Dailydave mailing list archives

Re: Immunity's CLOUDBURST


From: Julien TINNES <jt () cr0 org>
Date: Tue, 7 Apr 2009 12:07:19 +0200

On Tuesday 07 April 2009, Dave Aitel wrote:
> A few people have mentioned that this was a bit terse. It's "Finals"
> night for a lot of people who watch college basketball I hear, so I'll
> leave you with just a quick bullet list and expand on it tomorrow:
>
> 1. What you're seeing in the movie is shellcode executing on a Host
> from a driver that runs in a Guest.
> 2. If you're running the latest update of Workstation, you're patched.
> 3. ESX/ESXi is not vulnerable, to my knowledge.
> 4. The exploit is amazing, and at some point Kostya will do a talk on it.
> 5. As you can see in the movie, the exploit defeats DEP/ASLR on Vista
> SP1 to go from guest to host. The exploit also works on Linux, but
> ScreenFlash doesn't.

That seems very cool, I can't wait for details!

However I wonder why DEP and ASLR are a problem.

- If a page is marked as executable in Guest, it'll be marked as executable in 
the shadow page tables (with some exceptions).
- For ASLR, well, most page table entries in guest will be mirrored in shadow 
page tables on host, so in this process, you know the addresses.

Hence I would say, as long as you can run unmonitored code with VMM privileges
in the guest, you don't have any problem with DEP/ASLR and you can subvert
the VMM easily by using the gs segment selector (whose corresponding segment
is not limited, since this is how binary translated code accesses the VMM
memory).

Which would suggest you are exploiting something in a process other than the
Guest-VMM one? Did you put your shellcode in the framebuffer (which would
indeed end up in VMware's main process)? Is it another instance of bitblt
overflows in virtualization software (Tavis Ormandy found a couple of them a
few years ago)?

All of this is very exciting.

Julien
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave