Before 1998, it was impossible to virtualize Intel x86 systems. VMware introduced a technique called binary translation. In 2006, Intel introduced VT-x virtualization technology for x86, its hardware support for virtualization. This presentation discusses in detail what kind of support Intel provides for virtualization. It also briefly discusses different implementation techniques.
Static partitioning is used to split an embedded system into multiple domains, each of them having access only to a portion of the hardware on the SoC. It is key to enable mixed-criticality scenarios, where a critical application, often based on a small RTOS, runs alongside a larger non-critical app, typically based on Linux. The two domains cannot interfere with each other.
This talk will explain how to use Xen for static partitioning. It will introduce dom0-less, a new Xen feature written for the purpose. Dom0-less allows multiple VMs to start at boot time directly from the Xen hypervisor, decreasing boot times drastically. It makes it very easy to partition the system without virtualization overhead. Dom0 becomes unnecessary.
This presentation will go into detail on how to set up a Xen dom0-less system. It will show configuration examples and explain device assignment. The talk will discuss its implications for latency-sensitive and safety-critical environments.
VENOM (Virtualised Environment Neglected Operations Manipulation) is a vulnerability that could allow an attacker to escape a guest virtual machine and access the host system, along with other virtual machines running on this system, and access their data.
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. This talk includes real-world examples of attacks that the presenters use on a daily basis, and some reflections on what techniques have changed over the last year. Vulnerabilities related to the application, network, and server layers will all be covered, along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real-world attacks.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Simple tips to improve Server Security
ResellerClub
These days, it is essential to secure your servers both from the outside and from the customers using the server. This session will show some basic methods for protecting your server(s).
Pulkit Gupta
CEO & Chief Architect
Softaculous
1. SSID: FYRM URL: http://172.16.254.1
STEALING GUESTS...
THE VMWARE WAY
Justin Morehouse & Tony Flick
ShmooCon 2010
DISCLAIMER
Standard disclaimer verbiage...
• Everything said, showed, implied, etc. is not the opinion of our employers, friends, dogs, VMware, ShmooCon, etc.
• This disclaimer is not endorsed by our lawyers.
ABOUT US
Justin Morehouse
• Assessment Lead @ Large Retailer in Southeast USA
• Controls 58.2% of the MacBook Pro flipping market on Craigslist
Tony Flick
• Principal @ FYRM Associates
• Has never mistaken Hunts ketchup for Heinz ketchup...EVER!
WARNING
What this presentation IS NOT:
• 0 day release - worked w/ VMware
• A demonstration of rocket science
What this presentation IS:
• A reminder of the security implications of virtualization
• The culmination of ‘sanity’ projects
TIMELINE
• Vulnerability identified on 5/14/09
• Reported to VMware on 5/15/09
• VMware responded on 5/21/09
• CVE-2009-3733 reserved on 10/20/09
• VMSA-2009-0015 released on 10/27/09
• ‘b. Directory Traversal vulnerability’
IDENTIFICATION
• Originally identified on VMware Server 2.0.1 build 156745 (on Ubuntu 8.04)
• Thought to be localized to inside of NAT interface of Host (8307/tcp)
• Can steal VMs from within other VMs... if NAT’d
• Kinda cool, not really practical
• What we originally reported to VMware & submitted to ShmooCon
but......
DOES THIS LOOK FAMILIAR?
HOW ABOUT THIS?
VULNERABILITY
• Web Access web servers also vulnerable
• Server (default ports 8222/8333) - ../ x 6
• ESX/ESXi (default ports 80/443) - %2E%2E/ x 6
• No longer requires NAT mode / Remotely exploitable
• Not as straightforward as originally thought
• Still trivial to exploit because...
IT’S GOOD TO BE ROOT
• Web servers are running as root = complete access
• ESX/ESXi
• Server
HOW IT WORKS ON SERVER
• Proxy used to redirect requests based on URL
• /etc/vmware/hostd/proxy.xml (includes mappings)
• /sdk = 8307/tcp
• /ui = 8308/tcp
HOW IT WORKS ON SERVER
• Web server on 8308/tcp is vulnerable, but will only serve certain filetypes (xml, html, images, etc.)
• Web server on 8307/tcp is also vulnerable, but serves ALL filetypes
• Simply append /sdk to our URL request and we’ve got complete access to Host filesystem (including other Virtual Machines)
• ESX/ESXi - ALL web servers return ALL filetypes (no /sdk)
GUESTSTEALER
• Perl script remotely ‘steals’ virtual machines from vulnerable hosts
• Supports Server, ESX, ESXi
• Allows attacker to select which Guest to ‘steal’
• Utilizes VMware configuration files to identify available Guests and determine associated files
VMINVENTORY.XML
• /etc/vmware/hostd/vmInventory.xml (default location)
• Gives us Guest inventory & location information
GUEST .VMX & .VMDK
• .vmx gives us Guest config and file locations
• .vmdk (disk image) can point to other .vmdk images
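For defenders, the traversal pattern on the VULNERABILITY and HOW IT WORKS slides (`../` or `%2E%2E/` chains, typically under `/sdk`) and the files named on the last two slides (vmInventory.xml, .vmx, .vmdk) are easy to spot in web-access logs. The following is an added example, not code from the slides or from GuestStealer: it percent-decodes each requested path until stable (so double-encoded `%252E%252E` is caught too), counts parent-directory hops, and flags requests that reach VMware configuration or disk files. The log lines are constructed samples and the function names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not captured from a real host.
SAMPLE_LOGS = [
    '10.0.0.5 - - [15/May/2009:10:01:02 -0400] "GET /ui/index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/May/2009:10:01:07 -0400] "GET /sdk/../../../../../../etc/vmware/hostd/vmInventory.xml HTTP/1.1" 200 2048',
    '10.0.0.9 - - [15/May/2009:10:01:09 -0400] "GET /sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/vmfs/volumes/ds1/web/web.vmx HTTP/1.1" 200 4096',
    '10.0.0.9 - - [15/May/2009:10:01:15 -0400] "GET /sdk/%252E%252E/etc/passwd HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# Files the talk shows being read through the traversal: inventory, proxy map, guest config and disks.
SENSITIVE_RE = re.compile(r'(vmInventory\.xml|proxy\.xml|\.vmx|\.vmdk)$', re.IGNORECASE)


def normalize(path):
    """Percent-decode until stable so %2E%2E and double-encoded %252E%252E both become '..'."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def analyze_request(path):
    """Return traversal depth, whether the request went via /sdk, and whether it hit a VMware config/disk file."""
    norm = normalize(path.split('?', 1)[0])
    depth = sum(1 for segment in norm.split('/') if segment == '..')
    return {
        'normalized': norm,
        'traversal_depth': depth,
        'via_sdk': norm.startswith('/sdk/'),
        'sensitive_target': bool(SENSITIVE_RE.search(norm)),
    }


def scan_logs(lines):
    """Return one alert dict per request containing at least one parent-directory hop."""
    alerts = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        info = analyze_request(match.group('path'))
        if info['traversal_depth'] > 0:
            info['client'] = line.split(' ', 1)[0]  # client address is the first CLF field
            alerts.append(info)
    return alerts
```

Run `scan_logs(SAMPLE_LOGS)`: the three traversal requests are returned, the first two with depth 6 and a sensitive target, the third with depth 1 (the double-encoded probe) and no sensitive target.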
MITIGATION STRATEGIES
• Patch, patch, patch
• Hosts are an attractive target (compromise one = access many)
• Better yet...Segment, segment, segment
• Segment management interfaces
• Segment systems of different security levels
• Don’t share physical NICs between different security levels
• Virtualization is not always the ‘best answer’
QUESTIONS?
GuestStealer available for download @
www.fyrmassociates.com