT’S GOOD TO BE ROOT
•Web servers are running as root = complete access
•ESX/ESXi

•Server


HOW IT WORKS ON SERVER
•Proxy used to redirect requests based on URL
•/etc/vmware/hostd/proxy.xml (includes mappings)
•/sdk = 8307/tcp
•/ui = 8308/tcp


HOW IT WORKS ON SERVER
•Web server on 8308/tcp is vulnerable, but will only serve
certain filetypes (xml, html, images, etc.)

•Web server on 8307/tcp is also vulnerable, but serves ALL
filetypes

•Simply append /sdk to our URL request and we’ve got
complete access to Host filesystem (including other Virtual
Machines)

•ESX/ESXi - ALL web servers return ALL filetypes (no /sdk)


VULNERABLE VERSIONS
Server
• VMware Server 2.x < 2.0.2 build 203138 (Linux)
• VMware Server 1.x < 1.0.10 build 203137 (Linux)

ESX/ESXi
• ESX 3.5 w/o ESX350-200901401-SG
• ESX 3.0.3 w/o ESX303-200812406-BG
• ESXi 3.5 w/o ESXe350-200901401-I-SG


GUESTSTEALER
•Perl script remotely ‘steals’ virtual machines from vulnerable
hosts

•Supports Server, ESX, ESXi
•Allows attacker to select which Guest to ‘steal’
•Utilizes VMware configuration files to identify available
Guests and determine associated files


VMINVENTORY.XML
•/etc/vmware/hostd/vmInventory.xml (default location)
•Gives us Guest inventory & location information


GUEST .VMX & .VMDK
• .vmx gives us Guest conﬁg and ﬁle locations

•.vmdk (disk image) can point to other .vmdk images


LIVE DEMO


MITIGATION STRATEGIES
• Patch, patch, patch
• Hosts are an attractive target (compromise one = access many)

• Better yet...Segment, segment, segment
• Segment management interfaces
• Segment systems of different security levels
• Don’t share physical NICs between different security levels

• Virtualization is not always the ‘best answer’


QUESTIONS?

GuestStealer available for download @

www.fyrmassociates.com

Guest Stealing...The VMware Way

More Related Content

Similar to Guest Stealing...The VMware Way (20)

More from SecurityTube.Net (15)

Guest Stealing...The VMware Way