
| Subject: | Re: More on VMWare poor guest isolation design |
|---|---|
| Date: | Sat, 25 Aug 2007 09:05:13 -1000 (HST) |

2. This issue is not about a user on the host compromising a virtual guest. It is about a *non-privileged* user on the host being logged in to guest machines as an administrator, and a worm--running in the context of that non-privileged user on the host--being able to access the admin-level context of the guest machines without knowing those administrator credentials. Also remember that since I am talking about a non-privileged user on the host, there will be limits on what this user could do to accomplish some of the other attacks mentioned.
4. This is also not so much about this specific issue at hand--we can easily block this--but also looking at the bigger picture of establishing best practices for dealing with the guest/host relationship.
As a side note, I specialize in hardening Windows so all of these systems have been hardened with my own hardening script that is quite extreme. These are by no means weak targets.
A (virtual) machine where attackers can arbitrarily read and write the memory, the disk and even alter devices is going to be a soft target.
The physical analogy that someone brought up earlier works well here. Would you consider your machine locked down if someone could open your computer case, yank the hard drive and attach new devices to the system at will? Well, with a virtual machine they can do that while the machine is running.
Mark Burnett http://xato.net
Tim Newsham http://www.thenewsh.com/~newsham/