This post provides a short summary of my conference presentations at Microsoft's
BlueHat v18 (Redmond, USA) and at Black Hat Europe 2018 (London, UK) on VMware Workstation exploitation.
During the conferences I had the opportunity to present my research on modern exploitation of the VMware Workstation virtualization software for guest-to-host escape exploits. My study focuses on the virtual graphics device (also known as the SVGA device) of VMware Workstation, specifically the one found in version 14.1.3.
In my talk I gave a brief overview of the VMware architecture and the graphics
pipeline. The host userland process of VMware (named vmware-vmx.exe) is
responsible for the emulation of the virtual devices. This process spawns
a dedicated thread which receives the commands sent from the guest
operating system. After that, I discussed the SVGA3D protocol,
which is the communication protocol between the guest and the frontend interface
of the virtual graphics device, and I pointed out the two available ways in which
guest users can send SVGA3D commands to the SVGA device.
The second section of the presentations was about reusable techniques which
can be used by a malicious guest user for guest-to-host exploit development.
Specifically, I showed some parts of the pseudocode, produced by my
reverse engineering efforts, of the SVGA3D command handlers
associated with the shader objects. Furthermore, there was a discussion
of how the guest user can (ab)use the shaders in order to allocate multiple
controllable buffers into the heap of the host process and hence
affect its memory layout. This step is a prerequisite for any successful exploitation
attempt against a memory corruption vulnerability.
Additionally, I examined another object of the SVGA3D protocol: the surface.
Once again, by reversing vmware-vmx I discovered that surfaces are often
correlated with a specific data structure of the backend interface of
the SVGA device that is enabled on Windows operating systems. At that point, I
delved into the internals of VMware to explain the methodology of how to abuse
these data structures if you have a memory corruption vulnerability. By
abusing them, a guest user may leak information from the heap of the host process and
call corrupted function pointers in the host process context.
I concluded by demonstrating the escape exploit I developed for an
old and fixed vulnerability of VMware.
You may find the related presentation material below:
- Slides from the Microsoft Blue Hat v18 presentation (updated)
- Video of Microsoft Blue Hat v18 presentation
- Slides from the Black Hat Europe 2018 presentation
- White paper for the Black Hat Europe 2018 presentation (updated)
I would like to thank both the organizers and volunteers of Microsoft
and Black Hat for their help in facilitating these talks.