Local Privilege Escalation By Hijacking The VMware VMX Process
Sun Bing <taoshaixiaoyao@hotmail.com>
CanSecWest, 26th MAR 2008
Agenda
- VMware release notes and security advisories.
- Vulnerabilities description.
- Exploitation I (vmware.exe).
- Exploitation II (vmware-authd.exe).
- VMware internals (authd protocol, vmx86 IOCTLs, VMM).
- Something about the newly released VMware versions.
- Question time.
VMware 5.5.6 Release Notes

New in Version 5.5.6. Workstation 5.5.6 addresses the following security issues:
- An internal security audit determined that a malicious user could attain and exploit LocalSystem privileges by causing the authd process to connect to a named pipe that is opened and controlled by the malicious user. In this situation, the malicious user could successfully impersonate authd and attain the privileges under which authd is executing. (bug 221309, Foundstone CODE-BUG-H-001)
- This release updates the libpng library to version 1.2.22 to remove various security vulnerabilities. (bug 224453)
- A vulnerability in VMware Workstation running on Windows allowed complete access to the host's file system from a guest machine. This access included the ability to create and modify executable files in sensitive locations. (bug 224522, CORE-2007-0930)
- A security vulnerability in OpenSSL 0.9.7j could make it possible to forge an RSA key signature. Workstation 5.5.6 upgrades OpenSSL to version 0.9.7l to avoid this vulnerability. (bug 236970, RSA Signature Forgery, CVE-2006-4339)
- The authd process read and honored the vmx.fullpath variable in the user-writable file config.ini, creating a security vulnerability. (bug 241646)
- The config.ini file could be modified by a non-administrator to change the VMX launch path. This created a vulnerability that could be exploited to escalate a user's privileges. (bug 241675)
VMware Security Advisories

h. Local Privilege Escalation on Windows based platforms by Hijacking VMware VMX configuration file

VMware uses a configuration file named "config.ini" which is located in the application data directory of all users. By manipulating this file, a user could gain elevated privileges by hijacking the VMware VMX process. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2008-1363 to this issue.

Windows based Hosted products:
- VMware Workstation 6.0: upgrade to version 6.0.3 (Build# 80004)
- VMware Workstation 5.5: upgrade to version 5.5.6 (Build# 80404)
- VMware Player 2.0: upgrade to version 2.0.3 (Build# 80004)
- VMware Player 1.0: upgrade to version 1.0.6 (Build# 80404)
- VMware Server 1.0: upgrade to version 1.0.5 (Build# 80187)
- VMware ACE 2.0: upgrade to version 2.0.1 (Build# 80004)
- VMware ACE 1.0: upgrade to version 1.0.5 (Build# 79846)
Vulnerability Description
- VMware uses an important configuration file named "config.ini" which exists in the application data directory of all users, for example "C:\Documents and Settings\All Users\Application Data\VMware Workstation\config.ini", which means even a common user (in the Users group) can create (and modify) this config file. VMware locates this config file by using the Shell32 API "SHGetFolderPathA" with the 2nd argument nFolder being "CSIDL_FLAG_CREATE | CSIDL_COMMON_APPDATA".
- VMware determines the full path of VMX (vmware-vmx.exe) by two methods:
  1. The InstallPath value under the "SOFTWARE\VMware, Inc.\VMware Workstation" registry key combined with "bin\vmware-vmx.exe", which can't be controlled by a common user.
  2. The "vmx.fullpath" config line within "config.ini", which overrides the registry value above and can be controlled by a common user.
- Therefore the consequence is that a common user can hijack the VMX process that will be launched by VMware by simply manipulating a config file, which then gives them chances to
VMware AppData Permissions (XP SP2)
Note: However, in Windows 2000 and Vista the Users group may not have write permission to the Application Data directory of all users by default.
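A defender-side check for this issue, added here and not part of the slides or of VMware's code: it reproduces the lookup order described above (config.ini's vmx.fullpath overriding the registry-derived InstallPath plus bin\vmware-vmx.exe) and flags a config.ini whose override points anywhere else. The install path and the sample config.ini contents are constructed; the key = "value" line format is assumed from VMware's config files.

```python
import re

# Constructed sample of an All Users config.ini carrying a hijacking override (not from a real host).
SAMPLE_CONFIG = r'''
# VMware Workstation config.ini (constructed sample)
.encoding = "windows-1252"
pref.vmplayer.exit.vmAction = "poweroff"
vmx.fullpath = "c:\windows\system32\calc.exe"
'''

_LINE = re.compile(r'^([A-Za-z0-9_.]+)\s*=\s*(.*)$')  # key = "value"; quotes optional


def parse_config_ini(text):
    """Parse VMware's key = "value" format into a dict; keys lower-cased, '#' lines skipped, last wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        settings[key] = value
    return settings


def expected_vmx_path(install_path):
    """VMX path derived from the InstallPath registry value (method 1 on the slide)."""
    return install_path.rstrip('\\') + r'\bin\vmware-vmx.exe'


def resolve_vmx_path(install_path, config_text):
    """Precedence the slide describes: vmx.fullpath in config.ini overrides the registry-derived path."""
    override = parse_config_ini(config_text).get('vmx.fullpath')
    return override if override else expected_vmx_path(install_path)


def audit_config_ini(install_path, config_text):
    """Return findings: a vmx.fullpath that differs from the registry-derived path is a hijack indicator."""
    override = parse_config_ini(config_text).get('vmx.fullpath')
    if override is None:
        return []
    # Windows paths compare case-insensitively; normalise forward slashes before comparing.
    norm = lambda p: p.replace('/', '\\').lower()
    if norm(override) == norm(expected_vmx_path(install_path)):
        return []
    return ['vmx.fullpath overrides the registry-derived VMX path: ' + override]
```

On a live host the install path would come from the registry value named on the slide and the text from the All Users config.ini; a non-empty result means the VMX launch path has been redirected.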
Exploitation Method I
- The easiest exploitation method of this vulnerability is as follows: a low privileged user adds a config line ("vmx.fullpath") to "config.ini" and points it at his/her fake VMX, which is actually an exploitation program used to escalate privilege, then waits for it to be launched later by a higher privileged VMware user. In some circumstances, all these exploitation actions (modifying the config file and uploading the fake VMX) could be performed remotely.
- Demo: vmware.exe is trapped into launching calc.exe (vmx.fullpath = c:\windows\system32\calc.exe, see the picture on the next page).
- The shortcoming: what if no higher privileged user is going to use VMware in the short term, do we still need to keep on waiting?
VMX Hijacked
Exploitation Method II
- Another instantly effective exploitation method could be implemented via the VMware Authorization Service (vmware-authd.exe) as follows:
  1. The VMXExp adds a config line ("vmx.fullpath") to "config.ini", which points to itself.
  2. The VMXExp sends the "vmexec" command to vmware-authd through a named pipe, and lets it launch itself.
  3. The VMXExp gets executed by vmware-authd. Although it still only runs at a lower privilege (authd uses ImpersonateLoggedOnUser and CreateProcessAsUserW), since it is now a child process of vmware-authd it can ask authd to help open any object which actually needs higher privilege (File/Device, Event): authd opens it and duplicates the handle to its child. The VMXExp sends the "opensecurable" command to vmware-authd through a named pipe, and asks it to open a file or device which can be used later to escalate privilege.
  4. The VMXExp reads the reply (prefixed with a "TOKEN" string) from vmware-authd, and gets the duplicated handle to its desired file or device object.
  5. The VMXExp can then continue with the real privilege escalation actions by using these handles. For example, a write mode handle to a critical LocalSystem service executable image can be used to replace this service with a fake one, while a handle to the VMware VMX86 device can be used to send some interesting IOCTLs (discussed later).
- Demo: Local privilege escalation by system service replacement.
- Note: Since vmware-authd of VMware 6.0 doesn't look at the "vmx.fullpath" line in "config.ini" when creating the VMX process, this exploitation method can only be applied to VMware 5.5 (or below).
VMware Authd Protocols
- The named pipe used: \\.\pipe\vmware-authdpipe
- Commands supported:
  - localconnect / tlocalconnect
  - vmexec / vmexecdebug
  - opensecurable: "opensecurable" "objectname"|0x86b dwDesiredAccess dwShareMode dwCreationDisposition dwFlagsAndAttributes CurrentPID
  - openvmautomation
- Except for the named pipe (for local use), VMware 6.0 authd also supports socket communication (the VMware Authentication Daemon listens on port 912). Some critical configurable items are still stored under the All Users profile directory as the
VMX86 Device IOCTLs
- Device object exported by vmx86.sys: \\.\vmx86
- These Device I/O Control interfaces are protected: only higher privileged users can open the device handle and send IOCTLs (privileges must be higher than the "__vmware__" group, and the password of the only user "__vmware_user__" in this group seems to be generated randomly by VMware authd upon each startup), therefore we first need to bypass this protection by using the method introduced before.
- Interesting VMX86 IOCTLs that facilitate arbitrary memory manipulation and ring 0 code execution:
  - IOCTL_VMX86_CREATE_VM, IOCTL_VMX86_INIT, IOCTL_VMX86_RUN_VM: a fake crosspage, VMM and VM
  - IOCTL_VMX86_LOOK_UP_MPN, IOCTL_VMX86_LOCK_PAGE, IOCTL_VMX86_WRITE_PAGE
  - …
- Demo: Local privilege escalation by ring 0 code execution.
Ring 0 Code Execution Via VMX86
- IOCTLs:
  - IOCTL_VMX86_CREATE_VM: 0x81013f4c, out: VM id
  - IOCTL_VMX86_INIT: 0x81013f5c, in: InitBlock
  - IOCTL_VMX86_RUN_VM: 0x81013f67, in: VCPU id
  - IOCTL_VMX86_RELEASE_VM: 0x81013f54
- InitBlock:

    typedef struct _InitBlock_ {
        DWORD MagicNumber;                    // INIT_BLOCK_MAGIC 0x1796
        DWORD UserCallHandle;
        DWORD NumVCPUs;
        void* CrossPage[MAX_INITBLOCK_CPUS];  // 32 slots
        DWORD Iteration;
    } InitBlock;

- The CrossPage is 4K in size, and the shellcode starts from offset 0x10; it is executed by vmx86 in kernel mode in the host world context (interrupts disabled but page table not switched).
VMware Virtual Machine Monitor
- VMware VMM core dump: the VMM resides within the VMware VMX (vmware-vmx.exe). Accessing unimplemented (not emulated) device regions, such as the reserved IOAPIC registers, makes the VMM panic and generate a core dump file for analysis.
- 2 isolated worlds & 5 different contexts:
  - Host World: Host Ring 0, Host Ring 3.
  - Guest World: VMM (Ring 0), Guest Ring 0 (Ring 1), Guest Ring 3.
- VMware VMM security considerations:
  - A parasitic rootkit that hides within the VMware VMM, which gets executed in ring 0 mode in both the Host and the Guest world.
  - A possible way to run ring 0 code without the need to load a driver, which can probably be used to bypass the driver signature verification in Windows Vista.
VMware Guest Context (VMM)

    <bochs:66> info cpu
    eax: 0x000c0370, ebx: 0x77e29894, ecx: 0x00000038, edx: 0x000c0370
    ebp: 0x00002f18, esp: 0x00002ee8, esi: 0x77e29894, edi: 0x00002f40
    eip: 0x00064d46, eflags: 0x00080206, inhibit_mask: 0
    cs: s=0x4020, dl=0x000003ff, dh=0xffc09ac0, valid=1
    ss: s=0x4028, dl=0x000003ff, dh=0xffc093c0, valid=7
    ds: s=0x4028, dl=0x000003ff, dh=0xffc093c0, valid=7
    es: s=0x4028, dl=0x000003ff, dh=0xffc093c0, valid=1
    fs: s=0x0000, dl=0x0000, dh=0x0000, valid=0
    gs: s=0x0000, dl=0x0000, dh=0x0000, valid=0
    ldtr: s=0x4060, dl=0xb0000000, dh=0xff0082ce, valid=1
    tr: s=0x4000, dl=0x64a00088, dh=0xff0089c0, valid=1
    gdtr: base=0xffc07000, limit=0x412f
    idtr: base=0xffc18000, limit=0x7ff
    dr0: 0x0000, dr1: 0x0000, dr2: 0x0000
    dr3: 0x0000, dr6: 0xffff0, dr7: 0x00000700
    cr0: 0x80010031, cr1: 0x0000, cr2: 0x77e29894
    cr3: 0x01e44020, cr4: 0x00000635
    done
VMware Guest Context (Guest Ring 0)

    <bochs:52> info cpu
    eax: 0x0000, ebx: 0xe12490e8, ecx: 0x0000, edx: 0x00000003
    ebp: 0xbe4ef4a4, esp: 0xbe4ef484, esi: 0xe12490e0, edi: 0x814a7428
    eip: 0x0011ae11, eflags: 0x00081246, inhibit_mask: 0
    cs: s=0x4039, dl=0x000003ff, dh=0xffc0bbc0, valid=1
    ss: s=0x40d1, dl=0x0000fbff, dh=0x00cfb300, valid=7
    ds: s=0x0023, dl=0x0000fbff, dh=0x00cff300, valid=7
    es: s=0x0023, dl=0x0000fbff, dh=0x00cff300, valid=5
    fs: s=0x0030, dl=0xe0000001, dh=0xffc0b3ff, valid=7
    gs: s=0x4041, dl=0x000003ff, dh=0xffc0b3c0, valid=7
    ldtr: s=0x4060, dl=0xb0000000, dh=0xff0082ce, valid=1
    tr: s=0x4000, dl=0x64a00088, dh=0xff0089c0, valid=1
    gdtr: base=0xffc07000, limit=0x412f
    idtr: base=0xffc18000, limit=0x7ff
    dr0: 0x0000, dr1: 0x0000, dr2: 0x0000
    dr3: 0x0000, dr6: 0xffff0, dr7: 0x00000700
    cr0: 0x8001003b, cr1: 0x0000, cr2: 0xe1ee8001
    cr3: 0x01e44020, cr4: 0x00000631
    done
VMware Guest Context (Guest Ring 3)

    <bochs:38> info cpu
    eax: 0x00e3f114, ebx: 0x00000002, ecx: 0x00e3ffdc, edx: 0x00000001
    ebp: 0x00e3eee0, esp: 0x00e3ecc0, esi: 0x0000, edi: 0x0000
    eip: 0x77c524a6, eflags: 0x00080246, inhibit_mask: 0
    cs: s=0x001b, dl=0x0000fbff, dh=0x00cffb00, valid=1
    ss: s=0x0023, dl=0x0000fbff, dh=0x00cff300, valid=7
    ds: s=0x0023, dl=0x0000fbff, dh=0x00cff300, valid=7
    es: s=0x0023, dl=0x0000fbff, dh=0x00cff300, valid=1
    fs: s=0x0038, dl=0x90000fff, dh=0x7f40f3fd, valid=7
    gs: s=0x0000, dl=0x0000, dh=0x0000, valid=0
    ldtr: s=0x4060, dl=0xb0000000, dh=0xff0082ce, valid=1
    tr: s=0x4000, dl=0x64a00088, dh=0xff0089c0, valid=1
    gdtr: base=0xffc07000, limit=0x412f
    idtr: base=0xffc18000, limit=0x7ff
    dr0: 0x0000, dr1: 0x0000, dr2: 0x0000
    dr3: 0x0000, dr6: 0xffff0, dr7: 0x00000700
    cr0: 0x8001003b, cr1: 0x0000, cr2: 0x8003603a
    cr3: 0x01e44000, cr4: 0x00000635
    done
VMware Guest Context (TSS)

    <bochs:40> info tss
    tr: s=0x4000, base=0xffc064a0, valid=1
    ss:esp(0): 0x4028:0x00002fe8
    ss:esp(1): 0x4041:0x00006000
    ss:esp(2): 0x4028:0x00002fe8
    cr3: 0x01e44020
    eip: 0x00055103
    eflags: 0x0000
    cs: 0x4020  ds: 0x4028  ss: 0x4028  es: 0x4028  fs: 0x0000  gs: 0x0000
    eax: 0x00006484  ebx: 0x000000d1  ecx: 0x81e45400  edx: 0x00006400
    esi: 0x00002f94  edi: 0x0000412f  ebp: 0x00002f10  esp: 0x00002eb4
    ldt: 0x4060
    i/o map: 0x0088
VMware Guest Context (IDT)

    <bochs:34> info idt
    Interrupt Descriptor Table (base=0x0000ffc18000, limit=2047):
    IDT[0x00]=32-Bit Interrupt Gate target=0x4020:0x00055536, DPL=0
    IDT[0x01]=32-Bit Interrupt Gate target=0x4020:0x0005554e, DPL=0
    IDT[0x02]=32-Bit Interrupt Gate target=0x4020:0x00018800, DPL=0
    IDT[0x03]=32-Bit Interrupt Gate target=0x4020:0x0005555b, DPL=1
    IDT[0x04]=32-Bit Interrupt Gate target=0x4020:0x00018810, DPL=0
    IDT[0x05]=32-Bit Interrupt Gate target=0x4020:0x00055568, DPL=0
    IDT[0x06]=32-Bit Interrupt Gate target=0x4020:0x00055580, DPL=0
    IDT[0x07]=32-Bit Interrupt Gate target=0x4020:0x0005558d, DPL=0
    IDT[0x08]=Task Gate target=0x4008:0x0000, DPL=0
    IDT[0x09]=32-Bit Interrupt Gate target=0x4020:0x00018820, DPL=0
    …
    IDT[0xfb]=32-Bit Interrupt Gate target=0x4020:0x000c29c0, DPL=0
    IDT[0xfc]=32-Bit Interrupt Gate target=0x4020:0x000c29d0, DPL=0
    IDT[0xfd]=32-Bit Interrupt Gate target=0x4020:0x000c29e0, DPL=0
    IDT[0xfe]=32-Bit Interrupt Gate target=0x4020:0x000c29f0, DPL=0
    IDT[0xff]=32-Bit Interrupt Gate target=0x4020:0x000c2a00, DPL=0
VMware Guest Context (GDT)

    <bochs:43> info gdt
    Global Descriptor Table (base=0x0000ffc07000, limit=16687):
    GDT[0x01]=Code segment, linearaddr=0000, limit=ffbff * 4Kbytes, Execute/Read, Accessed, 32-bit
    GDT[0x02]=Data segment, linearaddr=0000, limit=ffbff * 4Kbytes, Read/Write
    GDT[0x03]=Code segment, linearaddr=0000, limit=ffbff * 4Kbytes, Execute/Read, Accessed, 32-bit
    GDT[0x04]=Data segment, linearaddr=0000, limit=ffbff * 4Kbytes, Read/Write, Accessed
    GDT[0x05]=32-Bit TSS (Busy) at 0x80285000, length 0x020ab
    GDT[0x06]=Data segment, linearaddr=ffffe000, limit=00001 * 4Kbytes, Read/Write, Accessed
    GDT[0x07]=Data segment, linearaddr=7ffd9000, limit=00fff bytes, Read/Write, Accessed
    GDT[0x08]=Data segment, linearaddr=00000400, limit=0ffff bytes, Read/Write
    GDT[0x0a]=32-Bit TSS (Available) at 0x80470040, length 0x00068
    GDT[0x0b]=32-Bit TSS (Available) at 0x804700a8, length 0x00068
    GDT[0x0c]=Data segment, linearaddr=00022ab0, limit=0ffff bytes, Read/Write
    …
VMware Guest Context (GDT Cont)

    GDT[0x800]=32-Bit TSS (Busy) at 0xffc064a0, length 0x00088
    GDT[0x801]=32-Bit TSS (Available) at 0xffcbe000, length 0x00067
    GDT[0x804]=Code segment, linearaddr=ffc00000, limit=003ff * 4Kbytes, Execute/Read, 32-bit
    GDT[0x805]=Data segment, linearaddr=ffc00000, limit=003ff * 4Kbytes, Read/Write, Accessed
    GDT[0x806]=Data segment, linearaddr=ffc00000, limit=003ff * 4Kbytes, Read/Write, Accessed
    GDT[0x807]=Code segment, linearaddr=ffc00000, limit=003ff * 4Kbytes, Execute/Read, Accessed, 32-bit
    GDT[0x808]=Data segment, linearaddr=ffc00000, limit=003ff * 4Kbytes, Read/Write, Accessed
    GDT[0x809]=Data segment, linearaddr=0000, limit=fffff * 4Kbytes, Read/Write, Accessed
    GDT[0x80a]=Code segment, linearaddr=81e45000, limit=00fff bytes, Execute/Read, 32-bit
    GDT[0x80b]=Code segment, linearaddr=ffc00000, limit=003ff * 4Kbytes, Execute/Read, 16-bit
    GDT[0x80c]=LDT
    GDT[0x80e]=Data segment, linearaddr=0000, limit=ffbff * 4Kbytes, Read/Write, Accessed
    …
Local Privilege Escalation Via VMX86
New Exploitation Method
- Is it game over? Possibly not!
- Exploiting the newly released VMware versions (VMware Workstation 6.0.3 build 80004, 5.5.6 build 80404, etc.) on almost all Windows platforms.
- Demo: Local privilege escalation by exploiting VMware Workstation 5.5.6 on Windows XP SP2.
Thanks For Watching! Question & Discussion Time