Wednesday, May 13, 2015

Some brief technical notes on Venom

Like you, I was displeased by the lack of details on the "Venom" vulnerability, so I thought I'd write up what little I found.

The patch to the source code is here. Since the note references CVE-2015-3456, we know it's venom:;a=commit;h=e907746266721f305d67bc0718795fedee2e824c

Looking up those terms, I find writeups, such as this one from RedHat:

It comes down to a typical heap/stack buffer overflow (depending), where the attacker can write large amounts of data past the end of a buffer. Since this is the kernel, there are no protections like NX or ASLR. To exploit this, you'd likely need some knowledge of the host operating system.

The details look straightforward, which means a PoC (proof-of-concept exploit) should arrive by tomorrow. (Update: a PoC has arrived today here).

This is a hypervisor privilege escalation bug. To exploit this, you'd sign up with one of the zillions of VPS providers and get a Linux instance. You'd then, likely, replace the floppy driver in the Linux kernel with a custom driver that exploits this bug. You have root access to your own kernel, of course, which you are going to escalate to root access of the hypervisor.

People suggest adding an exploit to toolkits like Metasploit framework -- but I don't think it has a framework for running drivers. This would instead be more of a one-off.

Once you gained control of the host, you'd then of course gain access to any of the other instances. This would be a perfect bug for the NSA. Bitcoin wallets, RSA private keys, forum passwords, and the like are easily found searching raw memory. Once you've popped the host, reading memory of other hosted virtual machines is undetectable. Assuming the NSA had a program that they'd debugged over the years that looked for such stuff, for $100,000 they could buy a ton of $10 VPS instances around the world, then run the search. All sorts of great information would fall out of such an effort -- you'd probably make your money back from discovered Bitcoin alone.

I'm not sure how data centers are going to fix this, since they have to reboot the host systems to patch. Customers hate reboots -- many would rather suffer the danger rather than have their instance reboot. Some datacenters may be able to pause or migrate instances, which will make some customers happier.

By the way, once a PoC is released, you should probably add to your VM's startup scripts. It'll likely crash the host, bringing all the VMs down. That's a good thing -- better to crash the host than allow it to be exploited.

By the way, we in the security community are a bit offended by the exploit-sploitation by Crowdstrike (VENOM! With logo!!), but yea, it's still a great find a serious bug.

1 comment:

AnObfuscator said...

"I'm not sure how data centers are going to fix this, since they have to reboot the host systems to patch."

Actually, as I understand it, only the running VMs need to be rebooted. The host itself does not.