venom vulnerability overview and a basic demo

VENOM DEMO & FAQ Akash Mahajan


Post on 06-Aug-2015


Page 1: Venom vulnerability Overview and a basic demo

VENOM DEMO & FAQ
Akash Mahajan

Page 2

VENOM is an acronym for

VIRTUALIZED
ENVIRONMENT
NEGLECTED
OPERATIONS
MANIPULATION

Page 3

What is VENOM?

It is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms.

CVE-2015-3456

Page 4

What does it do?

This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host.

Page 5

Why is it a big deal?

He was right about the cloud, wasn't he!

Page 6

Seriously why is this a big deal?

• Consider that all the cloud vendors in the world use OS level virtualization

• Now all of those who use Xen, QEMU, KVM and VirtualBox were vulnerable to this

• It doesn't matter if the virtual machine is a Linux box or a Windows box

Page 7

All of these use Xen/Qemu/KVM

Page 8

How does it work?

• So a VM (guest) gets access to virtual hardware of a physical machine (host)

• Quick EMUlator (QEMU) is an open source hypervisor that performs hardware virtualization

Page 9

Exploiting the QEMU Hypervisor

• The hypervisor code sits between the guest and the host, operating as the 'bridge' and abstraction layer relied upon by either side to communicate with the other.

• It incorporates all of the memory mapping and device drivers required to trick the guest into believing it is operating on real hardware.

Page 10

Hypervisor and XEN

Page 11

QEMU Floppy Disk Controller

• The QEMU FDC is enabled by default in Xen and KVM platforms.

• The problem exists in the Floppy Disk Controller, which is initialized for every x86 and x86_64 guest regardless of the configuration and cannot be removed or disabled.


Page 13

One Ring to Rule Them all

Page 14

The Devil is in the C Code

• FDC uses a buffer of 512 bytes to store the I/O command and its parameters

• It has an index variable to access the buffer area

• After every command the index variable is set to 0

Page 15

Still the Devil is in the C Code

The FDC's data_pos and data_len fields are initialized to 0 upon FDC reset.

• For two of the command handler functions, the data_pos reset is delayed or circumvented.

– FDC_CMD_READ_ID

– FDC_CMD_DRIVE_SPECIFICATION_COMMAND

Page 16

Buffer Overflow of FIFO buffer

• The VENOM advisory talks about overflow of the *fifo buffer due to this particular reason
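An added model of the write path pages 14 to 16 describe (not QEMU's code and not the author's demo): a 512-byte fifo, a data_pos index that normal handlers reset after each command, and one constructed command whose handler skips that reset, so the index keeps climbing; the hardened branch forces the index into bounds before use, the way the upstream fix did. The command byte values and the 2-byte command length are constructed for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define FD_SECTOR_LEN     512   /* FIFO size named in the slides */
#define CMD_NORMAL        0x01  /* constructed: handler that resets data_pos */
#define CMD_DELAYED_RESET 0x0E  /* constructed: handler whose reset is circumvented */

/* Minimal model of the controller state the slides describe (not QEMU's struct). */
typedef struct {
    uint8_t  fifo[FD_SECTOR_LEN];
    uint32_t data_pos;   /* index into fifo */
    uint32_t data_len;   /* bytes the current command expects */
    uint8_t  cmd;        /* command byte of the current command */
    uint32_t oob_writes; /* writes that would have landed outside fifo[] */
} FdcModel;

/* One guest write to the data port. hardened=false keeps the pre-fix logic but counts and
 * drops an out-of-bounds write; hardened=true forces the index into bounds like the fix. */
static void fdc_write_data(FdcModel *f, uint8_t value, bool hardened)
{
    if (f->data_pos == 0) {          /* first byte starts a new command */
        f->cmd = value;
        f->data_len = 2;             /* constructed: every modelled command is 2 bytes long */
    }
    uint32_t pos = f->data_pos++;
    if (hardened) {
        pos %= FD_SECTOR_LEN;
    } else if (pos >= FD_SECTOR_LEN) {
        f->oob_writes++;
        return;
    }
    f->fifo[pos] = value;
    /* Normal handlers reset the index once the command is complete. The delayed-reset
     * handler does not, so data_pos walks past data_len and is never reset again. */
    if (f->data_pos == f->data_len && f->cmd != CMD_DELAYED_RESET) {
        f->data_pos = 0;
    }
}

/* Sends `cmd` plus one parameter byte, then `extra` trailing bytes;
 * returns how many writes fell outside the 512-byte FIFO. */
uint32_t fdc_count_oob(uint8_t cmd, uint32_t extra, bool hardened)
{
    FdcModel f;
    memset(&f, 0, sizeof f);         /* FDC reset: data_pos and data_len start at 0 */
    fdc_write_data(&f, cmd, hardened);
    fdc_write_data(&f, 0x00, hardened);
    for (uint32_t i = 0; i < extra; i++) fdc_write_data(&f, 0x41, hardened);
    return f.oob_writes;
}
```

A normal command never leaves the buffer no matter how many bytes follow, while the delayed-reset command starts producing out-of-bounds indices as soon as more than 510 bytes trail it, and the bounds-forcing branch removes those indices entirely.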

Page 17

BARELY WORKING DEMO

Page 18

Deja VM Bugs

• BlackHat/DEFCON 2011 Talk: Breaking Out of KVM

• CVE-2007-1744 – Directory traversal vulnerability in shared folders feature

• CVE-2008-0923 – Path traversal vulnerability in VMware's shared folders implementation

• CVE-2009-1244 – Cloudburst (VMware virtual video adapter vulnerability)

• CVE-2011-1751 – Missing hotplug check during device removal

• CVE-2012-0217 – 64-bit PV guest privilege escalation vulnerability

• CVE-2014-0983 – Oracle VirtualBox 3D acceleration multiple memory corruption vulnerabilities

Page 19

Questions?

• Ask Datta!

@makash | [email protected] | theappseclab.com

Page 20

Attributions and References

• Starting point for understanding: http://venom.crowdstrike.com/

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456

• https://access.redhat.com/articles/1444903

• CC BY-SA 3.0 File:Priv rings.svg, uploaded by OgreBot

• https://en.wikipedia.org/wiki/Protection_ring#Hypervisor_mode

• https://blog.nelhage.com/2011/08/breaking-out-of-kvm/

• https://github.com/nelhage/virtunoid

• http://www.dedoimedo.com/computers/kvm-intro.html

• http://blog.crowdstrike.com/venom-vulnerability-details/