Upload File

cloudburst - immunity inc · cloudburst combination of 3/4 bugs in the vmware emulated video device...

  • Home
  • Documents
  • CLOUDBURST - Immunity Inc · CLOUDBURST Combination of 3/4 bugs in the VMware emulated video device – Host memory leak into the Guest – Host arbitrary memory write from the Guest
51
05/26/10 1 CLOUDBURST A VMware Guest to Host Escape Story Kostya Kortchinsky Immunity, Inc.

Upload: others

Post on 19-Feb-2021

3 views

Category:

Documents


0 download

Report

TRANSCRIPT

  • 05/26/10 1

    CLOUDBURSTA VMware Guest to Host Escape Story

    Kostya KortchinskyImmunity, Inc.

    http://www.immunityinc.com/

  • 05/26/10 2

    DisclaimerDisclaimer

    ● All the vulnerabilities described in this talk are patched as of January 2009

  • 05/26/10 3

    Introduction

  • 05/26/10 4

    VMware ArchitectureVMware Architecture

    Devices are emulated on the Host

  • 05/26/10 5

    Why devices?Why devices?

    ● I don't have enough lowlevel system Mojo ☹● They are common to all VMware products● They “run” on the Host

    – vmwarevmx process● They can be accessed from the guest

    – Through Port I/O or memorymapped I/O● They are written in C/C++● They sometimes parse some complex data!

  • 05/26/10 6

    Devices on a VMDevices on a VM

    Windows XP SP3 (ESX)

    1.Video adapter2.Floppy controller3.IDE controller4.Keyboard controller5.Network Adapter6.COM/LPT controller7.SCSI controller(s)8.DMA controller9.USB controller (WKS)10.Audio adapter (WKS) 

  • 05/26/10 7

    CLOUDBURSTCLOUDBURST

    ● Combination of 3/4 bugs in the VMware emulated video device– Host memory leak into the Guest– Host arbitrary memory write from the Guest

    ● Relative● Absolute

    – And some additional DEP friendly goodness● Reliable Guest to Host escape on all VMware 

    products: Workstation, Fusion?, ESX Server

  • 05/26/10 8

    VMware SVGA II

  • 05/26/10 9

    VMware PublicationsVMware Publications

    ● GPU Virtualization on VMware’s Hosted I/O Architecture by Micah Dowty, Jeremy Sugerman– We were not aware of this paper during our research– Good insight on the technology

    ● Previous VMware security announcements have included device driver guest   host →vulnerabilities, as have Microsoft VirtualServer and Xen

    ● I am not a virtualization specialist

  • 05/26/10 10

    VMware SVGA IIVMware SVGA II

    ● VMware virtual GPU takes the form of an emulated PCI device– VMware SVGA II– No physical instance of the card exists

    ● A device driver is provided for common Guests– Windows ones support 3D acceleration

    ● A userlevel device emulation process is responsible for handling accesses to the PCI configuration and I/O space of the SVGA device

  • 05/26/10 11

    SVGA Device ArchitectureSVGA Device Architecture

    http://www.usenix.org/event/wiov08/tech/full_papers/dowty/dowty.pdf

    http://www.usenix.org/event/wiov08/tech/full_papers/dowty/dowty.pdf

  • 05/26/10 12

    The Virtual Graphic StacksThe Virtual Graphic Stacks

    http://www.usenix.org/event/wiov08/tech/full_papers/dowty/dowty.pdf

    http://www.usenix.org/event/wiov08/tech/full_papers/dowty/dowty.pdf

  • 05/26/10 13

    Memorymapped I/OMemorymapped I/O(from Wikipedia)(from Wikipedia)

    ● Memorymapped I/O (MMIO) and port I/O (also called portmapped I/O or PMIO) are two complementary methods of performing input/output between the CPU and peripheral devices in a computer– Each I/O device monitors the CPU's address bus and 

    responds to any CPU's access of deviceassigned address space

    – Portmapped I/O uses a special class of CPU instructions specifically for performing I/O

  • 05/26/10 14

    My Simplified VersionMy Simplified VersionHost

    vmware-vmx process memoryGuest

    Virtual Machine

    SVGA FIFO

    Frame Buffer

    Virtual Video Card

    ●I/O Ports●I/O Memory Mappings

    0x00000000

    0x7fffffff

    Virtual Video Card

  • 05/26/10 15

    VMware SVGA I/OVMware SVGA I/O

    Frame BufferSVGA FIFO

    I/O Ports

    Windows 2003 SP1 (WKS)

