venom vulnerability overview and a basic demo
VENOM DEMO & FAQ
Akash Mahajan
VENOM is an acronym for
VIRTUALIZED
ENVIRONMENT
NEGLECTED
OPERATIONS
MANIPULATION
What is VENOM?
It is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms.
CVE-2015-3456
What does it do?
This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host.
Why is it a big deal?
He was right about the cloud, wasn’t he!
Seriously why is this a big deal?
• Consider that all the cloud vendors in the world use OS level virtualization
• Now all of those who use Xen, QEMU, KVM and VirtualBox were vulnerable to this
• It doesn’t matter if the virtual machine is a Linux box or a Windows box
All of these use Xen/QEMU/KVM
How does it work?
• So a VM (guest) gets access to virtual hardware of a physical machine (host)
• Quick EMUlator (QEMU) is an open source hypervisor that performs hardware virtualization
Exploiting the QEMU Hypervisor
• The hypervisor code sits between the guest and the host, operating as the ‘bridge’ and abstraction layer relied upon by either side to communicate with the other.
• It incorporates all of the memory mapping and device drivers required to trick the guest into believing it is operating on real hardware.
Hypervisor and XEN
QEMU Floppy Disk Controller
• The QEMU FDC is enabled by default in Xen and KVM platforms.
• The problem exists in the Floppy Disk Controller, which is initialized for every x86 and x86_64 guest regardless of the configuration and cannot be removed or disabled.
One Ring to Rule Them all
The Devil is in the C Code
• FDC uses a buffer of 512 bytes to store the I/O command and its parameters
• It has an index variable to access the buffer area
• After every command the index variable is set to 0
Still the Devil is in the C Code
The FDC’s data_pos and data_len fields are initialized to 0 upon FDC reset.
• For two of the command handler functions, the data_pos reset is delayed or circumvented:
– FDC_CMD_READ_ID
– FDC_CMD_DRIVE_SPECIFICATION_COMMAND
Buffer Overflow of FIFO buffer
• The VENOM advisory talks about an overflow of the fifo buffer due to this particular reason: because the index is not reset, later command bytes are written past the 512-byte buffer.
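To make the mechanism on the last three slides concrete, here is an added example that I wrote for this transcript; it is not code from the talk and not QEMU’s fdc code. It is a constructed model of the controller state the slides name (a 512-byte fifo, data_pos, data_len) with hypothetical command ids. The pre-fix write path trusts data_pos, and the end-of-command step skips the reset for the two handlers the slide lists; rather than actually corrupting memory, the model refuses any write that would land outside the buffer and counts it, so you can see how far the index drifts. Beside it is one hardened write path (an illustrative bounds check and re-sync, not the actual QEMU patch) that keeps every write inside the buffer even when the reset is skipped.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FD_SECTOR_LEN 512   /* the 512-byte FIFO the slide describes */

/* Constructed model of the controller state named on the slides. Field names
 * follow the slide (fifo, data_pos, data_len); it is not QEMU's fdc struct. */
typedef struct {
    uint8_t  fifo[FD_SECTOR_LEN];
    uint32_t data_pos;     /* index into fifo[] */
    uint32_t data_len;     /* bytes expected for the current command */
    uint32_t oob_writes;   /* writes the model refused to perform */
} fdc_model;

/* Hypothetical command ids for the simulation; only the two handlers the
 * slide names (READ_ID, DRIVE_SPECIFICATION_COMMAND) behave differently. */
enum { CMD_GENERIC = 0, CMD_READ_ID = 1, CMD_DRIVE_SPEC = 2 };

static void fdc_reset(fdc_model *f) { memset(f, 0, sizeof *f); }

/* End-of-command handling as the slide describes it: the index goes back to 0
 * after every command, except in the two handlers where the reset is skipped. */
static void fdc_end_command(fdc_model *f, int cmd) {
    if (cmd == CMD_READ_ID || cmd == CMD_DRIVE_SPEC)
        return;                     /* reset delayed or circumvented */
    f->data_pos = 0;
    f->data_len = 0;
}

/* Pre-fix style data write: trusts data_pos. Instead of corrupting memory, the
 * model refuses any write that would land past fifo[] and counts it. */
static bool fdc_write_data_prefix(fdc_model *f, uint8_t byte) {
    uint32_t pos = f->data_pos++;
    if (pos >= FD_SECTOR_LEN) {
        f->oob_writes++;
        return false;
    }
    f->fifo[pos] = byte;
    return true;
}

/* Hardened write (illustrative, not QEMU's patch): the index is checked against
 * the buffer before every use, so a skipped reset can only cause a re-sync,
 * never a write outside fifo[]. */
static bool fdc_write_data_hardened(fdc_model *f, uint8_t byte) {
    if (f->data_pos >= FD_SECTOR_LEN) {
        f->data_pos = 0;            /* treat as a protocol error and resynchronise */
        f->data_len = 0;
        f->oob_writes++;
        return false;
    }
    f->fifo[f->data_pos++] = byte;
    return true;
}

/* Drive `repeat` commands of `nbytes` parameter bytes each through the model. */
static void fdc_simulate(fdc_model *f, int cmd, unsigned nbytes,
                         unsigned repeat, bool hardened) {
    fdc_reset(f);
    for (unsigned r = 0; r < repeat; r++) {
        for (unsigned i = 0; i < nbytes; i++) {
            if (hardened)
                fdc_write_data_hardened(f, 0x41);
            else
                fdc_write_data_prefix(f, 0x41);
        }
        fdc_end_command(f, cmd);
    }
}

/* Number of writes that would have landed outside the 512-byte FIFO. */
uint32_t fdc_refused_writes(int cmd, unsigned nbytes, unsigned repeat, bool hardened) {
    fdc_model f;
    fdc_simulate(&f, cmd, nbytes, repeat, hardened);
    return f.oob_writes;
}

/* Value of data_pos after the last command: shows whether the index drifted. */
uint32_t fdc_final_index(int cmd, unsigned nbytes, unsigned repeat, bool hardened) {
    fdc_model f;
    fdc_simulate(&f, cmd, nbytes, repeat, hardened);
    return f.data_pos;
}

int main(void) {
    /* 10 commands of 100 parameter bytes each = 1000 writes against a 512-byte buffer */
    printf("generic cmd, pre-fix : refused=%u final index=%u\n",
           fdc_refused_writes(CMD_GENERIC, 100, 10, false),
           fdc_final_index(CMD_GENERIC, 100, 10, false));
    printf("READ_ID,     pre-fix : refused=%u final index=%u\n",
           fdc_refused_writes(CMD_READ_ID, 100, 10, false),
           fdc_final_index(CMD_READ_ID, 100, 10, false));
    printf("READ_ID,    hardened : refused=%u final index=%u\n",
           fdc_refused_writes(CMD_READ_ID, 100, 10, true),
           fdc_final_index(CMD_READ_ID, 100, 10, true));
    return 0;
}
```

With a generic command the reset after each command keeps the index at 0 and nothing is refused. With the READ_ID-style handler the index is never reset, so after 1000 parameter bytes data_pos sits at 1000 and 488 of those writes would have landed past the buffer; that is the condition the advisory describes. The hardened path shows the defender’s takeaway: the fix does not depend on every handler remembering to reset the index, because the write itself refuses to go out of bounds.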
BARELY WORKING DEMO
Deja VM Bugs
• BlackHat/DEFCON 2011 Talk: Breaking Out of KVM
• CVE-2007-1744 – Directory traversal vulnerability in shared folders feature
• CVE-2008-0923 – Path traversal vulnerability in VMware’s shared folders implementation
• CVE-2009-1244 – Cloudburst (VMware virtual video adapter vulnerability)
• CVE-2011-1751 – Missing hotplug check during device removal
• CVE-2012-0217 – 64-bit PV guest privilege escalation vulnerability
• CVE-2014-0983 – Oracle VirtualBox 3D acceleration multiple memory corruption vulnerabilities
Attributions and References
• Starting point for understanding: http://venom.crowdstrike.com/
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456
• https://access.redhat.com/articles/1444903
• CC BY-SA 3.0 File:Priv rings.svg, uploaded by OgreBot
• https://en.wikipedia.org/wiki/Protection_ring#Hypervisor_mode
• https://blog.nelhage.com/2011/08/breaking-out-of-kvm/
• https://github.com/nelhage/virtunoid
• http://www.dedoimedo.com/computers/kvm-intro.html
• http://blog.crowdstrike.com/venom-vulnerability-details/