Feeds

VMware vuln exposes the perils of virtualization

Container raider

Protecting against web application threats using SSL

Security researchers have discovered a bug in VMware desktop virtualization applications that allows attackers to take complete control of the underlying PC, including the execution or modification of files on the host operating system.

The vulnerability, which was unearthed by researchers from Core Security Technologies, is particularly important to individuals and companies working in the world of computer security. They frequently turn to VMware Player and Workstation as a means of protecting their machines when analyzing Trojans and other types of malware. In a nutshell, the vulnerability allows attackers to break out of the virtual environment and gain full access to the host computer system.

"This vulnerability provides an important wake-up call to security-concerned IT practitioners," Core researchers wrote. "It signals that virtualization is not immune to security flaws and that 'real' environments aren't safe simply because they sit behind virtual environments."

Core has released proof-of-concept code that allows customers to understand exactly how the bug works in real-world settings.

The exploit uses a specially crafted path name to access folders that are being shared between the host and virtual environments. VMware applications fail to validate the malicious parameters passed from the guest system to VMware's Shared Folders mechanism. The Shared Folders mechanism then hands off the bad data to the host system's file system, which allows the exploit complete access.

The bug is closely related to a vulnerability Core discovered last year that allowed unauthorized directory traversals on machines running VMware Workstation. VMware engineers responded by tightening the input validation, but according to Core, "the shared folder mechanism still provides complete access to the underlying file system of the Host system due to improper handling of strings with multi-byte encodings."

Over the past several years, desktop virtualization has become a popular method for dividing a PC's resources into separate environments that - in theory, at least - can't be altered by other environments. Researchers frequently use virtual machines to analyze how a piece of malware works. While the virtualized environment becomes infected, the host machine remains clean.

We've already heard of malware that attempts to thwart whitehat hackers by monitoring victim machines for VMware and refusing to run correctly if the virtualization software is detected. Core's discovery, which was announced Monday, means bad guys likely have other tricks up their sleeves. After all, if researchers can write an exploit that breaks into the underlying operating system, miscreants almost certainly have the same ability.

"What it shows is that anybody who is proposing virtualization as a widespread anti-malware technique is probably barking up the wrong tree," said Roger Thompson, who frequently uses virtualization when researching web exploits for Exploit Prevention Labs. "It means we've got to take extra steps to ensure the integrity of the sacrificial goat machines. I may have to stop running these things on my primary laptop."

Core's CTO Ivan Arce agrees. While his company still uses VMware, all malware running in company labs is installed on ad-hoc PCs that run on networks completely separated from the one used for corporate purposes.

The vulnerability "has a very practical effect on how we secure our virtual environments here," he said. "To us, this underlies the fact that having the virtualization technology isolated within an ad-hoc network is a good security practice to prevent potential outbreaks."

Arce said VMware has acknowledged the bug and is working on a fix. As a work-around in the meantime, users should disable the shared folders feature, which, according to the report, is turned on by default in VMware's Workstation, Player and ACE applications. If sharing can't be turned off, users should configure it for read-only access and implement file system monitoring. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.