Wednesday, October 15, 2008

Tech Break: Xen PVFB and SELinux exploit

One of the things I like to follow is technology and the continuing arms race between developers and exploiters. One of the hottest things right now in the security world is Security Enhanced Linux (SELinux) originally conceived by NSA. The next hottest thing in IT is virtualization. When the two collide, things like this happen ...

I know this is Greek to most of you, but hey, it's an occupational hazard.

Invisible Things Lab is proud to present:

"Adventures with a certain Xen vulnerability (in the PVFB backend)"

by

Rafal Wojtczuk

***

Starring

Xen 3.2.0, DomU (an ordinary virtual machine, paravirtualized),
Dom0 (privileged administrative domain) running on FC8 with NX,
ASLR and SELinux enabled, The Evil Hacker, and a certain vulnerability
in the Frame Buffer backend.

Plot

The Evil Hacker escapes from DomU and gets into Dom0. Using clever
ret-into-libc technique he succeeds with his attack on x86 architecture,
despite the NX and ASLR deployed in Dom0 OS (Fedora Core 8). The Evil
Hacker is also not discouraged by the fact that the target
OS has SELinux protection enabled - he demonstrates how the particular
SELinux policy for Xen, used by default on FC8, can be bypassed.
Ultimately he gets full root access in Dom0. Rafal also discusses
variation of the exploitation on x86_64 architecture - he partially
succeeds, but his x64 exploit doesn't work in certain circumstances.

***

Curious individuals can get the full paper here:

http://invisiblethingslab.com/pub/xenfb-adventures-10.pdf

Results summary
• A reliable exploit for x86 32 has been written and demonstrated. The exploit works in the default Fedora 8 configuration, bypassing NX, ASLR and SELinux protections.
• The author has not yet found a way to exploit the title vulnerability on x86 64 architecture in the default Fedora 8 configuration. However, if the qemu-dm binary is not prelinked, exploitation is possible.

No comments:

LinkWithin

Related Posts with Thumbnails