Dragon Slaying Guide: Bug Hunting In VMware Device Virtualization

Presented at DEF CON 32 (2024), Aug. 11, 2024, 11 a.m. (45 minutes).

In this presentation, we will unveil a new attack surface: Device Virtualization in VMKernel. This is unknown territory that has not been explored by security researchers to date. During the reverse engineering of the VMware Hypervisor, we discovered 8 vulnerabilities related to device virtualization; 3 of them have been assigned CVE numbers (some of these vulnerabilities have even been successfully exploited in Tianfu Cup), and the remaining 5 have been officially confirmed by VMware. First, we will delve into the loading process of vmm, the implementation of data sharing between vmm and vmx, and VMware's UserRPC, which facilitates communication between the Hypervisor and the Host. These mechanisms are crucial in virtual device emulation. Then we will explain security issues in various parts of the USB system, including the host controller, VUsb middleware, and VUsb backend devices, based on the vulnerabilities we have unearthed. Finally, we will discuss the similarities and differences in SCSI-related device emulation in the virtual disk system between VMware Workstation and ESXi. Additionally, we will cover design flaws related to disk device emulation that we discovered in VMKernel.

Presenters:

  • JiaQing Huang - Security Researcher, TianGong Team of Legendsec at QI-ANXIN Group
    JiaQing Huang is a security researcher at TianGong Team of Legendsec at QI-ANXIN Group. He is currently focused on IoT and Virtualization security, having submitted multiple security vulnerabilities to VMware. In 2023, he and his teammate successfully escaped Parallels Desktop at GeekCon 2023.
  • Hao Zheng - Security Researcher, TianGong Team of Legendsec at QI-ANXIN Group
    Hao Zheng is a security researcher at TianGong Team of Legendsec at QI-ANXIN Group. His focus is on Virtualization Security, having submitted multiple security vulnerabilities to VMware. In 2023, he and his teammate successfully escaped Parallels Desktop at GeekCon 2023.
  • Yue Liu - Security Researcher at QI-ANXIN Group
    Yue Liu is a Security Researcher at QI-ANXIN Group, and the team leader of QI-ANXIN TianGong Team. He and his team have found many bugs in Windows/Android/ChromeOS/IoT devices and cracked multiple targets in Tianfu Cup 2019/2020, GeekPwn 2020/2021/2022, and GeekCon 2023. He has published his work at various conferences, including Usenix 2021, ACM CCS 2022, EuroS&P 2022, HITBSecConf2022, and BlackHat Asia 2024.