Microsoft Virtual PC Hypervisor Memory Protection Vulnerability
17 Mar. 2010
Summary
A vulnerability found in the memory management of the Virtual Machine Monitor makes memory pages mapped above the 2GB boundary available with read or read/write access to user-space programs running in a Guest operating system.
Vulnerable Systems:
* Virtual PC 2007
* Virtual PC 2007 SP1
* Windows Virtual PC
* Virtual Server 2005
* Virtual Server 2005 R2 SP1
Immune Systems:
* Microsoft virtualization products that are based on Hyper-V technology.
A vulnerability found in the memory management of the Virtual Machine Monitor makes memory pages mapped above the 2GB boundary available with read or read/write access to user-space programs running in a Guest operating system. By leveraging this vulnerability it is possible to bypass operating system security mechanisms such as Data Execution Prevention (DEP), Safe Structured Exception Handling (SafeSEH) and Address Space Layout Randomization (ASLR), which are designed to prevent exploitation of security bugs in applications running on Windows operating systems.
Thus, applications with bugs that are not exploitable on non-virtualized operating systems become exploitable when running within a guest OS of Virtual PC. In particular, an application running on Windows 7 in XP Mode may be exploitable while the same application running directly on a Windows XP SP3 system is not.
Additionally, software bugs that normally would not be considered security-relevant, and therefore not prioritized for the development or deployment of fixes, may in the context of this vulnerability suddenly become unpatched, exploitable security bugs.
The vulnerability can be exploited locally within a virtualized system to escalate privileges, or remotely for code execution in combination with any client-side bug for which existing patches have not been applied, or with any client-side bug for which no fix was developed because it was dismissed as not exploitable or as low priority. The vulnerability does not seem usable to escape from a virtualized OS (guest) to execute code in the context of the non-virtualized OS (host). Use of the vulnerability to implement covert inter-process communication within the virtualized OS, or to establish inter-VM communication, has not been researched in full but is deemed possible.
Patch Availability:
This issue was reported to Microsoft in August 2009. The vendor has acknowledged the report and after extensive analysis indicated that it plans to solve the problem in future updates to the associated products.
Workaround:
Affected users are advised to run all mission-critical Windows applications on non-virtualized systems or to use virtualization technologies that are not affected by this bug. Windows operating systems and applications that must run virtualized using Virtual PC technologies should be kept at the highest patch level possible and monitored to detect exploitation attempts.
Disclosure Timeline:
2009-08-19 - Microsoft notified
2010-03-03 - Advisory publication date within 15 days agreed
2010-03-16 - Advisory published