On Friday, July 27, 2007 a very tired member of the PaulDotCom crew sat in a standing room only room ar SANSFIRE 2007 to hear about the latest research in VMWare escaping (or really any other virtualization technology). VMWare escaping you say? What's that? Ed Skoudis, SANS Instructor and co-founder of Intelguardians, true to form gave the perfect ananlogy (and it didn't have anything to do with the Matrix!). Think of virtualization as a cave, and you are trapped inside (just like the "guest" OS). Outside the cave there is a giagantic monster. Everytime you try to escape from the cave, you get squashed, pushed back in, or even have your legs cut off and re-attached facing the opposite way. No matter what you do, you can't escape the cave, unless of course your name is Tom Liston...
Tom and Ed went on to describe all of their attempts to escape from the cave. Spawned from this were many attempts and tools that start with "VM", including VMChat, VMftp, VMcat, and my favorite VM-Drag-N-Sploit. All of these tools allow for some communications between the guest and the host, or between two guests running on the host (Fool Moon Blog has a good write-up on all the tools, located here). While these tools are interesting, they are not a "true" escape, as they only allow file transfer and/or require end-user interaction.
But with Ed calling Tom everyday for a year and asking, "Do you have a VM escape yet?", Tom was motivated to break out from the cave. The first, and most obvious method, was to exploit a known vulnerability in the form of a directory traversal. While this close to a full escape, it is still a directory traversal at its core. This directory traversal was disclosed by iDefense, reportedly from an anonymous source. You can find a full write-up here (CVE-2007-1744). Apparently, Ed and Tom and his team aren't the only ones interested in VM escaping. This also became apparent when another Intelguardians member, Jay Beale (he's a genius right?), saw a presentation at the most recent CANSECWEST on VM escaping using QEMU. It was interesting to see how many of the vulnerabilities in that research were applied to all of the other VM products, many of which centered around the ne2000 network driver and video card emulation. You can find the research in this area from a Google employee named Tavis Ormandy here, titled, "An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments" They stressed that these emulation drivers were important, and especially the video one...
So, enough already, get to the escaping! Ed and Tom had to get special permission to give the talk and release the details, which is why the next section was light on details, and answers were vague. Tom demonstrated a program running on the guest, which took a minute or so to run, then crashed the guest and ran a program on the host. W00t! VM escape by blowing up the cave. I asked Tom if that works with a fully patched version of VMware and got an answer of "portions of it", and couldn't get any more information, and for good reasons I'm sure.
The bottom line is that you cannot trust virtualization products to provide security. You should keep up-to-date on all the patches and design your security architecture such that you do not espose sensative data in the case of a guest breaking out of the cave.
What is interesting is that just after this presentation, more vulnerabilities for VMware were released!
While these may not lead to escaping (exploit was non-specific on this topic), they are interesting none the less.
Paul "PaulDotCom" Asadoorian
http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf - Tom and Ed's presentation from 2006, before they could release many of the details.
http://www.cutawaysecurity.com/blog/archives/170 - Cutaway's blog posting on the subject.