  • 05/26/10 16

    SVGA FIFO

  • 05/26/10 17

    SVGA FIFOSVGA FIFO

    ● The SVGA device processes commands asynchronously via a lockless FIFO queue– This queue (several MB) occupies the bulk of the 

    FIFO Memory region● During unaccelerated 2D rendering: FIFO 

    commands are used to mark changed regions in the frame buffer

    ● During 3D rendering: the FIFO acts as a transport layer for an architecture independent SVGA3D rendering protocol

  • 05/26/10 18

    2D FIFO Operations2D FIFO Operations

    ● They can be found in xf86videovmware● Sample 2D operations:

    – SVGA_CMD_UPDATE (1)● FIFO layout: X, Y, Width, Height

    – SVGA_CMD_RECT_FILL (2)● FIFO layout: Color, X, Y, Width, Height

    – SVGA_CMD_RECT_COPY (3)● FIFO layout: Source X, Source Y, Dest X, Dest Y, Width, 

    Height– ...

    http://cgit.freedesktop.org/xorg/driver/xf86-video-vmware/tree/src

  • 05/26/10 19

    SVGA FIFO 2D OperationsSVGA FIFO 2D Operations

    SVGA_CMD_INVALID_CMDSVGA_CMD_UPDATESVGA_CMD_RECT_FILLSVGA_CMD_RECT_COPYSVGA_CMD_DEFINE_BITMAPSVGA_CMD_DEFINE_BITMAP_SCANLINESVGA_CMD_DEFINE_PIXMAPSVGA_CMD_DEFINE_PIXMAP_SCANLINESVGA_CMD_RECT_BITMAP_FILLSVGA_CMD_RECT_PIXMAP_FILLSVGA_CMD_RECT_BITMAP_COPYSVGA_CMD_RECT_PIXMAP_COPYSVGA_CMD_FREE_OBJECTSVGA_CMD_RECT_ROP_FILLSVGA_CMD_RECT_ROP_COPYSVGA_CMD_RECT_ROP_BITMAP_FILLSVGA_CMD_RECT_ROP_PIXMAP_FILL

    SVGA_CMD_RECT_ROP_BITMAP_COPYSVGA_CMD_RECT_ROP_PIXMAP_COPYSVGA_CMD_DEFINE_CURSORSVGA_CMD_DISPLAY_CURSORSVGA_CMD_MOVE_CURSORSVGA_CMD_DEFINE_ALPHA_CURSORSVGA_CMD_DRAW_GLYPHSVGA_CMD_DRAW_GLYPH_CLIPPEDSVGA_CMD_UPDATE_VERBOSESVGA_CMD_SURFACE_FILLSVGA_CMD_SURFACE_COPYSVGA_CMD_SURFACE_ALPHA_BLENDSVGA_CMD_FRONT_ROP_FILLSVGA_CMD_FENCESVGA_CMD_VIDEO_PLAY_OBSOLETESVGA_CMD_VIDEO_END_OBSOLETESVGA_CMD_ESCAPE

  • 05/26/10 20

    SVGA_CMD_RECT_COPYSVGA_CMD_RECT_COPY

    ● Copies a rectangle in the Frame Buffer from a source X, Y to a destination X, Y

    Frame Buffer

    Src

    Dst

    00

    widthheight

  • 05/26/10 21

    SVGA_CMD_RECT_COPYSVGA_CMD_RECT_COPY

    ● Boundaries checks on the source location can be bypassed

    Frame Buffer

    Src

    Dst

    -a-b

  • 05/26/10 22

    SVGA_CMD_RECT_COPYSVGA_CMD_RECT_COPY

    ● Boundaries checks on the destination location can be bypassed (to a lower extent than source)

    Frame Buffer

    Src

    Dst

  • 05/26/10 23

    SVGA Arbitrary Read&WriteSVGA Arbitrary Read&Write

    ● Guest can read and write in the frame buffer● Frame buffer is mapped in the host memory● SVGA_CMD_RECT_COPY bugs mean:

