Vmare workstation guest isolation weaknesses (clipboard transfer) Feb 03 2007 10:30PM
EitanCaspi (at) yahoo (dot) com [email concealed] (eitancaspi yahoo com)

Suggested severity level: Low

Type of Risk: isolation failure, information leakage, infection path

Affected Software: VMware Workstation, version 5.5.3 build 34685 (including
installation of "VMware tools" of the same version on the guest OS).
(Other products by the vendor using the same isolation components may be
effected as well, but they weren't tested due to lack of resources. I advise
administrators who use the corporate products of VMware to test this issues
if they use this products in a production environment)
Guest and Host OS: Windows XP Pro with SP2 and all the latest operational
and security patches from the "windows update" site, up to 31-Jan-2007.
(Other guest OS (especially ones by Microsoft) maybe effected as well, but
they weren't tested).

Local / Remote activated: Local

Summary: Each VM has its own settings. one settings category is "Guest
Isolation", which includes a checkbox named "Enable copy and paste to and
from this virtual machine".
This feature can work only if the "VMware tools" component is installed on
the guest OS.
The clipboard copy operation can transfer only text, not files or streams.
I have discovered the following issues regarding this component:

1. Changing the value of this feature (in either way ? enabling or
disabling) becomes actually active only if a global operation is made
towards the guest OS, like suspend and resume, reset, restart (from within
the guest OS), shutdown (either from within the guest OS of by performing a
"power off" from the VMware workstation application) and then turning it
back on.
Simply changing the check box value and pressing OK will not change current
functionality of this feature.

2. When this feature is turned on and working ? The direction of the
clipboard content transfer is the same as the direction of the focus change
between guest and host operating systems and vice versa.
But, when the host OS clipboard is empty and the focus is moved to the guest
OS clipboard ? the guest clipboard is not cleared and left with its current
content.
Now, when focusing back to the host's, empty, source clipboard ? it is now
filled with the content of the guest's clipboard ? thus the host clipboard
is failing to keep itself erased and its previously cleared content is
re-filled from the guest OS.
This behavior may re-fill the host's clipboard with data that was
intentionally erased (like password or credit card number).
Strangely, this behavior does not happen when the process is started from
the guest OS clipboard, and if it is the first to be erased, and then the
focus moves to the host, the host's clipboard is erased.
So, the issue here is only when the process starts from the host side.

Possible Abuses:
1. Issue 1 - The VMware administrator might turn on the clipboard transfer
and use it, but when he will turn it off by un-checking the check box ? it
will remain active ? thus transferring text objects (a password, for
example), from one clipboard to another, in any direction ? while the
administrator will believe the environments are separated and isolated.
This brakes the promised isolation, and may cause information leakage and
may infect any OS (host or guest) if the text is a string that can be run as
a command or URL ? when it will unintentionally be pasted into a command
line interface and activated.

2. Issue 2 - The VMware user will clear his host clipboard (from a copied
password, for example) and think it is cleared. But the content that was
cleared may have been previously copied to the guest clipboard and when the
focus will move back to the host ? the content will re-enter the host's
clipboard.
(General note: To my opinion VMware has, regarding the isolation features, a
significant lack of security measures like setting permissions for specific
users and groups, at the host and at the guest, (or simply a password) to
allow or prohibit performing data transfer (clipboard and/or drag & drop)
and the allowed data transfer directions).

