Vmare workstation guest isolation weaknesses (clipboard transfer)

2007-02-05T00:00:00
ID SECURITYVULNS:DOC:15975
Type securityvulns
Reporter Securityvulns
Modified 2007-02-05T00:00:00

Description

Suggested severity level: Low

Type of Risk: isolation failure, information leakage, infection path

Affected Software: VMware Workstation, version 5.5.3 build 34685 (including installation of "VMware tools" of the same version on the guest OS). (Other products by the vendor using the same isolation components may be effected as well, but they weren't tested due to lack of resources. I advise administrators who use the corporate products of VMware to test this issues if they use this products in a production environment) Guest and Host OS: Windows XP Pro with SP2 and all the latest operational and security patches from the "windows update" site, up to 31-Jan-2007. (Other guest OS (especially ones by Microsoft) maybe effected as well, but they weren't tested).

Local / Remote activated: Local

Summary: Each VM has its own settings. one settings category is "Guest Isolation", which includes a checkbox named "Enable copy and paste to and from this virtual machine". This feature can work only if the "VMware tools" component is installed on the guest OS. The clipboard copy operation can transfer only text, not files or streams. I have discovered the following issues regarding this component:

  1. Changing the value of this feature (in either way – enabling or disabling) becomes actually active only if a global operation is made towards the guest OS, like suspend and resume, reset, restart (from within the guest OS), shutdown (either from within the guest OS of by performing a "power off" from the VMware workstation application) and then turning it back on. Simply changing the check box value and pressing OK will not change current functionality of this feature.

  2. When this feature is turned on and working – The direction of the clipboard content transfer is the same as the direction of the focus change between guest and host operating systems and vice versa. But, when the host OS clipboard is empty and the focus is moved to the guest OS clipboard – the guest clipboard is not cleared and left with its current content. Now, when focusing back to the host's, empty, source clipboard – it is now filled with the content of the guest's clipboard – thus the host clipboard is failing to keep itself erased and its previously cleared content is re-filled from the guest OS. This behavior may re-fill the host's clipboard with data that was intentionally erased (like password or credit card number). Strangely, this behavior does not happen when the process is started from the guest OS clipboard, and if it is the first to be erased, and then the focus moves to the host, the host's clipboard is erased. So, the issue here is only when the process starts from the host side.

Possible Abuses: 1. Issue 1 - The VMware administrator might turn on the clipboard transfer and use it, but when he will turn it off by un-checking the check box – it will remain active – thus transferring text objects (a password, for example), from one clipboard to another, in any direction – while the administrator will believe the environments are separated and isolated. This brakes the promised isolation, and may cause information leakage and may infect any OS (host or guest) if the text is a string that can be run as a command or URL – when it will unintentionally be pasted into a command line interface and activated.

  1. Issue 2 - The VMware user will clear his host clipboard (from a copied password, for example) and think it is cleared. But the content that was cleared may have been previously copied to the guest clipboard and when the focus will move back to the host – the content will re-enter the host's clipboard. (General note: To my opinion VMware has, regarding the isolation features, a significant lack of security measures like setting permissions for specific users and groups, at the host and at the guest, (or simply a password) to allow or prohibit performing data transfer (clipboard and/or drag & drop) and the allowed data transfer directions).

Reproduction: (You might wish to use the freeware clipclear (http://www.moonsoftware.com/freeware.asp) for a visual sign of when the clipboard if full or empty and for clearing the clipboard)

Issue 1: 1. When the test VM is turned off (one with the "VMware tools" pre-installed), make sure the "Enable copy and paste to and from this virtual machine" checkbox is checked (VM settings -> "Options" tab -> "Guest Isolation" line -> "Enable copy and paste to and from this virtual machine"). 2. Turn on the VM and log into the guest OS. 3. Copy any text in the guest OS. 4. Move the focus to the host and paste the clipboard into any text field – verify the text is the same as the one copied in the guest OS. 5. Copy a different text in the host OS. 6. Move the focus back to the guest OS and paste the clipboard to any text field - verify the text is the same as the one copied from the host OS. 7. Turn off the "Enable copy and paste to and from this virtual machine" from the VM settings and click OK. 8. Repeat steps 3 to 6 and verify you are able to perform them, although the relevant option is now "disabled". 9. You can repeat steps 1 to 8 but this time in the other way round, by starting with the check box as un-checked. 10. Activate the change by performing one of the following operations towards the guest OS: either suspend and resume, reset (from the VMware hosting application), restart (from within the guest OS), shutdown (either from within the guest OS of by performing a "power off" from the VMware hosting application) and then turning it back on. After performing either operation make sure the change was applied.

Issue 2: 1. When the test VM is turned off (one with the "VMware tools" pre-installed), make sure the "Enable copy and paste to and from this virtual machine" checkbox is checked (VM settings -> "Options" tab -> "Guest Isolation" line -> "Enable copy and paste to and from this virtual machine"). 2. Turn on the VM and log into the guest OS. 3. Move the focus the host OS and copy the word "password". 4. Move to the focus to the guest OS and paste the clipboard into any text field. 5. Make sure the word "password" is displayed. 6. Move back to the host OS and clear the clipboard content. Make sure it is clear by pasting its content to a text field and verify nothing was pasted. 7. Move the focus to the guest OS and then back to the host OS and again perform a paste action to a text field. 9. Verify that now the clipboard has pasted the word "password".

Exploit Code: No need.

Direct resolution: Not any that I am aware of at the time of writing this advisory.

Workarounds: Issue 1: No workaround was found.

Issue 2: Disabling the clipboard transfer on a global level, for all of the VMs immediately - by clearing the following checkbox in VMware workstation interface: "Edit" menu -> "Preferences" command -> "Input" tab -> "Enable copy and paste to and from virtual machine". If this global option is turned off, than at each VM level, clipboard copy, in any direction, will not be allowed, regardless of the current actual clipboard copy status at each VM. Remember that this option effects ALL of the virtual machines used within the VMware workstation.

Vendor Notification: The vendor was notified at the end of September 2006, but it could not commit to any planned date for a fix regarding both issues.

Credit: Eitan Caspi Israel Email: eitancaspi@yahoo.com

Past security advisories:

1. http://www.microsoft.com/technet/security/bulletin/MS02-003.mspx http://support.microsoft.com/kb/315085/en-us http://online.securityfocus.com/bid/4053

2. http://support.microsoft.com/?kbid=329350 http://online.securityfocus.com/bid/5972

3. http://www.securityfocus.com/archive/1/301624 http://online.securityfocus.com/bid/6280

4. http://online.securityfocus.com/archive/1/309442 http://online.securityfocus.com/bid/6736

5. http://www.securityfocus.com/archive/1/314361 http://www.securityfocus.com/bid/7046

6. http://www.securityfocus.com/archive/1/393800

7. http://www.securityfocus.com/archive/1/archive/1/434704/100/0/threaded

8. http://www.securityfocus.com/archive/1/archive/1/446220/100/0/

Articles: You can find some articles I have written at http://www.themarker.com/eng/archive/one.jhtml (filter: Author = Eitan Caspi (second name set), From year = 2000 , Until year = 2002)

Eitan Caspi Israel

Current Blog (Hebrew): http://blog.tapuz.co.il/eitancaspi Past Blog (Hebrew): http://www.notes.co.il/eitan Dead Blog (English): http://eitancaspi.blogspot.com

"Technology is like sex. No Hands On - No Fun." (Eitan Caspi)

-- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.432 / Virus Database: 268.17.22/666 - Release Date: 03/02/2007 15:31