csw2017 qinghao tang+xinlei ying vmware_escape_final
TRANSCRIPT
Page 1: Escape from VMware Workstation by using "Hearthstone"
Page 2: About Marvel Team
Focus on virtualization security.
2015.6 - 2016.6
• Fuzzed QEMU and Xen and reported 30+ vulnerabilities
• Reported CVE-2016-3710, the first one that could be used to escape from a public cloud
• Breakout from a Docker container
2016.7 - now
• Fuzz VMware Workstation and Hyper-V
• Pwned VMware Workstation at PwnFest 2016
Page 3: Agenda
• Basic Information About VMware RPC
• RPC Fuzzing Framework
• Hearthstone
• Exploitation of Hearthstone
• Q&A
Page 4: Basic Information About VMware RPC
Page 5: Environment
VMware Workstation: 12.5.1
Virtual machine OS: Windows 10
Host machine OS: Windows 10
Page 6: VMware Tools
Path: C:\Program Files\VMware\VMware Tools\rpctool.exe
Function: Enhance the user experience
Models: rpc, backdoor, vmci, hgfs
The important channel to communicate with the host machine.
Reference: open-vm-tools project
Page 7: The RPC message channel is a big attack surface
Diagram labels: VMware Tools "rpc", RPC request data wrapper, backdoor instruction, ...., Windows kernel, VM; vmware-vmx.exe, exec RPC command, channel, I/O Request Package, VMware kernel module.
Page 8: Use the backdoor to transport an RPC message
Thanks: https://sites.google.com/site/chitchatvmback/backdoor
Page 9: Use the backdoor to send an enhanced RPC message
Page 10: Use an RPC message to allocate heap memory
Page 11: Use an RPC message to control the global variables
unity.window.contents.start (serializing data): allocate memory
unity.window.contents.start (serializing data): fill data in memory
Page 12: Use the RPC channel to allocate heap memory
Features:
• 8 channels
• Maximum size: 0x10000
• While processing the channel-receive RPC message, vmx.exe allocates the memory.
• An RPC message can be filled into the channel in several pieces; while the total length of the RPC messages is less than the channel memory length, the RPC command will not be processed until the two lengths are equal.
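A toy model of the receive-channel semantics the slide describes, added here as an example; it is not code from the slides or from VMware. Channel and method names, the table structure and the reject-on-overlength behaviour are assumptions made for illustration; the eight-channel limit, the 0x10000 maximum and the "dispatch only when the fragment total equals the declared length" rule come from the slide.

```python
# Added example: a model of the channel accumulation semantics described above.
# Names and the exact reject behaviour are assumptions, not VMware's code.
MAX_CHANNELS = 8          # from the slide: 8 channels
MAX_CHANNEL_SIZE = 0x10000  # from the slide: maximum size 0x10000


class ChannelError(Exception):
    pass


class RpcChannelTable:
    def __init__(self):
        self.channels = {}   # channel id -> {"size": declared length, "buf": bytes so far}
        self.processed = []  # completed messages as (channel id, message bytes)

    def open(self, chan_id, declared_size):
        # Validate the declared length before allocating the channel buffer;
        # the allocation happens during the receive-channel handling.
        if len(self.channels) >= MAX_CHANNELS:
            raise ChannelError("no free channel")
        if chan_id in self.channels:
            raise ChannelError("channel already open")
        if declared_size <= 0 or declared_size > MAX_CHANNEL_SIZE:
            raise ChannelError("declared size out of range")
        self.channels[chan_id] = {"size": declared_size, "buf": bytearray()}

    def send(self, chan_id, fragment):
        ch = self.channels.get(chan_id)
        if ch is None:
            raise ChannelError("channel not open")
        # Fragments may arrive in several pieces. A guest-controlled total that
        # exceeds the length declared at open time is rejected rather than
        # silently growing the buffer.
        if len(ch["buf"]) + len(fragment) > ch["size"]:
            raise ChannelError("fragment exceeds declared length")
        ch["buf"] += fragment
        if len(ch["buf"]) == ch["size"]:
            # Only when the two lengths are equal is the command dispatched.
            self.processed.append((chan_id, bytes(ch["buf"])))
            del self.channels[chan_id]
            return True
        return False  # still waiting for the rest of the message


def demo():
    """Constructed walkthrough: one message sent in two fragments, then an
    over-length fragment on a second channel."""
    table = RpcChannelTable()
    msg = b"tools.capability.dnd_version 4"  # RPC command text taken from slide 16
    table.open(1, len(msg))
    first = table.send(1, msg[:10])    # incomplete: not processed yet
    second = table.send(1, msg[10:])   # total equals declared length: processed
    table.open(2, 4)
    try:
        table.send(2, b"toolong")      # 7 bytes into a 4-byte channel
        overlong_rejected = False
    except ChannelError:
        overlong_rejected = True
    return first, second, table.processed, overlong_rejected


if __name__ == "__main__":
    print(demo())
```

The model makes the accumulation rule explicit: nothing is dispatched until the buffered length reaches the declared one, which is why a message can be staged in the channel memory across several sends before the host ever looks at it.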
Page 13: RPC Fuzzing Framework
Page 14: Fuzzing framework
Diagram labels: vmware-vmx.exe, monitor, snapshot manager, server, vmware-rpc-afl-fuzz, case builder, config manager, virtual machine, vmrun.exe, win-afl, case tester, client.
Page 15: Hearthstone
Page 16: Hearthstone #UAF
PoC:
tools.capability.dnd_version 4
vmx.capability.dnd_version
tools.capability.dnd_version 2
vmx.capability.dnd_version
dnd.ready enable c:\1\
Page 17: Hearthstone #OOB
Out-of-bound read of the copy/paste message; out-of-bound write of global_block.
Page 18: Exploitation of Hearthstone
Page 19
Diagram labels: CmdParams data; block which can leak; heap for out-of-bound write.
Page 20: Information leakage
Channel chunks: 2 (busy RPC) 0x10000; 3 (busy RPC) 0x10000; 4 (busy TRANSPORT) 0x10000; 5 (busy RPC) 0x10000; 1 (busy RPC) 0x10000.
Chunk 4 is the transport chunk; the others are RPC chunks.
Page 21: Information leakage
Heap layout diagram: channel chunks 2 (busy RPC), 3 (busy RPC), 4 (busy TRANSPORT), 5 (busy RPC), 1 (busy RPC); an LFH subsegment of 0x100-byte blocks laid out as: 0x100 BLOCK (busy), obj data (free), 0x100 BLOCK (free), obj data (busy), 0x100 BLOCK (free), 0x100 BLOCK (free), 0x100 BLOCK (free), 0x100 BLOCK (busy), 0x100 rpc req (busy), obj data (free), obj data (free), 0x100 BLOCK (busy), obj data (free). OOB markers show where the out-of-bound accesses land.
Page 22: Information leakage
Before: 3 (busy RPC), ......... 4 (busy TRANSPORT), 5 (busy RPC); followed by three 0x100 RPC req blocks holding out-of-bound data.
After FREE and malloc: 3 (busy RPC), ......... 4 (busy other), 5 (busy RPC); followed by three 0x100 RPC req blocks holding out-of-bound data.
Page 23: Information leakage
Before: 2 (busy RPC), 3 (busy RPC), 4 (busy other) has some useful msg, 5 (busy RPC), 1 (busy RPC).
After FREE: 2 (free), 4 (busy other) has some useful msg, 5 (busy RPC), 1 (busy RPC).
Page 24: Information leakage
INDEX 0x37
Before: 2 (busy transport), 4 (busy other) has some useful msg, 5 (busy RPC), 1 (busy RPC), 3 (free).
After: 2 (busy transport), 4 (busy other) has some useful msg, 5 (busy RPC), 1 (busy RPC), 3 (CmdParams data).
Page 25: Information leakage
Before: 2 (busy transport), 4 (busy other) has some useful msg, 5 (busy RPC), 1 (busy RPC), 3 (busy cmd args buffer).
The 0x30 stream fills out the memory.
After: 2 (busy transport) (filled by 0x30), 4 (busy other) has some useful msg, 5 (busy RPC), 1 (busy RPC), 3 (CmdParams data buffer) (covered by the overflowed 0x30 stream).
Page 26
Chunk 4 (busy other) has some useful msg.
Chunk 3 (busy cmd args buffer) (covered by the overflowed 0x30 stream).
Layout: data1 data2 00 data3 00 00 00 00 …… / Key value dataN dataN+1 dataN+2 … / 0x30 0x30 0x30 … (stream of 0x30 bytes) …… 0x30 0x30 0x30
Page 27
Layout: data1 data2 00 data3 00 00 00 00 …… / Key value dataN dataN+1 dataN+2 … / 0x30 0x30 0x30 … (stream of 0x30 bytes) …… 0x30 0x30 0x30
0x30 0x30 0x30 …… data1 data2
READ: data1 data2
SAVE
RPC command: toolsAutoInstallGetParams
Page 28
Layout: data1 data2 00 data3 00 00 00 …… / Key value dataN dataN+1 dataN+2 … / 0x30 0x30 0x30 … (stream of 0x30 bytes) …… 0x30 0x30 0x30
0x30 …… data1 data2 0x30 data3
READ: data1 data2 00 data3
SAVE: data1 data2 30
Page 29
Layout: data1 data2 0x30 data3 0x30 0x30 …… / Key value dataN dataN+1 dataN+2 … / 0x30 0x30 0x30 … (stream of 0x30 bytes) …… 0x30 0x30 0x30
data1 data2 0x00 data3 00 00 00 ……
Key value dataN dataN+1 dataN+2
GET: 30 30 30
Page 31: Q&A