Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:15975
HistoryFeb 05, 2007 - 12:00 a.m.

Vmare workstation guest isolation weaknesses (clipboard transfer)

2007-02-0500:00:00
vulners.com
24
JSON

Suggested severity level: Low

Type of Risk: isolation failure, information leakage, infection path

Affected Software: VMware Workstation, version 5.5.3 build 34685 (including
installation of "VMware tools" of the same version on the guest OS).
(Other products by the vendor using the same isolation components may be
effected as well, but they weren't tested due to lack of resources. I advise
administrators who use the corporate products of VMware to test this issues
if they use this products in a production environment)
Guest and Host OS: Windows XP Pro with SP2 and all the latest operational
and security patches from the "windows update" site, up to 31-Jan-2007.
(Other guest OS (especially ones by Microsoft) maybe effected as well, but
they weren't tested).

Local / Remote activated: Local

Summary: Each VM has its own settings. one settings category is "Guest
Isolation", which includes a checkbox named "Enable copy and paste to and
from this virtual machine".
This feature can work only if the "VMware tools" component is installed on
the guest OS.
The clipboard copy operation can transfer only text, not files or streams.
I have discovered the following issues regarding this component:

  1. Changing the value of this feature (in either way – enabling or
    disabling) becomes actually active only if a global operation is made
    towards the guest OS, like suspend and resume, reset, restart (from within
    the guest OS), shutdown (either from within the guest OS of by performing a
    "power off" from the VMware workstation application) and then turning it
    back on.
    Simply changing the check box value and pressing OK will not change current
    functionality of this feature.

  2. When this feature is turned on and working – The direction of the
    clipboard content transfer is the same as the direction of the focus change
    between guest and host operating systems and vice versa.
    But, when the host OS clipboard is empty and the focus is moved to the guest
    OS clipboard – the guest clipboard is not cleared and left with its current
    content.
    Now, when focusing back to the host's, empty, source clipboard – it is now
    filled with the content of the guest's clipboard – thus the host clipboard
    is failing to keep itself erased and its previously cleared content is
    re-filled from the guest OS.
    This behavior may re-fill the host's clipboard with data that was
    intentionally erased (like password or credit card number).
    Strangely, this behavior does not happen when the process is started from
    the guest OS clipboard, and if it is the first to be erased, and then the
    focus moves to the host, the host's clipboard is erased.
    So, the issue here is only when the process starts from the host side.

Possible Abuses:

  1. Issue 1 - The VMware administrator might turn on the clipboard transfer
    and use it, but when he will turn it off by un-checking the check box – it
    will remain active – thus transferring text objects (a password, for
    example), from one clipboard to another, in any direction – while the
    administrator will believe the environments are separated and isolated.
    This brakes the promised isolation, and may cause information leakage and
    may infect any OS (host or guest) if the text is a string that can be run as
    a command or URL – when it will unintentionally be pasted into a command
    line interface and activated.

  2. Issue 2 - The VMware user will clear his host clipboard (from a copied
    password, for example) and think it is cleared. But the content that was
    cleared may have been previously copied to the guest clipboard and when the
    focus will move back to the host – the content will re-enter the host's
    clipboard.
    (General note: To my opinion VMware has, regarding the isolation features, a
    significant lack of security measures like setting permissions for specific
    users and groups, at the host and at the guest, (or simply a password) to
    allow or prohibit performing data transfer (clipboard and/or drag & drop)
    and the allowed data transfer directions).

