VMDK Has Left the Building — Denial of Service

Almost all of our presentations and write-ups on the VMDK File Inclusion Vulnerability contained a slide stating something like

“we’re rather sure that DoS is possible as well ;-)”

including the following screenshot of the ESX purple screen of death:

So it seems we still owe you that one — sorry for the delay! However, the actual attack that triggers this purple screen was rather simple: just include multiple VMDK raw files whose size cannot be aligned to 512-byte blocks, e.g. several files of 512 * X + Y bytes with 0 < Y < 512. Writing to a virtual hard drive composed of such files for a short time (typically one to three minutes, which is what we observed in our lab) triggered the purple screen on both ESXi4 and ESXi5 — at least for patch levels earlier than Releasebuild-515841/March 2012: it seems this vulnerability was patched in Patch ESXi500-201203201-UG.
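As an added example (not part of the original post and not a VMware tool), a small Python checker that parses the extent lines of a VMDK descriptor and reports flat extents whose backing file is not a whole number of 512-byte sectors, i.e. the misalignment condition described above. The descriptor contents, file names and sizes in `demo()` are constructed for illustration.

```python
import os
import re
import tempfile

SECTOR = 512  # VMDK extents are addressed in 512-byte sectors

# Matches descriptor extent lines such as:  RW 8388608 FLAT "disk-flat.vmdk" 0
EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"')


def parse_extents(descriptor_text):
    """Return (access, sectors, extent_type, filename) for every extent line."""
    extents = []
    for line in descriptor_text.splitlines():
        m = EXTENT_RE.match(line.strip())
        if m:
            extents.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return extents


def check_extent_alignment(descriptor_path):
    """Flag flat extents whose backing file does not end on a 512-byte boundary."""
    base = os.path.dirname(os.path.abspath(descriptor_path))
    with open(descriptor_path) as f:
        extents = parse_extents(f.read())
    findings = []
    for _access, sectors, ext_type, name in extents:
        path = os.path.normpath(os.path.join(base, name))
        if not os.path.isfile(path):
            findings.append((name, "missing backing file"))
            continue
        size = os.path.getsize(path)
        remainder = size % SECTOR
        if remainder:
            findings.append((name, f"{size} bytes: {remainder} bytes past a sector boundary"))
        elif ext_type in ("FLAT", "VMFS") and size != sectors * SECTOR:
            # Raw extents must match the sector count declared in the descriptor
            findings.append((name, f"declared {sectors} sectors but file is {size} bytes"))
    return findings


def demo():
    """Build a constructed two-extent disk in a temp dir and run the check on it."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample: one aligned extent, one of 512 * 4 + 100 bytes
        with open(os.path.join(d, "ok-flat.vmdk"), "wb") as f:
            f.write(b"\0" * (SECTOR * 4))
        with open(os.path.join(d, "odd-flat.vmdk"), "wb") as f:
            f.write(b"\0" * (SECTOR * 4 + 100))
        desc = os.path.join(d, "disk.vmdk")
        with open(desc, "w") as f:
            f.write('# Disk DescriptorFile\nversion=1\ncreateType="twoGbMaxExtentFlat"\n'
                    '# Extent description\nRW 4 FLAT "ok-flat.vmdk" 0\nRW 4 FLAT "odd-flat.vmdk" 0\n')
        return check_extent_alignment(desc)


if __name__ == "__main__":
    for name, why in demo():
        print(f"{name}: {why}")
```

Running it against a real datastore means pointing `check_extent_alignment` at each descriptor `.vmdk`; any finding is a disk whose extents deserve a look before the VM is powered on.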


Pascal & Matthias