Venom vulnerability Overview and a basic demo
Download as PPTX, PDF2 likes884 views
This vulnerability, called VENOM, allows an attacker to escape from a virtual machine guest into the host system. It affects virtualization platforms that use Xen, Qemu, KVM, or VirtualBox as their hypervisor. The vulnerability is in the virtual floppy disk controller code, which contains a buffer overflow issue. This allows an attacker to potentially gain code execution on the host machine. It is a serious issue because many cloud providers use these vulnerable virtualization platforms.
Venom vulnerability Overview and a basic demo
- 1. VENOM DEMO & FAQ Akash Mahajan
- 2. VENOM is an acronym for V IRTUALIZE D ENVIRONMENT NEGLEC TE D O PE RATIONS M ANIPULATION
- 3. What is VENOM? It is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms.
- 4. What does it do? This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code- execution access to the host.
- 5. Why is it a big deal? He was right about the cloud, wasn’t he!
- 6. Seriously why is this a big deal? • Consider that all the cloud vendors in the world use OS level virtualization • Now all of those who use Xen, Qemu, KVM and Virtualbox were vulnerable to this • It doesn’t matter if the virtual machine is a linux box or a windows box
- 7. All of these use Xen/Qemu/KVM
- 8. How does it work? • So a VM (guest) gets access to virtual hardware of a physical machine (host) • Quick EMUlator (QEMU) is an open source hypervisor that performs hardware virtualization
- 9. Exploiting the QEMU Hypervisor • The hypervisor code sits between the guest and the host, operating as the ‘bridge’ and abstraction layer relied upon by either side to communicate with the other. • Incorporating all of the memory mapping and device drivers required to trick the guest into believing it is operating on real hardware.
- 11. QEMU Floppy Disk Controller • The QEMU FDC is enabled by default in Xen and KVM platforms. • The problem exists in the Floppy Disk Controller, which is initialized for every x86 and x86_64 guest regardless of the configuration and cannot be removed or disabled.
- 12. QEMU Floppy Disk Controller • The QEMU FDC is enabled by default in Xen and KVM platforms. • The problem exists in the Floppy Disk Controller, which is initialized for every x86 and x86_64 guest regardless of the configuration and cannot be removed or disabled.
- 13. One Ring to Rule Them all
- 14. The Devil is in the C Code • FDC uses a buffer of 512 bytes to store the I/O command and its parameters • It has an index variable to access the buffer area • After every command the index variable is set to 0
- 15. Still the Devil is in the C Code The FDC’s data_pos and data_len fields above are initialized to 0 upon FDC reset. • For two of the command handler functions, the data_pos reset is delayed or circumvented. – FDC_CMD_READ_ID – FDC_CMD_DRIVE_SPECIFICATION_COMMAND
- 16. Buffer Overflow of FIFO buffer • The VENOM advisory talks about overflow of the *fifo buffer due to this particular reason
- 18. Deja VM Bugs • BlackHat/DEFCON 2011 Talk: Breaking Out of KVM • CVE-2007-1744 – Directory traversal vulnerability in shared folders feature • CVE-2008-0923 – Path traversal vulnerability in VMware’s shared folders implementation • CVE-2009-1244 – Cloudburst (VMware virtual video adapter vulnerability) • CVE-2011-1751 – Missing hotplug check during device removal • CVE-2012-0217 – 64-bit PV guest privilege escalation vulnerability • CVE-2014-0983 – Oracle VirtualBox 3D acceleration multiple memory corruption vulnerabilities
- 19. Questions? • Ask Datta! @makash | [email protected] | theappseclab.com
- 20. Attributions and References • Starting point for understanding http://venom.crowdstrike.com/ • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456 • https://access.redhat.com/articles/1444903 • CC BY-SA 3.0 File:Priv rings.svg Uploaded by OgreBot • https://en.wikipedia.org/wiki/Protection_ring#Hypervisor_mode • https://blog.nelhage.com/2011/08/breaking-out-of-kvm/ • https://github.com/nelhage/virtunoid • http://www.dedoimedo.com/computers/kvm-intro.html • http://blog.crowdstrike.com/venom-vulnerability-details/ • http://www.dedoimedo.com/computers/kvm-intro.html