August 23, 2007 | Comments: (0)
VMware scripting automation API allows local exploitation
I have run across a design issue in VMware's scripting automation API that diminishes VM guest/host isolation in such a manner to facilitate privilege escalation, spreading of malware, and compromise of guest operating systems.
VMware's scripting API allows a malicious script on the host machine to execute programs, open URLs, and perform other privileged operations on any guest operating system open at the console, without requiring any credentials on the guest operating system. Furthermore, the script can execute programs even if you lock the desktop of the guest OS.
For example, if a non-admin user is logged in at the vm host, but logged in to guest operating systems as an administrator, the script running as a non-admin on the host can still execute admin-level scripts on the guests.
I obviously did not discover this issue (the API developers provided it as a feature). I am simply pointing out the potential danger, that it was a poor design decision, and that there is a need to establish best practices for virtual machine guest and host isolation.
Background
Virtual machines have become a more integral part of the computing world and are playing an increasing role in IT infrastructures. It is not uncommon to use virtual machines for everything from testing to critical server roles. One benefit of using virtual machines is that it allows you to work with several operating systems on the same machine and provides effective isolation between each operating system.
The VIX API provides an interface to manipulate virtual machines from the host machine. This API is available on any machine with VMware Server or Workstation installed. Certain commands, such as RunProgramInGuest, do require authentication to run commands on a VMware guest OS, but you can instruct them to use the credentials of the user currently logged in at the console. If no user is currently logged in, the command can wait until the next user does log in.
The risk here is that although the guest OS is a separate operating system environment, a script on the host machine can still execute programs in any guest machine without knowing any actual login credentials. This would allow malware to propagate to guest OS's without any additional credentials.
Scenario
Many IT professionals have begun to use virtual machines for critical infrastructure systems. In my own environment I use specialized virtual machines for development and administration. The snapshot features and easy backup capabilities of virtual machines make them convenient for dedicated administrative environments.
Since I, as well as many administrators, normally stay logged in to my desktop as a non-admin user, it is convenient to have separate virtual machines for performing administrative functions. I have also done this to gain further isolation so that normal PC activities such as browsing the Internet and reading e-mail do not compromise administrative access to my network.
The problem is that a malicious script running within the context of a regular user on my desktop can run administrator-level scripts on any guest I am currently logged in to. Using Ctrl+Alt+Del to lock the desktop of those machines does not prevent VIX from executing commands on the guest. Even if I log out of each guest machine, the malware can just queue the command to run the next time I log in at the console of the guest OS.
Remediation
I contacted VMware about this issue several months ago and they responded that this was "a very difficult design choice". Their response was that anyone who is able to connect to a guest via the VIX API would also have the capability of accessing the virtual disk files of the machine and compromise the guest that way as well.
While that is true, it is also possible to use full disk encryption and other countermeasures that prevent access to a host resulting in compromise of the guests. Furthermore, being able to automate something is a big deal when it comes to spreading malware. Give me access to any system on a foreign network with user-level credentials and before too long I can acquire full admin access, but for a worm to be able to automate that in seconds is something completely different.
But rather than try to argue with VMware about the severity of the issue, I chose to simply make you all aware that the potential is there and you can decide for yourselves.
Fortunately, there is an undocumented switch to turn this off. In the VMX config file, you can add the following:
guest.commands.anonGuestCommandsRunAsConsoleUser=FALSE
You can also set this on the host-wide configuration file, so it will override the config setting in every VM. So with that, I would like to establish a best practice for virtual machine guest/host isolation:
A virtual server host should never provide any mechanism that, by default, allows guest-to-host or host-to-guest access without having to follow standard authentication procedures and protocols for the target operating system.
This original post can be found here:
http://xato.net/bl/2007/08/22/vmware-guest-isolation-vulnerability/
Mark Burnett
http://xato.net
Posted by Roger Grimes on August 23, 2007 04:06 PM
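The post above names one VMX setting that disables anonymous console-user command execution but gives no way to check a fleet of VMs for it. The following is an added example, not part of Mark Burnett's post or of VMware's own tooling: a small auditor that parses VMX-style `key = "value"` text, classifies each VM as hardened, explicitly enabled, or missing the setting (so the default applies), and can rewrite a file with the setting forced to FALSE. It assumes the setting name quoted in the post and the usual VMX line format; keys are compared case-insensitively, which is an assumption about how VMware treats them, and the three sample files are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Setting named in the post; everything else about the file format is an assumption.
SETTING = "guest.commands.anonGuestCommandsRunAsConsoleUser"
# Matches `key = "value"` or `key = value`; accepts the unquoted form shown in the post.
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"?([^"]*?)"?\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse VMX-style key/value text into a dict.

    Blank lines and '#' comments are skipped; a key that appears twice keeps the
    last value. Keys are normalised to lower case (assumed case-insensitive).
    """
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def status_of(text: str) -> str:
    """Classify one VMX file: HARDENED (FALSE), ENABLED (any other value) or MISSING."""
    value = parse_vmx(text).get(SETTING.lower())
    if value is None:
        return "MISSING"
    return "HARDENED" if value.upper() == "FALSE" else "ENABLED"


def harden(text: str) -> str:
    """Return the VMX text with the setting forced to FALSE.

    An existing line for the key is rewritten in place; otherwise the line is
    appended, so every unrelated setting is left exactly as it was.
    """
    out: List[str] = []
    found = False
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group(1).lower() == SETTING.lower():
            out.append(f'{SETTING} = "FALSE"')
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f'{SETTING} = "FALSE"')
    return "\n".join(out) + "\n"


def audit(vmx_files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Audit a mapping of VM name -> VMX contents; results are sorted worst first."""
    rank = {"ENABLED": 0, "MISSING": 1, "HARDENED": 2}
    results = [(name, status_of(text)) for name, text in vmx_files.items()]
    return sorted(results, key=lambda r: (rank[r[1]], r[0]))


# Constructed sample VMX contents (not real files) covering the three outcomes.
SAMPLE_VMX = {
    "admin-box": '.encoding = "UTF-8"\ndisplayName = "admin-box"\n',
    "dev-box": 'displayName = "dev-box"\n'
               'guest.commands.anonGuestCommandsRunAsConsoleUser = "TRUE"\n',
    "locked-down": 'displayName = "locked-down"\n'
                   '# hardened per the best practice above\n'
                   'guest.commands.anonGuestCommandsRunAsConsoleUser=FALSE\n',
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_VMX):
        print(f"{status:9} {name}")
    print(harden(SAMPLE_VMX["admin-box"]), end="")
```

The host-wide configuration file the post mentions can be fed through the same functions; its path is not given in the post, so it is not hard-coded here.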
August 20, 2007 | Comments: (0)
Honeyd for Windows gets a much-needed update.
Jesper Jurcenoks, co-founder of netVigilance, Inc., has released an updated version of Honeyd for Windows. You can get it here.
Honeyd, originally a Unix/Linux-only product by Niels Provos, is one of the best virtual honeypot software programs in existence. It is very flexible and useful. Michael Davis did the original Honeyd port to Windows (thank you very much, Michael), but that version didn't keep up with Windows as Windows XP and later came out. Changes in Microsoft Windows, and a few other notorious bugs, made it hard for me to ever recommend using Honeyd for Windows over the last year or so.
Instead, I'd recommend that people use the Unix/Linux version of Honeyd, but that meant learning new skills if you were a Windows-only person; or use Kfsensor (my favorite honeypot software).
Jesper Jurcenoks and his company took the time to do a complete re-write and free update of Honeyd for Windows. Jesper even took the time to correct one bug that remains in the Linux/Unix version to make sure it didn't get replicated to the Windows version. netVigilance even offers a $99 GUI configurator, which can save you hours of configuration and troubleshooting. Thanks to Jesper and netVigilance (and Michael Davis for his earlier contributions) for allowing us Windows security types to play with Niels' excellent honeypot software.
Posted by Roger Grimes on August 20, 2007 06:54 AM
August 20, 2007 | Comments: (0)
First Amazon review of my latest book gets me down
You don't get rich writing computer security books. In the end you barely make minimum wage. You write a computer security book because you want to share something about a topic that needs more detailed coverage than a 2000-word magazine article can provide.
After seven books, maybe I shouldn't let my feelings be hurt so easily by a bad review. I normally have a tough skin, but sometimes the critics do hurt a little bit.
It was that way with the first review posted on Amazon about our (me and Jesper's) latest book, Windows Vista Security: Securing Vista Against Malicious Attack (Wiley). It gave our book only 3 stars (out of 5) and appears to rant more about Windows security than anything else.
I've never gotten an Amazon.com book review score below 4 stars before. Heck, there were only one or two 4-star rankings in all six of my previous books; the rest were 5 stars. That's not to say that all my writing reviews are good. I've been blasted by the best of them over the past decade.
Bad reviews I can handle. What is so disappointing with this latest review, by Edward Ray, is that he seems to hate Windows Vista (he even promotes OS X in the title of his review and in the finishing comments). He goes on and on about hating Vista and Windows security. He only mentions two or three things about the book.
In one of those instances he says, "Scant mention of BitLocker in this book, one of its major shortcomings." I count 12 pages and 13 step-by-step screen shots on it. Yeah, that's scant coverage alright.
Edward Ray goes on to complain how our book is 582 pages long versus some other guy's 2002 XP book, which was 416 pages. Apparently, the longer pages mean a more insecure product (despite the fact that Vista has many fewer patches at this stage than XP did). He also mentions that the IE 7 chapter is 50 pages long. Am I really expected to apologize because we give detailed coverage to a wide range of topics?
I don't mind bad reviews...well, I'm lying, I hate them...but this guy seems to be complaining more about Microsoft and Vista than the book. I know I'm biased, but I think Chapter 3 is the best coverage of how Windows really works behind the scenes that you'll find in any other book. Any thanks for it? No. Our Vista security book is the only one to cover IIS 7, which is significantly different than IIS 6. Any mention of that? No. It's the only Vista security book to cover wireless security. And it's the only book to say that you don't need all those expensive computer security defenses to protect yourself. Any mention? No, just a rant about how Windows security sucks. How boring.
BTW, Edward Ray, can you explain why your beloved OS X has three times as many vulnerabilities (according to Secunia.com, no friend of Microsoft) this year as compared to Windows Vista? Can you explain why OS X had more vulnerabilities this year and last as compared to XP? Can you explain how, when you first start the latest version of OS X, it downloads over 100 MB of patches? Is it because OS X is so much more secure by default?
Ah, my wife is hitting me on the back of the head telling me to get over it.
Posted by Roger Grimes on August 20, 2007 06:05 AM
August 20, 2007 | Comments: (0)
New honeypot book delivers
Virtual Honeypots: From Botnet Tracking to Intrusion Detection by Niels Provos and Thorsten Holz
As a long-time honeypot and honeyclient professional (and honeypot book author), I had high hopes for this book, and it delivers.
Niels and Thorsten provide a solid reference to beginners and more experienced honeypot users. It covers how to install and use (step-by-step) dozens of honeypot products. The list of what they cover is far too long to cover here, but let's say they cover 95% of what any honeypot enthusiast would want to read about.
My favorite subjects in the book are: User-mode Linux, Honeyd, Honeywall, honey clients, collecting malware with honeypots, tracking botnets, and analyzing malware.
The only downsides I could even come up with are that the book covers a lot of Unix/Linux-only products, just like the honeypot world, which might be a put-off for Windows-only readers, and that it didn't cover Kfsensor, my favorite Windows honeypot product. Other than that, it is an excellent, excellent book, which I would recommend to any honeypot enthusiast.
In the end, what I really liked about this book is its coverage of a wide range of products, and its practical application to capturing and analyzing malware.
Posted by Roger Grimes on August 20, 2007 06:03 AM
August 17, 2007 | Comments: (0)
Snort owners add Clam AV to their stable.
It appears that they will mimic the Snort development track, and co-sponsor commercial and open-source models.
Read more here.
Posted by Roger Grimes on August 17, 2007 12:54 PM
August 12, 2007 | Comments: (0)
New worm hides as Windows folder icons and copies itself to USB drives
Interesting new worm, which hides itself as a Windows folder icon and copies itself to USB drives. When the user clicks on what they think is a folder icon, it runs the executable instead.
Read more about it here.
Posted by Roger Grimes on August 12, 2007 04:18 PM
August 12, 2007 | Comments: (0)
Ultra-High Security Locks Used by White House Easily Opened by 12-Year Old Girl
As reported from DefCon and Threat Level blogs, the "ultra-high" security locks used by the White House can easily be picked.
Hackers have contacted the lock's manufacturer, and the manufacturer said they didn't believe it, even though the pickers sent them evidence. At DefCon they had a 12-year-old girl pick the locks. Take a look at this article and included video; she does it in 30 seconds. Ah...manufacturer, can you hear them now?
Posted by Roger Grimes on August 12, 2007 04:11 PM
August 12, 2007 | Comments: (0)
Bank Security Practices Making It Easier to Hack
From Black Hat and Dark Reading, an interesting article on how many new bank security mechanisms, designed to make hacking harder, actually make it easier.
On a related note: Bruce Schneier of Counterpane and crypto fame has said the same thing for half a decade...solving authentication issues will not ultimately protect banks or bank customers. Banking trojans, which I've written on extensively, are man-in-the-end-node attacks, and can, and do, easily bypass any of these authentication protections.
Posted by Roger Grimes on August 12, 2007 04:05 PM
August 12, 2007 | Comments: (0)
Sun Podcast on Identity Theft with yours truly
Sun Microsystems Identity Management podcasts
Brandon and Don host a series of podcasts on Identity Management Solutions. You can subscribe to the podcast series here. It's available in iTunes or MP3 formats.
Last week, I spent half an hour with the team discussing one of my recent identity theft columns. I had more fun doing their podcast than any other I've done over the past year, although we had serious Skype problems, so I'm not sure how much of the podcast recording made it through final edits. I found the hosts to be very knowledgeable and open-minded. You can listen to the podcast I participated in here.
Posted by Roger Grimes on August 12, 2007 09:05 AM
August 05, 2007 | Comments: (0)
Hacking Gmail and other insecure SSL sites
Rob Graham demonstrated hacking Google's gmail by sniffing the unprotected cookie.
Click here for the article.
Graham showed his hack at the Black Hat USA 2007 conference last week. He demonstrated his method by taking over some innocent conference goer's gmail account.
Essentially, the hack works by sniffing the user's web site cookie in transit to the user before SSL/TLS has been enabled. Having stolen the cookie, the intruder can now impersonate the user after the user successfully logs in. The vulnerability happens because SSL/TLS is not enabled until after the user's cookie is passed, instead of before, as it should be.
Posted by Roger Grimes on August 5, 2007 07:45 PM
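The post explains the failure mode (a session cookie that travels before, or outside, SSL/TLS) but not how a site owner would spot it in their own responses. The following is an added example, not code from the post or from Google: a small auditor that parses Set-Cookie headers and reports every cookie that a sniffer on the path could read, either because the response that set it was served over plain HTTP or because the cookie lacks the Secure attribute, which a browser needs in order to refuse to resend the cookie over http://. The sample URLs and header values are constructed for the demonstration and the function names are this example's own.

```python
from typing import Dict, List
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and a lower-cased attribute map.

    Flag attributes (Secure, HttpOnly) map to True; valued ones (Domain=, Path=)
    keep their value. Only the shape of the header is interpreted, nothing else.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookies(response_url: str, set_cookie_headers: List[str]) -> List[str]:
    """Return one finding per way a cookie could be observed in transit.

    Two independent exposures are checked: the response itself arriving over
    plain HTTP (the value is already on the wire unencrypted) and a cookie
    without the Secure attribute (the browser will send it back over http://
    on any later request, even if this response was encrypted).
    """
    findings: List[str] = []
    over_tls = urlsplit(response_url).scheme.lower() == "https"
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not over_tls:
            findings.append(
                f"{cookie['name']}: set by a plain-HTTP response ({response_url}); "
                "value observable by anyone on the path")
        if "secure" not in cookie["attrs"]:
            findings.append(
                f"{cookie['name']}: missing Secure attribute; browser will resend it over http://")
    return findings


# Constructed responses (not captured traffic): a weak login flow and a hardened one.
WEAK_RESPONSE_URL = "http://mail.example.test/login"
WEAK_HEADERS = [
    "SID=constructed-session-token; Domain=.example.test; Path=/",
    "PREF=ui-settings; Path=/; HttpOnly",
]
HARDENED_RESPONSE_URL = "https://mail.example.test/login"
HARDENED_HEADERS = [
    "SID=constructed-session-token; Domain=.example.test; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for url, headers in ((WEAK_RESPONSE_URL, WEAK_HEADERS),
                         (HARDENED_RESPONSE_URL, HARDENED_HEADERS)):
        print(url)
        for finding in audit_cookies(url, headers) or ["no findings"]:
            print("  -", finding)
```

Fixing both findings means the same thing the post asks for: the login page and every response that sets the session cookie must be served over SSL/TLS, and the cookie must carry Secure so that it never goes back out in the clear.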
August 05, 2007 | Comments: (0)
This has to be the longest sentence given to a spammer in the US by far.
Click here to read more.
Posted by Roger Grimes on August 5, 2007 12:45 PM