Skip to main content

VUPEN Exploit Enables Virtual Machine Escape

posted onSeptember 7, 2012
by l33tdawg

VUPEN Security has detailed how to exploit a critical memory corruption vulnerability in Xen hypervisors to break out of virtual machines and execute code.

The attack leverages a now-patched vulnerability discovered by researchers Rafal Wojtczuk of Bromium and Jan Beulich of SUSE Linux and demonstrated earlier this year at the Black Hat security conference. The vulnerability, CVE-2012-0217, exists because the system-call functionality in Xen 4.1.2 and earlier, when running on an Intel processor, improperly uses the sysret path in cases where a certain address is not a canonical address, resulting in local users being able to gain privileges via a "crafted application," according to an advisory for the issue. In the case of France-based VUPEN, exploitation has been achieved under a 64-bit Linux PV guest running on Citrix XenServer 6.0.0 with Xen version 4.1.1.

In order to trigger the bug, explained VUPEN Security Researcher Jordan Gruskovnjak, one has to map memory close to a non-canonical address and perform a SYSCALL instruction in such a way that the address of the instruction after the SYSCALL instruction will point inside a non-canonical address.

Source

Tags

Vupen Security

You May Also Like

Recent News

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th

Friday, June 7th