Breaking virtualization by switching the cpu to virtual 8086 mode

Jonathan Brossard

CEO – Toucan System



Virtualization : big picture

Attack surface analysis

The need for new tools

Introducing Virtual 8086 mode

Practical fuzzing with vm86()

Virtualization : big picture

Market shares


Virtualization :

market shares

Source : Forrester Research 2009

78% of companies have production servers virtualized.

20% only have virtualized servers.

Virtualization :

market shares

Source : Forrester Research 2009

VMWare is present in 98% of the companies.

Microsoft virtualization products are used by 17%.

Citrix/Xen is used by 10%.

In a nutshell...

-As widespread as Apache or Bind

- Proprierary software + very few builds + weak toolchains so it runs with other toolchains (no SSP, etc) = reliable exploitation.

-You don't need a « remote » exploit : you buy a shell at the same hosting provider.


-Cost reduction (shared hosting)

-Scalability (cloud computing)

-Run broken applications on broken Oses (legacy).


Virtualization : Definitions


Virtualization is the name given to the simulation with higher level components, of lower level components.

NOTE: Virtualization of applications (as opposed to full Oses) is out of topic.

Virtualization : Definitions

Virtual Machine

A virtual machine (VM) is : "an efficient, isolated duplicate of a real machine".

--Gerald J. Popek and Robert P. Goldberg (1974). "Formal Requirements for Virtualizable Third Generation Architectures", Communications of the ACM.


Virtualization : Definitions


Requires the modification of the guest Oses (eg: Xen, UML, Qemu with kquemu, VMWare Workstation with VMWare Tools).

Opposed to « full virtualization ».

Virtualization : Definitions

There are two types of virtualizations : Virtual Machine Monitors (or Hypervisors) of type I and type II.

Type I Hypervisor

Virtualization : Definitions

Hypervisors of type I

Run on bare metal (eg: Xen, Hyper-V, VMWare ESX).

Type II hypervisor

Virtualization : Definitions

Hypervizors of type II

Run as a process inside a host OS to virtualize guests Oses (eg: Qemu, Virtualbox, VMWare Workstation, Parallels).




Hardware assisted


-Takes advantage of AMD-V On Intel VT-x CPU extentions for virtualization.

-x64 Only.

-The hypervisor is running in « ring -1 ».

-Much like the NX bit : requires the motherboard to support it and activation in the BIOS.

Virtualization : Definitions


Isolation of the userland part of the OS to simulate independant machines (eg: Linux-Vservers, Solaris « Zones », BSD « jails », OpenVZ under GNU/Linux).


Attack surface analysis

Depending on your perspective...

What are the risks ?

Where to attack ?

Privilege escalation on the


Exemple :

VMware Tools HGFS Local Privilege Escalation Vulnerability




Attacking setuid binaries in vmware.

Virtual machines file fuzzing on virtualbox.

Privilege escalation on the


Exemple :

CVE-2009-2267 « Mishandled exception on page fault in VMware » Tavis Ormandy and Julien Tinnes


Overwriting the MBR under vserver and instrumenting the original bootloader with keyboard/motherboard PIC programming through ioports

(see also « Invisible Man » tool from Jonathan Brossard, Defcon 2008).

Attacking other guests


Vmare workstation guest isolation weaknesses (clipboard transfer)


DoS (Host + Guests)


CVE-2007-4591 CVE-2007-4593 (bad

ioctls crashing the Host+Guests)


Attacking vmware kernel modules with ioctls.

Escape to host

Exemples :

Rafal Wojtczuk (Invisible things, BHUS 2008) Kostya Kortchinsky (« Cloudburst », BHUS


IDEFENSE VMware Workstation Shared Folders Directory Traversal Vulnerability (CVE-2007-1744)

Escape to host

This is the real hard thing, and what we will focus on on the rest of this talk.

Attack surface analysis :


Hosting two companies on the same hardware is very common (shared hosting).

Getting a shell on the same machine as a given target may therefor be a matter of paying a few euros a month.

Attack surface : conclusion

Rooting the Host OS from the Guest is practical (Kostya Kortchinsky BHUS 2009, Rafal Wojtczuk BHUS 2008).

Seemingly minor bugs (local, DoS) do matter : virtualization amplifies consequences.

Note : public, reliable, packed attack tools exist (Claudio Criscione, HITB Kuala Lumpur 2010)

The need for dedicated methodologies and tools

The need for new tools :


How do you attack a hard drive with software ?

What about a screen or a keyboard ?

=> Unusual attack surface.

How to dynamically test a virtual Hard Drive ? Naive approach

Standard API :

ssize_t read(int fd, void *buf, size_t count);

ssize_t write(int fd, const void *buf, size_t count);

This would mostly fuzz the kernel, not the Virtual Machine :(

We need something (much) lower level.

(low level) attack vectors


outb, outw, outl, outsb, outsw, outsl, inb, inw, inl, insb, insw, insl, outb_p, outw_p, outl_p, inb_p, inw_p, inl_p

Problems: sequence, multiple ports


int ioctl(int d, int request, ...)

Problems : arbitrary input size !