Virtual-machine exploit lets attackers take over host

Penetration-testing company Immunity has exploited a flaw in VMware software that allows malicious code running in a virtual machine to take over the host operating system.

Immunity included the attack code in an update to its commercial penetration-testing tool, Canvas 6.47, released on Tuesday last week. The attack code is in a module of the tool called Cloudburst.

Cloudburst uses a vulnerability in the virtual-machine display functions of VMware Workstation that can be exploited by a specially crafted video file. The malicious file, when executed within a virtual machine, could allow an intruder to take over the host operating system, according to security researchers.

The bug itself affects VMware Workstation 6.5.1 and earlier, or the associated Player versions. The software can be running on any host system, including Linux, according to VMware.

However, the Cloudburst exploit currently has certain limitations: it will only succeed on Workstation 6.5.0 or 6.5.1 or the associated Player versions. In addition, the guest and host must be Windows-based, among other requirements, Immunity said in its release notes.

The bug, which has been assigned the Common Vulnerabilities and Exploits (CVE) reference CVE-2009-1244, was disclosed in January, and VMware issued a patch in April. However, system administrators do not always keep their systems up to date with patches, Immunity said.

The bug is dangerous partly because it works with default VMware settings, according to security researchers. Secunia, a third-party security firm, gave the flaw a "highly critical" rating.

The flaw was discovered by Immunity researcher Kostya Kortchinsky, and Immunity published a video demonstrating its attack in April.

"The exploit is amazing," Immunity chief executive Dave Aitel said in a newslist post announcing the exploit video.

Two similar vulnerabilities came to light in 2007: a memory corruption vulnerability (CVE-2007-4496) and a bug in the Shared Folders implementation (CVE-2007-1744) that could allow a guest operating system to read or write files on the host system.

However, the first bug was not necessarily exploitable, while the second required a non-default configuration to be exploitable, security researchers said.