Escaping VMware Workstation Through COM1 (docs.google.com)
82 points by transpute on June 20, 2015 | hide | past | favorite | 14 comments


You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes. -- Theo de Raadt


Virtualization is a great tool for using "well behaved" programs. It's foolhardy to expect it to defend against sophisticated malicious software.

About 40 years ago IBM studied the security of their own VM technology. They found many exploitable bugs, and this was on a codebase that was probably less than 1% the size of VMware. I wrote more about IBM's findings on HN about 3 months ago:

https://news.ycombinator.com/item?id=9241807


Remind me: Are modern hypervisors meant to securely contain guests? Because they advertise their presence pretty loudly, and there's nothing which motivates a jail-break like reminding the inmate they're in a cell.


This is why I'm not a fan of public cloud virtualization for high security systems (PCI-DSS/HIPAA/etc).

In addition to the escapes, you need to contend with side channel timing observation and resource contention.


Yes, they are. A common use case of hypervisors is to split up a large server between multiple renters, who demand a hypervisor which won't let other renters hack them.


    COM1
Man, I haven't even /thought/ about that term in years...


That's not the only place that has poor isolation: clocks, cache, devices ...

Virtualization comes with the lie of hardware isolation while devices are views on common peripherals that are isolated at application level by an incorrect abstraction.

Jails and virtual machines alike are jails made of a strong but viciously brittling glass.


I disable any hardware in VMware guests that I don't need, like printers, speakers, or USB devices, to avoid exploits like this.


The VENOM vulnerability that affected the Floppy Drive didn't require that you had it enabled to be exploited: http://news.softpedia.com/news/11-Year-Old-Bug-in-Virtual-Fl...


Well I suppose a guest with access to the internet could also deploy malware to a website which is then visited by the host computer and downloads a hack that patches VMware to allow full host control from the guest.

Depends on what you mean by "escape".


Is this a bug in VMware or a bug in Windows?


VMware. It takes advantage of the fact that VMware links guest VMs to the host's printers by default and takes advantage of that link. The patch from VMware even applied to VMware Fusion even though there hasn't been anything published on getting this to work in OS X.
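Two comments above touch on the same mitigation: one user disables printers, speakers and USB in every guest, and the reply here notes that Workstation bridges guest VMs to the host's printers by default. The script below is an added example, not VMware's tooling and not from the original thread. It audits a Workstation .vmx file for host-bridged devices that are still enabled and emits a hardened copy. It assumes the .vmx key names `serialN.present`, `serialN.fileType = "thinprint"` (the virtual printer attached to a serial port), `usb.present`, `sound.present` and `floppyN.present`; the sample .vmx it creates is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not VMware's own tooling): find host-bridged devices that are
# still enabled in a VMware Workstation .vmx file, and produce a hardened copy.
# Assumed .vmx keys: serialN.present / serialN.fileType ("thinprint" is the
# virtual printer on a serial port), usb.present, sound.present, floppyN.present.

# Print one device name per line (serial0, usb, sound, floppy0, ...) for every
# host-bridged device whose .present flag is TRUE.
vmx_risky_devices() {
    vmx="$1"
    grep -E '^(serial[0-9]+|usb|sound|floppy[0-9]+)\.present *= *"(TRUE|true)"' "$vmx" \
        | sed -E 's/\.present.*//'
}

# Write a hardened copy of the .vmx to stdout: every host-bridged device above is
# turned off. Other settings (including the thinprint fileType) are left untouched,
# since a disabled serial port no longer exposes the printer backend to the guest.
harden_vmx() {
    sed -E 's/^((serial[0-9]+|usb|sound|floppy[0-9]+)\.present *= *)"(TRUE|true)"/\1"FALSE"/' "$1"
}

# Constructed sample .vmx (not a file from the page) resembling a default
# Workstation guest: printer on serial0, USB and sound enabled, floppy off.
make_sample_vmx() {
    cat > "$1" <<'EOF'
.encoding = "UTF-8"
config.version = "8"
serial0.present = "TRUE"
serial0.fileType = "thinprint"
serial0.fileName = "thinprint"
usb.present = "TRUE"
sound.present = "TRUE"
floppy0.present = "FALSE"
EOF
}

# Usage when run directly:
#   sh audit_vmx.sh /path/to/guest.vmx        -> lists enabled host-bridged devices
#   sh audit_vmx.sh /path/to/guest.vmx harden -> prints a hardened .vmx to stdout
if [ -n "$1" ] && [ "$0" = "audit_vmx.sh" ]; then
    if [ "$2" = "harden" ]; then
        harden_vmx "$1"
    else
        vmx_risky_devices "$1"
    fi
fi
```

Run the audit against the .vmx of every guest you expose to untrusted input; anything listed is a host-side device backend reachable from inside the guest, which is exactly the surface the COM1 escape and the floppy controller bug in VENOM live on.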


Anyone know why some of the images are incredibly low resolution?


If you look at the non-mobile version at https://docs.google.com/document/d/1sIYgqrytPK-CFWfqDntraA_F... you'll see that the images have been resized to the width of the page, probably from much larger images, causing the text to be very small and fuzzy.



