My BlackHat Europe 2017 Talk: THE GREAT ESCAPES OF VMWARE

This December 2017 Me & my colleague Yakun Zhang delivered a talk at Blackhat Europe 2017 Briefings on VMWare escapes. Blackhat Europe is an annual information security conference, scheduled on December 4 2017 to December 7, 2017, in the ExCeL London, located at 1 Western Gateway, London E16 1XL.We have talked about reverse engineering of vmware, attacking hypervisor isolation and some virtual machine escape attacks against vmware.


Talk Abstract

Virtual machine escape is the process of breaking out of the virtual machine and interacting with the host operating system. VMWare recently fixed several bugs in their products that were allowing malicious code to escape sandbox. Some of these issues were exploited and reported during exploitation contest and while others reported individually by researchers. For very obvious reason details of this bugs are undisclosed. This paper presents a case study of VMWare VM escape vulnerabilities based on the analysis of different patches released by VMWare in recent past. 

Looking at the advisories published by VMWare in the last few months, reveals that there are many surfaces, that are being targeted by security researchers. To summarize, the attack surfaces would be as follows: 

A) RPC Request handler.
B) Virtual Printer.
C) VMWare Graphics Implementation.

Talking about vulnerabilities fixed in VMWare RPC layer, we see several CVEs (CVE-2017-4901, CVE-2016-7461 etc.) fixing security issues in RPC layers. This talk will cover end to end RPC implementation in VMWare workstation. It will cover everything from VMWare Backdoor in guest OS to different RPC command handler in host OS. We will uncover some of these fixed bugs in VMWare RPC layer by performing binary diffing on VMWare Workstation binaries. This talk will also showcase some of the PoCs developed from different VMware workstation patches.


VMWare's EMF file handler is one of most popular attack surfaces, when it comes to guest to host escape. VMSA-2016-0014 fixed several security issues in EMF file handling mechanism. EMF format is composed of many EMR data structures. TPView.dll parses every EMR structure in EMF file. In VMware, COM1 port is used by Guest to interact with Host printing proxy. EMF files are spool file format used in printing by windows. When a printing EMF file request comes from Guest, in host TPView.dll render the printing page. The TPView.dll holds the actual code which parses the EMF file structures. In our talk, we will be diving deep into this attack surface & uncover some of the vulnerabilities fixed in this area recently by performing binary diffing on VMWare work station binaries.


VMSA-2017-0006 resolved several security vulnerabilities in Workstation, Fusion graphics implementation which allows Guest to Host Escape. These vulnerabilities were mostly present in VMWare SVGA implementation. In this section of our talk we will cover implementation of VMWare virtual GPU through reverse engineering different guest components (vmx_fb.dll - VMware SVGA II Display Driver, vmx_svga.sys - VMware SVGA II Miniport) as well as host component (vmware-vmx.exe) where virtualize GPU code exist. The VMware virtual GPU provides several memory ranges which is used by Guest OS to communicate with the emulated device. These memory ranges are 2D frame buffer and FIFO Memory Queue. In FIFO memory queue, we write command that we want our GPU to process. The way VMWare handles and process these commands is error prone. This talk will uncover some of these bugs in SVGA command processing code and try to understand anatomy of issues by bin-diffing through VMWare binaries.

Slides:


References:


  • https://www.blackhat.com/eu-17/briefings.html#the-great-escapes-of-vmware-a-retrospective-case-study-of-vmware-g2h-escape-vulnerabilities
  • https://www.blackhat.com/docs/eu-17/materials/eu-17-Mandal-The-Great-Escapes-Of-Vmware-A-Retrospective-Case-Study-Of-Vmware-G2H-Escape-Vulnerabilities.pdf



Comments

  1. I have been meaning to read this and just never obtained a chance. It’s an issue that I’m really interested in, I just started reading and I’m glad I did. You’re a fantastic blogger, one of the best that I’ve seen. This weblog undoubtedly has some facts on topic that I just wasn’t aware of. Thanks for bringing this stuff to light. Ssn lookup

    ReplyDelete
  2. hi, your website is really good. I truly do appreciate your good results slillpp

    ReplyDelete
  3. Thanks for sharing this information. I really like your blog post very much. You have really shared a informative and interesting blog post with people. Black hat forum

    ReplyDelete
  4. On the off chance that you live in a major city like New York, Boston or Los Angeles, good for you! You'll track down the least expensive trips to Europe from these urban communities. Europa-Road túlméretes szállítás

    ReplyDelete
  5. I think this web site has very superb composed subject material articles . pad printer

    ReplyDelete
  6. Thank you again for all the knowledge you distribute,Good post. I was very interested in the article, it's quite inspiring I should admit. I like visiting you site since I always come across interesting articles like this one.Great Job, I greatly appreciate that.Do Keep sharing! Regards, cinema near me

    ReplyDelete
  7. This is some thing very informative and point to point. There is no round and round in this article. Like this smplicity . This clears my old point of view. THANKS
    SANWELLS

    ReplyDelete
  8. You have done a great job on this article. It’s very readable and highly intelligent. You have even managed to make it understandable and easy to read. You have some real writing talent. Thank you
    Best Backlinks For SEO

    ReplyDelete
  9. The article was up to the point and described the information very effectively. Thanks to blog author for wonderful and informative post. Softech Source

    ReplyDelete

Post a Comment