RE: VMWare poor guest isolation design

Board: Bugtraq | Posted: 2007/08/25 20:47
You are correct that this isn't an issue for everyone and you are correct that this isn't an issue if reasonable security practices are employed. On the other hand, most security issues reported here wouldn't be issues if reasonable security practices were employed. I have been saying that for years.

Because it does not apply to your particular environment doesn't invalidate the issue. There are many, many situations where someone would want to access a vmware guest via the console and not allow any network access at all. One that comes to mind is an offline root CA that you can fire up only when you need it--a virtual offline machine. Another situation for myself is I keep all my hacking/pen-testing tools on a vm that I can use when I need them, and quickly move to any vm host I need to run them on. I don't necessarily want to make that virtual machine accessible from the network. Anyway, it is absurd to say you will never log in to the console; sometimes you just have to.

Whether it affects you personally or not, it certainly is helpful to know that the capability exists so you can make better informed security decisions--and that there is an undocumented switch to disable that feature.

Addressing some other points:

> If the host OS (or an account within it) is compromised,
> of course all bets are off when it comes to a virtual machine running
> within it.

This isn't completely true. Yes, it is much more difficult to secure a virtual machine that way, but it can be done. You could, for example, use full disk encryption to prevent someone from mounting a virtual disk outside the guest OS. Besides, I concede that point in my article, emphasizing that an automated attack increases the seriousness of the problem.

> Furthermore, this attack only works if you are running the vmware guest
> utilities *and* you are currently logged into a GUI desktop running the
> vmware userland process.

VMWare constantly reminds you that you don't have the vmware guest tools installed. I'd say that most people do install them. But that doesn't matter anyway because you can just use the VIX API function VixVM_InstallTools to install them if they aren't already there. And you do not need to be logged in; the VIX API allows you to wait until the command actually runs. So it can just sit there until the next time you do log in to the console.

Mark Burnett
http://xato.net

> -----Original Message-----
> From: Arthur Corliss [mailto:corliss@digitalmages.com]
> Sent: Thursday, August 23, 2007 10:49 AM
> To: M. Burnett
> Cc: bugtraq@securityfocus.com
> Subject: Re: VMWare poor guest isolation design
>
> On Wed, 22 Aug 2007, M. Burnett wrote:
>
> > I have run across a design issue in VMware's scripting automation API that
> > diminishes VM guest/host isolation in such a manner to facilitate privilege
> > escalation, spreading of malware, and compromise of guest operating systems.
> >
> > VMware's scripting API allows a malicious script on the host machine to
> > execute programs, open URLs, and perform other privileged operations on any
> > guest operating system open at the console, without requiring any
> > credentials on the guest operating system. Furthermore, the script can
> > execute programs even if you lock the desktop of the guest OS.
> >
> > For example, if a non-admin user is logged in at the vm host, but logged in
> > to guest operating systems as an administrator, the script running as a
> > non-admin on the host can still execute admin-level scripts on the guests.
> >
> > I obviously did not discover this issue--the API developers provided it as a
> > feature--I am simply pointing out the potential danger, that it was a poor
> > design decision, and that there is a need to establish best practices for
> > virtual machine guest and host isolation.
>
> I don't see this as a serious problem. This is the virtual equivalent of no
> physical security. If the host OS (or an account within it) is compromised,
> of course all bets are off when it comes to a virtual machine running within
> it.
>
> Furthermore, this attack only works if you are running the vmware guest
> utilities *and* you are currently logged into a GUI desktop running the
> vmware userland process.
>
> I personally look at this as an issue for Windows. I personally don't
> install the vmware guest software for my Linux VMs, nor would I log into a
> GUI as root. For that matter, if you are merely hosting the guest VMs why
> would you need to ever use the vmware console after installation? Use a
> network-based access method, making the need for the vmware guest utilities
> unnecessary. That should be sufficient for all OS'es.
>
> In (not so) short, this attack vector is virtually worthless if reasonable
> security practices are employed.
>
> --Arthur Corliss
> Live Free or Die

Article code (AID): #16q2JN00 (Bugtraq)