Breaking into a Virtual Machine


Say you're running your business on a rented virtual private server. How secure is your setup? I wouldn't expect it to be more secure than the system your server runs on, and a simple experiment confirmed it.

I performed the experiment on a Linux system running VMware server software (the host). Inside a virtual machine I installed FreeBSD 6.2 (the client). I assumed an adversary had obtained full control of the host, and was attempting to gain access to the client. This could happen through a security hole on the host, or a malicious system administrator. In my case I had created the virtual machine, and therefore had full control over it and full access to its files. Here is how I used my access privileges on the host to gain access to the client as user jsmith.

  1. Locate the virtual disk file holding the master.passwd file.
    host$ cd /space/vm/client
    host$ grep :/home/jsmith:/usr/local/bin/bash *
    Binary file freeBSD.vmss matches
    Binary file istlab-s001.vmdk matches
    Binary file istlab-s002.vmdk matches
  2. Edit the file, emptying the password field of jsmith. In order to keep the file exactly the same size, I space-filled the adjoining user-id field. Thus, I changed the record from
    jsmith:0tOcWfiX8z7Qc:1042:20007::0:0:John Smith:/home/jsmith:/usr/local/bin/bash
    jsmith::             1042:20007::0:0:John Smith:/home/jsmith:/usr/local/bin/bash
  3. Restart the client to flush its cache.
After this step I logged into the client and verified that the password of the hapless user jsmith was indeed empty.


Comments   Toot! Share

Last modified: Monday, April 16, 2007 10:14 pm

Creative Commons Licence BY NC

Unless otherwise expressly stated, all original material on this page created by Diomidis Spinellis is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.