Bypassing VM software on XP hosts?

Discussion in 'sandboxing & virtualization' started by Gullible Jones, Nov 8, 2013.

Thread Status:
Not open for further replies.
  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    A thought re using VMs for safe browsing on Windows XP:

    - The client side stuff is Linux, so it should be harder to attack. (If it's properly updated anyway...)
    - But the XP networking stack is still exposed. Packets going to the VM are forwarded by the Windows kernel.
    - Could an attacker figure out that someone was running Linux on an obsolete Windows host?
    - If they could, and working network attacks were available, couldn't they leverage one against the host OS and bypass the VM entirely?

    Probably not a likely scenario IRL; but I'd be interested to know if it's possible at all. If I have a server interacting with client software on a VM, is there any way to discover a) that the client is on a VM, and b) what OS is hosting the VM? Some kind of deep packet inspection maybe?
     
  2. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    We are on a defensive forum, not an offensive one where you learn hacking, pentesting and VM server rooting...
    The answer is yes to all the questions, even if the yes requires some circumstances in some particular cases.
    Attack scenarios are possible from Host to Host, Guest to Guest, Host to Guest and Guest to Host, external to Guest and external to Host.
    YES, with the right and proper methods (e.g. passive/silent fingerprinting), frameworks and tools, skills, and in some cases a severe remotely exploitable vulnerability.
    Even if ARP cache poisoning and SSL MITM can be used, there is no need for advanced network attacks or law-enforcement-style DPI.
    But these attacks are not common... discovering that my target is running an Ubuntu VM on XP will not let me jump from guest to host and vice versa in one click and one command shell...

    During the information gathering phase, a scan of the target system is done, a scan that helps with the OS fingerprint (the -O option if nmap is used: http://nmap.org/book/osdetect-usage.html ).
    Like most OSs, most virtualization solutions have a hardware, software and network signature that can be fingerprinted and recognized locally and/or remotely (instructions, services and ports, registry and files, memory etc.).
    As cloud is in vogue, VMs are the target of the future.
    By default, XP is certainly the most insecure of MS systems, especially its TCP/IP stack.
    And using a guest Linux OS to secure a colander OS like XP makes no sense.
    Linux would not be my favourite choice as a client OS (the BSD family has more chance of exploit survival), simply because some 3 or 4 paid exploit framework platforms are sold with exploit update services.
    Understand that not all available, circulating and exploitable vulnerabilities are published, as some of them are only profitable for some clients (the case of Vupen for instance), or rich buyers (50,000 dollars for a browser vuln. in some encrypted IRC channels).
    I remember this one: https://community.rapid7.com/community/metasploit/blog/2013/09/05/cve-2013-1662-vmware-mount-exploit
    In the same way, I prefer any alternative (VB, XEN, Parallels) solution to the big VMware.
    Regarding malware scenarios, the latest generation of bots, rootkits or banker trojans include VM/emulation/sandbox/debug armoring techniques.
    A very few PoC rootkits made a buzz a few years ago by subverting the VM; BluePill is the most popular of them.
    But their evil career opportunities have been limited to the laboratory.
    Of course, countermeasures exist as a multilayered defense process.
    And in this case, no problem for listing the softs.
    IPMorph, mostly known in France by paranoid sysadmins. http://blog.hynesim.org/en/ipmorph/
    Project Nova http://projectnova.org/
    VMInformer http://www.vminformer.com/
    And some port and ARP spoofing defense tools, network architecture hardening, from free network software IDS to paid heavy hardware IPS.
    I forgot to say that GJ's questions have been much the same for most honeypot project (like Honeynet) developers for years and years.
    For more, search engines and ethical hacking schools are your friends.
    Sorry, I post my answer as it comes to my mind, without a structured plan, and of course without an English dictionary.
     
  3. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,425
    You can tell if a VM is running because each VM (VirtualBox or VMware) has a unique MAC address. This is inbuilt to the software, so unless you use a MAC changer you can tell if you're in a VM or not. As well, there are certain system calls and hooks that can tell the attacker if you're running a VM.

    Yes they can. NSA has a working hypervisor bypass, I'm convinced of that and have seen it in action. I've seen it on a machine I was asked to help fix; I don't work for the NSA btw.

    It turns on Allow Remote Connections on the Windows machine when it escapes the VM.

    I'm not sure how it jumped from the VM to the host, because the Linux VM was hardened with Grsecurity/PaX, but the distro hadn't been updated in a while, which could explain vulnerabilities in the distro's software. As I said, I don't know how it jumped the VM, but it did.
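The MAC-prefix point made in the post above (and kareldjag's remark that virtualization products carry a recognizable network signature) can be checked from the defender's side as an inventory task: which machines on my own segment advertise a hypervisor vendor's default OUI? The script below is an added example written for this thread, not code from any poster or from the products named. It parses Windows `arp -a`, Linux `ip neigh` and Cisco-style ARP lines (the sample lines are constructed), normalizes the MAC formats, and tags each entry with the hypervisor whose publicly registered OUI it carries. The OUI table holds only the well-known vendor prefixes; the `is_locally_administered` check shows the caveat the post itself raises, that a changed MAC defeats the lookup.

```python
"""Flag NICs on the local segment that carry a hypervisor vendor's default OUI.

Added example for this thread (not any poster's code). Sample ARP lines below
are constructed; the OUI table lists publicly registered vendor prefixes.
"""
import re
from typing import Optional

# Default OUIs (first three MAC bytes) assigned by virtualization vendors.
VM_OUIS = {
    "00:0c:29": "VMware",
    "00:50:56": "VMware",
    "00:05:69": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Microsoft Hyper-V",
    "00:16:3e": "Xen",
    "52:54:00": "QEMU/KVM",
    "00:1c:42": "Parallels",
}

# Colon/dash separated (Windows, Linux) or Cisco dotted-quad style MACs.
MAC_RE = re.compile(
    r"(?i)\b([0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b|\b([0-9a-f]{4}\.){2}[0-9a-f]{4}\b"
)
IP_RE = re.compile(r"\b(\d{1,3}\.){3}\d{1,3}\b")


def normalize_mac(mac: str) -> str:
    """Return the MAC as lowercase colon-separated bytes, whatever the input style."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def vm_vendor(mac: str) -> Optional[str]:
    """Name the hypervisor whose default OUI this MAC carries, or None."""
    return VM_OUIS.get(normalize_mac(mac)[:8])


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit of the first byte is set, i.e. the MAC was assigned
    by software rather than burned in; such addresses carry no vendor OUI."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def classify_arp_table(text: str) -> list:
    """Parse MAC (and IP, when present) out of ARP-table text and tag each entry."""
    results = []
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue  # header lines, interface banners, etc.
        mac = normalize_mac(m.group(0))
        ip_m = IP_RE.search(line)
        results.append({
            "ip": ip_m.group(0) if ip_m else None,
            "mac": mac,
            "vm": vm_vendor(mac),
            "locally_administered": is_locally_administered(mac),
        })
    return results


# Constructed sample: Windows arp -a, Linux ip neigh, and Cisco show arp styles.
SAMPLE_ARP = """\
Interface: 192.168.1.10 --- 0xb
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.20          08-00-27-12-34-56     dynamic
192.168.1.30 dev eth0 lladdr 00:0c:29:aa:bb:cc STALE
192.168.1.40 dev eth0 lladdr 52:54:00:de:ad:be REACHABLE
Internet  192.168.1.50  0  0015.5d01.0203  ARPA  Vlan1
"""

if __name__ == "__main__":
    for entry in classify_arp_table(SAMPLE_ARP):
        tag = entry["vm"] or ("locally administered" if entry["locally_administered"] else "-")
        print(f"{entry['ip']:<15} {entry['mac']}  {tag}")
```

Two limits worth keeping in mind when reading the output. A MAC address is a link-layer value and never crosses a router, so this signal exists only for an observer on the same segment (or for the admin running the inventory); it tells a remote web server nothing, which is one reason the thread's remote-discovery question turns on TCP/IP stack fingerprinting rather than MAC prefixes. And a guest whose NIC has been given a locally administered address matches no OUI at all, so an empty `vm` field is absence of evidence, not evidence that the host is physical.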
     