1

Possible Duplicate:
How secure are virtual machines really? False sense of security?

If a VM (e.g. VirtualBox) on host A opens a TCP connection to a hacker Z, are there any possible vulnerabilities in e.g. the VM's NAT that would allow Z to communicate with A itself or other devices on its network?

Can a host running a VM be compromised because of malicious access a hacker obtained on the VM?


Back story: I was watching the show 'Person of Interest' where a protagonist used a virtual machine to hack somebody, but it was a "honeypot" (possible incorrect usage?) and instead the hacker got into all the systems on the protagonist's network.

Now I know this is fiction, and that being able to connect to a machine does not necessarily allow you to hack it, but is there a core of truth in this?

  • While the anecdote is funny, I would recommend deleting everything up to "If a VM ..." I am worried that the introduction will stop people from reaching the final question. – chao-mu Jun 22 '12 at 14:36
  • Oh btw, the show is pretty awesome I watch it too, but in the manner it is done in the show it's not possible. – Rohan Durve Jun 22 '12 at 14:42
  • 1
    Perhaps a better wording for the question (if I understand your intent) "Can a VM be "escaped from" to reach its host" – chao-mu Jun 22 '12 at 14:45

2 Answers

2

Yeah, it's definitely a possibility, but only if the host of the VM has a security vulnerability and is also left improperly configured.

A good example of this is that if you run BackTrack in a VM and then ping the VM's IP from your PC, you can reach it.

VMs can have different types of links to a router. It can be:

  • Physical (Another Ethernet Card or USB Wifi)
  • Bridged to Host (Connect via the host)
  • Replicating Host Connection

Depending on the exact type, the method may change, but fundamentally the VM has to be on your LAN to access the internet. Now regardless of whether it's directly on the router LAN or on an internal LAN between the host and the VM, it can still ping you and you can ping it in normal communication.

So unless the host has a good firewall, etc. that blocks these kinds of connections, it can be hacked into through the VM via this common network interface in theory. Obviously, it's not very practical in terms of amount of effort to use the VM as a pivot point to find and then exploit in the host, but it can be done.

Solution:

  • Have a firewall to monitor inter-VM traffic, etc.
  • Don't use the same Internet connection on the VM; using a separate, say, USB Internet modem would keep you on different networks.

In a nutshell: VMs are mostly contained and secure on their own, but it is you who connects the host and the VM on a common network, I/O device, etc. Don't do that and you'll be practically quite safe.

A good potential option is to remove all non-critical component sharing from the VM and use shell access to run the VM. The chance that a program can bypass the memory limit or so is not likely, not likely at all.

Point is, anything programmable can be hacked given enough time and effort.

Rohan Durve
  • "100% contained and secure". Honestly, I wouldn't *ever* bet the farm on anything "100%". Because it very, very likely isn't. – Jürgen A. Erhard Jun 23 '12 at 01:12
  • 1
    Note that even if a VM does NOT have a wireless adapter, it is still possible in theory to infect a host machine from a VM as they share certain other I/O functionality. –  Jun 23 '12 at 01:30
  • 1
    All that is true, but the question here was originally relating to infecting the host through a network. Nothing is 100% secure, that's a well known fact. But the fact that a casual hacker would have the knowledge to break through a VM's borders and then get access to the host is far from common. – Rohan Durve Jun 23 '12 at 02:59
  • 1
    Yes, I do agree with you. VMs should be treated just like any other host in the network. I was just pointing out your sentence "VMs are 100% contained and secure on their own" might not be very true. –  Jun 23 '12 at 06:03
  • 1
    It was more of an expression than a definitive statement. :P Edited my post. – Rohan Durve Jun 23 '12 at 06:21
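
An added example, not part of the answer above and not VirtualBox's own code: the attachment type of each virtual adapter decides whether the guest shares a network with the host, so it is worth auditing. This Python script parses text in the `key="value"` layout of `VBoxManage showvminfo <vm> --machinereadable` and reports, per connected adapter, whether the guest can open connections to the host and whether LAN peers can address the guest. The sample text, the `REACH` table and the function name are constructed for illustration.

```python
import re

# Constructed sample in the key="value" layout printed by
# `VBoxManage showvminfo <vm> --machinereadable` (not captured from a real host).
SAMPLE = '''name="lab-vm"
nic1="nat"
cableconnected1="on"
nic2="bridged"
bridgeadapter2="eth0"
cableconnected2="on"
nic3="hostonly"
hostonlyadapter3="vboxnet0"
cableconnected3="off"
nic4="intnet"
intnet4="isolated"
cableconnected4="on"
nic5="none"
'''

# mode -> (guest can open connections to the host, LAN peers can address the guest)
# NAT modes count as not addressable from the LAN; port forwarding rules change that.
REACH = {
    "bridged": (True, True),
    "nat": (True, False),
    "natnetwork": (True, False),
    "hostonly": (True, False),
    "intnet": (False, False),
    "null": (False, False),
}

def audit_nics(showvminfo_text):
    """Return (slot, mode, to_host, from_lan) for each enabled, connected NIC."""
    kv = dict(re.findall(r'^([A-Za-z]+\d*)="(.*)"$', showvminfo_text, re.M))
    findings = []
    for key, mode in kv.items():
        m = re.fullmatch(r"nic(\d+)", key)
        if not m or mode == "none":
            continue  # not an adapter line, or adapter disabled
        slot = int(m.group(1))
        if kv.get(f"cableconnected{slot}", "on") != "on":
            continue  # virtual cable unplugged: no traffic on this adapter
        # Unknown modes (e.g. "generic") map to None so they get reviewed by hand.
        to_host, from_lan = REACH.get(mode, (None, None))
        findings.append((slot, mode, to_host, from_lan))
    return sorted(findings)

if __name__ == "__main__":
    for slot, mode, to_host, from_lan in audit_nics(SAMPLE):
        print(f"nic{slot}: {mode:10} guest->host={to_host} lan->guest={from_lan}")
```

Adapters reported with `guest->host=True` are the ones a host firewall rule needs to cover.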
1

I would refer you to this post right here at security stackexchange, which should cover most of the questions you might have.