Re: RE: how an hacker can bypass a chrooted environement ?

From: john.fellers@gmail.com
Date: Thu May 18 2006 - 12:59:33 EDT

Next message: Michael Sierchio: "Re: rules of engagement scope"
Previous message: Martin Mačok: "Re: rules of engagement scope (DoS testing)"
Maybe in reply to: David M. Zendzian: "RE: how an hacker can bypass a chrooted environement ?"
Next in thread: Chris Byrd: "Re: how an hacker can bypass a chrooted environement ?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

('binary' encoding is not supported, stored as-is) I have read some articles about this in the past. Here is an excerpt from one of those:

VMware has its own "backdoor" port, to communicate between internal (emulated) and exernal (emulating) code. There are some functions, which allows you (under emulation) to enable/disable different virtual devices, send internal messages, and do other things. Here is how these functions are called (you should use exception handling for this code):

        mov ecx, 0Ah ; CX=function# (0Ah=get_version)
        mov eax, 'VMXh' ; EAX=magic
        mov dx, 'VX' ; DX=magic
        in eax, dx ; specially processed io cmd
                                ; output: EAX/EBX/ECX = data
        cmp ebx, 'VMXh' ; also eax/ecx modified (maybe vmw/os ver?)
        je under_VMware

VMware registry keys are

HKLM\Software\VMware, Inc.\VMware for Windows NT -- real
HKLM\Software\VMWare, Inc.\VMware Tools\ -- virtual

VMware executables directory is

C:\Program Files\VMware -- both real and virtual

There can be many different methods to detect if you're under virtual OS, such as incorrectly emulated ports, predetermined hardware info, special drivers and other things.

I have not tried this, but the capability exists. It would not be hard to write a detection mechanism to test if you are in a virtual OS and write routines and functions to essentially "break out" of the virtual environment. You would simply have to know where the virtual OS is hooking into the actual operating system and bypass those.

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------

Next message: Michael Sierchio: "Re: rules of engagement scope"
Previous message: Martin Mačok: "Re: rules of engagement scope (DoS testing)"
Maybe in reply to: David M. Zendzian: "RE: how an hacker can bypass a chrooted environement ?"
Next in thread: Chris Byrd: "Re: how an hacker can bypass a chrooted environement ?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:59 EDT