This vulnerability, called VENOM, allows an attacker to escape from a virtual machine guest into the host system. It affects virtualization platforms that use Xen, Qemu, KVM, or VirtualBox as their hypervisor. The vulnerability is in the virtual floppy disk controller code, which contains a buffer overflow issue. This allows an attacker to potentially gain code execution on the host machine. It is a serious issue because many cloud providers use these vulnerable virtualization platforms.

1. VENOM DEMO & FAQ
Akash Mahajan

2. VENOM is an acronym for
V IRTUALIZE D
ENVIRONMENT
NEGLEC TE D
O PE RATIONS
M ANIPULATION

3. What is VENOM?
It is a security vulnerability in the
virtual floppy drive code used by
many computer virtualization
platforms.

4. What does it do?
This vulnerability may allow an
attacker to escape from the confines
of an affected virtual machine (VM)
guest and potentially obtain code-
execution access to the host.

5. Why is it a big deal?
He was right
about the
cloud, wasn’t
he!

6. Seriously why is this a big deal?
• Consider that all the cloud vendors in the
world use OS level virtualization
• Now all of those who use Xen, Qemu, KVM
and Virtualbox were vulnerable to this
• It doesn’t matter if the virtual machine is a
linux box or a windows box

7. All of these use Xen/Qemu/KVM

8. How does it work?
• So a VM (guest) gets access to virtual
hardware of a physical machine (host)
• Quick EMUlator (QEMU) is an open source
hypervisor that performs hardware
virtualization

9. Exploiting the QEMU Hypervisor
• The hypervisor code sits between the guest and the
host, operating as the ‘bridge’ and abstraction layer
relied upon by either side to communicate with the
other.
• Incorporating all of the memory mapping and device
drivers required to trick the guest into believing it is
operating on real hardware.

10. Hypervisor and XEN

11. QEMU Floppy Disk Controller
• The QEMU FDC is enabled by default in Xen
and KVM platforms.
• The problem exists in the Floppy Disk
Controller, which is initialized for every x86 and
x86_64 guest regardless of the configuration
and cannot be removed or disabled.

12. QEMU Floppy Disk Controller
• The QEMU FDC is enabled by default in Xen
and KVM platforms.
• The problem exists in the Floppy Disk
Controller, which is initialized for every x86 and
x86_64 guest regardless of the configuration
and cannot be removed or disabled.

13. One Ring to Rule Them all

14. The Devil is in the C Code
• FDC uses a buffer of 512 bytes to store the I/O
command and its parameters
• It has an index variable to access the buffer
area
• After every command the index variable is set
to 0

15. Still the Devil is in the C Code
The FDC’s data_pos and data_len fields above are
initialized to 0 upon FDC reset.
• For two of the command handler functions, the
data_pos reset is delayed or circumvented.
– FDC_CMD_READ_ID
– FDC_CMD_DRIVE_SPECIFICATION_COMMAND

16. Buffer Overflow of FIFO buffer
• The VENOM advisory talks about overflow
of the *fifo buffer due to this particular
reason

17. BARELY WORKING DEMO

18. Deja VM Bugs
• BlackHat/DEFCON 2011 Talk: Breaking Out of KVM
• CVE-2007-1744 – Directory traversal vulnerability in
shared folders feature
• CVE-2008-0923 – Path traversal vulnerability in
VMware’s shared folders implementation
• CVE-2009-1244 – Cloudburst (VMware virtual video
adapter vulnerability)
• CVE-2011-1751 – Missing hotplug check during device
removal
• CVE-2012-0217 – 64-bit PV guest privilege escalation
vulnerability
• CVE-2014-0983 – Oracle VirtualBox 3D acceleration
multiple memory corruption vulnerabilities

19. Questions?
• Ask Datta!
@makash | aka@null.co.in | theappseclab.com

20. Attributions and References
• Starting point for understanding http://venom.crowdstrike.com/
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456
• https://access.redhat.com/articles/1444903
• CC BY-SA 3.0 File:Priv rings.svg Uploaded by OgreBot
• https://en.wikipedia.org/wiki/Protection_ring#Hypervisor_mode
• https://blog.nelhage.com/2011/08/breaking-out-of-kvm/
• https://github.com/nelhage/virtunoid
• http://www.dedoimedo.com/computers/kvm-intro.html
• http://blog.crowdstrike.com/venom-vulnerability-details/
• http://www.dedoimedo.com/computers/kvm-intro.html