The Great Escapes of VMWare: A Retrospective Case Study of VMWare G2H Escape Vulnerabilities

Presented at Black Hat Europe 2017, Dec. 7, 2017, 2 p.m. (60 minutes)

Virtual machine escape is the process of breaking out of a virtual machine and interacting with the host operating system. VMware recently fixed several bugs in its products that allowed malicious code running in a guest to escape the sandbox. Some of these issues were exploited and reported during exploitation contests; others were reported individually by researchers. For obvious reasons, the details of these bugs have not been disclosed. This paper presents a case study of VMware VM escape vulnerabilities based on analysis of the patches VMware has released in the recent past. The advisories VMware has published over the last few months show that several attack surfaces are being targeted by security researchers. In summary, they are:

A) the RPC request handler,
B) the EMF handler, and
C) the VMware graphics (SVGA) implementation.

Starting with the RPC layer, several CVEs (CVE-2017-4901, CVE-2016-7461, among others) fix security issues there. This talk covers the end-to-end RPC implementation in VMware Workstation, from the VMware Backdoor interface in the guest OS to the different RPC command handlers in the host OS. We uncover some of the bugs fixed in the RPC layer by binary diffing VMware Workstation binaries, and showcase PoCs developed from different Workstation patches.

VMware's EMF file handler is one of the most popular attack surfaces for guest-to-host escape. VMSA-2016-0014 fixed several security issues in the EMF file handling mechanism. EMF is the spool file format Windows uses for printing, and an EMF file is composed of a sequence of EMR records. In VMware, the guest talks to the host printing proxy over its COM1 port. When a print request carrying an EMF file arrives from the guest, TPView.dll on the host renders the page, and it is TPView.dll that holds the code which parses every EMR record in the file. In our talk we dive deep into this attack surface and uncover some of the vulnerabilities recently fixed in this area by binary diffing VMware Workstation binaries.

VMSA-2017-0006 resolved several security vulnerabilities in the Workstation and Fusion graphics implementation that allowed guest-to-host escape. These vulnerabilities were mostly in VMware's SVGA implementation. In this section of the talk we cover the implementation of the VMware virtual GPU by reverse engineering the guest components (vmx_fb.dll, the VMware SVGA II display driver, and vmx_svga.sys, the VMware SVGA II miniport) as well as the host component (vmware-vmx.exe), where the virtualized GPU code lives. The virtual GPU exposes several memory ranges that the guest OS uses to communicate with the emulated device: a 2D frame buffer and a FIFO memory queue. The guest writes the commands it wants the GPU to process into the FIFO queue, and the way VMware handles and processes these commands is error prone. This talk uncovers some of these bugs in the SVGA command-processing code and works through the anatomy of the issues by bin-diffing VMware binaries.
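As an added illustration of the guest-side entry point the RPC section refers to (this is example code written for this page, not the speakers' PoC code and not VMware's implementation): the backdoor is an I/O-port interface reachable from ring 3 inside a guest. The magic value, port number and GETVERSION command are the ones documented publicly in open-vm-tools' backdoor_def.h; the SIGSEGV guard is this example's own addition so the probe returns cleanly on a machine that is not a VMware guest, where the IN instruction raises #GP. The "version" and "product type" field meanings follow the same header. The call is the first step of every guest RPC; the channel-open and message-passing sub-commands that follow it are not shown here.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <setjmp.h>
#include <signal.h>

/* Constants from the documented backdoor interface (open-vm-tools backdoor_def.h). */
#define BDOOR_MAGIC          0x564D5868u   /* "VMXh" in EAX selects the backdoor */
#define BDOOR_PORT           0x5658u       /* I/O port the VMM intercepts */
#define BDOOR_CMD_GETVERSION 10u           /* low 16 bits of ECX carry the command */

typedef struct { uint32_t eax, ebx, ecx, edx; } bdoor_regs_t;

/* Pure decoder: a GETVERSION reply proves a VMware VMM answered only if EBX
 * came back holding the magic. Returns 1 and fills version/product on success. */
int bdoor_decode_version(const bdoor_regs_t *r, uint32_t *version, uint32_t *product)
{
    if (r->ebx != BDOOR_MAGIC) return 0;
    if (version) *version = r->eax;   /* backdoor protocol version */
    if (product) *product = r->ecx;   /* VMX product type */
    return 1;
}

static sigjmp_buf bdoor_jmp;
static void bdoor_sigsegv(int sig) { (void)sig; siglongjmp(bdoor_jmp, 1); }

/* Issue one backdoor call from user mode. Outside VMware the IN faults
 * (#GP, delivered as SIGSEGV), which is caught so the caller gets 0 instead
 * of a crash. Returns 1 if the IN executed and r holds the reply registers. */
int bdoor_call(bdoor_regs_t *r)
{
#if defined(__x86_64__) || defined(__i386__)
    struct sigaction sa, old;
    int ok = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = bdoor_sigsegv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(bdoor_jmp, 1) == 0) {
        uint32_t eax = BDOOR_MAGIC, ebx = r->ebx, ecx = r->ecx, edx = BDOOR_PORT;
        __asm__ volatile ("inl %%dx, %%eax"
                          : "+a"(eax), "+b"(ebx), "+c"(ecx), "+d"(edx)
                          : : "memory");
        r->eax = eax; r->ebx = ebx; r->ecx = ecx; r->edx = edx;
        ok = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    return ok;
#else
    (void)r;
    return 0;   /* the backdoor is an x86 I/O-port interface */
#endif
}

int main(void)
{
    /* EBX is preloaded with ~magic, as open-vm-tools does, so a port that simply
     * ignores the access cannot leave the magic in EBX by accident. */
    bdoor_regs_t r = { 0, ~BDOOR_MAGIC, BDOOR_CMD_GETVERSION, 0 };
    uint32_t ver = 0, prod = 0;
    if (bdoor_call(&r) && bdoor_decode_version(&r, &ver, &prod))
        printf("VMware backdoor answered: version %u, product type %u\n", ver, prod);
    else
        puts("no VMware backdoor (not a VMware guest, or the port access faulted)");
    return 0;
}
```

Run it inside a VMware guest and on bare metal to see both outcomes; everything the guest later sends over RPC (the channel open and each message chunk) is built from the same register convention with a different command in ECX.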
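The EMF record structure that TPView.dll parses, as an added example written for this page (it is not TPView's code and makes no claim about which check any particular VMSA-2016-0014 bug lacked): every EMR record starts with a 4-byte type and a 4-byte total size, so a renderer walking guest-supplied spool data has to verify each size against the bytes that actually remain before touching the record body. The walker below does exactly those checks and refuses the stream otherwise. The sample stream is constructed here (EMR_HEADER with a zero-filled 88-byte body, EMR_SETBKCOLOR, EMR_EOF); a real parser would additionally validate the header's own fields such as nBytes and nRecords.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Every EMF record begins with this 8-byte header ([MS-EMF] 2.3). */
typedef struct {
    uint32_t iType;   /* record type: EMR_HEADER = 1, EMR_EOF = 14, ... */
    uint32_t nSize;   /* total record length in bytes, header included, multiple of 4 */
} emr_hdr_t;

enum { EMR_HEADER = 1, EMR_EOF = 14, EMR_SETBKCOLOR = 67 };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the record stream. Returns the number of records up to and including
 * EMR_EOF, or -1 on any structural violation. Each check is a trust boundary a
 * host-side renderer must enforce on spool data the guest controls. */
int emf_walk(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < sizeof(emr_hdr_t)) return -1;          /* truncated record header */
        uint32_t type = rd32(buf + off);
        uint32_t size = rd32(buf + off + 4);
        if (size < sizeof(emr_hdr_t) || (size & 3)) return -1; /* nSize too small or misaligned */
        if (size > len - off) return -1;                       /* record claims bytes past the end */
        if (count == 0 && type != EMR_HEADER) return -1;       /* stream must open with EMR_HEADER */
        count++;
        if (type == EMR_EOF) return count;                     /* nothing after EOF is parsed */
        off += size;
    }
    return -1;                                                 /* ran out of data before EMR_EOF */
}

/* Constructed sample: EMR_HEADER (88 bytes), EMR_SETBKCOLOR (12 bytes), EMR_EOF (20 bytes). */
size_t build_sample_emf(uint8_t *out, size_t cap)
{
    const size_t total = 88 + 12 + 20;
    if (cap < total) return 0;
    memset(out, 0, total);
    wr32(out + 0,   EMR_HEADER);     wr32(out + 4,   88);
    wr32(out + 88,  EMR_SETBKCOLOR); wr32(out + 92,  12); wr32(out + 96, 0x00FFFFFF); /* crColor */
    wr32(out + 100, EMR_EOF);        wr32(out + 104, 20); wr32(out + 116, 20);         /* nSizeLast */
    return total;
}

int main(void)
{
    uint8_t buf[256];
    size_t n = build_sample_emf(buf, sizeof buf);
    printf("well-formed stream: %d records\n", emf_walk(buf, n));
    wr32(buf + 92, 0x10000000);          /* a record claiming 256 MiB */
    printf("oversized nSize: %d\n", emf_walk(buf, n));
    return 0;
}
```

The three rejections (size below the header, size not a multiple of four, size beyond the remaining buffer) are the ones to look for when diffing a patched EMR handler: a fix usually appears as a new comparison against the record's nSize or against the remaining file length right before a field read or a copy.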
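The FIFO memory queue described in the SVGA section, modelled in C as an added example for this page (it is not vmware-vmx.exe's code and does not reproduce any specific VMSA-2017-0006 bug). The register slots (MIN, MAX, NEXT_CMD, STOP at the start of the FIFO range), the command ids and the SVGA_PIXMAP_SIZE formula follow VMware's public svga_reg.h; the host-side structure, the sanity bounds on cursor geometry and the 16M-dword cap are this example's own assumptions. The point it makes concrete is where the guest controls what the host reads: every register is guest-writable, so the host must validate them before using them as offsets, and a command such as SVGA_CMD_DEFINE_CURSOR carries its own length in guest-chosen fields, so the host must recompute and bound that length before consuming it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* FIFO register slots and command ids as named in VMware's public svga_reg.h. */
enum { SVGA_FIFO_MIN = 0, SVGA_FIFO_MAX = 1, SVGA_FIFO_NEXT_CMD = 2, SVGA_FIFO_STOP = 3 };
enum { SVGA_CMD_UPDATE = 1, SVGA_CMD_DEFINE_CURSOR = 19 };

typedef struct {
    uint32_t *mem;              /* FIFO memory range shared with the guest */
    size_t    bytes;            /* its size, known to the host independently of the guest */
    uint32_t  min, max;         /* validated copies of the guest-written MIN/MAX registers */
    uint32_t  updates, cursors; /* commands the handlers accepted */
} svga_fifo_t;

void svga_fifo_init(svga_fifo_t *f, uint32_t *mem, size_t bytes)
{
    memset(f, 0, sizeof *f);
    memset(mem, 0, bytes);
    f->mem = mem; f->bytes = bytes;
    mem[SVGA_FIFO_MIN] = 4 * sizeof(uint32_t);   /* commands start right after the registers */
    mem[SVGA_FIFO_MAX] = (uint32_t)bytes;
    mem[SVGA_FIFO_NEXT_CMD] = mem[SVGA_FIFO_STOP] = mem[SVGA_FIFO_MIN];
}

/* Guest side: append one dword at NEXT_CMD, wrapping from MAX back to MIN. */
void fifo_push(svga_fifo_t *f, uint32_t v)
{
    uint32_t next = f->mem[SVGA_FIFO_NEXT_CMD];
    f->mem[next / 4] = v;
    next += 4;
    if (next >= f->mem[SVGA_FIFO_MAX]) next = f->mem[SVGA_FIFO_MIN];
    f->mem[SVGA_FIFO_NEXT_CMD] = next;
}

/* Host side: snapshot and sanity-check the guest-written registers before using any offset. */
static int fifo_regs_valid(svga_fifo_t *f)
{
    uint32_t min = f->mem[SVGA_FIFO_MIN], max = f->mem[SVGA_FIFO_MAX];
    uint32_t next = f->mem[SVGA_FIFO_NEXT_CMD], stop = f->mem[SVGA_FIFO_STOP];
    if ((min | max | next | stop) & 3) return 0;
    if (min < 4 * sizeof(uint32_t) || max > f->bytes || min >= max) return 0;
    if (next < min || next >= max || stop < min || stop >= max) return 0;
    f->min = min; f->max = max;
    return 1;
}

/* Dwords queued between STOP (host-owned) and NEXT_CMD (guest-owned), with wraparound.
 * NEXT_CMD is re-read and re-validated every time because the guest can change it at will. */
static int fifo_pending(const svga_fifo_t *f, uint32_t *dwords)
{
    uint32_t next = f->mem[SVGA_FIFO_NEXT_CMD], stop = f->mem[SVGA_FIFO_STOP];
    if ((next & 3) || next < f->min || next >= f->max) return 0;
    *dwords = (next >= stop ? next - stop : (f->max - stop) + (next - f->min)) / 4;
    return 1;
}

static uint32_t fifo_read(svga_fifo_t *f)
{
    uint32_t stop = f->mem[SVGA_FIFO_STOP];
    uint32_t v = f->mem[stop / 4];
    stop += 4;
    if (stop >= f->max) stop = f->min;
    f->mem[SVGA_FIFO_STOP] = stop;
    return v;
}

/* SVGA_PIXMAP_SIZE (dwords per mask) computed so the arithmetic cannot wrap. The 65535
 * dimension limit and 16M-dword cap are assumptions of this example, not device constants. */
static int pixmap_dwords(uint32_t w, uint32_t h, uint32_t bpp, uint32_t *out)
{
    if (bpp == 0 || bpp > 32 || w > 0xFFFF || h > 0xFFFF) return 0;
    uint64_t total = (((uint64_t)w * bpp + 31) >> 5) * h;
    if (total > (1u << 24)) return 0;
    *out = (uint32_t)total;
    return 1;
}

/* Drain every complete command. Returns how many were handled, or -1 when the guest-supplied
 * registers or a command's claimed length cannot be trusted; the host must stop rather than
 * keep reading, because the next read would land outside the FIFO or run for a guest-chosen length. */
int svga_fifo_process(svga_fifo_t *f)
{
    if (!fifo_regs_valid(f)) return -1;
    uint32_t capacity = (f->max - f->min) / 4, avail, i;
    int handled = 0;
    for (;;) {
        if (!fifo_pending(f, &avail)) return -1;
        if (avail == 0) break;
        uint32_t stop0 = f->mem[SVGA_FIFO_STOP];    /* rewind point for an incomplete command */
        uint32_t id = fifo_read(f), need, got = 0;  /* operand dwords required / already read */
        if (id == SVGA_CMD_UPDATE) {
            need = 4;                                /* x, y, width, height */
        } else if (id == SVGA_CMD_DEFINE_CURSOR) {
            uint32_t hdr[7], and_sz, xor_sz;        /* id, hotX, hotY, width, height, andDepth, xorDepth */
            if (avail < 1 + 7) { f->mem[SVGA_FIFO_STOP] = stop0; break; }
            for (i = 0; i < 7; i++) hdr[i] = fifo_read(f);
            got = 7;
            if (!pixmap_dwords(hdr[3], hdr[4], hdr[5], &and_sz) ||
                !pixmap_dwords(hdr[3], hdr[4], hdr[6], &xor_sz)) return -1;
            need = 7 + and_sz + xor_sz;              /* AND mask scanlines, then XOR mask */
        } else {
            return -1;                               /* unknown id: its length cannot be inferred */
        }
        if (1 + need > capacity) return -1;          /* could never fit the ring: hostile or corrupt */
        if (avail < 1 + need) { f->mem[SVGA_FIFO_STOP] = stop0; break; }  /* guest still writing */
        for (i = got; i < need; i++) (void)fifo_read(f);   /* a real host would render these */
        if (id == SVGA_CMD_UPDATE) f->updates++; else f->cursors++;
        handled++;
    }
    return handled;
}
```

Two design points carry over to reading the real dispatcher in vmware-vmx.exe: the host works from validated copies of MIN and MAX rather than re-reading shared memory, since the guest can change the registers between the check and the use, and a command whose size is derived from its own fields is rejected when that size cannot fit the ring, instead of being treated as "not yet complete" and waited for indefinitely.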

Presenters:

  • Debasish Mandal - Security Researcher, McAfee
    Debasish Mandal is a security researcher currently working in the McAfee IPS Vulnerability Research Team. He has been working in the information security industry for the past 5 years. The first few years of his career were mostly focused on penetration testing of different web applications and networks. Over the last two years at Intel Security, his primary focus has shifted to vulnerability research, where he spends most of his time reverse engineering different vulnerabilities, exploits and attack techniques and writing detection logic for them. Besides research, he is passionate about security bug hunting (fuzzing), programming and technical blog writing. Some of his work can be found at http://www.debasish.in/ and https://securingtomorrow.mcafee.com/author/debasish-mandal/.
  • Yakun Zhang - Security Researcher, McAfee
    Yakun Zhang is a security researcher on McAfee's intrusion detection research team. He examines security vulnerabilities and intrusion protection systems. Zhang worked at Qihoo 360, Kaspersky Lab, and Trend Micro before joining McAfee.
