VMware Escapology: How to Houdini The Hypervisor

DerbyCon 7.0 - Legacy

Presented by: Joshua Smith, Jasiel Spelman
Date: Friday September 22, 2017
Time: 14:00 - 14:50
Location: Track 3 - Teach Me

Over the past year, attacks targeting VMware desktop hypervisors (Workstation, Fusion etc) have been on the rise. Virtual machines play a crucial role in modern computing. They are often used to isolate multiple customers with instances on the same physical server. Virtual machines are also used by researchers and security practitioners to isolate potentially harmful code for analysis and review. VMs also remain important tools for pentesters. Conversely, customer virtualization can lead to dead ends during a pentest. This limitation could lead to situations where enterprises fail to understand the true risk to their virtualized environments. This presentation provides pentesters the information and Metasploit modules to weaken or escape the isolation imposed by VMware hypervisors.

Pwn2Own 2017 featured two full guest-to-host escapes, one of which also affects VMware ESXi. While a guest-to-host escape is the most eye-catching way to abuse a hypervisor, there are other, more subtle abuses as well. This presentation examines VMware guest-to-host communications, which occur through the self-titled Backdoor channel. We will also explore some of the functionalities exposed through the RPC Interface within Backdoor such as the Drag-n-Drop (DnD) and CopyPaste mechanisms. We demonstrate how to take advantage of these mechanisms – without VMware tools installed – to disclose sensitive information from the host. We’ll also take a look at the Host-To-Guest file system and demonstrate how it can be exploited to execute code in the context of the host. Last, we will analyze a Use-After-Free vulnerability that affects DnD and we’ll show the exploitation process used to achieve code execution on the host, from the guest.

Jasiel Spelman

Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin. Jasiel Spelman - @WanderingGlitch

Joshua Smith

Joshua Smith is a senior vulnerability researcher and "FuzzOps" manager with Trend Micro’s Zero Day Initiative (ZDI) program. He analyzes and performs root-cause analysis on vulnerabilities submitted to the ZDI bug bounty program. However, his current focus is managing the infrastructure and tool development used to maintain the program and enable increased internal vulnerability discoveries. Joshua was also an external developer for the Metasploit Framework. Prior to joining ZDI, Smith served in the U.S. Air Force in various roles including as a nuclear Intercontinental Ballistic Missile (ICBM) Crew Commander and Instructor, but more relevantly as a penetration tester for the former 92d Information Warfare Aggressor Squadron. Post-military, he became a security engineer at the John Hopkins University Applied Physics Laboratory, where he began contributing to the Metasploit Framework. Smith performed research into weapons systems vulnerabilities as well as evasion and obfuscation techniques to add depth and realism to security device tests. Josh - @kernelsmith


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats