Releases: VMware VirtualCenter 1.0.1 released!

Ok, ok, I went wrong this time: I said VC 1.0.1 would support GSX 3.0.0 but it isn’t true.
It’s just a minor update that delivers bug fixes and supports the just-released ESX Server 2.1.0.

Here is the news anyway:

– Management of ESX Server 2.1.
VirtualCenter 1.0.1 includes agents for management of both ESX Server 2.1 and ESX Server 2.0.1. Administrators needing management support for ESX Server 2.1 will need to upgrade to VirtualCenter 1.0.1.

– Assorted bug fixes.

Releases: VMware ESX Server 2.1 released!

The VMware masterpiece is finally revamped, closing the update cycle of the three core products that started with the Workstation 4.5.1 release.
ESX Server 2.1 introduces many new features that raise product flexibility to very high levels:

– Hyper-Threading Support
Hyper-Threading support enables you to double the number of logical processors in your ESX Server, which can improve machine utilization and performance for multi-virtual machine workloads.

– New Graphical Installer
ESX Server 2.1 includes a new graphical installer for new installations and upgrades from older server versions. The new installer includes the functionality of the ESX Server 2.0.1 text-based installer, and also new functionality like serial number entry, disk partition creation, and memory sizing. Once the installation is complete, only a single server reboot is necessary before new virtual machines can be created.

– Enhanced Support for Scripted Installations
Through the management interface, the scripted installation feature allows you to set up an installation script to deploy or provision more ESX Server systems, where the ESX Server CD-ROM is in the CD-ROM drive of the original ESX Server system or the installation files are hosted on a separate server.

– Support for Virtual Local Area Networks
Virtual Local Area Networks (VLANs) support enables you to configure multiple virtual networks within your ESX server, which communicate securely among themselves as if connected to a common isolated physical network. Virtual networks with VLAN support are able to manage traffic by switching VLAN traffic to and from virtual machines, including traffic external to the ESX Server. Virtual machine VLANs are configured through the management interface.

– Redesigned Network Connections Management Through the Management Interface
Through the management interface, you can review current external, VLAN, and internal network connections, create new networks and edit existing network configurations, and review network adapter status and edit existing adapter configurations.

– ESX Server and Virtual Machine Memory Resources
Through the management interface, you can view the memory utilization page, which shows how much memory is being used by the ESX Server and how memory resources are allocated to virtual machines.

– Virtual Machine Startup and Shutdown Options through the VMware Management Interface
Through the management interface, new configuration options for starting and shutting down virtual machines are available. You can determine which virtual machines start and stop with the system, set the delay time between starting and stopping one virtual machine and starting and stopping the next, and determine the global order in which virtual machines start and stop. Virtual machine configuration options can be set for each individual virtual machine or can be set system-wide.

– Support for Preboot Execution Environment (PXE)
Virtual machines created with VMware ESX Server 2.1 have built-in support for Preboot Execution Environment (PXE), using either the vlance or vmxnet virtual network devices. PXE allows a computer without an operating system installed to power on and download an operating system image from a PXE server on the network.

– Expanded Support for SAN Storage Arrays
ESX Server 2.1 RC includes failover support for EMC CLARiiON CX Series storage systems, including multipathing with HBA failover and multipathing with storage port failover.

– ESX Server Compatibility with VMware VirtualCenter
Use the VMware VirtualCenter system management application to deploy, monitor, and manage virtual machines that are distributed across multiple hosts running ESX Server. For more information about VirtualCenter, see http://www.vmware.com/support/vc.

Now we have full VM compatibility across all three products. This means you can, for example, install and develop an important VM in Workstation 4.5.1 on a SysAdmin’s notebook, then deploy it in a GSX 3.0.0 testing environment, and finally move it to an ESX 2.1.0 production environment.
Absolutely great!

P.S.: As you can see, an incoming VirtualCenter update is planned (1.0.1), and it will surely permit ESX 2.1.0 and GSX 3.0.0 management.

P.P.S.: Notice that VMware is increasing its support for EMC storage products, as expected after the acquisition. In the very near future I could imagine we’ll see ESX appliances with the DELL/EMC brand on them.

VMware ESX Server 2.0.0 and 2.0.1 security update

VMware has just released a security update (2.0.0 and 2.0.1 available) for its major enterprise product.
It addresses the following security vulnerabilities in the Linux kernel:

Linux security exploit, CAN-2004-0077

Linux security exploit, CAN-2003-0961
(Previously released as patch p6991)

Linux security exploit, CAN-2003-0985
(Previously released as patch p6991)

Patch your ESX immediately!

Self-made VMware P2V migration of Linux machines

Anders Ahl, a VMware NG user, published an interesting how-to for Red Hat Linux machine (from 7.0 to 9.0 families) migration from physical to virtual.

Here it is:

1. Ghost the machine (at least the boot and root systems)

2. Restore it in a VM.

3. Boot on the appropriate RedHat CD (preferably an .iso of it…), using
the “linux rescue” option.

4. chroot to your system (In the case of RedHat prior to version 8.0, you
can use the RedHat 8 CD in most cases as older CD versions don’t support
this feature without some tweaking…)

5. Run kudzu to remove old devices and find the new ones. (or manually edit
your /etc/modules.conf file, which is the most important since it includes
your scsi-device)

6. Create a new init using mkinitrd on your kernel-version. (Example:
/sbin/mkinitrd -v -f /boot/initrd-2.2.12-20.img 2.2.12-20)

7. Keep your fingers crossed and reboot your VM.

8. Re-configure your NICs after installing the VMware-tools.

Nice job Ahl! Many thanks!

“IBM xSeries Server Consolidation: an Introduction” Redbook

Massimo Re Ferrè, an IBM IT Architect and a very active VMware newsgroups user, wrote an interesting paper about Server Consolidation with IBM xSeries products.
After an introduction to the typical problems of server consolidation, he introduces Blade Servers and VMware ESX Server solutions, considering what kinds of virtual machines are good for ESX and why.

An interesting work Massimo! We wait for the second paper…

Next VMware Virtual SMP release could target GSX Server product

Virtual SMP is an add-on module, currently available only for ESX Server, that permits a VM to see more than one CPU (only if the host hardware is multiprocessor).

As of today GSX Server and Workstation don’t benefit from this module, but with the GSX 3.0.0 release something could change: if you look carefully at the new GSX web interface you can notice a clearly stated “VM processors number” field. This doesn’t prove anything, but I can imagine that this change was introduced for compatibility with the next Virtual SMP version.

ATTENTION: No information about the next VSMP is available from VMware, so this is just speculation.

VMware presents the new GSX Server 3.0.0 online

A new webcast about the new server product is available on the VMware website. It’s led by Erich Horschman, GSX Director Product Manager, and features Live Screencam scenes.
Here is the summary:

Launching the next generation of VMware GSX Server.

VMware GSX Server is enterprise-class virtual machine software for software development and testing operations as well as departmental server consolidation projects.

New in GSX Server 3:

– VMware VirtualCenter support
– Virtual machine mobility
– Better Usability
– New unified console
– Snapshots
– VM Auto-start/Auto-shutdown
– PXE Support
– Improved Performance and Scalability
– Enhanced Windows Integration
– New Host OS Support
– New Guest OS Support

In this live, interactive introduction to the VMware virtualization technology, focusing on what’s new in GSX Server 3, you will see industry statistics, customer case-studies, a live demo and Q&A from attendees.

Just go to the webinars page and enjoy the 48-minute show.

Microsoft Virtual Server 2004 changes name to Virtual Server 2005

Because of the naming-convention change first unveiled by Bob Muglia at MMS 2004, the Virtual Server product previously tagged as ‘2004’ is now referred to as Virtual Server 2005. The first beta of Virtual Server 2004 released to testers last year was v1.1.321; here’s a quick preview of one of the first builds under the 2005 name, v1.1.416.

Virtual Server is Microsoft’s virtual machine (VM) solution that enables Windows servers to run multiple operating systems concurrently. Virtual Server enables simplified application migration, flexible server consolidation, and automated rapid deployment. Virtual Server represents a key deliverable on the Dynamic Systems Initiative (DSI) roadmap.

Overview of Changes:

– Security enhancements – Virtual Server now uses file system access control lists (ACLs) to manage access to virtual machines, virtual disks, and virtual networks.

– SCSI support – Small computer system interface (SCSI) support is now enabled for four buses with seven devices per bus, and each SCSI drive can be up to 2 terabytes in size.

– Improved large memory support – Virtual Server now includes improved support for running large numbers of virtual machines on physical computers that have up to 64 gigabytes (GB) of memory, provided Physical Address Extension (PAE) is enabled on the host operating system.

– Global Resource Allocation Page – Virtual Server now includes a Global Resource Allocation Page providing all virtual machine resource allocation settings on a single page.

– Globalization – Virtual Server now supports host operating systems that use double-byte characters.

– Named Password Authority service – Virtual Server now includes a Named Password Authority service. This supports automatic virtual machine startup because you can specify the logon credentials for a virtual machine.

– Clustering support – Clustering is now enabled for simple failover between two virtual machines.

*Not all of these features/changes are exclusive to the ‘2005’ build, some were present in previous betas.

Prices for the retail version of Virtual Server 2005 have not been unveiled yet, however Microsoft is promising low prices. According to Bob Muglia, senior vice president for Microsoft’s Windows Server Division, “Virtual Server will be the lowest cost way of doing this in the industry”.

Go to the Winbeta (my news source) website to see many screenshots!

How an application can detect if it is running inside a VMware virtual machine

After my post about discovering whether a Microsoft VM is running, here is the same for VMware VMs.
Credits to SecuriTeam.

Background:
VMware contains a program called “VMware Command Line Tools”. These tools need to communicate with the host via the VMware virtual machine (the same method is used by the official VMware-Tools).

The basic idea is that the communication is done through a special I/O port specific to VMware virtual machines. The following sequence is used to call VMware’s environment:

MOV EAX, 564D5868h ; Magic Number
MOV EBX, COMMAND_SPECIFIC_PARAMETER
MOV ECX, BACKDOOR_COMMAND_NUMBER
MOV DX, 5658h ; Port Number

IN EAX, DX

Though it may appear to be an ordinary I/O access routine at first glance, several VMware-specific mechanisms are involved in this. What is not apparent from this example is that data can be transferred in both directions with this routine. As shown in the example, the magic number is stored in EAX and certain other values are stored in EBX and ECX prior to executing the IN instruction. Although the values in these registers have no effect on the IN instruction on real machines, VMware’s environments use these values as their input parameters. Also, some functions return their results in EBX, ECX and EDX as well as in EAX. Consequently, you cannot use C library functions to access this Backdoor port (e.g. the _inp() function in the MSVC runtime library), because those functions never expect these registers to be changed by the IN instruction.

Technical Details:
As the above I/O port doesn’t exist in non-VMware environments, malicious code can detect whether it runs under VMware or not, and act accordingly.

Proof of Concept:
Andrew Hintz has created a small Linux based program that detects whether it runs under the VMware environment:
/*
 * 4tphi-vmchk.c
 * Detects if you are in a VMWare virtual machine.
 *
 * Written by Andrew Hintz
 * and AAron Walters
 * Fortify Research Laboratories
 *
 * "Oft at the hives of his tame bees
 * They would their sugary thirst appease."
 *
 * This program is based on info and code from:
 * http://chitchat.tripod.co.jp/vmware/
 * by [email protected]
 *
 * Notes:
 * The program can be run as a normal user.
 * We tested the program only in x86 Linux.
 * The m4dn3ss lives on!
 */

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>

#if __INTSIZE == 2 /* 16 bit environment */
typedef unsigned int uint16;
typedef unsigned long uint32;
#else /* 32 bit environment */
typedef unsigned short uint16;
typedef unsigned int uint32;
#endif /* __INTSIZE */

/* On a real machine the IN below faults in user mode and we land here. */
void segfault(int sig){
    (void)sig;
    printf("Not running inside VMware.\n");
    exit(1);
}

int main(void){
    uint32 verMajor, verMinor, magic, dout;

    signal(SIGSEGV, segfault);

    /* Register constraints load the inputs and collect the outputs,
       so the compiler knows that EAX, EBX, ECX and EDX are used. */
    __asm__ __volatile__ (
        "in %%dx, %%eax"
        : "=a"(verMajor), "=b"(magic), "=c"(verMinor), "=d"(dout)
        : "a"(0x564D5868), /* magic number */
          "b"(0x3c6cf712), /* random number */
          "c"(0x0000000A), /* specifies command */
          "d"(0x5658)      /* VMware I/O port */
    );

    if (magic == 0x564D5868) {
        printf("Running inside VMware. ");
        printf("(Version %u,%u)\n", verMajor, verMinor);
        /* I'm not really sure what the versions mean. */
    }

    return 0;

}/* end main */

/* end of file */
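
The same register setup can be spotted statically in a binary under analysis. The scanner below is an added example, not part of the original post or of the Hintz/Walters program. It looks for the magic number 564D5868h followed closely by the port number 5658h and an IN EAX, DX opcode, and reports the command number loaded into ECX. The function name, the 32-byte window and both sample byte strings are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VMW_WINDOW 32 /* assumed: how far past the magic to look, in bytes */

/* Immediates in the byte order x86 stores them (little-endian). */
static const uint8_t VMW_MAGIC[4] = {0x68, 0x58, 0x4D, 0x56}; /* 564D5868h */
static const uint8_t VMW_PORT[2] = {0x58, 0x56};              /* 5658h */

/* Constructed sample: mov eax,564D5868h / mov ebx,3C6CF712h /
 * mov ecx,0Ah / mov edx,5658h / in eax,dx */
static const uint8_t SAMPLE_CHECK[] = {
    0xB8, 0x68, 0x58, 0x4D, 0x56, 0xBB, 0x12, 0xF7, 0x6C, 0x3C, 0xB9,
    0x0A, 0x00, 0x00, 0x00, 0xBA, 0x58, 0x56, 0x00, 0x00, 0xED};
/* Constructed sample: the two constants appear, but no IN follows. */
static const uint8_t SAMPLE_BENIGN[] = {
    0x68, 0x58, 0x4D, 0x56, 0x90, 0x58, 0x56, 0x90, 0x90};

/* Hypothetical helper. Returns the offset of the magic constant if the
 * port constant and an IN EAX,DX opcode (EDh) follow it within VMW_WINDOW
 * bytes, else -1. *cmd gets the immediate of the first MOV ECX,imm32 (B9h)
 * seen before the port constant, or -1. Byte matching only, no disassembly. */
long find_vmware_backdoor(const uint8_t *buf, size_t len, int64_t *cmd)
{
    for (size_t i = 0; i + 4 <= len; i++) {
        if (memcmp(buf + i, VMW_MAGIC, 4) != 0)
            continue;
        size_t end = (len - i - 4 > VMW_WINDOW) ? i + 4 + VMW_WINDOW : len;
        *cmd = -1;
        for (size_t j = i + 4; j + 2 < end; j++) {
            if (*cmd < 0 && buf[j] == 0xB9 && j + 5 <= end)
                *cmd = (int64_t)buf[j + 1] | (int64_t)buf[j + 2] << 8 |
                       (int64_t)buf[j + 3] << 16 | (int64_t)buf[j + 4] << 24;
            if (memcmp(buf + j, VMW_PORT, 2) == 0 &&
                memchr(buf + j + 2, 0xED, end - (j + 2)) != NULL)
                return (long)i;
        }
    }
    *cmd = -1;
    return -1;
}

int main(void)
{
    int64_t cmd;
    long off = find_vmware_backdoor(SAMPLE_CHECK, sizeof SAMPLE_CHECK, &cmd);
    printf("check sample: offset %ld, command %lld\n", off, (long long)cmd);
    off = find_vmware_backdoor(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN, &cmd);
    printf("benign sample: offset %ld\n", off);
    return 0;
}
```

A hit is only a lead for manual review: the byte match can fire on unrelated data, and it misses code that builds the constants at run time.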