Microsoft Virtual PC Exploit Discovered
According to Nicolas Economou, an exploit writer at Core Security Technologies, he has discovered a major flaw in the memory management of the Virtual Machine Monitor, which effects Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC and Microsoft Virtual Server 2005. On Windows 7 the XP Mode feature is also affected by this vulnerability. He has discovered that the flaw causes memory pages mapped above the 2GB level to be accessed with read or read/write privileges by user-space programs running in a Guest operating system. This vulnerability exposes Microsoft’s Virtual PC virtualization software to malicious hacker attacks.
The vulnerability, which is unpatched, essentially allows an attacker to bypass several major security mitigations — Data Execution Prevention (DEP), Safe Exception Handlers (SafeSEH) and Address Space Layout Randomization (ASLR) — to exploit the Windows operating system.
Nicolas claims that a vulnerable application running in Windows XP Mode on Windows 7 may be exploitable in a virtual environment, while the same application running directly on a Windows XP SP3 operating system is not. Microsoft Hyper-V technology does not seem to be affected by this problem.
According to Ivan Arce, chief technology officer at Core, some applications with bugs that are not exploitable when running in a not-virtualized operating system are rendered exploitable if running within a guest OS in Virtual PC.
Here’s Microsoft official response to the discovery of this flaw:
“Core Security Technologies is describing a way for an attacker to more easily exploit security vulnerabilities already present on the system, rather than an actual vulnerability. It does this by rendering a number of protection mechanisms that are present in the Windows kernel less effective inside a virtual machine as opposed to a physical Windows machine. An attacker would need to abuse an already present vulnerability in order to leverage this technique.
In the scenario Core describes, the functionality is limited to within the virtualized environment– in other words, an attacker could only exploit a vulnerability in an application running “inside” the guest virtual machine on Windows XP rather than Windows 7 in the case of Windows XP Mode. Specially an attacker could not take over a whole host machine running multiple virtual machines. The safeguards within Windows 7 on the desktop OS (DEP, ASLR, and SafeSEH etc.) remain in place.
In addition, an actual vulnerability must already be present in an application running in the guest machine in order for an attacker to take advantage of this. The difference is that on a regular Windows system, that bug may not be exploitable, whereas in the Virtual PC guest machine, it potentially could be.
Microsoft continues to recommend using Windows XP Mode and Windows Virtual PC as a bridging strategy to Windows 7 if they are concerned about compatibility for some of their legacy applications, so that customers can realize the full security benefits Windows 7 offers.”