VUPEN Exploit Enables Virtual Machine Escape

Submitted by l33tdawg on Fri, 2012-09-07 01:28
Credit: VUPEN

    VUPEN Security has detailed how to exploit a critical memory corruption vulnerability in Xen hypervisors to break out of virtual machines and execute code.

    The attack leverages a now-patched vulnerability discovered by researchers Rafal Wojtczuk of Bromium and Jan Beulich of SUSE Linux and demonstrated earlier this year at the Black Hat security conference. The vulnerability, CVE-2012-0217, exists because the system-call functionality in Xen 4.1.2 and earlier, when running on an Intel processor, improperly uses the sysret path in cases where a certain address is not a canonical address, resulting in local users being able to gain privileges via a "crafted application," according to an advisory for the issue. In the case of France-based VUPEN, exploitation has been achieved under a 64-bit Linux PV guest running on Citrix XenServer 6.0.0 with Xen version 4.1.1.

    In order to trigger the bug, explained VUPEN Security Researcher Jordan Gruskovnjak, one has to map memory close to a non-canonical address and execute a SYSCALL instruction placed so that the address of the instruction following the SYSCALL falls inside the non-canonical range.
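    As an added illustration (not code from the original article, from VUPEN, or from the Xen project), the following C models the defensive check that a hypervisor's sysret path needs before returning to a guest: verify that the guest return address is canonical and use SYSRET only then, otherwise fall back to the IRET path. It also reproduces the boundary condition the article describes, a SYSCALL sitting in the last two bytes below the non-canonical hole, whose next-instruction address lands inside that hole. The 48-bit virtual address width (4-level paging), the function names and the sample addresses are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Example code, not from VUPEN or Xen. Assumes 48-bit virtual addresses:
 * an address is canonical when bits 63..47 are all 0 or all 1. */
#define VA_BITS 48
#define HIGH_BITS_MASK ((1ULL << (64 - VA_BITS + 1)) - 1)   /* 17 low bits */

bool is_canonical(uint64_t addr)
{
    /* Extract bits 63..47 as a 17-bit value; must be 0x00000 or 0x1FFFF. */
    uint64_t high = addr >> (VA_BITS - 1);
    return high == 0 || high == HIGH_BITS_MASK;
}

enum return_path { RETURN_VIA_SYSRET = 0, RETURN_VIA_IRET = 1 };

/* The check the sysret path must make: SYSRET only for a canonical guest RIP.
 * A non-canonical RIP is sent down the IRET path, where the resulting fault
 * is handled with the hypervisor's own stack in place. */
enum return_path choose_return_path(uint64_t guest_rip)
{
    return is_canonical(guest_rip) ? RETURN_VIA_SYSRET : RETURN_VIA_IRET;
}

/* SYSCALL is the two-byte opcode 0F 05, so the saved return address is the
 * instruction address plus two. */
uint64_t next_rip_after_syscall(uint64_t syscall_addr)
{
    return syscall_addr + 2;
}

int main(void)
{
    /* Constructed sample addresses around both edges of the canonical hole. */
    const uint64_t samples[] = {
        0x00007FFFFFFFFFFFULL, /* last canonical address in the lower half */
        0x0000800000000000ULL, /* first non-canonical address */
        0xFFFF7FFFFFFFFFFFULL, /* last non-canonical address */
        0xFFFF800000000000ULL, /* first canonical address in the upper half */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%016llx canonical=%d path=%s\n",
               (unsigned long long)samples[i], is_canonical(samples[i]),
               choose_return_path(samples[i]) == RETURN_VIA_SYSRET ? "SYSRET" : "IRET");
    }

    /* The condition from the article: SYSCALL in the two bytes just below
     * the hole gives a return address inside it, so the path must be IRET. */
    uint64_t boundary_rip = next_rip_after_syscall(0x00007FFFFFFFFFFEULL);
    printf("return RIP after boundary SYSCALL: %016llx -> %s\n",
           (unsigned long long)boundary_rip,
           choose_return_path(boundary_rip) == RETURN_VIA_IRET ? "IRET" : "SYSRET");
    return 0;
}
```

    The check is cheap (one shift and two compares) and is the same test a guest-side detection or fuzzing harness can use to flag return addresses that fall in the hole.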

    Source: eWeek
    Tags: Vupen, Security
