#BHASIA BlackHatEvents

URB Excalibur: The New VMware All-Platform VM Escapes
Yuhao Jiang (danis_jiang), Xinlei Ying (0x140ce)

Who are we?
Security researchers at Ant Group Light-Year Security Lab
Escaped from virtual machines many times
Won the Pwnie Awards in 2023
Yuhao Jiang (danis_jiang)
Xinlei Ying (0x140ce)

Talk Roadmap
1. Introduction
2. A journey of finding vulnerabilities in VMware's hypervisor
3. Exploit development of VMware VM escape

Introduction

What is virtual machine escape, and why is it dangerous?
Escape from the isolation sphere
Take control over the whole hypervisor
Network escape
One of the most catastrophic threats to the Cloud

VMware's Architecture

VMware hypervisor's attack surface (virtual devices, with the public escapes found in each)
Hard Disk: LSI Logic, NVMe
Network Adapter: E1000/E1000e, VMXNET3
USB Controller:
  UHCI: Tianfu Cup 2021 Workstation (CVE-2021-22041), Tianfu Cup 2023 Workstation (CVE-2024-22253, CVE-22255)
  EHCI: GeekPwn 2022 Fusion (CVE-2022-31705)
  XHCI: Tianfu Cup 2021 ESXi (CVE-2021-22040), Tianfu Cup 2023 ESXi (CVE-2024-22252)
USB Device: HID (mouse); Bluetooth: Pwn2Own 2023 Workstation (CVE-2023-20869, CVE-2023-20870)
GPU: SVGA 2D, SVGA 3D
Sound Card: ES1371
TPM: vTPM
GuestRPC: Backdoor
VMM

Vulnerability Discovery
A journey of finding vulnerabilities in VMware's hypervisor

Starting vulnerability discovery in VMware
First encounter with VMware, a closed-source hypervisor
1. Focusing on an interesting and potentially risky attack surface
   Having studied QEMU EHCI vulnerabilities
   Interested in VMware's EHCI implementation
2. Reverse engineering
   Using string search as an entry point
   Understanding the EHCI specification and the QEMU code while reverse engineering VMware

EHCI/USB 2.0 Controller
VMwar