VM Escapes
Ring √(−1)
Agenda
HOST
HYPERVISOR
GUEST
HYPERVISORS
TYPE 1
(baremetal)
TYPE 2
(hosted)
ESXi
Hyper-V
KVM
VirtualBox
VMware Workstation
ARCHITECTURE
ISOLATION
PARTITIONS
1 root partition (for management)
ARCHITECTURE
ARCHITECTURE
VECTOR
😈
VECTOR
Graphic Interfaces
Ethernet Interfaces
USB Interfaces
HyperVisor Kernel
ESXi
USER WORLDS
USER WORLD API
VMM
VMkernel
RESOURCE SCHEDULING
I/O STACKS
DRIVERS
SSHD
VMX
ESXi
GUEST OS
ESXi
VMX
USER WORLD API
VMM
VMkernel
RESOURCE SCHEDULING
I/O STACKS
DRIVERS
VIRTUAL HARDWARE
GUEST OS
ESXi
VMX
USER WORLD API
VMM
VMkernel
RESOURCE SCHEDULING
I/O STACKS
DRIVERS
VIRTUAL HARDWARE
GUEST OS
😈
SHELL CODE
ESXi
VMX
USER WORLD API
VMM
VMkernel
RESOURCE SCHEDULING
I/O STACKS
DRIVERS
VIRTUAL HARDWARE
GUEST OS
😈
SHELL CODE
Exploit
Exploit
void __usercall VMXNET3_REG_CMD() {
PhysMemPage page; //memory mapping
...
case 4: // VMXNET3_CMD_UPDATE_MAC_FILTERS
DMA_MEM_CREATE(..., &page);
VMXNET3_CMD_UPDATE_MAC_FILTERS(v6, &page, a5);
PhysMemRelease(&page);
break;
...
}Exploit
void __fastcall DMA_MEM_CREATE(unsigned addr, uint64 size, ..., PhysMemPage *page) {
//check the address
if (addr > ... || size || size > ... - addr + 1)
return 0;
PhyMemSetupPage(addr, size, a3, a4, page);
return 1;
}PhysMemPage
translate_size
page_offset
page_count
addr
pate_array
...
Exploit
void __usercall VMXNET3_REG_CMD() {
PhysMemPage page; //memory mapping
...
case 4: // VMXNET3_CMD_UPDATE_MAC_FILTERS
DMA_MEM_CREATE(..., &page);
VMXNET3_CMD_UPDATE_MAC_FILTERS(v6, &page, a5);
PhysMemRelease(&page);
break;
...
}Exploit
void PhysMemRelease(PhysMemPage *page) {
if(page->page_count == 0)
free(page->page_array); //free the pointer on the stack
else {
...
}
}Exploit
second part
vmware-rpctool 'info-get guestinfo.a'
second part
third part
third part
third part
third part
QUESTIONS
?
references
Minimal
By apl3b
