Details of a dangerous virtual machine escape exploit were revealed Wednesday by French research outfit VUPEN Security. The attack exploits a recently reported vulnerability in Xen hypervisors and allows an attacker within a guest virtual machine to escape to the host and execute code.
Virtual machine (VM) escapes have been in circulation since 2008, the most notable being Cloudburst, an exploit in Immunity’s CANVAS pen-testing tool. VUPEN’s exploit would escalate an attacker’s local privileges to the most privileged domain, essentially giving the outsider control over the host and other guest VMs, VUPEN researcher Jordan Gruskovnjak said in a post on the VUPEN Vulnerability Research Blog.
The exploit targets a vulnerability reported in June that affects the way Intel processors implement error handling in the AMD SYSRET instruction. The vulnerability is in the instruction, and not the chip, US-CERT said in its June alert.
“The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier incorrectly uses the SYSRET path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application,” cautioned the advisory for CVE-2012-0217.
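The advisory language turns on one test: whether the address a SYSRET would return to is canonical. The following is an added illustration, not code from the article, VUPEN, or the Xen Project, of that check as the fixes for CVE-2012-0217 apply it. A 64-bit x86 address is canonical when bits 63 through 47 are all equal (48-bit virtual addresses are assumed here). On Intel processors SYSRET raises a fault while still running at the privileged level if the return address is not canonical, so the remedy is to test the address first and take the slower IRET path when the test fails. The helper names below are the example's own.

```python
# Added example: model of the canonical-address check the CVE-2012-0217
# fixes perform before taking the SYSRET fast path. Not code from Xen,
# Linux, or the article; names are the example's own.

VA_BITS = 48  # assumption: 48-bit virtual addresses, so bits 63..47 must match

def is_canonical(addr: int, va_bits: int = VA_BITS) -> bool:
    """True when bits [63 : va_bits-1] of addr are all 0 or all 1,
    i.e. the address is a sign extension of its low va_bits bits."""
    addr &= (1 << 64) - 1                     # treat as an unsigned 64-bit value
    top = addr >> (va_bits - 1)               # the (64 - va_bits + 1) high bits
    all_ones = (1 << (64 - va_bits + 1)) - 1  # 0x1FFFF for 48-bit addresses
    return top == 0 or top == all_ones

def select_return_path(return_rip: int) -> str:
    """Mirror of the patched decision: only a canonical return address may
    use SYSRET; anything else falls back to IRET, which raises the fault in
    the less privileged context instead of at the privileged level."""
    return "sysret" if is_canonical(return_rip) else "iret"

if __name__ == "__main__":
    # Constructed boundary cases around the 48-bit canonical hole.
    for rip in (0x00007FFFFFFFFFFF,   # highest canonical low-half address
                0x0000800000000000,   # first non-canonical address
                0xFFFF7FFFFFFFFFFF,   # last non-canonical address
                0xFFFF800000000000):  # lowest canonical high-half address
        print(f"{rip:#018x}: canonical={is_canonical(rip)} path={select_return_path(rip)}")
```

The check costs a handful of instructions on every system call return, which is why the original code skipped it; the exploit shows why the fast path cannot be taken unconditionally on Intel hardware.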
The Xen Project, which manages the open source code, repaired the vulnerability in June, as did Citrix; other virtualization vendors such as Red Hat, Microsoft, Oracle, FreeBSD, NetBSD and SUSE Linux also patched their respective products. Unpatched versions remain vulnerable.
VUPEN said it was able to exploit this vulnerability on a 64-bit Linux paravirtualized guest running on Citrix XenServer 6.0.0 with Xen version 4.1.1. It cautions that other versions are vulnerable as well. The attack is a local privilege escalation attack that targets the dom0 virtual machine, the most privileged domain. Dom0, VUPEN explained, is the only VM that has access to hardware by default, and from there it can direct the hypervisor to launch unprivileged domains.
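For an administrator the practical question is which hosts need attention. Below is an added triage script, not code from the article or from any vendor, that reads `xl info`-style `key : value` output and a `/proc/cpuinfo` fragment and applies the two facts the article gives: the advisory covers Xen 4.1.2 and earlier, and the faulty behaviour is on Intel processors. The sample inputs are constructed, and the `xen_major`, `xen_minor` and `xen_extra` field names are assumed to be present in the host's `xl info` output. The script reports "review" rather than "vulnerable" for an in-range version, because a vendor hotfix such as the one Citrix shipped for XenServer in June does not necessarily change the reported Xen version.

```python
import re

# Constructed sample of `xl info` output (not captured from a real host).
SAMPLE_XL_INFO = """\
host                   : xen-host-01
xen_major              : 4
xen_minor              : 1
xen_extra              : .1
xen_caps               : xen-3.0-x86_64 xen-3.0-x86_32p
"""

# Constructed /proc/cpuinfo fragment (not from a real host).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Xeon(R) CPU
"""

LAST_AFFECTED = (4, 1, 2)  # advisory: "Xen 4.1.2 and earlier"

def parse_xen_version(xl_info: str) -> tuple:
    """Return (major, minor, patch) from xen_major/xen_minor/xen_extra lines.
    xen_extra is assumed to look like '.2' or '.2-rc1'; missing fields read as 0."""
    fields = {}
    for line in xl_info.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    major = int(fields.get("xen_major", 0))
    minor = int(fields.get("xen_minor", 0))
    extra = re.match(r"\.?(\d+)", fields.get("xen_extra", ""))
    patch = int(extra.group(1)) if extra else 0
    return (major, minor, patch)

def cpu_vendor(cpuinfo: str) -> str:
    """Return the vendor_id string, or 'unknown' if the line is absent."""
    for line in cpuinfo.splitlines():
        if line.startswith("vendor_id"):
            return line.partition(":")[2].strip()
    return "unknown"

def triage(xl_info: str, cpuinfo: str) -> dict:
    """Classify a host for CVE-2012-0217 follow-up.
    'review' means the version is in the affected range and the vendor's
    hotfix status must be confirmed by other means; a version string alone
    cannot prove a backported fix is absent."""
    version = parse_xen_version(xl_info)
    vendor = cpu_vendor(cpuinfo)
    if vendor != "GenuineIntel":
        status = "not-affected-cpu"      # article: the faulty behaviour is Intel's
    elif version <= LAST_AFFECTED:
        status = "review"                # in range: confirm hotfix or upgrade
    else:
        status = "patched-version"       # newer than 4.1.2
    return {"xen_version": version, "cpu_vendor": vendor, "status": status}

if __name__ == "__main__":
    print(triage(SAMPLE_XL_INFO, SAMPLE_CPUINFO))
```

Run it against the output of `xl info` and `cat /proc/cpuinfo` collected from each host; anything classified "review" goes on the list for hotfix verification, which is a vendor-specific check this script deliberately does not attempt.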
“The strategy here will be to inject a dom0 root process with a bindshell (or reverse shell) payload in order to get a root shell from dom0,” Gruskovnjak said. “The same idea as in remote kernel exploitation will be used: hijack the interrupt 0x80 syscall handler in order to wait for an interruption from dom0 to occur. When an interrupt is triggered from dom0, one is assured that dom0 virtual pages are mapped into memory.”
Tim Deegan, a computer scientist in England and one of the maintainers of the Xen hypervisor code, said it was interesting that VUPEN would choose to inject code into dom0 rather than exploit the hypervisor privilege or elevate the privilege of the calling domain.
“I had imagined that an attacker would elevate the privilege of their malicious VM to and then map other VMs’ memory and CPU state directly, but that involves doing some work to understand the OS structures of the other VMs,” Deegan wrote in an email to Threatpost. “Injecting a process into dom0 lets them just use the existing management toolstack to manipulate other VMs.”
This vulnerability was covered in depth at the Black Hat Briefings in Las Vegas last month by researcher Rafal Wojtczuk of Bromium. Wojtczuk and Jan Beulich of SUSE Linux reported the vulnerability in June.
This story was updated on Sept. 6 to add comments from Tim Deegan and a clarification that Citrix also added a hotfix in June.