Reproduction:
(You might wish to use the freeware clipclear
(http://www.moonsoftware.com/freeware.asp) for a visual sign of when the
clipboard if full or empty and for clearing the clipboard)

Issue 1:
1. When the test VM is turned off (one with the "VMware tools"
pre-installed), make sure the "Enable copy and paste to and from this
virtual machine" checkbox is checked (VM settings -> "Options" tab -> "Guest
Isolation" line -> "Enable copy and paste to and from this virtual
machine").
2. Turn on the VM and log into the guest OS.
3. Copy any text in the guest OS.
4. Move the focus to the host and paste the clipboard into any text field ?
verify the text is the same as the one copied in the guest OS.
5. Copy a different text in the host OS.
6. Move the focus back to the guest OS and paste the clipboard to any text
field - verify the text is the same as the one copied from the host OS.
7. Turn off the "Enable copy and paste to and from this virtual machine"
from the VM settings and click OK.
8. Repeat steps 3 to 6 and verify you are able to perform them, although the
relevant option is now "disabled".
9. You can repeat steps 1 to 8 but this time in the other way round, by
starting with the check box as un-checked.
10. Activate the change by performing one of the following operations
towards the guest OS: either suspend and resume, reset (from the VMware
hosting application), restart (from within the guest OS), shutdown (either
from within the guest OS of by performing a "power off" from the VMware
hosting application) and then turning it back on.
After performing either operation make sure the change was applied.

Issue 2:
1. When the test VM is turned off (one with the "VMware tools"
pre-installed), make sure the "Enable copy and paste to and from this
virtual machine" checkbox is checked (VM settings -> "Options" tab -> "Guest
Isolation" line -> "Enable copy and paste to and from this virtual
machine").
2. Turn on the VM and log into the guest OS.
3. Move the focus the host OS and copy the word "password".
4. Move to the focus to the guest OS and paste the clipboard into any text
field.
5. Make sure the word "password" is displayed.
6. Move back to the host OS and clear the clipboard content. Make sure it is
clear by pasting its content to a text field and verify nothing was pasted.
7. Move the focus to the guest OS and then back to the host OS and again
perform a paste action to a text field.
9. Verify that now the clipboard has pasted the word "password".

Exploit Code: No need.

Direct resolution: Not any that I am aware of at the time of writing this
advisory.

 
Workarounds:
Issue 1: No workaround was found.

Issue 2: Disabling the clipboard transfer on a global level, for all of the
VMs immediately - by clearing the following checkbox in VMware workstation
interface:
"Edit" menu -> "Preferences" command -> "Input" tab -> "Enable copy and
paste to and from virtual machine".
If this global option is turned off, than at each VM level, clipboard copy,
in any direction, will not be allowed, regardless of the current actual
clipboard copy status at each VM.
Remember that this option effects ALL of the virtual machines used within
the VMware workstation.

Vendor Notification: The vendor was notified at the end of September 2006,
but it could not commit to any planned date for a fix regarding both issues.

Credit:
Eitan Caspi
Israel
Email: eitancaspi (at) yahoo (dot) com [email concealed]

 
Past security advisories:

1.
http://www.microsoft.com/technet/security/bulletin/MS02-003.mspx
http://support.microsoft.com/kb/315085/en-us
http://online.securityfocus.com/bid/4053

2.
http://support.microsoft.com/?kbid=329350
http://online.securityfocus.com/bid/5972

3.
http://www.securityfocus.com/archive/1/301624
http://online.securityfocus.com/bid/6280

4.
http://online.securityfocus.com/archive/1/309442
http://online.securityfocus.com/bid/6736

5.
http://www.securityfocus.com/archive/1/314361
http://www.securityfocus.com/bid/7046

6.
http://www.securityfocus.com/archive/1/393800

7.
http://www.securityfocus.com/archive/1/archive/1/434704/100/0/threaded

8.
http://www.securityfocus.com/archive/1/archive/1/446220/100/0/

Articles:
You can find some articles I have written at
http://www.themarker.com/eng/archive/one.jhtml
(filter: Author = Eitan Caspi (second name set), From year = 2000 , Until
year = 2002)

Eitan Caspi
Israel

Current Blog (Hebrew): http://blog.tapuz.co.il/eitancaspi
Past Blog (Hebrew): http://www.notes.co.il/eitan
Dead Blog (English): http://eitancaspi.blogspot.com

"Technology is like sex. No Hands On - No Fun." (Eitan Caspi)

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.17.22/666 - Release Date: 03/02/2007
15:31

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus