Xen Targeted Virtually

Monday, September 10, 2012 @ 03:09 PM gHale


A virtual machine escape attack exploits the vulnerability in Xen hypervisors and allows an attacker within a guest virtual machine to escape to the host and execute code.

This new exploit would escalate an attacker’s local privileges to the most privileged domain, essentially giving the outsider control over the host and other guest VMs, said VUPEN researcher Jordan Gruskovnjak.

RELATED STORIES
Pushdo Trojan a Master of Disguise
Warning: Google Alert Contains Trojan
Cross-Platform Trojan Steals Passwords
Crisis Malware Goes Virtual

The exploit targets a vulnerability reported in June that affects the way Intel processors implement error handling in the AMD SYSRET instruction. The vulnerability is in the instruction, and not the chip, US-CERT said in its June alert.

“The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier incorrectly uses the SYSRET path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application,” said the advisory for CVE-2012-0217.

The Xen Project, which manages the open source code, repaired the vulnerability in June, as did Citrix and other virtualization vendors such as Red Hat, Microsoft, Oracle, FreeBSD, NetBSD and SUSE Linux patched their respective products. Unpatched versions remain vulnerable.

VUPEN said it was able to exploit this vulnerability on a 64-bit Linux paravirtualized guest running on Citrix XenServer 6.0.0 with Xen version 4.1.1. It cautions other versions are vulnerable as well. The attack is a local privilege escalation attack that targets the dom0 virtual machine, the most privileged domain. Dom0, VUPEN said, is the only VM by default having access to hardware, and from there can manipulate the hypervisor to launch unpriviledged domains.

“The strategy here will be to inject a dom0 root process with a bindshell (or reverse shell) payload in order to get a root shell from dom0,” Gruskovnjak said. “The same idea as in remote kernel exploitation will be used: Hijack the interrupt 0x80 syscall handler in order to wait for an interruption from dom0 to occur. When an interrupt is triggered from dom0, one is assured that dom0 virtual pages are mapped into memory.”

Tim Deegan, a computer scientist in England and one of the maintainers of the Xen hypervisor code, said it was interesting VUPEN would choose to inject code into dom0 rather than exploit the hypervisor privilege or elevate the privilege of the calling domain.

“I had imagined that an attacker would elevate the privilege of their malicious VM to and then map other VMs’ memory and CPU state directly, but that involves doing some work to understand the OS structures of the other VMs,” Deegan said. “Injecting a process into dom0 lets them just use the existing management toolstack to manipulate other VMs.”



Leave a Reply

You must be logged in to post a comment.