Venom vulnerability Overview and a basic demo
VENOM DEMO & FAQ
Akash Mahajan
VENOM is an acronym for Virtualized Environment Neglected Operations Manipulation.
What is VENOM?
It is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms.
CVE-2015-3456
What does it do?
This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host.
Why is it a big deal?
He was right about the cloud, wasn’t he!
Seriously why is this a big deal?
• Consider that all the cloud vendors in the world use OS level virtualization
• Now all of those who use Xen, Qemu, KVM and Virtualbox were vulnerable to this
• It doesn’t matter if the virtual machine is a Linux box or a Windows box
All of these use Xen/Qemu/KVM
How does it work?
• So a VM (guest) gets access to virtual hardware of a physical machine (host)
• Quick EMUlator (QEMU) is an open source hypervisor that performs hardware virtualization
Exploiting the QEMU Hypervisor
• The hypervisor code sits between the guest and the host, operating as the ‘bridge’ and abstraction layer relied upon by either side to communicate with the other.
• It incorporates all of the memory mapping and device drivers required to trick the guest into believing it is operating on real hardware.
Hypervisor and XEN
QEMU Floppy Disk Controller
• The QEMU FDC is enabled by default in Xen and KVM platforms.
• The problem exists in the Floppy Disk Controller, which is initialized for every x86 and x86_64 guest regardless of the configuration and cannot be removed or disabled.
One Ring to Rule Them all
The Devil is in the C Code
• The FDC uses a buffer of 512 bytes to store the I/O command and its parameters
• It has an index variable to access the buffer area
• After every command the index variable is set to 0
Still the Devil is in the C Code
The FDC’s data_pos and data_len fields above are initialized to 0 upon FDC reset.
• For two of the command handler functions, the data_pos reset is delayed or circumvented:
– FDC_CMD_READ_ID
– FDC_CMD_DRIVE_SPECIFICATION_COMMAND
Buffer Overflow of FIFO buffer
• The VENOM advisory talks about overflow of the fifo buffer due to this particular reason
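The following C program is an added illustration of the three slides above (the 512-byte FIFO, the index that is supposed to return to 0 after every command, and the handler that skips that reset); it is not code from the deck or from QEMU. It models the FIFO with the field names the slides use (fifo, data_pos, data_len, FD_SECTOR_LEN), fills it with one legitimate command, then sends further bytes with and without the end-of-command reset. The unchecked write path reports, rather than performs, any write whose index would land past the buffer, and the checked path shows the mitigation shape the upstream fix took, forcing every FIFO access to stay inside the allocated buffer. The command sequence and the 16 extra bytes are constructed inputs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the QEMU FDC command FIFO described on the slides.
 * Field names follow the slides; everything else is illustrative only. */
#define FD_SECTOR_LEN 512

typedef struct {
    uint8_t  fifo[FD_SECTOR_LEN];
    uint32_t data_pos;   /* index into fifo[], reset to 0 after each command */
    uint32_t data_len;   /* length of the current command (not consulted by the write path) */
} FdcModel;

/* FDC reset: both fields start at 0, as the slide states. */
static void fdc_reset(FdcModel *f) { memset(f, 0, sizeof *f); }

/* Unchecked write path: trusts data_pos. Returns the index used, or -1 when
 * that index lies outside fifo[] (the model refuses to perform the write;
 * the real bug is that nothing refused it). */
static int fifo_write_unchecked(FdcModel *f, uint8_t value) {
    uint32_t pos = f->data_pos++;
    if (pos >= FD_SECTOR_LEN) return -1;
    f->fifo[pos] = value;
    return (int)pos;
}

/* Hardened write path: forces the index into bounds before touching the
 * buffer, so a stale data_pos can no longer reach past fifo[]. */
static int fifo_write_checked(FdcModel *f, uint8_t value) {
    uint32_t pos = f->data_pos++;
    pos %= FD_SECTOR_LEN;
    f->fifo[pos] = value;
    return (int)pos;
}

/* Runs one full 512-byte command, optionally performs the normal
 * end-of-command reset, then pushes n more bytes through `put`.
 * Returns how many of those n bytes `put` refused as out of bounds. */
static int oob_writes(bool reset_between, size_t n,
                      int (*put)(FdcModel *, uint8_t)) {
    FdcModel f;
    int oob = 0;
    fdc_reset(&f);
    f.data_len = FD_SECTOR_LEN;
    for (size_t i = 0; i < FD_SECTOR_LEN; i++) put(&f, (uint8_t)i);
    if (reset_between) f.data_pos = 0;   /* what every handler is supposed to do */
    for (size_t i = 0; i < n; i++)
        if (put(&f, 0xAA) < 0) oob++;
    return oob;
}

int main(void) {
    printf("unchecked, reset skipped : %d out-of-bounds writes\n",
           oob_writes(false, 16, fifo_write_unchecked));
    printf("unchecked, reset done    : %d out-of-bounds writes\n",
           oob_writes(true, 16, fifo_write_unchecked));
    printf("checked,   reset skipped : %d out-of-bounds writes\n",
           oob_writes(false, 16, fifo_write_checked));
    return 0;
}
```

The first line of output is the bug class the advisory describes: with the reset skipped, every extra byte the guest supplies is stored at an index of 512 or more. The second line shows why the other command handlers are safe, and the third shows that bounding the index at the point of access closes the hole even when a handler forgets to reset data_pos.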
BARELY WORKING DEMO
Deja VM Bugs
• BlackHat/DEFCON 2011 Talk: Breaking Out of KVM
• CVE-2007-1744 – Directory traversal vulnerability in shared folders feature
• CVE-2008-0923 – Path traversal vulnerability in VMware’s shared folders implementation
• CVE-2009-1244 – Cloudburst (VMware virtual video adapter vulnerability)
• CVE-2011-1751 – Missing hotplug check during device removal
• CVE-2012-0217 – 64-bit PV guest privilege escalation vulnerability
• CVE-2014-0983 – Oracle VirtualBox 3D acceleration multiple memory corruption vulnerabilities
Attributions and References
• Starting point for understanding: http://venom.crowdstrike.com/
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456
• https://access.redhat.com/articles/1444903
• CC BY-SA 3.0 File:Priv rings.svg, uploaded by OgreBot
• https://en.wikipedia.org/wiki/Protection_ring#Hypervisor_mode
• https://blog.nelhage.com/2011/08/breaking-out-of-kvm/
• https://github.com/nelhage/virtunoid
• http://www.dedoimedo.com/computers/kvm-intro.html
• http://blog.crowdstrike.com/venom-vulnerability-details/