    – One can copy host process memory into the frame buffer and read it

    ● Default unlimited arbitrary read– One can write data into the frame buffer and copy it 

    into the host process memory● Default limited arbitrary write

    – Only into the page preceding the frame buffer– Might be exploitable in some cases

    ● Depends on what is mapped before the frame buffer

  • 05/26/10 24

    SVGA_CMD_DRAW_GLYPHSVGA_CMD_DRAW_GLYPH

    ● Draws a glyph into the frame buffer● Requires svga.yesGlyphs=”TRUE”

    Virtual Screen

    xy

  • 05/26/10 25

    SVGA_CMD_DRAW_GLYPHSVGA_CMD_DRAW_GLYPH

    ● There is no check on the X, Y where the glyph is to be copied

    Virtual Screen

  • 05/26/10 26

    Arbitrary WriteNArbitrary WriteN

    ● Frame buffer is mapped in the host memory● SVGA_CMD_DRAW_GLYPH bug means:

    – One can write any data, anywhere in the host process memory

    ● Write address is relative to the base of the frame buffer– Pretty steady in ESX– Can be leaked with SVGA_CMD_RECT_COPY bug

    ● Nondefault arbitrary write– Fully exploitable

  • 05/26/10 27

    VMware & 3DVMware & 3D

    ● Experimental 3D support appeared in VMware Workstation 5.0 (April 2005)– Disabled by default– Option had to be added to the config file of the VM

    ● It became default with Wks 6.5 (and Fusion?)– “Accelerate 3D Graphics” checkbox under Display

    ● Code is reachable regardless of checkbox ● 3D operations are default and parsed under ESX 

    4.0 RC Hardfreeze

  • 05/26/10 28

    SVGA3DSVGA3D

    ● The SVGA3D protocol is a simplified and idealized adaptation of the Direct3D API

    ● It has a minimal number of distinct commands● It is not publicly documented (AFAIK)

    – xf86videovmware has definitions for some constants but no prototypes of functions

    ● It uses “contexts” like Direct3D– Stored on the Host– Hold render states, light data, etc.

    http://cgit.freedesktop.org/xorg/driver/xf86-video-vmware/tree/src

  • 05/26/10 29

    SVGA FIFO 3D OperationsSVGA FIFO 3D Operations

    SVGA_CMD_SURFACE_DEFINESVGA_CMD_SURFACE_DESTROYSVGA_CMD_SURFACE_COPYSVGA_CMD_SURFACE_DOWNLOADSVGA_CMD_SURFACE_UPLOADSVGA_CMD_INDEX_BUFFER_DEFINESVGA_CMD_INDEX_BUFFER_DESTROYSVGA_CMD_INDEX_BUFFER_UPLOADSVGA_CMD_VERTEX_BUFFER_DEFINESVGA_CMD_VERTEX_BUFFER_DESTROYSVGA_CMD_VERTEX_BUFFER_UPLOADSVGA_CMD_CONTEXT_DEFINESVGA_CMD_CONTEXT_DESTROYSVGA_CMD_SETTRANSFORMSVGA_CMD_SETZRANGESVGA_CMD_SETRENDERSTATESVGA_CMD_SETRENDERTARGET

    SVGA_CMD_SETTEXTURESTATESVGA_CMD_SETMATERIALSVGA_CMD_SETLIGHTDATASVGA_CMD_SETLIGHTENABLEDSVGA_CMD_SETVIEWPORTSVGA_CMD_SETCLIPPLANESVGA_CMD_CLEARSVGA_CMD_PRESENTSVGA_CMD_DRAWPRIMITIVESSVGA_CMD_DRAWINDEXEDPRIMITIVESSVGA_CMD_SHADER_DEFINESVGA_CMD_SHADER_DESTROYSVGA_CMD_SET_VERTEXSHADERSVGA_CMD_SET_PIXELSHADERSVGA_CMD_SET_SHADER_CONSTSVGA_CMD_DRAWPRIMITIVES2SVGA_CMD_DRAWINDEXEDPRIMITIVES2

  • 05/26/10 30

    3D Bugs3D Bugs

    ● Many SET commands are flawed● SETRENDERSTATE

    – The code: .text:0065EE25 .text:0065EE25 loc_65EE25: ; CODE XREF: SetRenderStateInContext+25j .text:0065EE25 mov edi, [ecx+eax*8] ; Offset @ InputData[i] .text:0065EE28 mov ebx, [ecx+eax*8+4] ; Data @ InputData[i+1] .text:0065EE2C add eax, 1 ; i++ .text:0065EE2F cmp eax, edx .text:0065EE31 mov [esi+edi*4+50h], ebx .text:0065EE35 jb short loc_65EE25

    – Write primitive relative to esi● It's the context address in the host memory● It can be leaked in the guest thanks to the COPY bug!

