You think a Virtual Machine can't be owned? Think again!

Elixer

Lifer
May 7, 2002
10,376
762
126
Ouch!
They were using VMware's Workstation virtual machine.
They scored the hat trick!

"We used a JavaScript engine bug within Microsoft Edge to achieve the code execution inside the Edge sandbox, and we used a Windows 10 kernel bug to escape from it and fully compromise the guest machine," Qihoo 360 Executive Director Zheng Zheng wrote in an e-mail. "Then we exploited a hardware simulation bug within VMware to escape from the guest operating system to the host one. All started from and only by a controlled a website."
https://arstechnica.com/security/20...iting-edge-browser-fetches-105000-at-pwn2own/
 

HitAnyKey

Senior member
Oct 4, 2013
648
13
81
Impressive.

If they can compromise the Guest and the Host OS, I wonder if they can compromise other Guests on that same Host. Think Cloud provider. Very scary. Thanks OP for the post.
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
It's not the virtual machine itself, but the software that runs in it. In this case Edge. How many VPSes, etc., will have Edge running? None!
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
Chinese hackers have become escape artists and fetched $105,000.

Impressive.
 

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
While impressive, VMware Workstation and ESXi (and any other bare metal hypervisors) are very different beasts. Cloud providers aren't using Workstation.
 

Elixer

Lifer
May 7, 2002
10,376
762
126
It's not the virtual machine itself, but the software that runs in it. In this case Edge. How many VPSes, etc., will have Edge running? None!
No, as Ichinisan said... "Then we exploited a hardware simulation bug within VMware to escape from the guest operating system to the host one."
So, they compromised VMware, which is the virtual machine itself, and from that, they could do whatever they want in the host OS once they escaped the VM.
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
The words "Then we" indicate something that precedes it.

So in other words, and what I'm trying to say is that Edge was the vector that caused the dominoes to come tumbling down.
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,234
136
The words "Then we" indicate something that precedes it.

So in other words, and what I'm trying to say is that Edge was the vector that caused the dominoes to come tumbling down.
Edge is the default web browser. It was exploited to compromise the virtual/guest machine. Then the virtualization software was exploited to compromise the physical/host machine.

Almost any browser can have exploitable vulnerabilities. Many of those can be used to compromise the OS. If the OS runs in a VM, you can exploit the host's OS in this demonstration.
 

Red Squirrel

No Lifer
May 24, 2003
67,914
12,379
126
www.anyf.ca
That is indeed pretty scary. Sure, Edge would not be running on a server VM (does anyone even use that browser? lol) but given escaping the VM is now possible, it opens up tons of doors. An apache or postfix or any other standard server app could potentially have an exploit that then allows compromising the host OS. This also means that VM honeypots where you purposely let hackers in for fun are now a bad idea. Ex: messing around with those phone scams.
 

HitAnyKey

Senior member
Oct 4, 2013
648
13
81
It's not the virtual machine itself, but the software that runs in it. In this case Edge. How many VPSes, etc., will have Edge running? None!


While impressive, VMware Workstation and ESXi (and any other bare metal hypervisors) are very different beasts. Cloud providers aren't using Workstation.

That is indeed pretty scary. Sure, Edge would not be running on a server VM (does anyone even use that browser? lol) but given escaping the VM is now possible, it opens up tons of doors. An apache or postfix or any other standard server app could potentially have an exploit that then allows compromising the host OS. This also means that VM honeypots where you purposely let hackers in for fun are now a bad idea. Ex: messing around with those phone scams.

Exactly Red Squirrel and well said. When you have an exploit that can go from Guest to Host, regardless of the attack vector it is a serious concern. And let's face it if they can do this, they might know more than they are showing/telling us. Isn't that par for the course in this field?

Windows Server 2016 LTSB won't have the Edge browser. Server Nano (the stripped down version) should allow you to remove it completely afaik.
 

Elixer

Lifer
May 7, 2002
10,376
762
126
...And let's face it if they can do this, they might know more than they are showing/telling us. Isn't that par for the course in this field?
You know, this is why a "bug bounty" program can be bad.
Most companies offer much less than $5K for bugs/exploits, then this kind of contest comes along, and offers 10X+ that...
People just sit on the exploits, until the purse gets really big, then they cash in.
 

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
It's not the virtual machine itself, but the software that runs in it. In this case Edge. How many VPSes, etc., will have Edge running? None!

It doesn't matter. Any software which could be compromised with an RCE can accomplish the same thing. Whether it's Edge or nginx doesn't matter. It doesn't reduce the impact of the bug in the VM layer.
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
I said the vector was software, not the VM. For the third time.

For example. You can run an outdated VB forum software on the most secure VPS in the world, but the software is going to be the vector for the attack.
 

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
I said the vector was software, not the VM. For the third time.

For example. You can run an outdated VB forum software on the most secure VPS in the world, but the software is going to be the vector for the attack.

Ok? What's your point?

What's important about this attack isn't that they used Edge or any other piece of software. It's that the container that is the virtual machine was compromised and they were able to gain execution on the host.
 

Red Squirrel

No Lifer
May 24, 2003
67,914
12,379
126
www.anyf.ca
I said the vector was software, not the VM. For the third time.

For example. You can run an outdated VB forum software on the most secure VPS in the world, but the software is going to be the vector for the attack.

Yeah but the fact that an attack could escape a VM is a very BAD thing. In some cases you may want/need to purposely run something insecure on a VM, that's why you use a VM for it, but now if a VM can be escaped that's very bad.
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,234
136
I already made my point. Why must I repeat? Not my problem.
I don't get your "point." Edge had a vulnerability. Who cares? It's one of a million things that can have a vulnerability to get into an OS. Exactly how the guest OS gets compromised isn't important. Nobody really even cares about that. What's important is that any compromised guest OS could compromise the host.
 

Elixer

Lifer
May 7, 2002
10,376
762
126
What's important is that any compromised guest OS could compromise the host.
Pretty much this.

What does it matter what they used to compromise the guest OS?
That is totally irrelevant, it could have been anything, it just happened to be Edge this time around.

Any software that is run on a VM shouldn't be able to talk to the host OS at all, that is the whole point of a VM in the first place, you want to wall off anything IN the VM itself, so it is contained.
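An added example of what "wall off anything IN the VM" looks like in practice, covering both Red Squirrel's point that any guest-side service could be the way in and Elixer's point that the guest should not be able to reach the host. This is my own script, not code from the thread, from VMware or from the Pwn2Own team. Every emulated device and guest/host convenience a Workstation guest can reach is "hardware simulation" code in the VMM process on the host, so a hardened VM exposes as few of them as possible. The key names follow VMware's published hardening guidance; the two sample .vmx texts are constructed for the demo, and the descriptions, risk rating and fix advice are my own assumptions.

```python
"""Audit a VMware .vmx file for emulated devices and guest-to-host channels.
Added example (not from the thread or from VMware); key names follow VMware's
hardening guides, the sample .vmx contents and advice are my own assumptions."""
import re

# A .vmx file is a flat list of   key = "value"   lines; '#' starts a comment.
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return {key: value}; keys lower-cased because VMware ignores their case."""
    cfg = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


# Each key, when TRUE, turns on a device model inside the VMM on the host.
# That device model is the code a compromised guest attacks, so every one
# the guest does not need should be off.  (Assumed list, not exhaustive.)
EMULATED_DEVICES = {
    "sound.present": "sound card",
    "usb.present": "USB 1.1 (UHCI) controller",
    "usb_xhci.present": "USB 3.0 (xHCI) controller",
    "floppy0.present": "floppy controller",
    "serial0.present": "serial port",
    "parallel0.present": "parallel port",
    "vmci0.present": "VMCI guest/host communication interface",
}

# Guest/host conveniences (clipboard, drag-and-drop, shared folders, device
# hot-edit, VNC) and the value a hardened VM should carry for each.
HARDENED_SETTINGS = {
    "isolation.tools.copy.disable": "true",
    "isolation.tools.paste.disable": "true",
    "isolation.tools.dnd.disable": "true",
    "isolation.tools.setguioptions.enable": "false",
    "isolation.device.connectable.disable": "true",
    "isolation.device.edit.disable": "true",
    "sharedfolder.maxnum": "0",
    "remotedisplay.vnc.enabled": "false",
}


def audit(cfg):
    """Return a list of human-readable findings; an empty list means nothing to flag."""
    findings = []
    for key, desc in EMULATED_DEVICES.items():
        if cfg.get(key, "FALSE").strip().lower() == "true":
            findings.append(f'{key}: {desc} emulation is on; set to "FALSE" unless the guest needs it')
    for key, want in HARDENED_SETTINGS.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f'{key}: not set, so the permissive default applies; set to "{want.upper()}"')
        elif got.strip().lower() != want:
            findings.append(f'{key}: is "{got}", expected "{want.upper()}"')
    return findings


# Constructed sample: a desktop-style VM with the usual defaults left in place.
DEFAULT_VMX = """\
sound.present = "TRUE"
usb.present = "TRUE"
usb_xhci.present = "TRUE"
floppy0.present = "FALSE"
serial0.present = "TRUE"
vmci0.present = "TRUE"
sharedFolder.maxNum = "1"
"""

# Constructed sample: the same VM with the guest-reachable surface trimmed.
HARDENED_VMX = """\
sound.present = "FALSE"
usb.present = "FALSE"
usb_xhci.present = "FALSE"
floppy0.present = "FALSE"
serial0.present = "FALSE"
vmci0.present = "FALSE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
isolation.tools.setGUIOptions.enable = "FALSE"
isolation.device.connectable.disable = "TRUE"
isolation.device.edit.disable = "TRUE"
sharedFolder.maxNum = "0"
RemoteDisplay.vnc.enabled = "FALSE"
"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_VMX), ("hardened", HARDENED_VMX)):
        findings = audit(parse_vmx(text))
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

To run it against a real VM, pass the contents of its .vmx file to parse_vmx and print the findings; anything it reports is a device model or channel that a guest-side compromise (Edge, apache, postfix, whatever) could reach before it would need a second bug to get to the host. Disabling VMCI may cost some VMware Tools features, so treat that entry as a trade-off rather than a blanket rule.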
 

HitAnyKey

Senior member
Oct 4, 2013
648
13
81
I believe this exploit targeted a host running VMware Workstation, a Type 2 Hypervisor. Which is really just a layer of software running on top of the OS. Not nearly as secure as a Type 1, or maybe I am wrong?

First I wonder if this same exploit would work against any Type 2 Hypervisor? Like Oracle VM VirtualBox.
Second I wonder if they could pull this off using a Type 1 Hypervisor Host like VMware ESXi 6.x with latest updates.

Does anyone know if VMware has any official statement on the exploit?
 