11

I have some untrusted software. I plan to run it on a guest Windows 7 on my host Windows 8 OS using Oracle VirtualBox. In the worst case, will only my guest OS be affected? Can the hacker access information from my main OS? I don't expect the developers of this software to be skilled enough to do a "Virtual machine escape".

T.Todua
user3584
  • This has been answered elsewhere on this site. However, VMWare uses OpenSSL and some versions are vulnerable to the Heartbleed bug. If your VM has network access (or there is any way it can communicate with a vulnerable host), it can borrow data from the host, potentially doing "bad" things with what it learns. – makerofthings7 Apr 30 '14 at 14:16

5 Answers

15

Escaping a virtual machine does not require skill. It only requires that:

  • A known vulnerability exists in the VM.
  • The attacker downloads and uses the exploit.

The Internet is a fabulous thing; it allows people to do a lot of things that they don't actually understand.

In any case, if you dutifully apply security updates to your VM solution (i.e. when VirtualBox tells you that a new version is available, you don't tarry: you download and install that new version right away), then risks of a successful escape are slim. An "unskilled" attacker can only apply known exploits for known vulnerabilities, and the VM vendor also keeps track of such vulnerabilities. The relevant notion here is that of a Zero-day: an attack that the attacker knows of before everybody else; your assumption of "unskilled attacker" really means that the attackers cannot use zero-day vulnerabilities.


That being said, while you can assume that your VM is robust, there still are risks of mis-configuration. VM solutions, in particular VirtualBox, allow for "shortcuts" between the guest and the host. VirtualBox calls these guest additions. In particular, these allow for shared folders; but also mouse integration, clipboard access, 3D graphics fall-through... these are so many escape routes by which hostile guest code could impact the host.

An important point is that "guest additions" are drivers installed in the guest, which exercise extra functionalities offered by the VM. If you do not install the guest additions, then the escape hole may still be there, ready to be used. For instance, to prevent a hostile guest from accessing shared folders, you must disable it (or not enable it) from the VM settings.

Similarly, if you let the VM use the default network settings (NAT), then the hostile code can do network calls to other machines within your local network.

Therefore, you must review all VM settings to make sure that you deactivate all features that could allow for an escape or unwanted impact outside of the guest. In particular, take care of the network configuration (it is simpler if you deactivate it altogether, or use internal networking).

Tom Leek
  • **Is shared folder vulnerable** if used only to transfer files from HOST to GUEST? (thus, user not executing anything in shared folder from HOST OS) – T.Todua Jan 01 '22 at 22:24
9

There is an option to mount USB Devices and share folders on the parent OS with the VM. DO NOT DO THAT. If malware running in a VM gets access to your parent OS folders/USB, it will affect the files in it and thus if you open those infected files from your parent OS, the infection will spread.

Years ago I created an experimental application in C that gets added to other EXE files. I ran it on a VM forgetting that I had shared a folder in my parent OS. All exe's in my parent folder got affected.

schroeder
techno
6

That's a good list from TMR_OS, but add:

  • Disable 3D video enhancements
  • Disable guest additions
  • Disable copy/paste - or at least no paste from host to guest
  • You might want networking enabled to study malware. Bridged is most dangerous. Then NAT, finally a local private network is most secure and most useless.
Andrew
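A host-side check for the settings review described in Tom Leek's and Andrew's answers, as an added example that is not part of any answer: it parses the output of `VBoxManage showvminfo <vm> --machinereadable` and reports host-facing channels left enabled. The sample output is constructed, and the key names are an assumption based on common VirtualBox releases; they can differ between versions.

```python
import re

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
# Key names are an assumption (common VirtualBox releases); verify on your version.
SAMPLE = '''\
name="malware-lab"
accelerate3d="on"
clipboard="bidirectional"
draganddrop="disabled"
usb="on"
nic1="nat"
nic2="none"
SharedFolderNameMachineMapping1="transfer"
SharedFolderPathMachineMapping1="C:\\Users\\me\\transfer"
'''

# Attachment modes ranked as in the answers: bridged is worst, then NAT.
NIC_RISK = {"bridged": "high", "nat": "medium"}
OFF = {"off", "disabled", "none", "null"}

def parse(text):
    """Parse key="value" lines into a dict, skipping anything else."""
    pairs = (re.match(r'^"?([^"=]+)"?="?(.*?)"?$', ln.strip()) for ln in text.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}

def audit(info):
    """Return (severity, message) findings for host-facing channels left enabled."""
    findings = []
    for key, label in (("clipboard", "shared clipboard"), ("draganddrop", "drag and drop"),
                       ("accelerate3d", "3D acceleration"), ("usb", "USB controller")):
        value = info.get(key, "off").lower()
        if value not in OFF:
            findings.append(("high", f"{label} is {value}"))
    for key, value in sorted(info.items()):
        if key.startswith("SharedFolderNameMachineMapping"):
            # The host path lives under the matching ...Path... key.
            path = info.get(key.replace("Name", "Path", 1), "?")
            findings.append(("high", f"shared folder '{value}' maps to {path}"))
        elif re.fullmatch(r"nic\d+", key) and value.lower() in NIC_RISK:
            findings.append((NIC_RISK[value.lower()], f"{key} attached as {value}"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(parse(SAMPLE)):
        print(f"[{severity}] {message}")
```

The check reads the VM definition on the host, so it reports a shared folder or clipboard channel whether or not guest additions are installed in the guest.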
3

To protect yourself from the vulnerable virtual machine:

  • Remove network adapter
  • Uninstall VMware tools
  • Disable usb auto connect
  • Remove the CD/DVD Drive
TMR_OS
3

A virtual machine can also exploit vulnerabilities in hardware that you connect to it (for example if you "redirect" a USB device to the VM), here's an example with an Apple iSight webcam.

The reprogramability of the iSight firmware can be exploited to effect a virtual machine escape whereby malware running in a guest operating system is able to escape the confines of the virtual machine and influence the host operating system. One method is to reprogram the iSight from inside the virtual machine to act as a USB Human Interface Device (HID) such as a mouse or keyboard. Once the iSight reenumerates, it would send mouse movements and clicks or key presses which the host operating system would then interpret as actions from the user.

In this case they reprogram the webcam to appear as a standard keyboard, open a terminal on the host using keyboard shortcuts, and finally "type" commands that download malicious code on the host.