  • 05/26/10 31

    Relative to AbsoluteRelative to Absolute

    ● SETLIGHTENABLED– The code:

    .text:0065EF33 mov ecx, [ebp+arg_4] .text:0065EF36 mov eax, [ecx+4] .text:0065EF39 mov ecx, [ecx+8] .text:0065EF3C mov edx, eax .text:0065EF3E shl edx, 4 .text:0065EF41 sub edx, eax .text:0065EF43 mov eax, [ebp+arg_0] .text:0065EF46 mov eax, [eax+648h] .text:0065EF4C mov [eax+edx*8], ecx

    – By overwriting Context+648h with the relative write, we get an absolute write primitive

    – Also works with SETLIGHTDATA for 29*4 bytes

  • 05/26/10 32

    Moar BugzMoar Bugz

    ● Additional bugs in:– SETRENDERTARGET

    ● Signed bounds checking– SETCLIPPLANE

    ● No bounds checking– SETTRANSFORM

    ● No bounds checking

  • 05/26/10 33

    Exploitation

  • 05/26/10 34

    RequirementsRequirements

    ● We have to be able to read/write directly into the framebuffer and the FIFO– Direct3D has some APIs for that

    ● Everything is checked and sanitized on the Guest side– The solution is to write our own driver

    ● Sits on top of VMware video driver– It can be standalone though– Less coding to do this way

    ● Maps the framebuffer and FIFO for direct, unrestricted  access

    ● Requires Admin rights in the VM

  • 05/26/10 35

    Exploitation ProcessExploitation Process

    ● Step #1: leak the base address of the framebuffer in the Host– All further leaks are relative to this address

    ● Some methods:– Windows Vista: relative memory leak

    ● The page before the FB contains the address of the FB– Ubuntu: relative leak bruteforce

    ● Keep leaking until your find the ELF header– Windows XP/Vista: absolute memory write

    ● Then scan the FB for the data written● The FB is big enough to not trigger an access violation

  • 05/26/10 36

    Exploitation ProcessExploitation Process

    ● Step #2: fingerprint VMware version– We leak the PE/ELF header for that

    ● They tend to be always at the same address● Step #3 to #n: exploit 

    – Leak/Overwrite/Trigger/Leak/Overwrite/Trigger – Done!

  • 05/26/10 37

    Leak ExampleLeak Example

    We leak somedata on thefirst line of theframebuffer(more visual)

  • 05/26/10 38

    Dealing with DEPDealing with DEP

    ● When dealing with XP/Vista DEP AlwaysOn, or ESX 4.0 as a Host, we have to care about NX

    ● vmwarevmx provides VirtualProtect wrappers– One for RE, one for RW– They take their parameters in the .data section!

    ● Easily abusable with the absolute write primitive– Also available for mprotect under Linux/ESX

  • 05/26/10 39

    Vista 12 Steps Example: 1 to 6Vista 12 Steps Example: 1 to 6

    1) Leak the Frame Buffer Base address in the Host2) Leak the PE Header of the vmwarevmx.exe binary3) Based on the Timestamp in the PE Header, set the correct 

    addresses needed4) Leak the 1st pointer of the theSVGAUser structure5) Leak the memory pointed by the leaked pointer to retrieve 

    the address of the Context6) Overwrite the VirtualProtect parameters so that the 

    address is the one of the PE header and the size is 1000h. Overwrite as well the function pointer for the ESCAPE command with the address of the RW VirtualAlloc wrapper

  • 05/26/10 40

    Vista 12 Steps Example: 7 to 12Vista 12 Steps Example: 7 to 12

    1) Trigger the ESCAPE command: the PE Header is now RW2) Write the shellcode into the PE Header3) Same as 6), except that we overwrite the ESCAPE function 

    pointer with the RE VirtualAlloc wrapper4) Trigger the ESCAPE command: the PE Header (and our 

    shellcode) is now RE5) Overwrite the ESCAPE function pointer with a pointer to 

    our shellcode.6) Trigger the ESCAPE command

  • 05/26/10 41

    MOSDEF Over Direct3D(or how to tunnel a shell over BMP images because a regular connect 

    back shell is too boring)

