Someone figured out how to step up in VMware

by Alex Handy 04/11/2009 02:33 AM EST

No one seems to know who, where or how. But this security update from VMware sure makes it sound like what we've all feared is true: Hypervisors can be compromised from the code they run in their bellies. Joanna Rutkowska gave a talk back in 2006 at Black Hat about her Red Pill and Blue Pill. I'm not covering super-duper cutting-edge security much, outside of the development side, these days. But this patch from VMware did catch my eye because I hadn't yet heard of any host compromising exploits for hypervisors in the wild. I could easily not be "with it," but right now, it looks like the cool kids in the know are out there. Beware!

As if it's a surprise that these virtualization exploits were still being researched by the bad guys. I think the frightening thing here is that, somewhere, someone had code, and now VMware is aware of it. That's scary. I'd rather know that VMware figured it out themselves. Or that Rutkowska or her cohorts had contributed some new information. Either way, watch your VMs. They may be watching you!

Clarification: The security hole here works like this: I run Windows in a VM on my Linux desktop. I run some horribly trojan-ridden Windows program with the exploit in question inside of it. This exploit, when run inside of a virtual machine, leaps up and compromises the hypervisor, likely through an overflow of some known type. The compromised hypervisor is then a slave to run what-have-you. Local priv escalations could be fired up to the Linux OS. As I understand it, the Red Pill is this type of attack. Beware of pulling apart malware in non-updated copies of Fusion, researchers.

The Blue Pill, on the other hand, is a hypervisor-as-trojan. You run something, it installs virtualization software. Upon reboot, your desktop OS is launched seamlessly as a guest operating system inside of a trojan (invisible to the user) hypervisor. This patch has little to do with the blue pill. The question with the blue pill becomes, "How do I tell if I am running inside a hypervisor?" How do you know when the nightmare is over?

Hope I got the colors right. I wouldn't want to wake up inside the rabbit hole.

Currently rated 5.0 by 1 people

Currently 5/5 Stars.
1
2
3
4
5

Share this link: http://www.sdtimes.com/blog/1399

Tags: security, vmware, blue pill, red pill, virtualization, virtual machines, operating systems, compsec, security, information security, technology, exploits, 31337, hacking, hackers, hack, code, coding, vmware

security

Google Code turns 5
Google Code Turns 5, and adds a Paxos Algorithm to make the system more stable and reliable.
03/17/2010 11:16 AM EST

Test your Visual Studio 2010 know-how
Microsoft is offering free beta certification exams for Visual Studio 2010.
03/17/2010 11:08 AM EST

Microsoft lifts the hood on IE9
Microsoft is previewing IE9.
03/16/2010 01:10 PM EST

EclipseCon

3/22/2010 to 3/25/2010
Santa Clara, Calif.
The Eclipse Foundation

DevConnections

4/12/2010 to 4/14/2010
Las Vegas
Penton Media

MySQL Conf. and Expo

4/12/2010 to 4/15/2010
Santa Clara, Calif.
O'Reilly Media

High Performance Computing Linux Financial Markets

4/19/2010
New York City
Flagg Management

Informix User Conf.

4/25/2010 to 4/28/2010
Overland Park, Kans.
IIUG

4/11/2009 6:42:33 AM #

Dude, your posting is "sentence fragment city".

Where the frack the Hypervisor's "belly" is at?

Are you saying a GUEST can compromise a HOST/HYPERVISOR or a HOST/HYPERVISOR can compromise a GUEST or just that the boot sector can be infected with a compromised HOST/HYPERVISOR or none of the above?

Am I the only one who thinks "San Diego" when I see "sdtimes"?

My Head Hurts

4/11/2009 9:01:47 AM #

Google "cloudburst immunity" to see who and where. There's even a movie of it!

dave aitel

4/12/2009 1:38:36 AM #

Quite interesting...I know numerous businesses who utilize VMWare for production server virtualization. This should cause a major disruption to their process. I'm not sure the patching of virtualization software has been a very high priority at many places. I think this SHOULD be much bigger news than it currently is.

AbeFroman

Someone figured out how to step up in VMware

Related posts

Comments

Add comment