Thursday, February 23, 2012

New Virtualization System-Specific Attacks

■ VM jumping/guest hopping

–Attackers take advantage of hypervisor escape vulnerabilities to “jump” from one VM to another

■ VM attacks

–Attacks during deployment and duplication

–Deletion of virtual images

–Attacks on control of virtual machines

–Code/file injection into virtualization file structure

■ VM migration

–VM migration is the transfer of a guest OS from one physical server to another with little or no downtime

–Implemented by several virtualization products

–Provides high availability and dynamic load balancing

■ VM migration attack

–If the migration protocol is unencrypted, it is susceptible to a man-in-the-middle attack

–Allows arbitrary state in the VM to be modified

–In its default configuration, Xen Motion is susceptible (no encryption)

–VMware's VMotion system supports encryption

–Proof-of-concept developed by Jon Oberheide at the Univ. of Michigan
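As an added illustration (not from the original post or any product's code) of why an unencrypted, unauthenticated migration stream lets arbitrary VM state be altered in flight, the following Python models a toy migration stream, an in-flight edit of guest memory, and a destination-side integrity check using an HMAC. The state layout, the key and the stream format are constructed for the example; real products get this protection from TLS rather than a hand-rolled tag.

```python
import hashlib
import hmac
import json
import os

# Constructed toy "VM state" standing in for the registers and guest memory
# a live-migration stream carries. Illustration only, not a real format.
VM_STATE = {
    "guest": "web-01",
    "regs": {"rip": 0x401000, "rsp": 0x7FFD0000},
    "mem": "role=user;admin=0",  # fragment of guest memory
}
TAG_LEN = 32  # bytes in an HMAC-SHA256 tag

def serialize(state: dict) -> bytes:
    # Plaintext stream an unencrypted migration (e.g. default Xen Motion)
    # exposes to anyone on the path between source and destination host.
    return json.dumps(state, sort_keys=True).encode()

def seal(stream: bytes, key: bytes) -> bytes:
    # Hardened form: append an HMAC-SHA256 tag under a key shared by both
    # hosts (production gets this from TLS; only integrity is shown here).
    return stream + hmac.new(key, stream, hashlib.sha256).digest()

def open_sealed(sealed: bytes, key: bytes) -> dict:
    # Destination-side check: refuse to resume the guest on any mismatch.
    stream, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, stream, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("migration stream modified in transit or wrong key")
    return json.loads(stream)

def in_flight_edit(stream: bytes) -> bytes:
    # Models the man-in-the-middle change the slide describes: one field of
    # guest memory is rewritten while the stream crosses the wire.
    return stream.replace(b"admin=0", b"admin=1")

def demo() -> tuple:
    # Unprotected path: the destination resumes a guest whose memory changed.
    tampered = json.loads(in_flight_edit(serialize(VM_STATE)))
    unprotected = tampered["mem"]  # 'role=user;admin=1', accepted silently
    # Protected path: the identical edit is rejected at the destination.
    key = os.urandom(32)
    try:
        open_sealed(in_flight_edit(seal(serialize(VM_STATE), key)), key)
        protected = "accepted"
    except ValueError:
        protected = "rejected"
    return unprotected, protected
```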

■ Management server attacks

–Exploit management console vulnerabilities that divulge password information

–Exploit management console vulnerabilities to gain access to management server

–Exploit vulnerabilities that allow local management server users to gain elevated privileges

■ Administrative VM attacks – exploit vulnerabilities to:

–Cause a denial of service by halting the system

–Cause a denial of service by crashing the administrative VM

–Obtain passwords that are stored in clear text

–Exploit buffer overflows in exposed services to execute arbitrary code

–Exploit vulnerable services to gain elevated privileges

–Bypass authentication

■ Guest VM attacks – exploit vulnerabilities to:

–Gain elevated privileges

–Crash the virtual machine

–Truncate arbitrary files on the system

–Execute arbitrary code with elevated privileges

■ Hypervisor attacks – exploit vulnerabilities to:

–Cause the hypervisor to crash

–Escape from one guest VM to another

■ Hyperjacking

–Consists of installing a rogue hypervisor

• One method for doing this is overwriting page files on disk that contain paged-out kernel code

• Force the kernel to be paged out by allocating large amounts of memory

• Find an unused driver in the page file and replace its dispatch function with shellcode

• Take action to cause the driver to be executed

• The shellcode downloads the rest of the malware

• The host OS is migrated to run in a virtual machine

–Has been demonstrated for taking control of the host OS

–Hyperjacking of hypervisors may be possible but has not yet been demonstrated

• Hypervisors will come under intense scrutiny because they are such attractive targets

–Known hyperjacking tools: BluePill, SubVirt, Vitriol

4 comments:

  1. Hi,

    It is a well-described article, but is guest hopping possible in practice? Because I read most of the blogs on VM jumping and guest hopping, but none are sure whether it is possible or not. If it is possible, how can I give a demo of it?

    Replies
    1. Hi Nirav,

      Yes, you can install a Windows VM and not patch it to the latest patch or SP. Then try to use the bug inside Windows to start the attack. You will be able to access other VM servers located on the same physical ESXi servers, if the VM traffic is on the same trunk.

    2. Hi,

      Thanks, I will try it, but which version of VM should I use? And from one guest Windows to another guest Windows in a VM ---> I use the bug inside Windows. Can we jump from one guest to another guest in KVM?

      Cheers,
      Nirav

    3. So far I have only tested VMware vMotion. You may try it out on the unpatched hypervisor and guest OS layer.