FranciscoDiazcthulhu
Jun 07, 2024
About This Presentation
Techniques for escaping a VMware VM
Unveiling the Cracks in Virtualization,
Mastering the Host System
VMware Workstation Escape
Speaker: VictorV
#BHASIA @BlackHatEvents
About Me: VictorV (@vv474172261)
VMware Workstation Escape: TianfuCup 2018/2021/2023, Zer0Con 2022, HITB 2020
Hyper-V Escape: CVE-2019-0887
In 2021: bugs in SQL Server, RDP, QEMU, DNS, DHCP, Samba, ESXi…
Top 3 of the MSRC 2023 Q3/Q4 Leaderboard
Contents
1. Virtualization Basic Info
2. Historic Bugs In UHCI
3. Exploit for TianfuCup2023
4. Summary
Part One: Virtualization Basic Info
Virtualization Basic Info: VMware Workstation Architecture
Virtualization Basic Info: Virtual Process Address and Guest Physical Address
Three address spaces are involved:
- Guest Virtual Address (GVA)
- Guest Physical Address (GPA)
- Host process Virtual Address (HVA)
Inside the guest, a GVA is used to access the guest's physical memory.
In the host vmx process, the HVA that maps a GPA is used to access guest memory.
Virtualization Basic Info: Virtual Device and Guest Driver Interaction
Guest system side:
- IO Port: accessed with the insb/inb/outb/outsb instructions
- IO Memory: mapped to a GVA and read and written directly
VMX process side:
- IO port handler functions
- IO memory handler functions
Virtualization Basic Info: VM Escape and RCE exploit
Exploit flow between guest and VMX process, all over I/O read/write:
1. Send data to the virtual device
2. Corrupt the device structure and leak data
3. Receive the leaked info in the guest
4. Send data again to control RIP and run a ROP chain
Virtualization Basic Info: USB Controller
USB 1.x: UHCI
USB 2.0: EHCI
USB 3.x: XHCI
USB 4.0: future
Historic USB controller CVEs listed on the slide:
CVE-2021-22041, CVE-2019-5519, CVE-2019-5518, CVE-2023-20870 …
CVE-2022-31705 … CVE-2024-22252
CVE-2021-22040, CVE-2020-4004, CVE-2020-3968, CVE-2017-4904 …
Virtualization Basic Info: Virtual USB Controller Device Info
Virtualization Basic Info: UHCI Controller (XHCI ejected)
Virtualization Basic Info: UHCI Controller
Part Two: Historic Bugs In UHCI
CVE-2019-5519 TOCTOU
Found by Amat Cama and Richard Zhu
CVE-2021-22041 TOCTOU
If frame_start = 0x3ff and i = 0x400, then
frame_index = (0x400 + 0x3ff) & 0x3ff = 0x3ff; ret = 1
so frame[(0 + 0x3ff) & 0x3ff] == frame[(0x400 + 0x3ff) & 0x3ff]
and transfer_tag will match.
Found by me, used in TianfuCup2021
CVE-2021-22041 TOCTOU
1. Access frame[0x3ff]
2. Change frame[0x3ff] in the SVGA thread
3. Access frame[(0x400 + 0x3ff) & 0x3ff] again
Result: a new GPA is obtained.
Found by me, used in TianfuCup2021
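The index wrap and the double fetch behind it, as an added, constructed C model (not VMware's code): `frame_index`, the frame list, the GPA-like values and the racing writer are all assumptions; the model shows that i = 0 and i = 0x400 alias the same entry, that re-reading the entry after a concurrent write yields a different value, and that snapshotting the entry once removes the window.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not VMware's code) of the frame-list index wrap from the
 * CVE-2021-22041 slides: frame_index = (i + frame_start) & 0x3ff, so with
 * frame_start = 0x3ff the iterations i = 0 and i = 0x400 hit the same entry. */
#define FRAME_COUNT 0x400u
#define CHECKED_GPA (0xA0000000u + 0x3ff)   /* constructed value of frame[0x3ff] */

static uint32_t frame_index(uint32_t frame_start, uint32_t i) {
    return (i + frame_start) & (FRAME_COUNT - 1);
}

typedef struct {
    uint32_t frame[FRAME_COUNT];   /* each entry stands in for a GPA */
} frame_list_t;

/* Stand-in for step 2 of the slide: another thread rewrites frame[0x3ff]
 * between the first access and the second one. Constructed value. */
static void racing_write(frame_list_t *fl) {
    fl->frame[0x3ff] = 0xB0000000u;
}

/* Returns the value the controller loop would actually use for the aliased
 * entry. snapshot_once == false re-reads the entry at i = 0x400 (double fetch);
 * snapshot_once == true reuses the copy taken at i = 0 (single fetch). */
static uint32_t used_after_race(bool snapshot_once) {
    static frame_list_t fl;
    const uint32_t frame_start = 0x3ff;
    for (uint32_t i = 0; i < FRAME_COUNT; i++)
        fl.frame[i] = 0xA0000000u + i;                        /* constructed GPAs */
    uint32_t checked = fl.frame[frame_index(frame_start, 0)]; /* step 1 */
    racing_write(&fl);                                        /* step 2 */
    if (snapshot_once)
        return checked;                                       /* no second fetch */
    return fl.frame[frame_index(frame_start, FRAME_COUNT)];   /* step 3 */
}

/* True when the value used is the one that was validated at step 1. */
static bool consistent(bool snapshot_once) {
    return used_after_race(snapshot_once) == CHECKED_GPA;
}

int main(void) {
    printf("idx(i=0)=%#x idx(i=0x400)=%#x\n",
           frame_index(0x3ff, 0), frame_index(0x3ff, FRAME_COUNT));
    printf("double fetch consistent: %d\n", consistent(false));
    printf("single fetch consistent: %d\n", consistent(true));
    return 0;
}
```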
CVE-2023-20870 Uninitialized Leak
struct urb layout:
+0h  reference
+4h  buffer size
+8h  count size
+Ch  size that can be read back to the VM; default 0
...
+18h endpoint
...
+78h buffer start
+80h cur_buff
char buffer[xxx]; size is determined by the input size
Found by Thach Nguyen Hoang of STAR Labs; Wei and I also found it.
CVE-2023-20870 Uninitialized Leak
Fix: set urb->Ch (the +Ch size field) = 8 in the Bluetooth handler
Found by Thach Nguyen Hoang of STAR Labs; Wei and I also found it.
CVE-2024-22255 Uninitialized Leak
struct urb layout:
+0h  reference
+4h  buffer size
+8h  count size
+Ch  size that can be read back to the VM; default 0
...
+18h endpoint
...
+78h buffer start
+80h cur_buff
char buffer[xxx]
Bytes written into the buffer by the handler:
U8(buffer, 0) = 0x21;
U8(buffer, 1) = 9; // CASE
U16(buffer, 6) = buffer size - 8;
Found by Wei and me
CVE-2024-22253 UAF
Found by me, used at TianfuCup2023
Part Three: Exploit for TianfuCup2023
Old Exploit primitives - Straight outta VMware
Old Exploit primitives - Straight outta VMware: moved to mksSandbox.exe
Old Exploit primitives - Breakout Script of the Westworld: moved to mksSandbox.exe
Old Exploit primitives - Breakout Script of the Westworld: moved to mksSandbox.exe; can't be heap; move into vector
Exploit primitives - Leak address by Urb bug
struct urb layout:
...
+70h vmx-related process address
+78h buffer start
+80h cur_buff
char buffer[xxx]; size is determined by the input size
Get a urb heap address
Get a VMX-related address
Exploit primitives - R/W Everywhere by Endpoint primitive and urb
Exploit primitives - R/W Everywhere by Endpoint primitive and urb
Exploit Demo
Part Four: Summary
Black Hat Sound Bytes
Bug Research Tips
• TOCTOU: data accessed through an HVA can be changed concurrently between accesses
• UAF: pay attention to reset operations; similar bug: CVE-2020-4004
Exploit Tips
• Use urb to leak data
• Use endpoint to write arbitrary data anywhere
Defense against Escape Attacks
• Remove unnecessary virtual devices: USB, sound, CD-ROM
• Disable SVGA 3D
• Keep your software up to date
References
Straight outta VMware: https://census-labs.com/media/straightouttavmware-wp.pdf
Zero Day Initiative, Taking Control of VMware Through the Universal Host Control Interface: Part 2
Breakout Script of the Westworld: https://github.com/474172261/slides/blob/main/Breakout%20Script%20of%20the%20Westworld-new%5B1088%5D.pdf
Universal Host Controller Interface (UHCI) Design Guide