Скачать или смотреть #HITB2024BKK

VMware Workstation/ESXi is one of the most popular commercial virtualization software on the market. Its complex virtualization system design and critical position in infrastructure have made it a top target for hackers over the long term. For security researchers, discovering virtualization escape vulnerabilities in the VMware hypervisor is as challenging as confronting a dragon in a role-playing game.

In this presentation, we will unveil a new attack surface: Device Virtualization in VMKernel. This is an unknown territory that has not been explored by security researchers to date. Furthermore, this attack perspective has not been considered in VMware’s defense system, and its existing sandbox mechanisms are theoretically incapable of defending against attacks initiated from VMKernel.

During the analysis of this attack surface and reverse engineering of the VMware Hypervisor, we discovered 8 vulnerabilities related to device virtualization, 3 of them have been assigned CVE number (some vulnerabilities have even been successfully exploited in Tianfu Cup), and the remaining 5 of our vulnerabilities have been officially confirmed by VMware.

About how we discover the attack surface of VMKernel and find 8 unknown vulnerabilities, we will progressively explain from three parts:

VMware Virtualization Details

We will delve into the loading process of vmm, the implementation of data sharing between vmm and vmx, and VMware’s UserRPC, which facilitates communication between the Hypervisor and the Host. These mechanisms are crucial in virtual device emulation.

USB Virtualization Bug Hunting

We will address security issues in various parts of the USB system, including the host controller, VUsb middleware, and VUsb backend devices, based on the vulnerabilities we have unearthed.

SCSI Virtualization Bug Hunting

We will primarily discuss the similarities and differences in SCSI-related device emulation in the virtual disk system between VMware Workstation and ESXi. Additionally, we will cover design flaws related to disk device emulation that we discovered in VMKernel.

===

JiaQing Huang is a security researcher at TianGong Team of Legendsec at QI-ANXIN Group. He is currently focused on IoT and Virtualization security, having submitted multiple security vulnerabilities to VMware. In 2023, he with his teammate successfully escaped the Parallels Desktop at GeekCon2023.

---

Yue Liu is a Security Researcher at QI-ANXIN Group, and the team leader of QI-ANXIN TianGong Team. He and his team has found lots of bugs in Windows/Android/ChromeOS/IoT Devices and cracked multiple targets in Tianfu Cup 2019/2020, GeekPwn 2020/2021/2022, GeekCon 2023. He is published his work in various conferences, including Usenix 2021, ACM CCS 2022, EuroS&P 2022, HITBSecConf2022, BlackHat Asia 2024.

---

Hao Zheng is a security researcher at TianGong Team of Legendsec at QI-ANXIN Group.His focus is on Virtualization Security, having submitted multiple security vulnerabilities to VMware. In 2023, he with his teammate successfully escaped the Parallels Desktop at GeekCon2023.

---

Zibo Li is a security researcher at TianGong Team of Qi-AnXin Group. He focused on binary and IoT security.