This week an interesting new bug was discovered and announced to the world by Kostya Kortchinsky, an exploit researcher at Immunity Inc. The bug has Mac users particularly worried, as it raises the possibility of their "secure" operating system being hacked from a Windows guest machine.
The bug relates to VMWare's Fusion virtualisation product that is designed to run virtual machines and Windows applications on Apple Macs.
The bug allows malicious code to be executed on the underlying Mac operating system by exploiting Windows running in a virtual machine.
Kortchinsky demonstrates an attack on a Vista SP1 host running Windows XP as the guest in this video: http://www.immunityinc.com/documentation/cloudburst-vista.html
However, he explains that the same vulnerability is present, and can be exploited from a guest Windows machine, on a Mac running VMWare Fusion.
Kortchinsky explained:
"The vulnerability is also present in VMware Fusion and as such would allow a guest (Windows or Linux) to run code on the Mac OS X host, we didn't implement this exploit though, but will probably in a near future."
Commenting on the bug, Kortchinsky wrote, "This is indeed a guest-to-host exploit, it uses several vulnerabilities in the 'Display functions' (as VMware put it) that allow [someone] to read and write arbitrary memory in the host. Thus the guest can run some code on the host, effectively bypassing ASLR and DEP on Vista SP1."
VMWare has issued a Security Advisory and a number of patches relating to the vulnerability. Alarmingly, it looks like the bug is also present in other VMWare products. From the advisory:
1. Summary
Updated VMware Hosted products and patches for ESX and ESXi resolve a
critical security vulnerability.
2. Relevant releases
VMware Workstation 6.5.1 and earlier,
VMware Player 2.5.1 and earlier,
VMware ACE 2.5.1 and earlier,
VMware Server 2.0,
VMware Server 1.0.8 and earlier,
VMware Fusion 2.0.3 and earlier,
VMware ESXi 3.5 without patch ESXe350-200904201-O-SG,
VMware ESX 3.5 without patch ESX350-200904201-SG,
VMware ESX 3.0.3 without patch ESX303-200904403-SG,
VMware ESX 3.0.2 without patch ESX-1008421.
Continues:
http://www.vmware.com/security/advisories/VMSA-2009-0006.html
In theory the exploit would allow an attacker to take over not only the guest operating system but also the underlying host. On a system running ESX, that would allow an attacker to take over a number of guest machines, and possibly the whole VMWare infrastructure, depending on how it has been configured.
Exploits of this kind call into question the technique of honeypotting, in which virtual machines are run to attract malicious software and hacking attempts. As VMWare is deemed secure, the technique, when run on a secure network, is assumed to pose no threat to either the host operating system or the other guest operating systems running on the same system.
However, if a guest machine can be exploited in such a way as to gain control of the underlying host, the implications should be taken into consideration wherever honeypotting is being used.