Mobius Band: Explore Hyper-V Attack Interface through Vulnerabilities Internals

Presented at Black Hat USA 2021, Aug. 4, 2021, 2:30 p.m. (30 minutes).

In recent years, Microsoft regards the cloud as an important development direction in the future. Hyper-V is Microsoft Azure's virtualization solution and the cornerstone of Microsoft cloud virtualization. However, virtualization software like Hyper-V is not absolutely secure after all, and even a trivial vulnerability can cause immeasurable losses.

In this talk, I will explain 3 Hyper-V RCE vulnerabilities that I found and have been fixed so far. All of the vulnerabilities could allow an attacker to run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code. Two of these vulnerabilities affect the vmswitch component and vhdmp component in Windows Host Ring0 respectively, and the remaining one affects the vmwp component in Windows Host Ring3. I will also introduce the Hyper-V attack interface through the internal details of these vulnerabilities.

To understand these vulnerabilities, I will first introduce the differences between Hyper-V exploit and traditional Windows EOP exploit, then I will explain how the data in the Guest is transferred to the Hyper-V component in the Host and how to parse it. Here I categorize Hyper-V data transmission methods into two different data paths, namely the data distributed to the kernel mode and the data distributed to the user mode. The next is to introduce the internal details of several undisclosed Hyper-V RCE vulnerabilities where you will learn about the multiple attack interfaces of Hyper-V through these vulnerabilities.

Finally, I will share the takeaways from this research, and explain other potential attack interfaces related to Hyper-V.


Presenters:

  • Zhenhao Hong - Hyper-V Researcher, Ant Group Light-Year Security Lab
    Zhenhao Hong is a Hyper-V Researcher who won a $540,000 Hyper-V bug bounty in total. He has been working on virtualization security, Windows kernel and Hyper-V security research for many years. He was twice rewarded the highest MSRC bug bounties. He was also awarded the 2019 MSRC Most Valuable Security Researchers (Ranked 42) and the 2020 MSRC Most Valuable Security Researchers (Ranked 59).
  • Chuanjian Liao - Technical Director, IceSword Lab, Qihoo 360
    Liao is a Technical Director at 360 and leads the IceSwordLab whose primary focuses are operating system kernels, virtualization technology and computer security. 

Links:

Similar Presentations: