Virtual machine escape

In computer security, virtual machine escape is the process of a program breaking out of the virtual machine on which it is running and interacting with the host operating system. A virtual machine is a "completely isolated guest operating system installation within a normal host operating system". In 2008, a vulnerability in VMware discovered by Core Security Technologies made VM escape possible on VMware Workstation 6.0.2 and 5.5.4. A fully working exploit labeled ''Cloudburst'' was developed by Immunity Inc. for Immunity CANVAS (a commercial penetration testing tool). Cloudburst was presented at Black Hat USA 2009.


Previous known vulnerabilities

* Xen pygrub: command injection in the grub.conf file.
* Directory traversal vulnerability in the shared folders feature for VMware.
* Directory traversal vulnerability in the shared folders feature for VMware.
* Xen para-virtualized frame buffer backend buffer overflow.
* Cloudburst: VM display function in VMware.
* QEMU-KVM: PIIX4 emulation does not check whether a device is hotpluggable before unplugging it.
* The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier.
* Oracle VirtualBox 3D acceleration: multiple memory corruption issues.
* VENOM: buffer overflow in QEMU's virtual floppy disk controller.
* QEMU-KVM: heap overflow in the pcnet_receive function.
* Xen Hypervisor: uncontrolled creation of large page mappings by PV guests.
* Xen Hypervisor: the PV pagetable code has fast paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases (e.g. clearing only Access/Dirty bits). The set of bits considered safe was too broad, and not actually safe.
* Xen Hypervisor: disallow L3 recursive pagetable for 32-bit PV guests.
* CVE-2017-5715, CVE-2017-5753, CVE-2017-5754: the Spectre and Meltdown hardware vulnerabilities, cache side-channel attacks at the CPU level (Rogue Data Cache Load, RDCL), allow a rogue process to read all memory of a computer, including memory outside that assigned to its virtual machine.
* Hyper-V Remote Code Execution Vulnerability.
* Hyper-V Remote Code Execution Vulnerability.
* VMware ESXi, Workstation, Fusion: the SVGA driver contains a buffer overflow that may allow guests to execute code on hosts.
* VMware Workstation, Fusion: heap buffer overflow in the VMNAT device that may allow a guest to execute code on the host.
* VMware Workstation, Horizon View: multiple out-of-bounds read issues via Cortado ThinPrint may allow a guest to execute code or cause a denial of service on the Windows OS.
* Oracle VirtualBox: the shared memory interface of the VGA device allows reads and writes on the host OS.
* VMware ESXi, Workstation, Fusion: uninitialized stack memory usage in the vmxnet3 virtual network adapter.
* "Microarchitectural Data Sampling" (MDS) attacks: similar to the Spectre and Meltdown attacks above, these CPU-level cache side-channel attacks allow reading data across VMs and even data of the host system. Sub-types: Microarchitectural Store Buffer Data Sampling (MSBDS), Microarchitectural Fill Buffer Data Sampling (MFBDS, also known as ZombieLoad), Microarchitectural Load Port Data Sampling (MLPDS), and Microarchitectural Data Sampling Uncacheable Memory (MDSUM).
* Windows Hyper-V Remote Code Execution Vulnerability.
* Xen Hypervisor and Citrix Hypervisor: allows guest virtual machines to compromise the host system (denial of service and privilege escalation).
* Critical: Windows 10 and VMware Workstation using AMD Radeon graphics cards with the Adrenalin driver: an attacker in the guest system can use a pixel shader to cause a memory error on the host system, injecting malicious code into the host system and executing it.
* ZombieLoad, ZombieLoad v2, Vector Register Sampling (VRS), Microarchitectural Data Sampling (MDS), Transactional Asynchronous Abort (TAA), CacheOut, L1D Eviction Sampling (L1DES): L1 cache side-channel attacks at the CPU level allow virtual machines to read memory outside their sandbox.
* CVE-2020-3962, CVE-2020-3963, CVE-2020-3964, CVE-2020-3965, CVE-2020-3966, CVE-2020-3967, CVE-2020-3968, CVE-2020-3969, CVE-2020-3970, CVE-2020-3971: VMware ESXi, Workstation Pro / Player, Fusion Pro, Cloud Foundation: vulnerabilities in SVGA, graphics shader, USB driver, xHCI/EHCI, PVNVRAM, and vmxnet3 can cause virtual machine escape.


See also

* Hyperjacking



External links

* CVE-2008-0923
* Cloudburst (Hacking 3D and Breaking Out of VMware), Black Hat 2009 (video)
* https://technet.microsoft.com/library/security/MS17-008