CSW2017 Qinghao Tang + Xinlei Ying: vmware_escape_final

Published on: CanSecWest2017

  1. Escape from VMware Workstation by using "Hearthstone"
  2. About Marvel Team: focus on virtualization security.
     2015.6 - 2016.6:
     •  fuzzed qemu and xen and reported 30+ vulnerabilities
     •  reported CVE-2016-3710, the first one that could be used to escape from a public cloud
     •  breakout from a docker container
     2016.7 - now:
     •  fuzzing VMware Workstation and Hyper-V
     •  pwned VMware Workstation at PwnFest 2016
  3. Agenda
     •  Basic information about VMware RPC
     •  RPC fuzzing framework
     •  Hearthstone
     •  Exploitation of Hearthstone
     •  Q&A
  4. Basic Information About VMware RPC
  5. Environment: VMware Workstation 12.5.1; virtual machine OS: Windows 10; host machine OS: Windows 10
  6. VMware Tools. Path: C:\Program Files\VMware\VMware Tools\rpctool.exe. Function: enhance the user experience. Modules: rpc, backdoor, vmci, hgfs. It is the important channel for communicating with the host machine. Reference: the open-vm-tools project.
  7. The RPC message channel is a big attack surface. (Diagram: in the guest, VMware Tools "rpc" builds the RPC request, a data wrapper issues the backdoor instruction, passing through the Windows kernel and the VMware kernel module as an I/O request package; on the host, vmware-vmx.exe executes the RPC command received over the channel.)
  8. Use the backdoor to transport RPC messages. Thanks: https://sites.google.com/site/chitchatvmback/backdoor
  9. Use the backdoor to send enhanced RPC messages
  10. Use RPC messages to allocate heap memory
  11. Use RPC messages to control the global variables. (Diagram: unity.window.contents.start (serializing data) -> allocate memory; unity.window.contents.start (serializing data) -> fill data in memory.)
  12. Use the RPC channel to allocate heap memory. Features:
     •  8 channels
     •  maximum size: 0x10000
     •  while processing the channel-receive RPC message, vmx.exe allocates the memory
     •  RPC message data can be filled into the channel several times; as long as the total length of the received RPC messages is less than the channel memory length, the RPC command is not processed; it is processed once the two lengths are equal.
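The channel rules on slide 12 (eight channels, a 0x10000 ceiling, memory allocated at channel-open time, a command released only once the received bytes equal the declared length) are easiest to reason about as a small host-side reference model. The following Python is an added example written for this page; it is not code from the talk, from open-vm-tools or from VMware, and the routine names `open`, `send`, `pending` and `parse_command`, the explicit length check in `send`, and the two-fragment exchange in `demo` are this example's own assumptions about how a correct receiver should behave.

```python
MAX_CHANNELS = 8             # stated on slide 12
MAX_CHANNEL_SIZE = 0x10000   # stated on slide 12


class ChannelError(Exception):
    """Raised for requests the channel table must refuse."""


class RpcChannelTable:
    """Host-side view of the per-channel receive buffers.

    Method names are this example's own; the talk does not name the
    host routines that implement this behaviour.
    """

    def __init__(self):
        # channel id -> [declared length, bytes received so far]
        self._channels = {}

    def open(self, channel_id, declared_len):
        # Validate the id and the guest-supplied length before allocating.
        # A receiver that trusted declared_len blindly would allocate
        # whatever the guest asked for (check is this example's assumption).
        if not 0 <= channel_id < MAX_CHANNELS:
            raise ChannelError(f"bad channel id {channel_id}")
        if not 0 < declared_len <= MAX_CHANNEL_SIZE:
            raise ChannelError(f"bad declared length {declared_len:#x}")
        if channel_id in self._channels:
            raise ChannelError(f"channel {channel_id} already open")
        # Slide 12: the memory is allocated while the channel-receive
        # message is processed, before any payload bytes arrive.
        self._channels[channel_id] = [declared_len, bytearray()]

    def send(self, channel_id, fragment):
        """Append one fragment of payload.

        Returns the complete command once the total received equals the
        declared length, and None while bytes are still outstanding.
        """
        if channel_id not in self._channels:
            raise ChannelError(f"channel {channel_id} not open")
        declared_len, buf = self._channels[channel_id]
        if len(buf) + len(fragment) > declared_len:
            # Refuse instead of writing past the allocation.
            raise ChannelError("fragment exceeds declared length")
        buf += fragment
        if len(buf) < declared_len:
            return None          # not processed until the lengths are equal
        del self._channels[channel_id]   # channel is consumed by the command
        return bytes(buf)

    def pending(self, channel_id):
        """Bytes still expected on an open channel."""
        declared_len, buf = self._channels[channel_id]
        return declared_len - len(buf)


def parse_command(command):
    """Split a completed RPC message into (command name, argument string)."""
    name, _, args = command.partition(b" ")
    return name.decode("ascii"), args.decode("ascii")


def demo():
    """Constructed exchange: the 16-byte command 'dnd.ready enable'
    (one of the commands listed on slide 16) delivered in two fragments."""
    table = RpcChannelTable()
    table.open(0, 16)
    first = table.send(0, b"dnd.ready ")   # 10 bytes in, 6 still pending
    remaining = table.pending(0)
    full = table.send(0, b"enable")        # lengths now equal -> released
    return first, remaining, parse_command(full)


if __name__ == "__main__":
    print(demo())
```

The point of the model is the state it makes explicit: the allocation size is fixed at open time by a guest-chosen value, and every later fragment is checked against that value rather than against the fragment's own length, which is where a receiver that skips the check in `send` would go wrong.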
  13. RPC Fuzzing Framework
  14. Fuzzing framework. (Diagram components: vmware-vmx.exe monitor, snapshot manager, server, vmware-rpc-afl-fuzz, case builder, config manager, virtual machine, vmrun.exe, win-afl, case tester, client.)
  15. Hearthstone
  16. Hearthstone #uaf. PoC command sequence: tools.capability.dnd_version 4; vmx.capability.dnd_version; tools.capability.dnd_version 2; vmx.capability.dnd_version; dnd.ready enable; c:1
  17. Hearthstone #oob: an out-of-bounds read past the copy/paste message's bound, and an out-of-bounds write past global_block's bound.
  18. Exploitation of Hearthstone
  19. (Diagram: Cmd Params data; the block which can leak; the heap used for the out-of-bound write.)
  20. Information leakage. (Diagram: five 0x10000 chunks, 1 (busy RPC), 2 (busy RPC), 3 (busy RPC), 4 (busy TRANSPORT), 5 (busy RPC). Chunk 4 is the transport chunk; the others are RPC chunks.)
  21. Information leakage. (Diagram: the same five chunks next to an LFH subsegment of 0x100 blocks, busy and free, interleaved with obj data and a 0x100 rpc req (busy); the blocks reachable out of bounds are marked OOB.)
  22. Information leakage. (Diagram: chunks 3 (busy RPC), 4 (busy TRANSPORT), 5 (busy RPC), each 0x100 RPC req followed by out-of-bound data; after FREE and malloc, chunk 4 becomes busy other.)
  23. Information leakage. (Diagram: chunks 1, 2, 3, 5 busy RPC and chunk 4 (busy other) holding some useful msg; after FREE, chunk 2 is free.)
  24. INDEX 0x37 information leakage. (Diagram: chunk 2 (busy transport), 4 (busy other) holding some useful msg, 5 (busy RPC), 1 (busy RPC), 3 (free); chunk 3 then becomes Cmd Params data.)
  25. Information leakage. (Diagram: chunk 3 (busy cmd args buffer); a 0x30 stream fills out memory, so chunk 2 (busy transport) is filled by 0x30 and chunk 3 (Cmd Params data buffer) is covered by the overflowed 0x30 stream.)
  26. (Diagram: chunk 4 (busy other) holding some useful msg; chunk 3 (busy cmd args buffer) covered by the overflowed 0x30 stream: key/value entries data1, data2, 00, data3, 00 00 00 00, ..., dataN, dataN+1, dataN+2, ..., followed by a run of 0x30 bytes.)
  27. (Diagram: same layout; READ data1 data2, SAVE data1 data2. RPC command: toolsAutoInstallGetParams.)
  28. (Diagram: READ data1 data2 0x30 data3; SAVE data1 data2 00 data3; data1 data2 30.)
  29. (Diagram: data1 data2 0x30 data3 0x30 0x30 ..., key/value entries dataN, dataN+1, dataN+2; data1 data2 0x00 data3 00 00 00 ...; GET 30 30 30.)
  30. Q&A