  • 05/26/10 42

    MOSDEFMOSDEF

    ● MOSDEF (mosedef) is short for “Most Definately”

    ● MOSDEF is a retargetable, position independent code, C compiler that supports dynamic remote code linking written in pure Python

    ● In short, after you've overflowed a process you can compile programs to run inside that process and report back to you

  • 05/26/10 43

    Post ExploitationPost Exploitation

    ● Ensure Host  Guest communication post exploitation, while not relying on extra features such as:– Network: Host can be unreachable from Guest– VMCI: not enabled by default– VMRPC: can be disabled

    ● Idea: tunnel the shell over the framebuffer– And in Ring3 to add some excitement

  • 05/26/10 44

    Guest Side: Direct3D APIGuest Side: Direct3D API

    ● Create and manipulate objects (surfaces) in the video card memory, off screen– CreateOffscreenPlainSurface

    ● Format being D3DFMT_A8R8G8B8 (32 bits per pixel)– D3DXLoadSurfaceFromMemory– D3DXSaveSurfaceToFileInMemory

    ● No “raw” format, use D3DXIFF_BMP● We parse the BMP to recover our data

  • 05/26/10 45

    Host SideHost Side

    ● Bind a MOSDEF listener on localhost● Scan the video card memory for a “signature”

    – Extract and parse the data– Send it to the locally bound MOSDEF– Receive the result– Write it back to the framebuffer

    ● MOSDEF acting sequentially, we should not have any concurrent access issue– We implement a lousy “semaphore” to be sure

  • 05/26/10 46

    NSA's NetTop ...NSA's NetTop ...

  • 05/26/10 47

    … … revisitedrevisited

    “Virtual Wooden Bridge”over the

    “Virtual Air Gap”

  • 05/26/10 48

    Conclusion

  • 05/26/10 49

    VMs, Security and YouVMs, Security and You

  • 05/26/10 50

    Virtualization & Security LessonsVirtualization & Security Lessons

    ● VMware isn't an additional security layer– It's just another layer to find bugs in

    ● Given the correct bug primitives (memory leak, memory write), everything can be defeated– ASLR, NX

    ● Trying to patch silently in 2009 is ridiculous● If a feature is not needed for a branch, the code 

    shouldn't be included in it– Why would ESX ever need 3D support ...

  • 05/26/10 51

    ““The Next Wave”The Next Wave”Vol 17 No 3  2008Vol 17 No 3  2008

    “Using seven analysts over a ten week period and with some limited input from VMware developers, we explored the ability of the core NetTop technologies – VMware running on a Linux host – to maintain isolation [...].

    The results of this first study were encouraging – no apparent showstopping flaws were identified.”

    Slide 1Slide 2Slide 3Slide 4Slide 5Slide 6Slide 7Slide 8Slide 9Slide 10Slide 11Slide 12Slide 13Slide 14Slide 15Slide 16Slide 17Slide 18Slide 19Slide 20Slide 21Slide 22Slide 23Slide 24Slide 25Slide 26Slide 27Slide 28Slide 29Slide 30Slide 31Slide 32Slide 33Slide 34Slide 35Slide 36Slide 37Slide 38Slide 39Slide 40Slide 41Slide 42Slide 43Slide 44Slide 45Slide 46Slide 47Slide 48Slide 49Slide 50Slide 51


Lanthanide-Mediated Supramolecular Cages and Host Guest ... · host guest interactions within lanthanide-mediated supramole-cular assemblies. The consequences of this minor structural

Special Guest Host That KONY Guy

Virtualization Host Configuration and Guest Installation Guide

Photoactive Anthraquinone-Based Host-Guest Assembly for

Cloudburst 2008

cell imaging Host–guest interaction enhanced aggregation ... · Host–guest interaction enhanced aggregation-induced emission and its application in cell imaging Jiong Zhou, Bin

