Hyper-V Entire Host Disk Access

Corey Hartman
May 29, 2023


I want to quickly cover a small issue I came across over the past week. If a user with non-administrative privileges has an administrator open Hyper-V Manager for them (with "Run as administrator" and the admin's credentials) so they can access, manage or create a VM, the processes that Hyper-V Manager launches inherit the administrator's elevated token, and that can lead to access to the entire host disk. If the non-administrator user then attaches the C drive as a shared drive when connecting to the VM, they have complete read/write access to that drive from inside the VM.

Let's see an example. We run Hyper-V Manager as an administrator from a non-admin account.

Opening Hyper-V Manager as admin

Then, when connecting to the VM, we attach a local resource; in this case it is the C drive.

Attaching the C drive to the remote system.

Within the remote system, in this case my Ubuntu VM, I can open the C drive and read/write anywhere I want.

Accessing the C drive from the Ubuntu VM

As you can see below, within the C:\Windows directory I am able to write a test file.

Creating a file in C:/Windows

Then, if I wished to, I can also delete files, such as the file that was just created.

Deleting a file in C:/Windows

So what can we do to prevent this? The answer lies in group membership. For a user to open Hyper-V and perform tasks within the scope of a general user who needs Hyper-V, the user should be added to the "Hyper-V Administrators" group. Hyper-V Manager and the VM connection then run under the user's own token, so any drive they share into the VM is limited to what that user can already access on the host, rather than inheriting the administrator's access to the entire disk.

The group a user needs to be added to in order to mitigate this issue

So what do we have here specifically? In my opinion this is both a misconfiguration by an administrator and an issue with how inheritance is set up for this specific process. An administrator should simply add the user to the Hyper-V Administrators group; however, I can also understand edge cases where the user does not normally use Hyper-V, so an admin could easily and unknowingly give a user entire disk access, as shown in this example. According to Microsoft, you can prevent child processes from inheriting some of their parent's properties, so what really needs to happen is that during the disk-sharing step, if you need entire disk access from the remote/virtual system, that permission should be explicitly granted rather than obtained through inheritance.
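To make the mitigation above concrete, here is an added PowerShell example (not code from the original post) for the Hyper-V host. It first audits for the exact situation described: a Hyper-V Manager or VMConnect process running under an account other than the interactively logged-on user, which is the sign that an admin "ran as" the tool for someone else. It then adds the given user to the Hyper-V Administrators group if they are not already a member. It assumes it is run from an elevated PowerShell session on the host; the account name passed in `$User` is a placeholder.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the Hyper-V host. $User is whatever standard account you want
# to let manage VMs without handing them an administrator's token.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory = $true)]
    [string]$User   # e.g. 'alice' or 'CORP\alice' (placeholder name)
)

$Group = 'Hyper-V Administrators'

# 1. Audit: which Hyper-V Manager / VMConnect processes are running, and as whom?
#    Hyper-V Manager is mmc.exe hosting virtmgmt.msc; the VM console is vmconnect.exe.
$console = (Get-CimInstance Win32_ComputerSystem).UserName   # interactive user, DOMAIN\name
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -eq 'vmconnect.exe' -or $_.CommandLine -like '*virtmgmt.msc*' }

foreach ($p in $procs) {
    $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $owner = "$($o.Domain)\$($o.User)"
    if ($owner -ne $console) {
        # This is the scenario in the post: the tool runs with $owner's (the admin's)
        # token, so any drive redirected into the VM is opened with $owner's rights,
        # not with the rights of the person sitting at the console.
        Write-Warning "PID $($p.ProcessId) ($($p.Name)) runs as $owner but the console user is $console"
    }
}

# 2. Fix: make the user a Hyper-V Administrator so the tool can be launched
#    under their own token instead of an administrator's.
$sid = ([System.Security.Principal.NTAccount]$User).Translate(
           [System.Security.Principal.SecurityIdentifier])
$already = Get-LocalGroupMember -Group $Group | Where-Object { $_.SID -eq $sid }

if ($already) {
    Write-Host "$User is already a member of '$Group'"
} else {
    Add-LocalGroupMember -Group $Group -Member $User
    Write-Host "Added $User to '$Group'. They must sign out and back in before the group appears in their token."
}

# 3. Optional: drive redirection in VMConnect depends on Enhanced Session Mode.
#    Disabling it on the host removes the drive-sharing path entirely, at the
#    cost of the other enhanced-session features (clipboard, resolution, etc.).
# Set-VMHost -EnableEnhancedSessionMode $false
```

Membership is compared by SID rather than by name so that `alice`, `HOST\alice` and `CORP\alice` resolve consistently. The Enhanced Session Mode line is left commented out because it is a host-wide trade-off, not a substitute for fixing which token the tool runs under.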

Anyways, as always, I hope this was fun and you learned something.


Corey Hartman, PhD candidate who researches applying machine learning to reverse engineering.