Just a fun, somewhat terrifying read

  • slazer2au
    link
    English
    -16 months ago

    VM does not mean it is safe. There is malware out there that can break the sandbox and infect the hypervisor

    • @extracheese
      link
      English
      206 months ago

      Such an exploit would not get wasted on some random xp honeypot

      • slazer2au
        link
        English
        36 months ago

        It’s XP, there are likely several unpatched escaping bugs with free POC out there. You don’t need anything new.

        • Zagorath
          link
          fedilink
          English
          206 months ago

          Surely breaking out of a VM requires exploiting a vulnerability of the VM, not of the OS running in it?

          • slazer2au
            link
            English
            46 months ago

            I would assume it requires both a hypervisor and guest OS bug to be tripped.

            • @yggdar
              link
              English
              46 months ago

              It’s pure speculation, but I assume you’ll need

              1. Enough access to the guest OS so that you can interact directly with the virtual hardware. That would probably require root access, so you’ll probably need to exploit some bug in the guest OS to get there.
              2. To break out of the vm, you’ll then need to exploit a bug in the virtual hardware. You would want to get the hypervisor to execute arbitrary code.
              3. If you want to infect the host OS, then you’ll need sufficient access on the host. If the hypervisor doesn’t run with sufficient privileges, you’ll have to exploit a bug in the host as well to perform a privilege escalation. But I’m guessing the hypervisor will usually have sufficient privileges, so exploiting the host is probably not necessary.

              Sounds like quite a bit of work, but I don’t see why malware couldn’t automate it. An up-to-date hypervisor should help reduce the risk though.

              • @extracheese
                link
                English
                56 months ago

                Theres no way an hypervisor zero day gets implemented in some random Malware. Those are worth millions and are used in coordinated manual attacks against VIP targets

                • @yggdar
                  link
                  English
                  2
                  edit-2
                  6 months ago

                  Yeah a zero-day would be very unlikely, but a months-old, publically known and patched vulnerability could always be attempted. One of the reasons why the hypervisor should definitely be kept up-to-date. There is always someone who forgets to patch their software, why not give it a try? We’re talking about a Windows XP scenario after all!

            • @pivot_root
              link
              English
              16 months ago

              It’s XP. There’s guaranteed to be a way to go from userland to ring 0 code execution.