当前位置:首页 > 报告详情

黑暗角落:一个失败的补丁如何让 VMware ESXi 虚拟机暴露长达两年之久.pdf

上传人: 竿*** 编号:981967 2025-11-29 55页 2.50MB

1、#BHUSA BlackHatEventsDark Corners:How a Failed Patch Dark Corners:How a Failed Patch Left VMware ESXi VM Escapes Left VMware ESXi VM Escapes Open for Two YearsOpen for Two YearsYuhao Jiang,0 x140ce,Ezrak1e#BHUSA BlackHatEvents Security researchers at Ant Group Light-Year Security Lab Escaped from vi

2、rtual machine many times Won the Pwnie Awardsin 2023Who are we?#BHUSA BlackHatEvents Introduction Escape VM First Escape ESXi Sandbox DemoTalk Roadmap#BHUSA BlackHatEventsIntroduction#BHUSA BlackHatEventsVMware announced a 0day which has occurred in the wild.We exploited VMware ESXi on Tianfu Cup 20

3、23.Lets share some interesting things behind that story.The Wake-Up Call#BHUSA BlackHatEvents Pretty same as VMware Workstation But the host OS is replaced as VMkernel Has sandboxESXi Architecture Overview#BHUSA BlackHatEventsEscape VM First#BHUSA BlackHatEventsAttack SurfaceVirtual DeviceHard DiskL

4、SI LogicPVSCSIPwn2Own 2025 Workstation(CVE-2025-41238)NVMENetwork AdapterE1000/E1000eVMXNET3Pwn2Own 2025 ESXi(CVE-2025-41236)USB ControllerUHCI(USB 1)Tianfu Cup 2021 Workstation(CVE-2021-22041),Tianfu Cup 2023 Workstation(CVE-2024-22253,CVE-22255)EHCI(USB 2)GeekPwn 2022 Fusion(CVE-2022-31705)XHCI(US

5、B 3)Tianfu Cup 2021 ESXi(CVE-2021-22040),Tianfu Cup 2023 ESXi(CVE-2024-22252)USB DeviceHID(mouse)BluetoothPwn2Own 2023 Workstation(CVE-2023-20869,CVE-2023-20870),Pwn2Own 2024 Workstation(CVE-2024-22267,CVE-2024-22269)GPUSVGA 2DSVGA 3DSound CardES1371TPMvTPMVMCIVMCIOccurred in the wild(CVE-2025-22224

6、),Pwn2Own 2025 ESXi(CVE-2025-41237)GuestRPCBackdoorHGFSPwn2Own 2024 Workstation(CVE-2024-22270),Occurred in the wild(CVE-2025-22226)VMM#BHUSA BlackHatEventsCVE-2021-22040(Found by Wei of Kunlun Lab on Tianfu Cup 2021).The“Ancient”VulnerabilityDiff the PatchWe diffed v16.2.1 with v16.2.0.Good,only 7

word格式文档无特别注明外均可编辑修改,预览文件经过压缩,下载原文更清晰!
三个皮匠报告文库所有资源均是客户上传分享,仅供网友学习交流,未经上传用户书面授权,请勿作商用。
根据报告的内容,全文主要内容概括如下: 1. **VMware ESXi漏洞**:研究人员发现VMware ESXi存在一个0day漏洞,该漏洞在野外存在两年,直到2023年底才被报告。 2. **CVE-2021-22040**:该漏洞是CVE-2021-22040,通过修改xHCI命令环处理函数,实现了使用后释放(UAF)攻击。 3. **漏洞利用**:研究人员通过构造UAF,利用hashmap和heap技巧,最终实现了对ESXi沙盒的逃逸。 4. **CVE-2025-22224**:另一个漏洞CVE-2025-22224允许直接从虚拟机内存中获取值以执行数据包大小验证。 5. **ESXi沙盒**:文章详细介绍了ESXi沙盒的工作原理,包括syscall沙盒和domain沙盒。 6. **CVE-2024-22254**:研究人员发现CBT驱动程序中的漏洞(CVE-2024-22254),通过OOB写入和heap技巧逃逸沙盒。 7. **总结**:文章强调了小驱动程序可能带来的安全风险,并展示了如何通过漏洞利用获得对系统的完全控制。
**ESXi漏洞揭秘** **虚拟机逃逸大揭秘** **沙箱逃逸技术解析**
客服
商务合作
小程序
服务号
折叠