CSW2017 Qinghao tang+Xinlei ying vmware_escape_final

Escape from VMware Workstation by using "Hearthstone"

Transcript of CSW2017 Qinghao tang+Xinlei ying vmware_escape_final

Page 1: CSW2017 Qinghao tang+Xinlei ying vmware_escape_final

Escape from VMware Workstation by using "Hearthstone"

Page 2

About Marvel Team

Focus on virtualization security

2015.6-2016.6

•  Fuzzed QEMU and Xen and reported 30+ vulnerabilities

•  Reported CVE-2016-3710, the first one that can be used to escape from a public cloud

•  Breakout from a Docker container

2016.7 – now

•  Fuzzing VMware Workstation and Hyper-V

•  Pwned VMware Workstation in PwnFest 2016

Page 3

Agenda

•  Basic Information About VMware RPC

•  RPC Fuzzing Framework

•  Hearthstone

•  Exploitation of Hearthstone

•  Q&A

Page 4

Basic Information About VMware RPC

Page 5

Environment

VMware Workstation: 12.5.1

Virtual machine OS: Windows 10

Host machine OS: Windows 10

Page 6

VMware Tools

Path: C:\Program Files\VMware\VMware Tools\rpctool.exe

Function: enhance the user experience

Models: rpc, backdoor, vmci, hgfs

The important channel to communicate with the host machine.

Reference: open-vm-tools project

Page 7

RPC message channel is a big attack surface

[Diagram: RPC message path. Guest side: VMware Tools "rpc" -> RPC request data wrapper -> backdoor instruction -> … -> Windows kernel (inside the VM). Host side: VMware kernel module -> I/O request package -> channel -> vmware-vmx.exe, which executes the RPC command.]

Page 8

Use backdoor to transport RPC message

Thanks: https://sites.google.com/site/chitchatvmback/backdoor

Page 9

Use backdoor to send enhanced RPC message

Page 10

Use RPC message to allocate heap memory

Page 11

Use RPC message to control the global variables

unity.window.contents.start (serializing data): allocate memory

unity.window.contents.start (serializing data): fill data in memory

Page 12

Use RPC channel to allocate heap memory

Features:

•  8 channels

•  maximum size: 0x10000

•  While processing the channel-receive RPC message, vmx.exe allocates the memory.

•  An RPC message can be filled into the channel several times; while the total length of the RPC messages is less than the channel memory length, the RPC command will not be processed until the two lengths are equal.

Page 13

RPC Fuzzing Framework

Page 14

Fuzzing framework

[Diagram: fuzzing framework components. Server side: vmware-rpc-afl-fuzz with case builder, config manager and snapshot manager, a monitor attached to vmware-vmx.exe, and vmrun.exe controlling the virtual machine. Client side (inside the virtual machine): case tester driven by win-afl.]

Page 15

Hearthstone

Page 16

Hearthstone #uaf

PoC:

tools.capability.dnd_version 4

vmx.capability.dnd_version

tools.capability.dnd_version 2

vmx.capability.dnd_version

dnd.ready enable c:\1\

Page 17

Hearthstone #oob

Out-of-bounds read of the copy-paste message; out-of-bounds write of global_block

Page 18

Exploitation of Hearthstone

Page 19

[Diagram: heap layout used for exploitation, with three labelled regions: CmdParams data; block which can leak; heap for out-of-bound write.]

Page 20

Information leakage

Channel chunks (each 0x10000 bytes):

2 (busy RPC) 0x10000

3 (busy RPC) 0x10000

4 (busy TRANSPORT) 0x10000

5 (busy RPC) 0x10000

1 (busy RPC) 0x10000

Chunk 4 is the transport chunk; the others are RPC chunks.

Page 21

Information leakage

[Diagram: channel chunks 2, 3, 5, 1 (busy RPC) and 4 (busy TRANSPORT) adjoin an LFH subsegment made up of 0x100 BLOCK, objdata and 0x100 rpcreq chunks in mixed busy/free state; the OOB access is marked across several of these blocks.]

Page 22

Information leakage

[Diagram: before and after "FREE and malloc". Before: chunks 3 (busy RPC), 4 (busy TRANSPORT), 5 (busy RPC) followed by three 0x100 RPC req chunks holding out-of-bound data. After: chunk 4 becomes (busy other); the three 0x100 RPC req chunks with out-of-bound data remain.]

Page 23

Information leakage

[Diagram: before and after FREE. Before: chunks 2 (busy RPC), 3 (busy RPC), 4 (busy other, has some useful msg), 5 (busy RPC), 1 (busy RPC). After: chunk 2 (free), 4 (busy other, has some useful msg), 5 (busy RPC), 1 (busy RPC).]

Page 24

INDEX 0x37

Information leakage

[Diagram: chunks 2 (busy transport), 4 (busy other, has some useful msg), 5 (busy RPC), 1 (busy RPC), 3 (free); then the same layout with chunk 3 reallocated as CmdParams data.]

Page 25

Information leakage

[Diagram: chunks 2 (busy transport), 4 (busy other, has some useful msg), 5 (busy RPC), 1 (busy RPC), 3 (busy cmd args buffer). A 0x30 stream fills out memory: chunk 2 (busy transport) is filled by 0x30 and chunk 3 (CmdParams data buffer) is covered by the overflowed 0x30 stream.]

Page 26

[Diagram: contents of chunk 4 (busy other, has some useful msg) and chunk 3 (busy cmd args buffer, covered by the overflowed 0x30 stream): "data1 data2 00 data3 00000000 …", "Key value dataN dataN+1 dataN+2 …", followed by long runs of 0x30 bytes.]

Page 27

[Diagram: the same chunk contents ("data1 data2 00 data3 …", "Key value dataN dataN+1 dataN+2 …", runs of 0x30), with memory now reading "0x30 0x30 0x30 …….. data1 data2"; READ returns "data1 data2", then SAVE.]

RPC command: toolsAutoInstallGetParams

Page 28

[Diagram: the same chunk contents ("data1 data2 00 data3 000000 …", "Key value dataN dataN+1 dataN+2 …", runs of 0x30), with memory now reading "0x30 …….. data1 data2 0x30 data3"; READ returns "data1 data2 00 data3", SAVE stores "data1 data2".]

Page 29

[Diagram: "data1 data2 0x30 data3 0x30 0x30 …" / "Key value dataN dataN+1 dataN+2 …" / runs of 0x30, compared with "data1 data2 0x00 data3 000000 …" / "Key value dataN dataN+1 dataN+2"; GET 30 30 30.]

Page 30

Page 31

Q&A