Synthesis, Structure, and Host-Guest Investigations … Structure, and Host-Guest Investigations on Self-Assembled Nonwater-Soluble and Water-Soluble Multiple Bridged Platinacyclophanes

Cyclic voltammetry study of the host-guest …10.1038...Performance summary of selected high-performance host-guest LECs Host Guest Electrolyte l CIE (x, y) Bipolar doping Trap symmetry

Combined Printing and Creation of A “Host Guest Functional

GUEST-HOST ENCOUNTERS IN DIASPORA-HERITAGE TOURISM: …

Host−guest complexation-mediated codelivery of …Host−guest complexation-mediated codelivery of anticancer drug and photosensitizer for cancer photochemotherapy Guocan Yua,1,

Halogen bonding and host guest chemistry between N ... · Halogen bonding and host–guest chemistry between N-alkylammonium resorcinarene halides, diiodoperfluorobutane and neutral

A DFT Investigation of The Host-Guest Interactions Between

Selenacalix[3]triazines: Synthesis and Host Guest Chemistry · S1 Electronic Supplementary Information Selenacalix[3]triazines: Synthesis and Host‒Guest Chemistry Joice Thomas,a

07b - IBM Cloudburst

Host-guest Interaction at Molecular Interfaces: Binding of ...summit.sfu.ca/system/files/iritems1/17450/2017_jpcchost...1 Host-guest Interaction at Molecular Interfaces: Binding of

IBM CloudBurst 2 CloudBurst Delivers from the Factory

Guest-Host-Communication Interface (GHCI) for Intel® Trust

Chapter Three: Guest/Host Relationships using Chiral ...thesis.library.caltech.edu/2412/4/RHA03_Chiral_SDA.pdf75 Chapter Three: Guest/Host Relationships using Chiral Imidazolium Structure

Host Guest Chemistry in Supramolecular …Key words: Host–Guest Chemistry, Supramolecular Theranostics 1. Introduction Different from traditional molecular chemistry on the basis

Dendritic macromolecules : host-guest chemistry and self ... · Host– Guest Chemistry of Dendritic Molecules Abstract: In this chapter the contribution of dendritic macromolecules

Host–guest supramolecular interactions between a

Supramolecular chiral host–guest nanoarchitecture …iramis.cea.fr/Pisp/fabien.silly/ERCmagnetals/Publi/PDF/65...Letter Supramolecular chiral host–guest nanoarchitecture induced

CLOUDBURST - Immunity Inc 1 CLOUDBURST A VMware Guest to Host Escape Story Kostya Kortchinsky Immunity, Inc

HOST-GUEST MOLECULAR INTERACTIONS: FROM CHEMISTRY TO … · Symposium on Host-Guest Molecular Interactions: from Chemistry to Editors: Derek J. Chadwick (Organizer) and Kate Widdows

Membuat Jaringan Guest Host

Menghubungkan Internet Host ke Guest dan Instalasi aplikasi...Menghubungkan Internet Host ke Guest dan Instalasi aplikasi Cara menghubungkan Internet dari computer host ke computer

Guest-Host Interactions in Symmetrical Carboxy Heptamethine … · 2021. 1. 27. · Research Article Guest-Host Interactions in Symmetrical Carboxy Heptamethine Cyanine Dyes-Titanium

Supporting Information Dynamic Host-Guest Interaction ... · Supporting Information Dynamic Host-Guest Interaction Enables Autonomous Single Molecule Blinking and Super-Resolution

Cloudburst: Hacking 3D (and Breaking Out of VMware) … 1 CLOUDBURST A VMware Guest to Host Escape Story Kostya Kortchinsky Immunity, Inc. BlackHat USA 2009, Las Vegas

Host-Guest Accelerated Photodimerisation of Anthracene ...Host-Guest Accelerated Photodimerisation of Anthracene-labeled Macromolecules in Water Frank Biedermann, Ian Ross, and Oren

Host-Guest Complexation Studied by Fluorescence ......systems by standard fluorescence spectroscopy is still challenging. Figure 1. Fluorescent labelling of a host-guest complex (a)

The strength of the - unipd.it lezione... · The strength of the interaction Host Guest Supramolecule (host-guest complex) • When is the host capable to ... C‐O bond 81 kcal/mol

Host-Guest S elf-assembly in Block Copolymer Blends

Sports tuesday with host steve manderson & guest, joshua lobdell