VMware Escapology: How to Houdini The Hypervisor

Presented at DerbyCon 7.0 Legacy (2017), Sept. 22, 2017, 2 p.m. (50 minutes).

"Over the past year, attacks targeting VMware desktop hypervisors (Workstation, Fusion, etc.) have been on the rise. Virtual machines play a crucial role in modern computing. They are often used to isolate multiple customers with instances on the same physical server. Virtual machines are also used by researchers and security practitioners to isolate potentially harmful code for analysis and review. VMs also remain important tools for pentesters. Conversely, customer virtualization can lead to dead ends during a pentest. This limitation could lead to situations where enterprises fail to understand the true risk to their virtualized environments. This presentation provides pentesters the information and Metasploit modules to weaken or escape the isolation imposed by VMware hypervisors. Pwn2Own 2017 featured two full guest-to-host escapes, one of which also affects VMware ESXi. While a guest-to-host escape is the most eye-catching way to abuse a hypervisor, there are other, more subtle abuses as well. This presentation examines VMware guest-to-host communications, which occur through the self-titled Backdoor channel. We will also explore some of the functionalities exposed through the RPC Interface within Backdoor, such as the Drag-n-Drop (DnD) and CopyPaste mechanisms. We demonstrate how to take advantage of these mechanisms - without VMware Tools installed - to disclose sensitive information from the host. We'll also take a look at the Host-To-Guest file system and demonstrate how it can be exploited to execute code in the context of the host. Last, we will analyze a Use-After-Free vulnerability that affects DnD and we'll show the exploitation process used to achieve code execution on the host, from the guest."

AbdulAziz Hariri is a security researcher with Trend Micro's Zero Day Initiative (ZDI) program. In this role, Hariri analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the ZDI program, which is the world's largest vendor-agnostic bug bounty program. His focus includes root-cause analysis, fuzzing, and exploit development. Prior to joining ZDI, Hariri worked as an independent security researcher and as a threat analyst for Morgan Stanley's emergency response team. During his time as an independent researcher, Hariri was profiled by Wired magazine in their 2012 article, "Portrait of a Full-Time Bug Hunter."

Joshua Smith is a senior vulnerability researcher and "FuzzOps" manager with Trend Micro's Zero Day Initiative (ZDI) program. He analyzes and performs root-cause analysis on vulnerabilities submitted to the ZDI bug bounty program. His current focus, however, is managing the infrastructure and tool development used to maintain the program and enable increased internal vulnerability discoveries. Joshua was also an external developer for the Metasploit Framework. Prior to joining ZDI, Smith served in the U.S. Air Force in various roles, including as a nuclear Intercontinental Ballistic Missile (ICBM) Crew Commander and Instructor, but more relevantly as a penetration tester for the former 92d Information Warfare Aggressor Squadron. Post-military, he became a security engineer at the Johns Hopkins University Applied Physics Laboratory, where he began contributing to the Metasploit Framework. Smith performed research into weapons systems vulnerabilities as well as evasion and obfuscation techniques to add depth and realism to security device tests.

Presenters: AbdulAziz Hariri (@abdhariri) and Josh Smith (@kernelsmith)
