CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
Escape from VMware Workstation by using "Hearthstone"
About Marvel Team
Focus on virtualization security
2015.6-2016.6
• Fuzz QEMU and Xen and report 30+ vulnerabilities
• Report CVE-2016-3710, the first one that can be used to escape from a public cloud
• Breakout from Docker container
2016.7 – now
• Fuzz VMware Workstation and Hyper-V
• Pwn the VMware Workstation in PwnFest 2016
Agenda
• Basic Information About VMware RPC
• RPC Fuzzing Framework
• Hearthstone
• Exploitation of Hearthstone
• Q&A
Basic Information About VMware RPC
Environment
VMware Workstation: 12.5.1
Virtual machine OS: Windows 10
Host machine OS: Windows 10
VMware Tools
Path: C:\Program Files\VMware\VMware Tools\rpctool.exe
Function: Enhance the user experience
Models: rpc, backdoor, vmci, hgfs
The important channel to communicate with the host machine.
Reference: open-vm-tools project
RPC message channel is a big attack surface
VMware Tools "rpc"
Diagram (guest-to-host RPC data path): RPC request data wrapper -> backdoor instruction -> Windows kernel / VMware kernel module (I/O request package) -> vmware-vmx.exe (channel, exec RPC command). The backdoor is used to transport the RPC message.
Thanks: https://sites.google.com/site/chitchatvmback/backdoor
Use backdoor to send enhanced RPC message
Use RPC message to allocate heap memory
Use RPC message to control the global variables
unity.window.contents.start (serializing data): allocate memory
unity.window.contents.start (serializing data): fill data in memory
Use RPC channel to allocate heap memory
Features:
• 8 channels
• Maximum size: 0x10000
• During processing of the channel-receive RPC message, vmx.exe allocates the memory.
• An RPC message can be filled into the channel several times; while the total length of the RPC messages is less than the channel memory length, the RPC command will not be processed until the two lengths are equal.
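As an added illustration (not code from the talk or from VMware), the channel rule above modelled in Python: a fixed pool of 8 channels, the 0x10000 size cap checked before the receive buffer is allocated, fragments accumulated until the received total equals the declared length, and the command dispatched only at that point. The class and method names, the error type and the dispatcher are assumptions.

```python
# Added model of the guest-RPC channel receive rule from the slide (not VMware or
# talk code): channel count, size limit and the "hold until received length equals
# channel length" rule are from the slide; names and the dispatcher are assumptions.
from typing import Callable, Dict, Optional

NUM_CHANNELS = 8            # slide: 8 channels
MAX_CHANNEL_SIZE = 0x10000  # slide: maximum size 0x10000


class RpcChannelError(ValueError):
    """Raised when a guest request violates the channel rules."""


class RpcChannelManager:
    def __init__(self, dispatch: Callable[[bytes], bytes]) -> None:
        self.dispatch = dispatch                  # handles one complete RPC command
        self.buffers: Dict[int, bytearray] = {}   # chan_id -> bytes received so far
        self.declared: Dict[int, int] = {}        # chan_id -> length given at open

    def open_channel(self, chan_id: int, length: int) -> None:
        # The receive buffer is allocated at open time, so bound the declared length first.
        if not 0 <= chan_id < NUM_CHANNELS:
            raise RpcChannelError(f"bad channel id {chan_id}")
        if chan_id in self.buffers:
            raise RpcChannelError(f"channel {chan_id} already open")
        if not 0 < length <= MAX_CHANNEL_SIZE:
            raise RpcChannelError(f"bad length {length:#x}")
        self.declared[chan_id] = length
        self.buffers[chan_id] = bytearray()

    def send(self, chan_id: int, fragment: bytes) -> Optional[bytes]:
        """Append a fragment; the command runs only once the total equals the length."""
        if chan_id not in self.buffers:
            raise RpcChannelError(f"channel {chan_id} not open")
        buf = self.buffers[chan_id]
        if len(buf) + len(fragment) > self.declared[chan_id]:
            raise RpcChannelError(f"channel {chan_id} overflow")  # never exceed the allocation
        buf.extend(fragment)
        if len(buf) < self.declared[chan_id]:
            return None                           # held: lengths not yet equal
        message = bytes(buf)
        self.close_channel(chan_id)
        return self.dispatch(message)

    def close_channel(self, chan_id: int) -> None:
        del self.buffers[chan_id]
        del self.declared[chan_id]


def echo_command_name(message: bytes) -> bytes:
    """Constructed dispatcher: return the RPC command name (text before the first space)."""
    return message.split(b" ", 1)[0]
```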
RPC Fuzzing Framework
Fuzzing framework
Diagram (components): vmware-vmx.exe, monitor, snapshot manager, server, Vmware-rpc-afl-fuzz, case builder, config manager, virtual machine, vmrun.exe, win-afl, case tester, client.
Hearthstone
Hearthstone #uaf
PoC:
tools.capability.dnd_version 4
vmx.capability.dnd_version
tools.capability.dnd_version 2
vmx.capability.dnd_version
dnd.ready enable c:\1\
Hearthstone #oob
Read out of the copy-paste message's bounds; write out of global_block's bounds
Exploitation of Hearthstone
Diagram: CmdParams data; block which can leak; heap for out-of-bound write.
Information leakage (heap layout diagram): chunks 1, 2, 3 and 5 (busy RPC) and chunk 4 (busy TRANSPORT), each 0x10000. Chunk 4 is the transport chunk; the others are RPC chunks.
Information leakage (LFH subsegment diagram): 0x100 BLOCK and objdata chunks, busy and free, with one 0x100 rpcreq (busy); OOB reads marked from the rpcreq across the neighbouring blocks.
Information leakage (diagram): 0x100 RPC req chunks beside out-of-bound data, between chunks 3 (busy RPC), 4 (busy TRANSPORT / busy other) and 5 (busy RPC); FREE and malloc.
Information leakage (diagram): chunk 4 (busy other) has some useful msg; chunk 2 is freed (FREE), INDEX 0x37.
Information leakage (diagram): chunk 2 (busy transport); chunk 3 freed, then reallocated as CmdParams data.
Information leakage (diagram): chunk 3 (busy cmd args buffer); a 0x30 stream fills out memory; chunk 2 (busy transport) is filled by 0x30; chunk 3 (CmdParams data buffer) is covered by the overflowed 0x30 stream.
Diagram: key/value data (data1 data2 00 data3 00 00 00 ...) followed by a run of 0x30 bytes; READ then SAVE.
RPC command: toolsAutoInstallGetParams
Diagram: READ returns data1 data2 0x30 data3 ...; SAVE stores data1 data2 00 data3; GET 30 30 30.
Q&A