Reproduction:
(You might wish to use the freeware clipclear
(http://www.moonsoftware.com/freeware.asp) for a visual sign of when the
clipboard if full or empty and for clearing the clipboard)

Issue 1:

  1. When the test VM is turned off (one with the "VMware tools"
    pre-installed), make sure the "Enable copy and paste to and from this
    virtual machine" checkbox is checked (VM settings -> "Options" tab -> "Guest
    Isolation" line -> "Enable copy and paste to and from this virtual
    machine").
  2. Turn on the VM and log into the guest OS.
  3. Copy any text in the guest OS.
  4. Move the focus to the host and paste the clipboard into any text field –
    verify the text is the same as the one copied in the guest OS.
  5. Copy a different text in the host OS.
  6. Move the focus back to the guest OS and paste the clipboard to any text
    field - verify the text is the same as the one copied from the host OS.
  7. Turn off the "Enable copy and paste to and from this virtual machine"
    from the VM settings and click OK.
  8. Repeat steps 3 to 6 and verify you are able to perform them, although the
    relevant option is now "disabled".
  9. You can repeat steps 1 to 8 but this time in the other way round, by
    starting with the check box as un-checked.
  10. Activate the change by performing one of the following operations
    towards the guest OS: either suspend and resume, reset (from the VMware
    hosting application), restart (from within the guest OS), shutdown (either
    from within the guest OS of by performing a "power off" from the VMware
    hosting application) and then turning it back on.
    After performing either operation make sure the change was applied.

Issue 2:

  1. When the test VM is turned off (one with the "VMware tools"
    pre-installed), make sure the "Enable copy and paste to and from this
    virtual machine" checkbox is checked (VM settings -> "Options" tab -> "Guest
    Isolation" line -> "Enable copy and paste to and from this virtual
    machine").
  2. Turn on the VM and log into the guest OS.
  3. Move the focus the host OS and copy the word "password".
  4. Move to the focus to the guest OS and paste the clipboard into any text
    field.
  5. Make sure the word "password" is displayed.
  6. Move back to the host OS and clear the clipboard content. Make sure it is
    clear by pasting its content to a text field and verify nothing was pasted.
  7. Move the focus to the guest OS and then back to the host OS and again
    perform a paste action to a text field.
  8. Verify that now the clipboard has pasted the word "password".

Exploit Code: No need.

Direct resolution: Not any that I am aware of at the time of writing this
advisory.

Workarounds:
Issue 1: No workaround was found.

Issue 2: Disabling the clipboard transfer on a global level, for all of the
VMs immediately - by clearing the following checkbox in VMware workstation
interface:
"Edit" menu -> "Preferences" command -> "Input" tab -> "Enable copy and
paste to and from virtual machine".
If this global option is turned off, than at each VM level, clipboard copy,
in any direction, will not be allowed, regardless of the current actual
clipboard copy status at each VM.
Remember that this option effects ALL of the virtual machines used within
the VMware workstation.

Vendor Notification: The vendor was notified at the end of September 2006,
but it could not commit to any planned date for a fix regarding both issues.

Credit:
Eitan Caspi
Israel
Email: [email protected]

Past security advisories:

http://www.microsoft.com/technet/security/bulletin/MS02-003.mspx
http://support.microsoft.com/kb/315085/en-us
http://online.securityfocus.com/bid/4053

http://support.microsoft.com/?kbid=329350
http://online.securityfocus.com/bid/5972

http://www.securityfocus.com/archive/1/301624
http://online.securityfocus.com/bid/6280

http://online.securityfocus.com/archive/1/309442
http://online.securityfocus.com/bid/6736

http://www.securityfocus.com/archive/1/314361
http://www.securityfocus.com/bid/7046

http://www.securityfocus.com/archive/1/393800

http://www.securityfocus.com/archive/1/archive/1/434704/100/0/threaded

http://www.securityfocus.com/archive/1/archive/1/446220/100/0/

Articles:
You can find some articles I have written at
http://www.themarker.com/eng/archive/one.jhtml
(filter: Author = Eitan Caspi (second name set), From year = 2000 , Until
year = 2002)

Eitan Caspi
Israel

Current Blog (Hebrew): http://blog.tapuz.co.il/eitancaspi
Past Blog (Hebrew): http://www.notes.co.il/eitan
Dead Blog (English): http://eitancaspi.blogspot.com

"Technology is like sex. No Hands On - No Fun." (Eitan Caspi)


No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.17.22/666 - Release Date: 03/02/2007
15:31

JSON