Suggested severity level: Low
Type of Risk: isolation failure, information leakage, infection path
Affected Software: VMware Workstation, version 5.5.3 build 34685 (including
installation of "VMware Tools" of the same version on the guest OS).
(Other products by the vendor using the same isolation components may be
affected as well, but they weren't tested due to lack of resources. I advise
administrators who use VMware's corporate products to test these issues
if they use those products in a production environment.)
Guest and Host OS: Windows XP Pro with SP2 and all the latest operating
system and security patches from the "Windows Update" site, up to 31-Jan-2007.
(Other guest OSes, especially ones by Microsoft, may be affected as well, but
they weren't tested.)
Local / Remote activated: Local
Summary: Each VM has its own settings. One settings category is "Guest
Isolation", which includes a checkbox named "Enable copy and paste to and
from this virtual machine".
This feature works only if the "VMware Tools" component is installed on
the guest OS.
The clipboard copy operation can transfer only text, not files or streams.
I have discovered the following issues regarding this component:
Changing the value of this feature (in either direction, enabling or
disabling) actually takes effect only after a global power operation is
performed on the guest OS: suspend and resume, reset, restart (from within
the guest OS), or shutdown (either from within the guest OS or by performing a
"power off" from the VMware Workstation application) followed by turning it
back on.
Simply changing the checkbox value and pressing OK does not change the current
behaviour of this feature; the running VM keeps the previous setting.
When this feature is turned on and working, clipboard content is transferred
in the same direction as the focus change: host to guest when focus moves to
the guest, and guest to host when focus moves back to the host.
But when the host OS clipboard is empty and the focus is moved to the guest
OS, the guest clipboard is not cleared and is left with its current content.
Now, when focus returns to the host's empty source clipboard, it is filled
with the content of the guest's clipboard. The host clipboard thus fails to
stay erased, and its previously cleared content is re-filled from the guest OS.
This behaviour may re-fill the host's clipboard with data that was
intentionally erased (like a password or a credit card number).
Strangely, this does not happen when the sequence starts from the guest OS
clipboard: if the guest clipboard is the one erased first and the focus then
moves to the host, the host's clipboard is erased as well.
So the issue occurs only when the sequence starts on the host side.
Possible Abuses:
Issue 1 - The VMware administrator might turn on the clipboard transfer
and use it, but when he turns it off by un-checking the checkbox it
remains active (until the VM is power-cycled), thus transferring text objects
(a password, for example) from one clipboard to the other, in either
direction, while the administrator believes the environments are separated
and isolated.
This breaks the promised isolation, may cause information leakage, and
may infect either OS (host or guest) if the text is a string that can be run
as a command or URL and is unintentionally pasted into a command-line
interface and executed.
Issue 2 - The VMware user clears his host clipboard (of a copied
password, for example) and thinks it is cleared. But the cleared content
may previously have been copied to the guest clipboard, and when the
focus moves back to the host, the content re-enters the host's
clipboard.
(General note: In my opinion VMware's isolation features significantly lack
security measures such as setting permissions for specific users and groups,
on the host and on the guest (or simply a password), to allow or prohibit
data transfer (clipboard and/or drag & drop) and to restrict the allowed
transfer directions.)
Reproduction:
(You might wish to use the freeware clipclear
(http://www.moonsoftware.com/freeware.asp) for a visual sign of whether the
clipboard is full or empty and for clearing the clipboard.)
Issue 1:
Issue 2:
Exploit Code: No need.
Direct resolution: None that I am aware of at the time of writing this
advisory.
Workarounds:
Issue 1: No workaround was found.
Issue 2: Disable clipboard transfer globally, for all of the VMs and with
immediate effect, by clearing the following checkbox in the VMware Workstation
interface:
"Edit" menu -> "Preferences" command -> "Input" tab -> "Enable copy and
paste to and from virtual machine".
If this global option is turned off, then at each VM level clipboard copy,
in any direction, will not be allowed, regardless of the current actual
clipboard copy status of each VM.
Remember that this option affects ALL of the virtual machines used within
VMware Workstation.
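Because the per-VM checkbox cannot be trusted to reflect what the running VM is
actually doing, an administrator will want to audit the stored configuration of
every VM rather than the GUI. The following Python script is an added example
for this advisory, not code from the advisory or from VMware. It assumes (the
advisory itself does not say this) that Workstation persists the per-VM "Enable
copy and paste to and from this virtual machine" checkbox in the VM's .vmx file
as the keys isolation.tools.copy.disable and isolation.tools.paste.disable, and
drag and drop as isolation.tools.dnd.disable, with "TRUE" meaning the transfer
is disabled and an absent key meaning the default (enabled); verify those key
names against the vendor documentation for your version. The sample .vmx
contents are constructed, not captured from a real installation.

```python
"""
Audit VMware .vmx files for the per-VM clipboard/drag-and-drop isolation keys.

Added example; not code from the advisory or from VMware.
Assumption (not stated in the advisory): the per-VM "Enable copy and paste to
and from this virtual machine" checkbox is persisted in the .vmx file as
isolation.tools.copy.disable and isolation.tools.paste.disable, and drag and
drop as isolation.tools.dnd.disable, with "TRUE" meaning disabled and an
absent key meaning the default (enabled).
"""
import re
import sys
from pathlib import Path

# Keys that, when set to "TRUE", turn the corresponding transfer off.
ISOLATION_KEYS = (
    "isolation.tools.copy.disable",   # guest -> host clipboard
    "isolation.tools.paste.disable",  # host -> guest clipboard
    "isolation.tools.dnd.disable",    # drag and drop
)

# A .vmx line looks like:   key = "value"
_KV = re.compile(r'^\s*([\w.:-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text: str) -> dict:
    """Parse key = "value" lines into a dict. Keys are lowercased; blank
    lines and '#' comment lines are skipped."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            config[m.group(1).lower()] = m.group(2).strip()
    return config


def audit_vmx(config: dict) -> list:
    """Return one finding string per isolation key that leaves transfer on.

    Anything other than an explicit "TRUE" (absent key, "FALSE", a typo)
    means the transfer is allowed, because the product default is enabled.
    """
    findings = []
    for key in ISOLATION_KEYS:
        value = config.get(key)
        if value is None or value.upper() != "TRUE":
            shown = "<unset>" if value is None else value
            findings.append(f"{key} = {shown}: transfer allowed")
    return findings


def audit_tree(root) -> dict:
    """Audit every .vmx under root. Returns {path: [findings]}; an empty
    list means all three transfers are disabled in that file."""
    return {
        str(p): audit_vmx(parse_vmx(p.read_text(errors="replace")))
        for p in sorted(Path(root).rglob("*.vmx"))
    }


# Constructed sample .vmx contents (not captured from a real installation).
VMX_DEFAULT = '''.encoding = "windows-1252"
config.version = "8"
displayName = "xp-sp2-test"
# no isolation.* keys: product default, clipboard and dnd enabled
'''

VMX_PARTIAL = '''displayName = "xp-sp2-partial"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "false"
'''

VMX_HARDENED = '''displayName = "xp-sp2-hardened"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
'''

if __name__ == "__main__":
    # Usage: python vmx_audit.py <directory containing VMs>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, findings in audit_tree(root).items():
        status = "OK" if not findings else "TRANSFER ENABLED"
        print(f"{status:17} {path}")
        for finding in findings:
            print(f"    {finding}")
```

Keep the advisory's first issue in mind when reading the output: the .vmx
file records the configured state only. A VM whose file now reads "TRUE" for
all three keys may still be transferring clipboard text until it has been
suspended and resumed, reset, or powered off and on again.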
Vendor Notification: The vendor was notified at the end of September 2006,
but it could not commit to any planned date for a fix for either issue.
Credit:
Eitan Caspi
Israel
Email: [email protected]
Past security advisories:
http://www.microsoft.com/technet/security/bulletin/MS02-003.mspx
http://support.microsoft.com/kb/315085/en-us
http://online.securityfocus.com/bid/4053
http://support.microsoft.com/?kbid=329350
http://online.securityfocus.com/bid/5972
http://www.securityfocus.com/archive/1/301624
http://online.securityfocus.com/bid/6280
http://online.securityfocus.com/archive/1/309442
http://online.securityfocus.com/bid/6736
http://www.securityfocus.com/archive/1/314361
http://www.securityfocus.com/bid/7046
http://www.securityfocus.com/archive/1/393800
http://www.securityfocus.com/archive/1/archive/1/434704/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/446220/100/0/
Articles:
You can find some articles I have written at
http://www.themarker.com/eng/archive/one.jhtml
(filter: Author = Eitan Caspi (second name set), From year = 2000 , Until
year = 2002)
Eitan Caspi
Israel
Current Blog (Hebrew): http://blog.tapuz.co.il/eitancaspi
Past Blog (Hebrew): http://www.notes.co.il/eitan
Dead Blog (English): http://eitancaspi.blogspot.com
"Technology is like sex. No Hands On - No Fun." (Eitan Caspi)