CSW2017 Qinghao tang+Xinlei ying vmware_escape_final

Post on 21-Mar-2017

1.797 views 3 download

Preview:

Click to see full reader
Report this document
SHARE

Transcript of CSW2017 Qinghao tang+Xinlei ying vmware_escape_final

EscapefromVMwareWorksta2onbyusing"Hearthstone"

AboutMarvelTeam

Focus on virtualization security ,

2015.6-2016.6

•  fuzz qemu and xen and report 30+ vuls

•  Report cve-2016-3710, the first one can be used to

escape from public cloud

•  breakout from docker container

2016.7 – now

•  fuzz vmware workstation and hyper-v

•  Pwn the vmware workstation in pwnfest 2016

Agenda

•  BasicInforma2onAboutVmwareRpc

•  RpcFuzzingFramework

•  Hearthstone

•  Exploita2onofHearthstone

•  Q&A

BasicInforma2onAboutVmwareRpc

Environment

Vmwareworksta2on:12.5.1

VirtualmachineOS:windows10

HostmachineOS:windows10

Vmwaretools

Path:C:\ProgramFiles\VMware\VMwareTools\rpctool.exe

Func2on:Enhancetheuserexperience

Models:rpc,backdoor,vmci,hgfs

TheImportantchanneltocommunicatewithhostmachine.

Reference:open-vm-toolsproject

RpcmessagechannelisabigaWacksurface

Vmwaretools“rpc”

RPCrequestdatawrapper

Backdoorinstruc2on

….

Windowskernel

VMVmware-vmx.exe

ExecRpccommand

channel

I/ORequestPackage

VMwarekernelmodule

Usebackdoortransportrpcmessage

Thanks:hWps://sites.google.com/site/chitchatvmback/backdoor

Usebackdoortosendenhancedrpcmessage

Userpcmessagetoallocateheapmemory

Userpcmessagetocontroltheglobalvariables

unity.window.contents.start(serializingdata)allocatememory

unity.window.contents.start(serializingdata)filldatainmemory

Userpcchanneltoallocateheapmemory

Features:

•  8channels

•  maximumsize:0x10000

•  DuringprocessingoftheChannelreceiverpc

message,Vmx.exeallocatethememory.

•  Rpcmessagecanbefilledintothechannel

several2mes,whenthetotallengthofthe

rpcmessagesislessthanthechannel

memorylength,rpccommandwillnotbe

processedun2lthetwolengthsareequal.

RpcFuzzingFramework

Fuzzingframework

vmware-vmx.exe

monitor

Snapshotmanager

server

Vmware-rpc-afl-fuzz

Casebuilder

ConfigManager

Virtualmachine

vmrun.exe

win-afl

Casetester

client

Hearthstone

Hearthstone#uaf

Poc:

tools.capability.dnd_version4

vmx.capability.dnd_version

tools.capability.dnd_version2

vmx.capability.dnd_version

dnd.readyenablec:\1\

Hearthstone#oob

outofcopypastemessage`sboundreadoutofglobal_block`sboundwrite

Exploita2onofHearthstone

CmdParamsdata

Blockwhichcanleak

Heapforoutofboundwrite

Informa2onleakage

2(busyRPC)0x10000

3(busyRPC)0x10000

4(busyTRANSPORT)0x10000

5(busyRPC)0x10000

1(busyRPC)0x10000

Chunk4istransportchunkOthersareRPCchunks

Informa2onleakage

2(busyRPC)

3(busyRPC)

4(busyTRANSPORT)

5(busyRPC)

1(busyRPC)LFHsubsegment

b

0x100BLOCK(busy)

objdata(free)

0x100BLOCK(free)

objdata(busy)

0x100BLOCK(free)

0x100BLOCK(free)

0x100BLOCK(free)

0x100BLOCK(busy)

0x100rpcreq(busy)

objdata(free)

objdata(free)

0x100BLOCK(busy)

objdata(free)

OOB

OOB OOB OOBOOB

Informa2onleakage

3(busyRPC)

.........4(busyTRANSPROT)

5(busyRPC)

0x100RPCreq Outofbounddata

0x100RPCreq Outofbounddata

0x100RPCreq Outofbounddata

3(busyRPC)

.........4(busyother)

5(busyRPC)

0x100RPCreq Outofbounddata

0x100RPCreq Outofbounddata

0x100RPCreq Outofbounddata

FREEandmalloc

Informa2onleakage

2(busyRPC)

3(busyRPC)

4(busyother)havesomeusefulmsg

5(busyRPC)

1(busyRPC)

2(free)

4(busyother)havesomeusefulmsg

5(busyRPC)

1(busyRPC)

