Researchers developed an “advanced exploitation method” which triggered a previously discovered vulnerability in order to escape a Xen virtual machine running on Citrix XenServer and get onto the host machine, Jordan Gruskovnjak, a security researcher at VUPEN Security wrote on the Vulnerability Research Team Blog on Tuesday. The vulnerability was discovered by Rafal Wojtczuk and presented during the recent Black Hat security conference in Las Vegas.
With this method, attackers who have root access on a guest virtual machine running under Xen can take over the host system and be able to execute arbitrary code with appropriate permissions, Gruskovnjak said. Once out of the virtual machine, attackers would be able to access all the other virtual machines running on that hardware.
“By controlling the general purpose registers, it is possible to influence the hypervisor behavior and gain code execution in the hypervisor context, escaping the guest context.” Gruskovnjak wrote.
While the vulnerability being exploited affects systems with Intel CPU hardware, the method described in the blog post only affects paravirtualized systems and not machines with native virtualization. Intel servers that support Xen directly is not impacted. Many of the newer high-end chips support virtualization with direct hardware support and thus offers native virtualization. On many systems, paravirtualization remains common, which relies on the kernel and the host virtual machine manager such as Citrix XenServer or Vmware to make appropriate calls to the guest VM.
VUPEN researchers used mmap to map various resources on a Linux system to trigger the vulnerability. Exploitation has been achieved under a 64-bit Linux PV guest running on Citrix XenServer 6.0.0 with Xen version 4.1.1, according to the blog post. The method will work on other versions as well, said Gruskovnjak. The exploit requires root access on the VM to work.
VUPEN’s methods, if it can be used reliably, means attackers would finally be able to target virtual machines to compromise the host. A possible attack scenario may have attackers signing up with businesses that offer VM hosting. Since the attacker has root access over the VM being rented, it’s possible to try running the exploit. If any of these services happen to run Xen and use paravirtualization, which is very probable, the attacker breaks into the host operating system and then can hop into other virtual machines being rented by other customers. J
ust a few weeks ago, Symantec researchers identified a malware variant that could infect the files used by virtual machines to infect guest systems, but there have not been a lot of reliable exploits to seize control of the host.
The implications of VUPEN’s attack method are staggering.