VMware Workstation Guest Escape via Shared Printers on COM1

Published: 2015-06-10
Last Updated: 2015-06-11 00:47:48 UTC
by Johannes Ullrich (Version: 1)

Shared hardware has always been a weakness of virtualization products. In some cases, side channel attacks can be exploited to collect information from other virtual machines, or bugs in drivers can be exploited to fully escape a virtual machine, as happened recently with floppy disk drivers. [1] [2]

The latest variation of this is an attack against VMware Workstation taking advantage of "COM1". This serial port is configured by default and used for printer sharing. Using printer sharing, the user can access a printer connected to the host [3].

To implement this feature, VMware uses "vprintproxy.exe". This executable receives the file to be printed from the guest and passes it to the host's printer. The guest uses the serial port COM1 to send data to vprintproxy.exe. The data is sent to vprintproxy.exe as an "Enhanced Metafile Spool Format" file, or "EMFSPOOL" file for short. Sadly, vprintproxy.exe does not parse these files safely, and crafted files can lead to exploits against vprintproxy.exe, which runs as whatever user started VMware.

This is a threat to VMware Workstation. In particular, if you are using VMware Workstation to analyze malicious code, you should be extra careful. VMware released a patch yesterday, but you may have missed it among other Patch Tuesday issues.
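One way to find VMs on an analysis host that still have the shared printer attached, as an added example that is not part of the original diary. It assumes Workstation records the virtual printer in the .vmx file as `serialN.present = "TRUE"` with `serialN.fileType = "thinprint"`; the function names and the sample configuration are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Matches lines such as: serial0.fileType = "thinprint"
_VMX_LINE = re.compile(r'^\s*(serial\d+)\.(\w+)\s*=\s*"(.*)"\s*$', re.IGNORECASE)

# Constructed sample, not taken from a real VM.
SAMPLE_VMX = '''\
.encoding = "UTF-8"
displayName = "malware-lab"
serial0.present = "TRUE"
serial0.fileType = "thinprint"
serial1.present = "TRUE"
serial1.fileType = "pipe"
'''


def find_printer_ports(vmx_text):
    """Return the serial devices that are present and wired to printer sharing.

    Assumption: the virtual printer appears as serialN.fileType = "thinprint"
    and a device only exists when serialN.present = "TRUE".
    """
    ports = {}
    for line in vmx_text.splitlines():
        m = _VMX_LINE.match(line)
        if m:  # comment lines (#...) never match the pattern
            dev, key, value = m.group(1).lower(), m.group(2).lower(), m.group(3)
            ports.setdefault(dev, {})[key] = value.strip().lower()
    return sorted(dev for dev, cfg in ports.items()
                  if cfg.get("filetype") == "thinprint"
                  and cfg.get("present") == "true")


def scan_tree(root):
    """Map each .vmx file under root to its printer-sharing serial devices."""
    hits = {}
    for path in Path(root).rglob("*.vmx"):
        ports = find_printer_ports(path.read_text(errors="replace"))
        if ports:
            hits[str(path)] = ports
    return hits


if __name__ == "__main__":
    print("sample:", find_printer_ports(SAMPLE_VMX))
    for vmx, ports in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{vmx}: printer sharing on {', '.join(ports)}")
```

`serial0` is the device the guest sees as COM1; any VM the scan reports still exposes the printer-sharing channel to vprintproxy.exe until the device is removed or the host is patched.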

[1] http://arstechnica.com/security/2015/05/extremely-serious-virtual-machine-bug-threatens-cloud-providers-everywhere/
[2] https://eprint.iacr.org/2014/248.pdf
[3] https://docs.google.com/document/d/1sIYgqrytPK-CFWfqDntraA_Fwi2Ov-YBgMtl5hdrYd4/preview?sle=true#heading=h.dv8d1g4lp83q

 

---
Johannes B. Ullrich, Ph.D.

How much is your IPv4 Space Worth

Published: 2015-06-10
Last Updated: 2015-06-10 17:52:33 UTC
by Johannes Ullrich (Version: 1)

Thanks to Rob for reminding me of IPv4 auction websites again. I looked at them a couple of years ago, but there was very little real activity at the time. It looks like that has changed now. ARIN is essentially out of IPv4 space, and very restrictive in handing out any additional addresses. It has gotten very hard, if not impossible, to obtain a larger block of IPv4 space. So it is no surprise that markets for IPv4 space are coming up.

These markets are not in line with registrar policies [1]. If someone receives an IP address assignment, then they don't technically "own" the addresses. Once the addresses are no longer needed, they are supposed to be returned to ARIN to be handed to the next applicant in line. But there has been little enforcement, and there have always been grey areas. For example, a company may buy another company, and in the process obtain access to that company's IP address space. Later, assets other than the IP address space could be sold off, leaving the buyer with the rights to the IP address space.

Here are some of the sites offering IP address space (I am not endorsing them, and have no idea how "real" they are):

- ipv4auctions.com. Currently three offers for space up to a /20 at $7-$10 per address. There are a couple of bids.
- ebay.com. There are a number of auctions with IP addresses for sale and for rent. Looks like they are going for about the same price as the addresses at ipv4auctions.com [2]

Some sites have done so in the past, but have already shut down (e.g. tradeipv4.com). In other cases, the nanog mailing list was used to offer IP address space, or IP addresses were purchased as part of bankruptcy auctions [3].

[1] http://www.internetsociety.org/internet-society-open-letter-transfer-internet-protocol-addresses
[2] http://www.ebay.com/itm/IP-Address-22-Routable-IP-Block-Four-Class-C-For-Sale-or-Rent-/181769443467?pt=LH_DefaultDomain_0&hash=item2a524d988b
[3] http://www.maximumpc.com/borders-sells-65536-ipv4-addresses-for-12-each/

---
Johannes B. Ullrich, Ph.D.