I hope that you have been designing your implementation of virtual environments properly. It has been no secret that the crew of InGuardians has been feverishly working on a method to escape from a virtual guest and gain control of the host operating system. Well, according to a recent post by my good friend, Monty McDougal, who attended a presentation on the subject at SANFire 2007, they might have accomplished it. Although Monty describes some of the interesting applications they have developed, such as VMchat, VMcat, VMdrag-n-hack, VMdrag-n-sploit, and VMftp, it is the demonstration of an “unnamed” application that has Monty saying,
Additionally, another “un-named” application was run on the client OS. This ran for quite a while and eventually produced a crash of the client OS. While not immediately visible, this had the effect of killing the client OS, but in doing so they were able to execute arbitrary code on the host OS, thus providing a full escape of the virtualization that did not rely on the path traversal flaw above. The details of how this worked were not disclosed and I would not speculate as to how it was done, but I would call this VMowned and say it is GAME OVER.
Could it be true? I guess we will find out soon enough. Either way, if you are currently deploying virtual environments or just considering it, I would be sure to evaluate your deployment method and update procedures. Also, as Monty suggested, watch the Center for Internet Security, as they will soon add a guideline for virtual environments to their list. I have helped with this document a little bit, and a version for ESX should be released in the next couple of months. If you would like to help with the development of the ESX document or the other virtual technologies, then check out how you can get involved at the CIS website.
I also highly recommend that you add Monty’s blog to your RSS feeds. Monty is very smart and I often look to him for guidance and leadership. We can all expect some very interesting insight and, if I know Monty, some very good technical posts.
BTW, Monty, you do need to turn on comments.
Go forth and do good things,
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.