virtunoid -- a guest -> host breakout for qemu-kvm
Nelson Elhage <nelhage@nelhage.com>
@nelhage
http://blog.nelhage.com/

This is an exploit for CVE-2011-1751, a missing check in the qemu-kvm
userspace driver for the KVM Linux Kernel-mode Virtual Machine. For
more information, see the slides from my talk at BlackHat/DEFCON 2011:
<http://nelhage.com/talks/kvm-defcon-2011.pdf>

RUNNING THE EXPLOIT
-------------------

The exploit expects to be run as root inside a guest. For maximum
reliability, the provided Makefile builds an initrd containing the
exploit, which can be used to run the exploit in as minimal an
environment as possible. While I have seen the exploit work inside a
fully booted Linux guest, there is a high chance of just crashing the
host.

The provided linux-3.0.0-config Linux config file contains the config
I used for my demo at DEFCON. The details of the config aren't too
important, except that it needs to contain an appropriate driver for
the virtual network card; I've just provided mine for
convenience. I've also posted a suitable bzImage at
<http://dl.dropbox.com/u/2595898/bzImage-kvm-demo>.

To run the exploit, build an appropriate kernel or download mine, and
run

    kvm -kernel bzImage -initrd initrd.gz

virtunoid-config.h contains various addresses needed for the
exploit. The provided version is targeted at Ubuntu's
qemu-kvm_0.14.0+noroms-0ubuntu4_amd64, which can be downloaded from
<https://launchpad.net/ubuntu/+source/qemu-kvm/0.14.0+noroms-0ubuntu4/+build/2385343/+files/qemu-kvm_0.14.0%2Bnoroms-0ubuntu4_amd64.deb>

For any other version, the addresses and some of the offsets in
virtunoid-config.h will need to be tweaked.

KNOWN ISSUES
------------

Most of these could be fixed, but I didn't feel particularly inclined
to for a proof-of-concept exploit. If you do feel like fixing one or
more, let me know.

* This exploit requires "-net user" with the default settings (or no
  -net options at all, which defaults to "-net nic -net user"). This
  requirement could be fixed, but this is a proof-of-concept.

* This exploit only works on the specific Ubuntu qemu-kvm build it is
  built for. This exploit uses symbols that don't exist prior to
  qemu-kvm 0.13.51.

* This exploit is still somewhat unreliable. I observe a failure rate
  of maybe 1 in 20 running it from an initrd on my test rig. There are
  a few different failure modes, the most common being SEGVing
  qemu-kvm instead of successful exploitation.

* The guest locks up after the exploit.

LEGALESE
--------

Copyright (c) Nelson Elhage.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
   notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other materials provided with the distribution.
3. The name of the author may be used to endorse or promote products
   derived from this software without specific prior written
   permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.