FREE

FREE

INDEX0x37

信息泄漏

2(busytransport)

4(busyother)havesomeusefulmsg

5(busyRPC)

1(busyRPC)

3(free)

2(busytransport)

4(busyother)havesomeusefulmsg

5(busyRPC)

1(busyRPC)

3(CmdParamsdata)

Informa2onleakage

2(busytransport)

4(busyother)havesomeusefulmsg

5(busyRPC)

1(busyRPC)

3(busycmdargsbuffer)

0x30streamfilloutmemory

2(busytransport)(filledby0x30)

4(busyother)havesomeusefulmsg

5(busyRPC)

1(busyRPC)

3(CmdParamsdatabuffer)(coveredbyoverflowed0x30stream)

Chunk4(busyother)

havesomeusefulmsg

Chunk3(busycmdargsbuffer)

(coveredbyoverflowed0x30stream)

data1data200data300000000…………

KeyvaluedataNdataN+1dataN+2…

0x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x30

……………………

0x300x300x300x300x300x300x30

data1data200data300000000…………

KeyvaluedataNdataN+1dataN+2…

0x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x30

……………………

0x300x300x300x300x300x300x30

0x300x300x30……..data1data2

READ

data1data2

SAVE

RpcCommand:toolsAutoInstallGetParams

data1data200data3000000…………

KeyvaluedataNdataN+1dataN+2…

0x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x30

……………………

0x300x300x300x300x300x300x30

0x30……..data1data20x30data3

READ

data1data200data3

SAVE

data1data2

30

data1data20x30data30x300x30…………

KeyvaluedataNdataN+1dataN+2…

0x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x300x30

……………………

0x300x300x300x300x300x300x30

data1data20x00data3000000…………

KeyvaluedataNdataN+1dataN+2

GET30 30 30

Q&A

Top related

Welcome [] to government... · Contributors. Cross Timbers Procurement Center. Henry Vinson. Counselor. Xinlei (Tracy) Qiu. Business . Development. Spelile Rivas. Business. Development.
 Documents
CSW2017 Scott kelly secureboot-csw2017-v1
 Internet
Xinlei Sun - Tomographic Inversion for Three-dimensional Anisotrophy of Earth's Inner Core
 Documents
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
 Internet
ESTRATEGIAS(GALÉNICAS(DE(LOS(SÍNDROMES(DE…147.96.70.122/Web/TFG/TFG/Poster/XINLEI QIU.pdf · ESTRATEGIAS(GALÉNICAS(DE(LOS(SÍNDROMES(DE(MALABSORCIÓN(ORAL(Autora:(XINLEIQIU (
 Documents
CSW2017 chuanda ding_state of windows application security
 Internet
Characteristics and Formation Mechanisms of Fine ...atmosphere Article Characteristics and Formation Mechanisms of Fine Particulate Nitrate in Typical Urban Areas in China Xinlei Ge
 Documents
CSW2017 Harri hursti csw17 final
 Internet
Laser-Based Mass Spectrometric Determination of ... · Laser-Based Mass Spectrometric Determination of Aggregation Numbers for Petroleum- and Coal-Derived Asphaltenes Qinghao Wu,†
 Documents
CSW2017 Privilege escalation on high-end servers due to implementation gaps in CPU Hot-Add flow
 Internet
Iterative Visual Reasoning Beyond Convolutions...Iterative Visual Reasoning Beyond Convolutions Xinlei Chen1 Li-Jia Li2 Li Fei-Fei2 Abhinav Gupta1 1Carnegie Mellon University 2Google
 Documents
Mind’s Eye: A Recurrent Visual Representation for …...Mind’s Eye: A Recurrent Visual Representation for Image Caption Generation Xinlei Chen1, C. Lawrence Zitnick2 1Carnegie
 Documents
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
 Internet
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cybersecurity
 Internet
xinlei-packaging-China Emulsion pumps
 Sales
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
 Internet
Cytochrome P450 enzymes affected by artemisinin …Cytochrome P450 enzymes affected by artemisinin antimalarials INTRODUCTION The artemisinin antimalarials Background The plant ´qinghao´
 Documents
Yang, Chenxi; Chen, Yang; Gong, Qingyuan; He, Xinlei; Xiao ... · review styles, and spatiotemporal patterns. In addition, we construct a classification model to accurately recognize
 Documents
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
 Internet
Drug Discoveries Therapeutics - ddtjournal.com TAN (Nanjing, China) Stephen G. WARD ... Benny K. H. TAN (Singapore, Singapore) ... Chinese scientists isolated artemisinin from Qinghao
 Documents

Copyright © 2022 FDOCUMENTS