Hypervisors and Virtual Machines (VM): State Of The Art
By Jonathan Sinclair (nX)
Story Line
• Background
• Which path to take
• Available attack space
• What’s available
• Review
• A new path
The Cloud – a quick history lesson
• Memo sent from J.C.R. Licklider to his colleagues in 1963, titled “MEMORANDUM FOR: Members and Affiliates of the Intergalactic Computer Network”
– Set the foundations for the concepts we find in the Internet and Cloud computing
• Popek and Goldberg, in their 1974 paper "Formal Requirements for Virtualizable Third Generation Architectures"
– Defined the virtualisation requirements: Equivalence, Resource Control, Efficiency
• Timeline:
– 1998: VMware founded
– 1999: Salesforce online
– 2002: Amazon Web Service available
– 2003: Public release of Xen
– 2006: Amazon EC2 born
– 2008: Microsoft Hyper-V
What does it mean
• To the oldies (those that remember the 60’s and 70’s): Isn’t this just time-share computing?
• To the youth (those who don’t know what assembler is and can’t remember BBS’s, Monkey Island or Elite): Everything is shared everywhere and accessible anywhere. Why didn’t it always work this way?
• To the hacker: Thankfully I now only have to attack one platform.....perhaps
Cloud perspectives
• Cloud in 4D
– Cloud Clients: Web Browsers, Mobile applications, Thin clients
– SaaS: CRM, Email, Virtual desktops, Games
– PaaS: Databases, Web servers
– IaaS: Virtual Machines, Servers, Storage, Networks
Hacking at the periphery
• Socially-based cloud services: Facebook, Twitter, iCloud, Dropbox, Skydrive, etc.
• The now infamous Mat Honan hack, loss of his digital life
– Accounts daisy-chained
– No two-factor authentication
– No backups
Out of scope for this talk. Traditional spear-phishing methods can be utilised
Focus of this talk: IaaS
• SaaS: Leave it to the web security guys
• PaaS: Could be interesting but focuses more on services
• IaaS:
– Combines technologies
– Attack surface is large
– Brings the most control
– Breakout can lead to complete control of an infrastructure
IaaS
• So things should be easy now we have focus, right?
– Wrong
• The IaaS world is filling with vendors*:
– Hyper-V (Microsoft)
– VirtualBox (Oracle)
– Xen (Cambridge Computer Laboratory, open source)
– VMware (EMC)
* Remind anyone of the OS world before *nix, MS and Apple took control?
Constraint 1
• What is ‘bare-metal’?
• Two principal categories for hypervisor technologies (as defined by R. Goldberg)
– Type 1: Hypervisors that run directly on the host’s hardware
– Type 2: Hypervisors that run on top of a conventional operating system
• It becomes a question of how the guest operating system accesses the underlying hardware
Why does this matter?
• When considering exploitation it pays to go after bare-metal systems
– Technology is still immature with regards to security
• Exploits utilising buffer overflows, non-sanitised instruction breakouts and system crashes (PSOD, the ESX purple screen of death) are still rife
– Landscape still heterogeneous (look at EMC’s recent acquisitions in the cloud space)
Constraint 2
• As with Microsoft, it pays to go after the big player as the rewards will be greater
– Approximately one year ago the Taneja Group identified VMware as the vendor market leader in this space
• Gartner substantiates this (did I just mention that here?)
Applying the constraints
• Bare-metal hypervisors:
– Hyper-V
– VMware’s ESX/ESXi
– Xen
• Global coverage:
– VMware
– Xen
– Hyper-V
VMware / IaaS
• We have a candidate:
– VMware
• Its global coverage shows it’s still the market leader (2012)
• It offers a ‘bare metal’ installation
• Its involvement in the Vblock* initiative allows for full, often enterprise-level, infrastructure exploitation
• It’s a Red Hat hack, so we can reuse existing exploitation knowledge
* Vblock is a virtualisation platform from the Virtual Computing Environment, an initiative between EMC, VMware and Cisco to provide a fully virtualised infrastructure
VM Penetration-Testing
• Previously hackers only had to look at exploiting the physical layer
• Now they have to gear up to also take on the virtual infrastructure
Ex Security
• The dimensionality of the security layer just got elevated
[Diagram: the penetration-testing phases (target scoping, information gathering, target discovery, enumerating target, vulnerability mapping, social engineering, target exploitation, privilege escalation, maintaining access, documentation and reporting) now span both the physical layer and the virtualisation layer]
Outside looking in
1. You’re external to the system with no guest account access
• Adopt normal attack methods: port scanning, vulnerability identification, exploitation
• The system will always look like a normal server from the external perspective
– An exception to this can be insecurely mapped ports (e.g. unprotected vSphere)
• Aim for low hanging fruit. Guest access is all you need
2. You have an account on a system, but is it virtualised?
• This scenario covers an internal corporate breach. As security experts we shouldn’t forget about attacks from the inside: contractors, disgruntled employees
Reconnaissance
• Traditional Port Scanning Methods
– 443, 902 and 903 are good starting candidates
• Shodan HQ
• Google hacking
Hypervisor identification
• VMware Backdoor:
– Never fully disabled and can reveal a lot of system-level information
• movw $0x5658, %dx ; the VMware I/O port
• The value moved into CX selects the command: 01h (processor speed), 0Ah (VMware version), etc.
• Linux:
– If you can install anything under the exploited account:
• imvirt (doesn’t require root)
– Coverage: VirtualBox, VMware, OpenVZ, Physical, QEMU, UML, Xen, lguest, ARAnyM, LXC
– If you happen to have root: virt-what (requires root)
• Coverage: KVM, Xen, QEMU, VirtualBox, System z, LPAR, z/VM, VMware, Hyper-V
• Windows:
– Stand-alone GUI application by Elias Bachaalany
• Still relevant despite being coded in 2005
• Coverage: Virtual PC, VMware (for us this is enough)
• Other tricks:
– dmidecode/SMBIOS structures, SIDT instruction identification (Red Pill)
– Mac OS X: Not tested, but SIDT tricks should still hold true
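As an added example (not code from the slides or from any of the tools named above), the backdoor probe from this slide written out in C, next to the CPUID hypervisor-present bit and 0x40000000 vendor leaf that virt-what's cpuid helper reads; the CPUID part goes beyond what the slide lists. The IN on port 0x5658 faults on real hardware, so it is wrapped in a SIGSEGV guard; the program assumes an x86 Linux/Unix guest and a GCC- or Clang-compatible compiler, and on other architectures the live checks just report "no hypervisor".

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0   /* non-x86 build: the live checks simply report "no hypervisor" */
#endif
#define VMWARE_MAGIC   0x564D5868u  /* "VMXh": EAX must hold this for the backdoor */
#define VMWARE_PORT    0x5658u      /* "VX": the slide's movw $0x5658, %dx          */
#define CMD_GETVERSION 0x0Au        /* ECX = 0Ah on the slide: VMware version       */

/* Assemble the 12-byte vendor signature returned in CPUID.0x40000000 EBX:ECX:EDX. */
void cpuid_vendor_string(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    memcpy(out, &ebx, 4);          /* little-endian register image = character order */
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* Map a signature to a product; each vendor publishes its own fixed string. */
const char *classify_vendor(const char *sig) {
    if (strcmp(sig, "VMwareVMware") == 0) return "VMware";
    if (strcmp(sig, "Microsoft Hv") == 0) return "Hyper-V";
    if (strcmp(sig, "XenVMMXenVMM") == 0) return "Xen";
    if (strncmp(sig, "KVMKVMKVM", 9) == 0) return "KVM";
    if (strcmp(sig, "VBoxVBoxVBox") == 0) return "VirtualBox";
    return "unknown";
}

/* Classify captured register values directly (this is what the self-test exercises). */
const char *identify_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx) {
    static char sig[13];
    cpuid_vendor_string(ebx, ecx, edx, sig);
    return classify_vendor(sig);
}

/* CPUID.1:ECX bit 31 is reserved for "hypervisor present"; 0 on bare metal. */
int hypervisor_present(void) {
#if HAVE_X86
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return 0;
    return (int)((ecx >> 31) & 1u);
#else
    return 0;
#endif
}

/* Read the vendor leaf into out; only meaningful when the hypervisor bit is set. */
int hypervisor_vendor(char out[13]) {
#if HAVE_X86
    unsigned eax, ebx, ecx, edx;
    if (!hypervisor_present()) return 0;
    __cpuid(0x40000000u, eax, ebx, ecx, edx);   /* __get_cpuid() rejects this leaf */
    cpuid_vendor_string(ebx, ecx, edx, out);
    return 1;
#else
    (void)out; return 0;
#endif
}
#if HAVE_X86
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }
#endif
/* The slide's backdoor: IN from port 0x5658 with EAX = magic, ECX = command. VMware
 * answers from any ring and echoes the magic in EBX; on real hardware an unprivileged
 * IN raises #GP, delivered as SIGSEGV (SIGBUS on some kernels), so it is guarded. */
int vmware_backdoor_version(uint32_t *version) {
#if HAVE_X86
    struct sigaction sa, old_segv, old_bus;
    volatile int found = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_env, 1) == 0) {
        uint32_t eax = VMWARE_MAGIC, ebx = 0, ecx = CMD_GETVERSION, edx = VMWARE_PORT;
        __asm__ volatile("inl %%dx, %%eax"
                         : "+a"(eax), "+b"(ebx), "+c"(ecx), "+d"(edx) : : "memory");
        if (ebx == VMWARE_MAGIC) { *version = eax; found = 1; }
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return found;
#else
    (void)version; return 0;
#endif
}

int main(void) {
    char sig[13]; uint32_t ver = 0;
    printf("CPUID hypervisor-present bit: %d\n", hypervisor_present());
    if (hypervisor_vendor(sig)) printf("CPUID vendor: \"%s\" -> %s\n", sig, classify_vendor(sig));
    if (vmware_backdoor_version(&ver)) printf("VMware backdoor answered: version %u\n", ver);
    else printf("VMware backdoor silent (not VMware, or port access trapped)\n");
    return 0;
}
```

The same CPUID bit is what a detection tool should trust first; the backdoor answer only confirms VMware specifically.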
Past, Present and State-of-the-Art
• Blue Pill / SubVirt
• VMChat
• Cloudburst
• Metasploit weaponised
• Steal a VM
• VMDK Has Left the Building
• Suspended state: pass the hash
• Adaptive VM aware malware
Blue Pill / SubVirt
• Created by Joanna Rutkowska and released publicly in 2006
– The concept was to create an ultra-thin hypervisor which installs on-the-fly and can then operate undetected by the host OS
– Offering a way to subvert the entire OS and hide its existence
• Ref: http://theinvisiblethings.blogspot.ch/2006/06/introducing-blue-pill.html
VMChat etc.
• Ed Skoudis and Tom Liston back in 2006 created breakout applications (vmchat, vmftp, vmcat etc.) that bridged VMs’ shared memory models (ComChannel), enabling chat between the systems as well as a number of other functionalities.
• Unfortunately their work is governed under DHS, therefore no working version is available for demonstration at this moment
• Ref: “On the Cutting Edge: Thwarting Virtual Machine Detection”
Cloudburst
• Originally presented in 2009 at Black Hat, Las Vegas, by Kostya Kortchinsky from Immunity
• Essential elements:
– Exploited ESX 3D support
– Addressed an x,y display glyph which was never bounds checked
– Allowed for a reliable host -> guest breakout
– Bundled with Canvas for a nice price tag
Cloudburst 2
• Piotr Bania made improvements on the original and was kind enough to release the source code
• MS XP SP3 -> virtualised MS XP SP3 (VMware Workstation 6.5.1 build 126130) host to guest breakout whereby the exploit can access/run any file on the host
Metasploit weaponised
• VASTO 0.4 from Claudio Criscione now provides out of
the box modules for hypervisor technologies
– vmware_guest_stealer
– vmware_session_rider
– xen_login
– eucalyptus_poison
– vmware_autopwner
– Etc.
• Failing Metasploit installation, run the modules
manually via Ruby
Steal a VM
• ESXi 3.0
– vmware_guest_stealer
• Exploits the vulnerability CVE-2009-3733 discovered by Morehouse & Flick
• Directory traversal attack against the host hypervisor
• Allows complete acquisition of other hosted VMs into the guest/attacker client
• ESXi 5.0 has been silently patched
VMDK Has Left the Building
• Work coming from the guys at ERNW GmbH:
– Matthias Luft, Daniel Mende, Enno Rey, Pascal Turbing
– Attacks the virtual machine configuration file (which is of course stored in plain text)
– Guest -> Host data extraction via *.vmdk configuration file modification, by exploiting the ‘# Extent description’ RW setting
• Demo’d complete retrieval of the backed-up host /etc folder
• Demo’d ability to mount the physical hard drive of the ESX host
• Valid for the ESXi version 5.0 hypervisor
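An added defender-side check, not ERNW's or VMware's code: a small auditor for VMDK descriptor files that flags extent lines which have been repointed outside the VM's own directory, the modification the slide describes. A healthy descriptor names its extents as sibling *.vmdk files, so the rules are "no path separators, no traversal, must be a .vmdk", plus a review flag for raw device mappings, which goes slightly beyond the slide. The descriptor text is a constructed sample; the path /scratch/backup/etc.tgz in it is made up for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FINDINGS 16

typedef struct {
    int line_no;          /* 1-based line in the descriptor */
    char file[256];       /* extent file name as written */
    const char *reason;   /* policy rule that fired */
} finding_t;

static finding_t g_findings[MAX_FINDINGS];

/* Extent line: ACCESS SIZE TYPE "FILENAME" [OFFSET]. Returns 1 if the line is one. */
static int parse_extent(const char *line, char type[16], char file[256]) {
    char access[16];
    unsigned long sectors;
    if (sscanf(line, "%15s %lu %15s \"%255[^\"]\"", access, &sectors, type, file) != 4)
        return 0;
    return strcmp(access, "RW") == 0 || strcmp(access, "RDONLY") == 0 ||
           strcmp(access, "NOACCESS") == 0;
}

/* First policy rule an extent violates, or NULL. A healthy descriptor names sibling
 * *.vmdk extents by bare file name, so anything path-like is the edit on the slide. */
static const char *extent_problem(const char *type, const char *file) {
    size_t n = strlen(file);
    if (file[0] == '/' || file[0] == '\\')
        return "absolute path: extent escapes the VM directory";
    if (strstr(file, "..") != NULL)
        return "parent-directory traversal in extent file name";
    if (strchr(file, '/') != NULL || strchr(file, '\\') != NULL)
        return "path separator: extent should be a sibling file";
    if (n < 5 || strcmp(file + n - 5, ".vmdk") != 0)
        return "extent file is not a .vmdk: descriptor points at foreign data";
    if (strncmp(type, "VMFSRDM", 7) == 0 || strcmp(type, "VMFSRAW") == 0)
        return "raw device mapping: confirm the mapped device is intended";
    return NULL;
}

/* Walk the descriptor text line by line; returns the number of findings recorded. */
int audit_vmdk_descriptor(const char *text) {
    int count = 0, line_no = 0;
    const char *p = text;
    while (*p) {
        char line[512], type[16], file[256];
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        line_no++;
        p += full + (nl ? 1 : 0);
        if (line[0] == '#' || line[0] == '\0' || !parse_extent(line, type, file))
            continue;                              /* comments, header keys, ddb.* keys */
        const char *why = extent_problem(type, file);
        if (why != NULL && count < MAX_FINDINGS) {
            g_findings[count].line_no = line_no;
            memcpy(g_findings[count].file, file, sizeof file);
            g_findings[count].reason = why;
            count++;
        }
    }
    return count;
}

int finding_line(int i) { return (i >= 0 && i < MAX_FINDINGS) ? g_findings[i].line_no : -1; }
const char *finding_reason(int i) { return (i >= 0 && i < MAX_FINDINGS) ? g_findings[i].reason : NULL; }

/* Constructed sample descriptor (not taken from any real system): one normal extent,
 * then two extents edited the way the slide describes. */
const char *SAMPLE_DESCRIPTOR =
    "# Disk DescriptorFile\n"
    "version=1\n"
    "CID=fffffffe\n"
    "parentCID=ffffffff\n"
    "createType=\"vmfs\"\n"
    "\n"
    "# Extent description\n"
    "RW 4192256 VMFS \"victim-flat.vmdk\"\n"
    "RW 8192 FLAT \"/scratch/backup/etc.tgz\" 0\n"
    "RW 2048 FLAT \"../other-vm/other-flat.vmdk\" 0\n"
    "\n"
    "# The Disk Data Base\n"
    "#DDB\n"
    "ddb.adapterType = \"lsilogic\"\n";

int main(void) {
    int n = audit_vmdk_descriptor(SAMPLE_DESCRIPTOR), i;
    printf("%d suspicious extent(s)\n", n);
    for (i = 0; i < n; i++)
        printf("  line %d: %s (%s)\n", finding_line(i), g_findings[i].file, finding_reason(i));
    return 0;
}
```

Run it over the descriptors on a datastore before and after a guest is given write access to its own directory; the cheaper mitigation is simply not to let the guest reach its configuration files at all.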
Suspended state: pass the hash
• Mark Baggett, SANS instructor, has presented a ‘pass the hash’ attack method against a VM’s image file
• Methodology:
– Convert the VM image file (snapshot or suspended state) to a memory dump file (vmss2core)
– Obtain the OS version and use it in combination with Volatility to dump the hashes (via the virtual memory offsets) using the registry entries:
• \REGISTRY\MACHINE\SYSTEM
• \SystemRoot\System32\Config\SAM
– Then use lsadump/samdump to start cracking the passwords
Adaptive VM aware malware
• Crisis, or Morcut, is a rootkit that has the ability to adaptively weaponise for multiple targets:
– Windows, Mac OS X, VMs
Appraisal
• The ‘cloud’ hypervisor world is upon us
• User demands for convenience and business promises of lower maintenance costs are speeding the adoption of a virtualised world
• VMware Backdoor access isn’t secured
• VMDK exploitations are now gaining traction
• vSphere SOAP calls are vulnerable
• VMware Backdoor network always available to help
• vMotion network transmits the memory image in clear text
Optimism
• VMware’s silent patching and quick release cycles are improving the security situation
• Enterprise patching for public clouds should be ensured by the vendor and governed contractually
• Security is getting focus
• VMware profiling allows golden secure guest OS images to be created and distributed
• VMware Update allows for synchronised and manageable control of the virtualised environment
Pessimism
• Virtualised bridging between the guest and host will always offer a juicy attack vector
– Paravirtualised drivers
– Regular drivers
• Shared hardware resources will never be able to ensure secure sandboxing
• Asset segregation can never be secured to the same degree as physical systems
• Derek Soeder is always lurking
– CVE-2012-1515: Backdoor ROM overwrite privilege escalation vulnerability, March 2012
– CVE-2012-1517: Unprivileged code execution from the guest machine, May 2012
– CVE-2012-1516: Uninitialized memory, potential VM breakout, May 2012
Pessimism
• Did I mention patch cycles?
– Customer question on community blog:
• Question: “Does VMware have a scheduled patch cycle? When do they release patches, monthly, quarterly, or on a "as needed" basis?”
• Answer: “There is no such Patch Release cycle as Microsoft has for its operating systems in VMware. You can check continuously in Update Manager for any recent patch release and can apply them according to the advisory released from VMware.”
Pessimism
• Trend of Security Advisories from VMware
– The rate of security advisories for VMware in 2012 demonstrates issues still exist
[Chart: VMware Security Advisories 2012, y-axis “Number of Advisories” (0–6)]
Future
• QubesOS
– Virtualisation issues identified early on
– Invisible Things Labs has been leading the way in this field for research
• Places data responsibility into the hands of the security architect
• Segregates information into security domains supported by network permission and accessibility
• Champions the notion of lightweight disposable virtual machines whose purpose will be to host only a single application
Future
• QubesOS
– Rutkowska’s take on secure sandboxing methods:
“I think that Apple iOS is a good example of such a “safe” OS – it automatically puts each application into its own sandbox, essentially not relying on the user to make any security decisions. However, the isolation that each such sandbox provides is far from being secure, as various practical attacks have proven, and which is mostly a result of exposing too fat APIs to each sandbox, as I understand. In Qubes OS, it's the user that is responsible for making all the security decisions – how to partition her digital life into security domains, what network and other permissions each domain might have”
Current PoC Research
Parasite
• Parasite
– A new form of malware
– Exists as a self-contained agent that stays with its host
– Manipulates its carrier’s environment to ensure migration
– Explores the virtual target space
Parasite: Mode of operation
[Diagram: Exploit the system -> Identify environment -> Reconnaissance -> Test constraints -> Trigger Migration -> Reconnaissance]
Parasite Lab
• Host: VMware ESXi 5.0.0 build 623860
• Clients: Linux BT R3 32-bit, Windows XP, Windows 8
• 1 Cluster, 6 VMs all existing on the same VLAN segment
• vMotion configured to ‘moderate’ threshold setting
PoC objectives
• Demonstrate capabilities and present a case for a potential new threat
• Force automatic migration by triggering vMotion
– Simulate high load on the guest OS
• Produce a high number of files and directories, forcing the VMware DB limit to overload (circa 31,000)
• Explore clustered hosts of the virtualised infrastructure
• DoS attack caused by the constantly migrating VM overloading the hypervisor (due to a poorly defined vMotion threshold configuration)
• Sniff network traffic of various nodes, e.g. VM migrations
• Perform reconnaissance analysis
PoC Status
• Work in progress
• Whitepaper planned for early 2013
Precaution from Woz
• A quote from someone it might be worth listening to:
"I really worry about everything going to the cloud"
"I think it's going to be horrendous. I think there are going to be a lot of horrible problems in the next five years.”
-- Steve Wozniak
Final word
• Hackers: We have a fertile new playground with a lot of tech to explore
• Youth: Use the cloud but know the risks
• Old/Experienced: The time-share idea is becoming a reality
A new piece of malware may be lurking
Thanks for listening
And for those still paying attention, the smart people at Vupen have released the following PoC: Citrix Xen Intel CPU 64-Bit Mode Sysret PV Guest to Host Escape (CVE-2012-0217)

More Related Content

PPTX
Cloud.pptm
PPTX
Hypervisors
PDF
Scale 12x Securing Your Cloud with The Xen Hypervisor
PDF
Virtualization security and threat
PPTX
Hypervisor Security - OpenStack Summit Hong Kong
PDF
Hypervisors and Virtualization - VMware, Hyper-V, XenServer, and KVM
PDF
Hypervisor Framework
PDF
Kernel Mode Threats and Practical Defenses
Cloud.pptm
Hypervisors
Scale 12x Securing Your Cloud with The Xen Hypervisor
Virtualization security and threat
Hypervisor Security - OpenStack Summit Hong Kong
Hypervisors and Virtualization - VMware, Hyper-V, XenServer, and KVM
Hypervisor Framework
Kernel Mode Threats and Practical Defenses

What's hot (19)

PPTX
Principles of Virtualization - Introduction to Virtualization Software
PDF
OSSEU18: NVDIMM and Virtualization - George Dunlap, Citrix
PPSX
Virtualization basics
PDF
Xen and Client Virtualization: the case of XenClient XT
PDF
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
PPTX
Introduction to Virtualization, Virsh and Virt-Manager
KEY
Hardware supports for Virtualization
PDF
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
PPTX
µ-Xen
PPTX
Virtualization securityv2
PDF
Rootlinux17: An introduction to Xen Project Virtualisation
PDF
Rmll Virtualization As Is Tool 20090707 V1.0
PDF
VMworld 2014: ESXi Hypervisor Security
PDF
Security in a Virtualised Environment
PDF
XPDDS18: LCC18: Xen Project: After 15 years, What's Next? - George Dunlap, C...
PDF
Virtualization Technology Overview
PPTX
1.Introduction to virtualization
ODP
VMware vSphere 5.1 Overview
PDF
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...
Principles of Virtualization - Introduction to Virtualization Software
OSSEU18: NVDIMM and Virtualization - George Dunlap, Citrix
Virtualization basics
Xen and Client Virtualization: the case of XenClient XT
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
Introduction to Virtualization, Virsh and Virt-Manager
Hardware supports for Virtualization
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
µ-Xen
Virtualization securityv2
Rootlinux17: An introduction to Xen Project Virtualisation
Rmll Virtualization As Is Tool 20090707 V1.0
VMworld 2014: ESXi Hypervisor Security
Security in a Virtualised Environment
XPDDS18: LCC18: Xen Project: After 15 years, What's Next? - George Dunlap, C...
Virtualization Technology Overview
1.Introduction to virtualization
VMware vSphere 5.1 Overview
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...
Ad

Similar to State of virtualisation -- 2012 (20)

PPTX
Operating system Virtualization_NEW.pptx
PDF
Xen revisited
PPT
Virtualization in cloud
PPTX
CSC_406_5_Virtualization - Case Study, it's base on virtualization
PPTX
CSC_406_5_Virtualization - Case Study, it's base on virtualization
PDF
Joyent's Bryan Cantrill: Experiences Porting KVM to SmartOS at KVM Forum, Aug...
PDF
Experiences porting KVM to SmartOS
PDF
Unikernels: Rise of the Library Hypervisor
PPTX
Bridging the Semantic Gap in Virtualized Environment
PDF
Unikernels: the rise of the library hypervisor in MirageOS
PDF
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
PPTX
17-virtualization.pptx
PDF
Txlf2012
PDF
CloudStack - LinuxFest NorthWest
PPTX
Virtualization 101 - DeepDive
PPT
Cloud-computing.ppt
PPTX
Virtualization Cloud computing technology
PPT
Virtualization Technology for Test Automation
PPT
Virtualization Technology for Test Automation
PDF
PowerShell Defcon for Cybersecurity Topics
Operating system Virtualization_NEW.pptx
Xen revisited
Virtualization in cloud
CSC_406_5_Virtualization - Case Study, it's base on virtualization
CSC_406_5_Virtualization - Case Study, it's base on virtualization
Joyent's Bryan Cantrill: Experiences Porting KVM to SmartOS at KVM Forum, Aug...
Experiences porting KVM to SmartOS
Unikernels: Rise of the Library Hypervisor
Bridging the Semantic Gap in Virtualized Environment
Unikernels: the rise of the library hypervisor in MirageOS
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
17-virtualization.pptx
Txlf2012
CloudStack - LinuxFest NorthWest
Virtualization 101 - DeepDive
Cloud-computing.ppt
Virtualization Cloud computing technology
Virtualization Technology for Test Automation
Virtualization Technology for Test Automation
PowerShell Defcon for Cybersecurity Topics
Ad

More from Jonathan Sinclair (11)

PPTX
Is the SOC working as a viable business model (or security model)?
PPTX
Machine learning 101 - or less
PDF
The cyber security hype cycle is upon us
PPTX
Architecting trust in the digital landscape, or lack thereof
PPTX
SOC: Use cases and are we asking the right questions?
PPTX
XAI – accountability unchecked
PPTX
Cyber speed – the unknown velocity component
PPTX
Cyber Security: Strategies, Defence and what’s not working
PPT
Blue Ocean IT Security
PPTX
Vulnerability management today and tomorrow
PPTX
Breach analysis slideshare
Is the SOC working as a viable business model (or security model)?
Machine learning 101 - or less
The cyber security hype cycle is upon us
Architecting trust in the digital landscape, or lack thereof
SOC: Use cases and are we asking the right questions?
XAI – accountability unchecked
Cyber speed – the unknown velocity component
Cyber Security: Strategies, Defence and what’s not working
Blue Ocean IT Security
Vulnerability management today and tomorrow
Breach analysis slideshare

Recently uploaded (20)

PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
Zenith AI: Advanced Artificial Intelligence
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PDF
A comparative analysis of optical character recognition models for extracting...
PDF
Hindi spoken digit analysis for native and non-native speakers
PDF
August Patch Tuesday
PDF
Hybrid model detection and classification of lung cancer
PDF
Getting Started with Data Integration: FME Form 101
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PPTX
A Presentation on Artificial Intelligence
PPTX
Chapter 5: Probability Theory and Statistics
PDF
Heart disease approach using modified random forest and particle swarm optimi...
PDF
project resource management chapter-09.pdf
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
PDF
A comparative study of natural language inference in Swahili using monolingua...
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
PPTX
OMC Textile Division Presentation 2021.pptx
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
PDF
DP Operators-handbook-extract for the Mautical Institute
Digital-Transformation-Roadmap-for-Companies.pptx
Zenith AI: Advanced Artificial Intelligence
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
A comparative analysis of optical character recognition models for extracting...
Hindi spoken digit analysis for native and non-native speakers
August Patch Tuesday
Hybrid model detection and classification of lung cancer
Getting Started with Data Integration: FME Form 101
Agricultural_Statistics_at_a_Glance_2022_0.pdf
A Presentation on Artificial Intelligence
Chapter 5: Probability Theory and Statistics
Heart disease approach using modified random forest and particle swarm optimi...
project resource management chapter-09.pdf
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
A comparative study of natural language inference in Swahili using monolingua...
Univ-Connecticut-ChatGPT-Presentaion.pdf
OMC Textile Division Presentation 2021.pptx
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
DP Operators-handbook-extract for the Mautical Institute

State of virtualisation -- 2012

  • 1. Hypervisors and Virtual Machines (VM) State Of The Art By Jonathan Sinclair (nX)
  • 2. Story Line • Background • Which path to take • Available attack space • What’s available • Review • A new path
  • 3. The Cloud – a quick history lesson • Memo sent from J.C.R. Licklider to his colleagues in 1963 titled: “MEMORANDUM FOR: Members and Affiliates of the Intergalactic Computer Network” – Set foundations for the concepts we find in the Internet and Cloud computing • Popek and Goldberg were talking about in 1974 - "Formal Requirements for Virtualisable Third Generation Architectures" – Defined virtualisation requirements : Equivalence, Resource Control, Efficiency 1998 VMware founded 1999 Salesforce online 2002 Amazon Web Service available 2003 Public release of Xen 2006 Amazon EC2 born 2008 Microsoft Hyper-V
  • 4. What does it mean • To the oldies (those that remember the 60’s and 70’s): Isn’t this just time-share computing? • To the youth (those who don’t know what assembler is and can’t remember, BBS’s, Monkey Island or Elite): Everything is shared everywhere and accessible anywhere. Why didn’t it always work this way? • To the hacker: Thankfully I now only have to attack one platform.....perhaps
  • 5. Cloud perspectives • Cloud in 4D Cloud Clients: Web Browsers, Mobile applications, Thin clients SaaS: CRM, Email, Virtual desktops, Games PaaS: Databases, Web servers IaaS: Virtual Machines, Servers, Storage, Networks
  • 6. Hacking at the periphery • Socially-based cloud services: Facebook, Twitter, iCloud, Dropbox, Skydrive, Etc. • The now infamous Mat Honan hack, loss of his digital life – Accounts daisy-chained – No two-factor authentication – No backup’s Out of scope for this talk. Traditional spear-phishing methods can be utilised
  • 7. Focus of this talk: IaaS • SaaS: Leave it to the web security guys • PaaS: Could be interesting but focuses more on services • IaaS: – Combines technologies – Attack surface is large – Brings the most control – Break out can lead to complete control of an infrastructure
  • 8. IaaS • So things should be easy now we have focus right? – Wrong • The IaaS world is filling with vendors*: – Hyper-V (Microsoft) – Virtual Box (Oracle) – Xen (Cambridge computer lab, open src) – VMware (EMC) * Remind anyone of the OS world before *nix, MS and Apple took control?
  • 9. Constraint 1 • What is ‘bare-metal’? • Two principle categories for hypervisor technologies (as defined by R.Goldberg) – Type 1: Hypervisors that run directly on the hosts hardware – Type 2: Hypervisors that run on top of a conventional operating system • It becomes a question of how the guest operating system accesses the underlying hardware
  • 10. Why does this matter? • When considering exploitation it pays to go after bare-metal systems – Technology is still immature with regards to security • Exploits utilising buffer overflows, none-sanitised instruction breakouts and system crashes (PSOD) are still rife – Landscape still heterogeneous (look at EMC’s recent acquisitions in the cloud space)
  • 11. Constraint 2 • As with Microsoft, it pays to go after the big player as the rewards will be greater – As of approx. one year ago Taneja Group recently identified VMware as the vendor market leader in this space • Gartner substantiates did I just mention that here?
  • 12. Applying the constraints • Bare-metal hypervisors: – Hyper-V – VMware’s ESX/ESXi – Xen • Global coverage: – VMware – Xen – Hyper-V
  • 13. VMware / IaaS • We have a candidate: – VMware • It’s global coverage shows it’s still the market leader (2012) • It offers a ‘bare metal’ installation • It’s involvement in the Vblock* initiative allows for full, often enterprise level, infrastructure exploitation • It’s a Redhat hack so we can reuse existing exploitation knowledge * Vblock is a virtualization platform from the Virtual Computing Environment which is an initiative between EMC, VMware and Cisco to provide a fully virtualised infrastructure
  • 14. VM Penetration-Testing • Previously hackers only had to look at exploiting the physical layer • Now they have to gear up to also take on the virtual infrastructure
  • 15. Ex Security • The dimensionality of the security layer just got elevated Target scoping Information gathering Target Discovery Enumerating Target Vulnerability mapping Social Engineering Target Exploitation Privilege Escalation Maintaining Access Documentation and Reporting Physical Layer Virtualisation Layer
  • 16. Outside looking in 1. You’re external to the system with no guest account access • Adopt normal attack methods, port scanning, vulnerability identification, exploitation • The system will always look like a normal server from the external perspective – An exception to this can be insecurely mapped ports (e.g. unprotected v-sphere) • Aim for low hanging fruit. Guest access is all you need 2. You have an account on a system but is it virtualized? • This scenario covers an internal corporate breach. As security experts we shouldn’t forget about attacks from the inside, contractors, disgruntled employees
  • 17. Reconnaissance • Traditional Port Scanning Methods – 443, 902 and 903 are good starting candidates • Shodan HQ • Google hacking
  • 18. Hypervisor identification • VMware Backdoor: – Never fully disabled and can reveal a lot of system level information • movw $0x5658, %dx; = VMware I/O port • Mov values pased to cx: 01h (Processor speed), 0AH (Vmware version) etc. • Linux: – If you can install anything under the exploited account: • Imvirt (doesn’t require root) – Coverage: Virtual box, VMware, OpenVZ, Physical, QEMU, UML, Xen, Iguest, ArAnyM, LXC – If you happen to have root: Virt-what (requires root) • Coverage: KVM, Xen, QEMU, VirtualBox, Systemz, LPAR, z/VM, VMware, Hyper-V • Windows: – Stand alone GUI application by Elias Bachaalany • Still relevant despite being coded in 2005 • Coverage: Virtual PC, VMware (for us this is enough) • Other tricks: – Dmidecode/SMBios structures, SIDT instruction identification (Red Pill) – Mac OS X: Not tested, but SIDT tricks should still hold true
  • 19. Past, Present and State-of-the-Art • Blue Pill / SubVirt • VMChat • Cloudburst • Metasploit weaponised • Steal a VM • VMDK Has Left the Building • Suspended state: pass the hash • Adaptive VM aware malware
  • 20. Blue Pill / SubVirt • Created by Joanna Rutkowska and released publically in 2006 – The concept was to create an ultra-thin hyper-v which installs on-the-fly and can then operate undetected by the host OS – Offering a way to subvert the entire OS system and hide it’s existence • Ref: http://theinvisiblethings.blogspot.ch/2006/06/introduc ing-blue-pill.html
  • 21. VMChat etc. • Ed Skoudis and Tom Liston back in 2006 created break out applications (vmchat, vmftp, vmcat etc.) that bridged VM’s shared memory models (ComChannel) enabling chat between the systems as well a number of other functionalities. • Unfortunately their work is governed under DHS therefore no working version is available for demonstration at this moment • Ref: “On the Cutting Edge: Thwarting Virtual Machine Detection”
  • 22. Cloudburst • Originally presented in 2009 at Black Hat, Las Vegas, by Kostya Kortchinsky from Immunity • Essential elements: – Exploited ESX 3D support – Addressed an x,y display glyph which was never bounds checked – Allowed for a reliable host -> guest breakout – Bundled with Canvas for a nice price tag
  • 23. Cloudburst 2 • Piotr Bania made improvements on the original and was kind enough to release the source code • MS XP SP3 -> virtualised MS XP SP3 (VMware workstation 6.5.1 build 126130) host to guest breakout whereby the exploit can access/run any file on the host
  • 24. Metasploit weaponised • VASTO 0.4 from Claudio Criscione now provides out of the box modules for hypervisor technologies – vmware_guest_stealer – vmware_session_rider – xen_login – eucalyptus_poison – vmware_autopwner – Etc. • Failing Metasploit installation, run the modules manually via Ruby
  • 25. Steal a VM • ESXi 3.0 – vmware_guest_stealer • Exploits the vulnerability CVE-2009-3733 discovered by Morehouse & Flick • Directory traversal attack against the host hypervisor • Allows complete acquisition of other hosted VM’s into the guest/attacker client • ESXi 5.0 has been silently patched
  • 26. VMDK Has Left the Building • Work coming from the guys at ERNW GmbH : – Matthias Luft, Daniel Mende, Enno Rey, Pascal Turbing – Attacks the virtual machine configuration file (which is of course stored in plain text) – Guest -> Host data extraction via *.vmdk configuration file modification by exploiting ‘# Extent description RW setting’ • Demo’d complete retrieval of backed up host /etc folder • Demo’d ability to mount the physical hard drive of the ESX host • Valid of ESXi version 5.0 hypervisor
  • 27. Suspended state: pass the hash • Mark Baggett instructor for SANS has presented a ‘pass the hash’ attack method against a VM’s image file • Methodology: – Covert the VM image file (snap shot or suspended state) to a memory dump file (vmss2core) – Obtain OS version and use in combination with Volatility to dump the hashes (via the virtual memory offsets) using the registry entries: • REGISTERYMACHINESYSTEM • SystemRootSystem32ConfigSAM – Then use lsadump/samdump to start cracking the passwords
  • 29. Adaptive VM aware malware
    • Crisis (or Morcut) is a rootkit that has the ability to adaptively weaponise for multiple targets:
      – Windows, Mac OSX, VMs
  • 30. Appraisal
    • The ‘cloud’ hypervisor world is upon us
    • User demands for convenience and business promises of lower maintenance costs are speeding the adoption of a virtualised world
    • VMware Backdoor access isn’t secured
    • VMDK exploitations are now gaining traction
    • vSphere SOAP calls are vulnerable
    • VMware Backdoor network always available to help
    • vMotion network transmits the memory image in clear text
  • 31. Optimism
    • VMware’s silent patching and quick release cycles are improving the security situation
    • Enterprise patching for public clouds should be ensured by the vendor and governed contractually
    • Security is getting focus
    • VMware profiling allows golden secure guest OS images to be created and distributed
    • VMware Update allows for synchronised and manageable control of the virtualised environment
  • 32. Pessimism
    • Virtualised bridging between the guest and host will always offer a juicy attack vector
      – Paravirtualised drivers
      – Regular drivers
    • Shared hardware resources will never be able to ensure secure sandboxing
    • Asset segregation can never be secured to the same degree as physical systems
    • Derek Soeder is always lurking
      – CVE-2012-1515: Backdoor ROM overwrite privilege escalation vulnerability, March 2012
      – CVE-2012-1517: Unprivileged code execution from the guest machine, May 2012
      – CVE-2012-1516: Uninitialized memory, potential VM breakout, May 2012
  • 33. Pessimism
    • Did I mention patch cycles?
      – Customer question on community blog:
        • Question: “Does VMware have a scheduled patch cycle? When do they release patches, monthly, quarterly, or on an "as needed" basis?”
        • Answer: “There is no such Patch Release cycle as Microsoft has for its operating systems in VMware. You can check continuously in Update Manager for any recent patch release and can apply them according to the advisory released from VMware.”
  • 34. Pessimism
    • Trend of Security Advisories from VMware
      – The rate of security advisories for VMware in 2012 demonstrates issues still exist
      [Chart: VMware Security Advisories 2012; y-axis: Number of Advisories, 0 to 6]
  • 35. Future
    • QubesOS
      – Virtualisation issues identified early on
      – Invisible Things Labs has been leading the way in this field for research
    • Places data responsibility into the hands of the security architect
    • Segregates information into security domains supported by network permission and accessibility
    • Champions the notion of lightweight disposable virtual machines whose purpose will be to host only a single application
  • 36. Future
    • QubesOS – Rutkowska’s take on secure sandboxing methods:
      “I think that Apple iOS is a good example of such a “safe” OS – it automatically puts each application into its own sandbox, essentially not relying on the user to make any security decisions. However, the isolation that each such sandbox provides is far from being secure, as various practical attacks have proven, and which is mostly a result of exposing too fat APIs to each sandbox, as I understand. In Qubes OS, it's the user that is responsible for making all the security decisions – how to partition her digital life into security domains, what network and other permissions each domain might have”
  • 37. Current PoC Research: Parasite
    • Parasite
      – A new form of malware
      – Exists as a self-contained agent that stays with its host
      – Manipulates its carrier’s environment to ensure migration
      – Explores the virtual target space
  • 38. Parasite: Mode of operation (diagram, shown here as a cycle)
    Exploit the system -> Identify environment -> Reconnaissance -> Test constraints -> Trigger migration -> Reconnaissance (repeat)
  • 39. Parasite Lab
    • Host: VMware ESXi 5.0.0 build 623860
    • Clients: Linux BT R3 32bit, Windows XP, Windows 8
    • 1 cluster, 6 VMs all existing on the same VLAN segment
    • vMotion configured to ‘moderate’ threshold setting
  • 40. PoC objectives
    • Demonstrate capabilities and present a case for a potential new threat
    • Force automatic migration by triggering vMotion
      – Simulate high load on the guest OS
        • Produce a high number of files and directories, forcing the VMware DB limit to overload (circa 31,000)
    • Explore clustered hosts of the virtualised infrastructure
    • DoS attack caused by a constantly migrating VM overloading the hypervisor (due to a poorly defined vMotion threshold configuration)
    • Sniff network traffic of various nodes, e.g. VM migrations
    • Perform reconnaissance analysis
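A defender-side complement to the PoC objectives, added here and not part of the talk or its Parasite code: a detector that flags a VM migrating repeatedly inside a short window, which is the visible symptom of the constant-vMotion overload described above. The event lines and their "timestamp vm source->dest" layout are constructed; a real deployment would feed it migration events exported from vCenter.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed migration events: vm-web01 bounces between hosts five times in
# fifteen minutes, vm-db01 moves once, and vm-web01 moves again hours later.
SAMPLE_EVENTS = """\
2012-11-10T10:00:05 vm-web01 esx01->esx02
2012-11-10T10:03:40 vm-web01 esx02->esx03
2012-11-10T10:07:12 vm-web01 esx03->esx01
2012-11-10T10:11:50 vm-web01 esx01->esx02
2012-11-10T10:15:01 vm-web01 esx02->esx03
2012-11-10T10:20:33 vm-db01 esx02->esx01
2012-11-10T12:30:00 vm-web01 esx03->esx01
"""

def parse_events(text):
    """Parse the constructed event format into (timestamp, vm, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, vm, move = line.split()
        src, dst = move.split("->")
        events.append((datetime.fromisoformat(ts), vm, src, dst))
    return events

def migration_storms(events, window=timedelta(minutes=30), threshold=4):
    """Return {vm: peak migrations within any sliding window} for VMs reaching threshold.

    A VM that is migrated this often is either under genuine load churn or is
    being driven into vMotion deliberately; either way the DRS threshold and
    the guest deserve a look."""
    by_vm = defaultdict(list)
    for ts, vm, _src, _dst in sorted(events):
        by_vm[vm].append(ts)
    flagged = {}
    for vm, times in by_vm.items():
        peak, start = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[vm] = peak
    return flagged
```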
  • 41. PoC Status
    • Work in progress
    • Whitepaper planned for early 2013
  • 42. Precaution from Woz
    • A quote from someone it might be worth listening to:
      "I really worry about everything going to the cloud" "I think it's going to be horrendous. I think there are going to be a lot of horrible problems in the next five years.” -- Steve Wozniak
  • 43. Final word
    • Hackers: We have a fertile new playground with a lot of tech to explore
    • Youth: Use the cloud but know the risks
    • Old/Experienced: The time-share idea is becoming a reality
    A new piece of malware may be lurking
  • 44. Thanks for listening
    And for those still paying attention, the smart people at Vupen have released the following PoC: Citrix Xen Intel CPU 64-Bit Mode Sysret PV Guest to Host Escape (CVE-2012-0217)

Editor's Notes

  • #6: Cloud Clients: Socially facing cloud services
    Software as a service (SaaS): Web browser thin client
    Platform as a service (PaaS): APIs provided
    Infrastructure as a service (IaaS):
  • #7: Mat Honan link: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/ Out of scope because the hack is not about system and multiple infrastructure exploitation. It focuses more on the side of the cube.
  • #10: Goldberg, Robert P. (February 1973) (PDF). Architectural Principles for Virtual Computer Systems. Harvard University. pp. 22–26. http://www.dtic.mil/cgi-bin/GetTRDoc?AD=AD772809&Location=U2&doc=GetTRDoc.pdf. Retrieved 2010-04-12.
  • #11: PSOD = VMware purple screen of death
  • #12: http://tanejagroup.com/ http://www.gartner.com/technology/reprints.do?id=1-1B2IRYF&ct=120626&st=sg
  • #19: https://sites.google.com/site/chitchatvmback/backdoor http://www.codeproject.com/Articles/9823/Detect-if-your-program-is-running-inside-a-Virtual http://www.securiteam.com/securityreviews/6Z00H20BQS.html http://dmtf.org/standards/smbios
  • #22: http://www.foolmoon.net/cgi-bin/blog/index.cgi?category=Security%20News DHS = United States Department of Homeland Security
  • #24: www.piotrbania.com
  • #27: Check out: VMSA-2012-0009; Hack in the Box, Amsterdam: “VMDK Has Left the Building – Attacking Cloud Infrastructures by Malicious VMDK Files”
  • #28: http://pen-testing.sans.org/blog/2012/08/03/pen-test-privilege-escalation-through-suspended-virtual-machines
  • #30: http://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines
  • #31: Empirical Exploitation of Live Virtual Machine Migration – John Oberheide, Evan Cooke, Farnam Jahanian, University of Michigan, Ann Arbor
  • #34: http://communities.vmware.com/thread/398930
  • #35: http://www.vmware.com/security/advisories/
  • #40: Check vmotion – how it works.
  • #43: http://paritynews.com/cloud/item/148-wozniak-predicts-trouble-as-cloud-computing-takes-hold http://www.vupen.com/blog/