Thursday, August 07, 2008

A crude way to detect VMware

Yesterday the kernel maintainers fixed an information disclosure vulnerability I found in the Linux kernel a few days ago (see TKADV2008-2005). One interesting thing about the vulnerability is that it can be used to detect if a system is running as a guest inside VMware.

The vulnerability itself allows an unprivileged user to access and read arbitrary memory addresses, including memory pages owned by the kernel. While running some tests to check whether the vulnerability is indeed exploitable, I encountered a weird VMware problem: every time a specific kernel memory range is accessed, VMware crashes reproducibly.

That means that every similar kernel bug that allows reading arbitrary kernel memory can be used to crash, and therefore detect, VMware as an unprivileged user.

With superuser privileges it is of course possible to reproduce the VMware crash without needing a kernel vulnerability. All you have to do is write and load a kernel module that sweeps over the kernel memory space.