mailing list archives
CVE-2013-5892: hypervisor exploitation and stuff
From: Bas Alberts <bas.alberts () immunityinc com>
Date: Fri, 7 Feb 2014 11:34:25 -0500
So the ORACLE VirtualBox hypervisor vulnerability has been turning a few
heads today after Matthew Daley's full disclosure post about the bugs
Hypervisor exploitation is always interesting because you don't know what's
at the end of the yellow brick road when you're popping out of the guest.
Something we see a lot is people making the assumption of network connectivity
on the host side of things, but in reality the only assumption of
connectivity you can make is your established route into the guest.
So one thing we generally spend a lot of time on when doing hypervisor
work is to ensure that the payload can tunnel your shell from host to
guest. Generally the easiest way to do that is to use some shared memory
segment between the host and the guest and run a simple protocol over
that to tunnel your connectivity. This e.g. is what we did for the
CLOUDBURST project (in a more convoluted form through direct3d APIs).
This is also what we ended doing for our work on what is now
CVE-2013-5892. The exploitation route we ended up taking does not
require an LKM (you can use libpciaccess for that stuff, and all
you need is io port access and pci access, which can just do as root).
Anyhow, we have a full research paper and working/reliable Linux to
Linux guest/host exploit up on our CEU subscription feed. It's an
interesting piece of exploit engineering and a neat example of real
world hypervisor attacks (i.e. you're far from done once you get code
For the CEU folks you can find it at: https://www.immunityinc.com/ceu-index.shtml
Description: Digital signature
Dailydave mailing list
Dailydave () lists immunityinc com
- CVE-2013-5892: hypervisor exploitation and stuff Bas Alberts (Feb 07)