blog dds

2007.04.16

Breaking into a Virtual Machine

Say you're running your business on a rented virtual private server. How secure is your setup? I wouldn't expect it to be more secure than the system your server runs on, and a simple experiment confirmed it.

I performed the experiment on a Linux system running VMware server software (the host). Inside a virtual machine I installed FreeBSD 6.2 (the client). I assumed an adversary had obtained full control of the host, and was attempting to gain access to the client. This could happen through a security hole on the host, or a malicious system administrator. In my case I had created the virtual machine, and therefore had full control over it and full access to its files. Here is how I used my access privileges on the host to gain access to the client as user jsmith.

  1. Locate the virtual disk file holding the master.passwd file.
    host$ cd /space/vm/client
    host$ grep :/home/jsmith:/usr/local/bin/bash *
    Binary file freeBSD.vmss matches
    Binary file istlab-s001.vmdk matches
    Binary file istlab-s002.vmdk matches
    
  2. Edit the file, emptying the password field of jsmith. In order to keep the file exactly the same size, I space-filled the adjoining user-id field. Thus, I changed the record from
    jsmith:0tOcWfiX8z7Qc:1042:20007::0:0:John Smith:/home/jsmith:/usr/local/bin/bash
    
    into
    jsmith::             1042:20007::0:0:John Smith:/home/jsmith:/usr/local/bin/bash
    
  3. Restart the client to flush its cache.
After this step I logged into the client and verified that the password of the hapless user jsmith was indeed empty.

Q.E.D.
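
A guest-side check for the edit made in step 2, as an added example that is not part of the original post: it parses master.passwd(5) records and flags an empty password field or a uid/gid field that is not a plain decimal number, which is what the space-filling leaves behind. The function name is hypothetical, the root line is constructed, and the jsmith lines are rebuilt from the records shown above.

```python
import re

# FreeBSD master.passwd(5) record layout: ten colon-separated fields.
FIELDS = ("name", "password", "uid", "gid", "class",
          "change", "expire", "gecos", "home_dir", "shell")
NUMERIC = ("uid", "gid")
CANONICAL_INT = re.compile(r"(0|[1-9][0-9]*)\Z")  # no padding, no sign


def audit_master_passwd(text):
    """Return (line_number, account, finding) tuples for suspicious records."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            findings.append((lineno, parts[0], "unexpected field count"))
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["password"] == "":
            findings.append((lineno, rec["name"], "empty password field"))
        for key in NUMERIC:
            if not CANONICAL_INT.match(rec[key]):
                findings.append(
                    (lineno, rec["name"],
                     f"non-canonical {key} field: {rec[key]!r}"))
    return findings


# Constructed sample. The jsmith records follow the ones in the post; the
# 13 spaces stand in for the 13-character hash that was blanked out.
TAIL = "1042:20007::0:0:John Smith:/home/jsmith:/usr/local/bin/bash"
ORIGINAL = "jsmith:0tOcWfiX8z7Qc:" + TAIL
TAMPERED = "jsmith::" + " " * 13 + TAIL
SAMPLE = "\n".join([
    "# constructed sample file",
    "root:*:0:0::0:0:Charlie &:/root:/bin/csh",
    TAMPERED,
])

if __name__ == "__main__":
    for lineno, account, finding in audit_master_passwd(SAMPLE):
        print(f"line {lineno}: {account}: {finding}")
```

Inside the guest the input would be the contents of /etc/master.passwd, read as root. An adversary who controls the host can alter the checker as well, so this detects the edit rather than preventing it.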



Last modified: Monday, April 16, 2007 10:14 pm
Unless otherwise expressly stated, all original material on this page created by Diomidis Spinellis is licensed under a Creative Commons Attribution-Share Alike 3.0 Greece License.