Scavenger: Misuse Error Handling Leading to Qemu/KVM Escape

Presented at Black Hat Asia 2021 Virtual, May 7, 2021, 11:20 a.m. (40 minutes).

Error handling code is used extensively in hypervisors. It is designed to catch unexpected conditions, such as invalid input from guest users or insufficient memory, without crashing the VM. However, we find that incorrect use of error handling code, or missing error propagation, can lead to security problems such as privilege escalation. In this briefing, we demonstrate how to achieve a full guest-to-host escape through misused error handling code. We also show how userspace memory, together with the hypervisor's natural design principles, can provide read/write exploit primitives for information leaks and code execution. As far as we know, this is the first guest-to-host escape exploit rooted in error handling code.

Scavenger is based on an uninitialized-free vulnerability (affecting Qemu prior to 5.2.0) that we discovered in the nvme device, which provides virtual solid-state drive (SSD) service to the guest machine. It is the first public virtual machine escape exploit in a drive device. The uninitialized variable resides on the heap, and its value can be controlled by heap feng shui. The procedure is:

(i) First, Scavenger sprays the heap with pointers to user memory, so the object being freed becomes a guest-allocated buffer, turning the arbitrary free into a use-after-free.
(ii) Second, once the host process has freed the guest-allocated buffer, we read the leaked information out of guest memory to bypass ASLR.
(iii) Finally, we hijack control flow by manipulating data pointers and overwriting them.

Few virtualization developers and security researchers pay attention to the security impact of error handling code in virtualization. We found this vulnerability by performing error-handling-directed fuzzing. In this talk, we demonstrate how to apply this targeted fuzzing technique to virtualization.

We believe the technical insights we present will benefit researchers working in this area: (1) the error-handling fuzzing technique on virtualization; (2) how userspace memory can help craft an exploit.
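The bug class the abstract describes, as an added C illustration that is not the talk's or Qemu's code: the request struct, the two handlers, the arena and the spray are hypothetical stand-ins. A fixed-slot arena with a LIFO free list is used instead of the real allocator so the run is deterministic and cannot corrupt the process; like malloc, it hands the most recently freed slot back with its contents intact, which is what lets a value the guest plants in a freed chunk reappear in the next allocation of that size (step (i) above).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added illustration of the bug class in the abstract, not QEMU's nvme code: an
 * error path that frees a heap field nobody initialised. A fixed-slot arena with
 * a LIFO free list replaces the real heap so the run is deterministic and safe;
 * like malloc, it returns the most recently freed slot with its contents intact. */
#define SLOT_SIZE 64
#define NSLOTS    8
static union { void *align; uint8_t bytes[SLOT_SIZE]; } arena[NSLOTS];
static int free_stack[NSLOTS];   /* indices of free slots; top = most recently freed */
static int free_top;
static int live[NSLOTS];         /* 1 while the slot is allocated */
static void arena_reset(void) {
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) { free_stack[free_top++] = i; live[i] = 0; }
}
static int slot_index(const void *p) {
    for (int i = 0; i < NSLOTS; i++)
        if ((uintptr_t)p == (uintptr_t)arena[i].bytes) return i;
    return -1;
}
static void *arena_alloc(void) {           /* stale bytes are not cleared */
    if (free_top == 0) return NULL;
    int i = free_stack[--free_top];
    live[i] = 1;
    return arena[i].bytes;
}
static int arena_free(void *p) {           /* 0 ok, -1 if p is not a live slot */
    int i = slot_index(p);
    if (i < 0 || !live[i]) return -1;      /* a sanitizer would abort here */
    live[i] = 0;
    free_stack[free_top++] = i;
    return 0;
}

struct req { uint8_t hdr[16]; void *data; };   /* data set only after hdr is accepted */
enum { HDR_OK = 0x01 };

/* Vulnerable: a rejected header jumps to the shared cleanup before r->data is
 * assigned, so cleanup frees whatever stale bytes occupy that field.
 * Returns 0 or -1; *invalid_free is set if cleanup freed a non-live pointer. */
static int handle_vuln(const uint8_t hdr[16], int *invalid_free) {
    int ret = 0; *invalid_free = 0;
    struct req *r = arena_alloc();
    if (!r) return -1;
    memcpy(r->hdr, hdr, sizeof r->hdr);
    if (r->hdr[0] != HDR_OK) { ret = -1; goto cleanup; }   /* r->data never set */
    r->data = arena_alloc();
    if (!r->data) { ret = -1; goto cleanup; }
cleanup:
    if (arena_free(r->data) != 0) *invalid_free = 1;
    arena_free(r);
    return ret;
}

/* Fixed: initialise every field cleanup may release before the first failure
 * can occur, and free only what was actually allocated. */
static int handle_fixed(const uint8_t hdr[16], int *invalid_free) {
    int ret = 0; *invalid_free = 0;
    struct req *r = arena_alloc();
    if (!r) return -1;
    r->data = NULL;                                        /* before any goto */
    memcpy(r->hdr, hdr, sizeof r->hdr);
    if (r->hdr[0] != HDR_OK) { ret = -1; goto cleanup; }
    r->data = arena_alloc();
    if (!r->data) { ret = -1; goto cleanup; }
cleanup:
    if (r->data && arena_free(r->data) != 0) *invalid_free = 1;
    arena_free(r);
    return ret;
}

/* One rejected request after the guest has prepared the slot it will land in.
 * spray == 0: the slot holds garbage, so the stale free is merely invalid (the
 * crash a fuzzer sees). spray == 1: a pointer to a buffer the guest keeps live is
 * planted at the offset of req.data, so the free succeeds and that buffer
 * becomes a use-after-free. Returns 1 if the live buffer was freed, 2 if the
 * free was invalid, else 0. */
static int demo(int (*handler)(const uint8_t[16], int *), int spray) {
    int invalid_free;
    uint8_t bad_hdr[16] = {0};           /* hdr[0] != HDR_OK: will be rejected */
    arena_reset();
    void *guest_buf = arena_alloc();     /* buffer the guest still uses */
    uint8_t *s = arena_alloc();          /* slot the next request will reuse */
    memset(s, 0x41, SLOT_SIZE);
    if (spray) memcpy(s + offsetof(struct req, data), &guest_buf, sizeof guest_buf);
    arena_free(s);
    handler(bad_hdr, &invalid_free);
    if (!live[slot_index(guest_buf)]) return 1;
    return invalid_free ? 2 : 0;
}

int main(void) {
    printf("vuln: spray=%d garbage=%d  fixed: spray=%d garbage=%d\n",
           demo(handle_vuln, 1), demo(handle_vuln, 0), demo(handle_fixed, 1), demo(handle_fixed, 0));
    return 0;
}
```

Compiled with `cc -Wall`, the vulnerable handler frees the guest's live buffer when the slot was sprayed (the use-after-free of step (i)) and performs an invalid free when the slot holds garbage (the crash an error-handling-directed fuzzer observes); the fixed handler does neither. Those two changes are what to look for in any `goto cleanup` pattern during review: every releasable field is initialised before the first failure point, and each release is guarded on that field having been set.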

Presenters:

  • Gaoning Pan - PhD postgraduate, Zhejiang University & Ant Security Light-Year Lab
    Gaoning Pan is a PhD student at Zhejiang University, China, under the supervision of Chunming Wu. He is a member of the AAA CTF Team. He also plays CTFs as a member of A*0*E. He is also a research intern in Ant Security Light-Year Lab. His research focuses on System Security, especially Virtualization Security. He has reported several vulnerabilities in Qemu and Virtualbox, which were confirmed and credited in multiple advisories.
  • Xingwei Lin - Security Engineer, Ant Security Light-Year Lab
    Xingwei Lin is a security researcher from Ant Security Light-Year Lab. His research areas include virtualization security, macOS and Windows system security, and fuzzing techniques. He has published papers at top academic conferences, including CCS. His research has been acknowledged by vendors including Apple, Qemu, Microsoft, and Oracle.
  • Xinlei Ying - Senior Security Engineer, Ant Security Light-Year Lab
    Xinlei Ying is a senior security engineer from Ant Security Light-Year Lab. His research focuses on virtualization security and office software security.
  • Jiashui Wang - Staff Security Engineer, Ant Security Light-Year Lab
    Jiashui Wang is the head and main founder of Ant Security Light-Year Lab. His major experience includes vulnerability hunting and mobile security. He has shared his research at conferences including Black Hat USA, Black Hat Asia, CanSecWest, HITCON, ZeroNights, and more. In the past, he found several serious vulnerabilities and received acknowledgements from Samsung, Google, Twitter and others. He has led the team to pwn several high-value targets in top competitions, including new phones, browsers, and IoT devices.
  • Chunming Wu - Professor, Zhejiang University
    Chunming Wu is a professor and doctoral supervisor of the College of Computer Science and Technology, Zhejiang University. His current research interests include Software-Defined Network (SDN), reconfigurable networks, data center networks, network virtualization, SDN and cloud security, proactive network defense, intelligent cloud networks, and the architecture of next-generation Internet. He has published more than 90 papers in a series of international journals, magazines as well as conferences, e.g., IEEE/ACM Transactions on Networking (ToN), IEEE Communications Magazine, Computer Networks, Journal of Network and Computer Applications, INFOCOM, Open Networking Summit (ONS), ICC, IET Electronics Letters, IET Proc. Communications, GLOBECOM, etc. In 2004, the Chinese Government honored him with the first prize National Scientific and Technological Progress Award. In 2014, owing to significant research achievements in reconfigurable networks, the Chinese Government honored him with the second prize National Scientific and Technological Progress Award.