
Zisis Sialveras, Bugs of yore: A bug hunting journey on VMware's hypervisor (PDF)

Uploaded by: 张** | ID: 175528 | 2024-09-13 | 45 pages | 3.62MB

#BHUSA BlackHatEvents

Bugs of yore: A bug hunting journey on VMware's hypervisor
Zisis Sialveras, zisiscensus-, _zisis

WHOAMI
- Computer security researcher at CENSUS
- Finding and exploiting bugs professionally since 2013
- Reversed A LOT of VMware's code
- Gave a few talks about VMware exploitation in the past

HOW EVERYTHING STARTED
- Goal: Develop a guest-to-host escape exploit for VMware Workstation 12 (on a Windows host)
- Skills: Developed a fair number of exploits; experienced with low-level stuff
- Disadvantages: Basic knowledge of how virtual machines work

FIRST STEPS
- Map the attack surface
- It's early 2017, the VMware boom era has not yet started
- Useful resources: Cloudburst by Kostya Kortchinsky (first public attempt at SVGA exploitation); Out of the Truman Show: VM Escape in VMware Gracefully (RPCI guest-to-host escape exploits)
- Decided to go with SVGA

VMWARE ARCHITECTURE
(diagram slide)

SVGA SPECIFIC RESOURCES
- What is SVGA?
- Communication with the guest OS (SVGA FIFO)
- Useful resources: GPU Virtualization on VMware's Hosted I/O Architecture, Micah Dowty and Jeremy Sugerman; Mini operating systems for SVGA testing https:/ with them to understand how graphics work

SVGA THREAD
- VMX host process
- Polls for SVGA commands from the guest
- Communication with the guest using the SVGA FIFO (shared memory)

SVGA3D PROTOCOL
- Objects: MOB (Memory OBject), Surface, Context, Shader, Screentarget
- Operations: Define, Destroy, Bind, Readback, More

SVGA PROTOCOL EXAMPLE
(diagram slide)

THE FIRST BUG

BLIT CUBE

SMELLS LIKE UAF

ANALYSIS OF THE DEALLOCATION

ANALYSIS OF THE D

Zisis Sialveras is a computer security researcher who has been finding and exploiting vulnerabilities professionally since 2013. His research on VMware's hypervisor, titled "Bugs of yore", set out to develop a guest-to-host escape exploit for VMware Workstation 12. He pursued this goal by studying SVGA, the virtualized graphics protocol through which the VMware host and the virtual machine communicate for graphics. Sialveras first studied the SVGA protocol and its implementation in VMware, then found several vulnerabilities in SVGA that could be used for an escape. He triggered these vulnerabilities by writing a kernel driver, used them to leak information from the VMware host, and ultimately achieved arbitrary code execution. Along the way he faced challenges such as the complexity of VMware's code, the constant changes in the SVGA protocol, and the protection offered by ASLR (address space layout randomization); through continued study and practice he overcame them and found a way to exploit the VMware vulnerabilities. His research offers a valuable lesson: finding vulnerabilities in complex software can be hard, but persistence makes the work steadily more efficient, and identifying robust, reusable exploitation primitives pays off in the long run.