POSTED BY: Zisis Sialveras / 11.01.2019

Straight outta VMware (Microsoft BlueHat v18, Black Hat Europe 2018)

This post provides a short summary of my conference presentations at Microsoft's BlueHat v18 (Redmond, USA) and at Black Hat Europe 2018 (London, UK) on VMware workstation exploitation,

During the conferences I had the opportunity to present my research on modern exploitation of VMware Workstation virtualization software for guest-to-host escape exploits. My study is focused on the virtual graphics device (also known as SVGA device) of VMware Workstation; specifically, the one found in version 14.1.3.

In my talk I gave a brief overview of the VMware architecture and the graphics pipeline. The host userland process of VMware (named vmware-vmx.exe) is responsible for the emulation of the virtual devices. This process will spawn a dedicated thread which will receive commands that are sent from the guest operating system. After that, I discussed about the SVGA3D protocol, which is the communication protocol between the guest and the frontend interface of the virtual graphics device and I pointed out the two available ways that guest users can send SVGA3D commands to the SVGA device.

The second section of the presentations was about reusable techniques which can be used by a malicious guest user for guest-to-host exploit development. Specifically, I showed some parts of pseudocode, that was the result of my reverse engineering efforts, of the SVGA3D command handlers which were associated with the shaders objects. Furthermore, there was a discussion of how the guest user can (ab)use the shaders in order to allocate multiple controllable buffers into the heap of the host process and hence affect its memory layout. This step is a prerequisite for any successful exploitation attempt of a memory corruption vulnerability.

Additionally, I examined another object of the SVGA3D protocol; the surface. Once again, by reversing vmware-vmx I discovered that surfaces are often correlated with a specific data structure of the backend interface of the SVGA device that is enabled for Windows operating systems. At that point, I delved into the internals of VMware to explain the methodology of how to abuse these data structures if you have a memory corruption vulnerability. By abusing them, a guest user may leak information from the heap of the host process and call corrupted function pointers at the host process context.

I concluded by demonstrating the escape exploit I developed for an old and fixed vulnerability of VMware.

You may find the related presentation material below:
  • Slides from the Microsoft Blue Hat v18 presentation (updated)
  • Video of Microsoft Blue Hat v18 presentation
  • Slides from the Black Hat Europe 2018 presentation
  • White paper for the Black Hat Europe 2018 presentation (updated)

I would like to thank both the organizers and volunteers of Microsoft and Blackhat for their help in facilitating these talks.