VM Escapes

Ring √(−1)

Agenda

HOST

HYPERVISOR

GUEST

HYPERVISORS

TYPE 1

(baremetal)

TYPE 2

(hosted)

ESXi

Hyper-V

KVM

VirtualBox

VMware Workstation

ARCHITECTURE

ISOLATION

PARTITIONS

1 root partition (for management)

ARCHITECTURE

ARCHITECTURE

VECTOR

😈

VECTOR

Graphic Interfaces

Ethernet Interfaces

USB Interfaces

HyperVisor Kernel

ESXi

USER WORLDS

USER WORLD API

VMM

VMkernel

RESOURCE SCHEDULING

I/O STACKS

DRIVERS

SSHD

VMX

ESXi

GUEST OS

ESXi

VMX

USER WORLD API

VMM

VMkernel

RESOURCE SCHEDULING

I/O STACKS

DRIVERS

VIRTUAL HARDWARE

GUEST OS

ESXi

VMX

USER WORLD API

VMM

VMkernel

RESOURCE SCHEDULING

I/O STACKS

DRIVERS

VIRTUAL HARDWARE

GUEST OS

😈

SHELL CODE

ESXi

VMX

USER WORLD API

VMM

VMkernel

RESOURCE SCHEDULING

I/O STACKS

DRIVERS

VIRTUAL HARDWARE

GUEST OS

😈

SHELL CODE

Exploit

Exploit

void __usercall VMXNET3_REG_CMD() {
	PhysMemPage page; //memory mapping
    ...
    case 4: // VMXNET3_CMD_UPDATE_MAC_FILTERS
    	DMA_MEM_CREATE(..., &page);
        VMXNET3_CMD_UPDATE_MAC_FILTERS(v6, &page, a5);
        PhysMemRelease(&page);
        
        break;
    ...
}

Exploit

void __fastcall DMA_MEM_CREATE(unsigned addr, uint64 size, ..., PhysMemPage *page) {
	//check the address
    if (addr > ... || size || size > ... - addr + 1)
    	return 0;
    PhyMemSetupPage(addr, size, a3, a4, page);
    return 1;
}

PhysMemPage

translate_size

page_offset

page_count

addr

pate_array

...

Exploit

void __usercall VMXNET3_REG_CMD() {
	PhysMemPage page; //memory mapping
    ...
    case 4: // VMXNET3_CMD_UPDATE_MAC_FILTERS
    	DMA_MEM_CREATE(..., &page);
        VMXNET3_CMD_UPDATE_MAC_FILTERS(v6, &page, a5);
        PhysMemRelease(&page);
        
        break;
    ...
}

Exploit

void PhysMemRelease(PhysMemPage *page) {
	if(page->page_count == 0)
    	free(page->page_array); //free the pointer on the stack
	else {
    	...
    }
}

Exploit

second part

vmware-rpctool 'info-get guestinfo.a'

second part

third part

third part

third part

third part

QUESTIONS

?

references

Made with Slides.com