当前位置:首页 > 报告详情

URB 王者之剑:新型 VMware 全平台虚拟机逃逸.pdf

上传人: 鲁** 编号:615421 2025-03-03 41页 4.93MB

1、#BHASIA BlackHatEventsURB Excalibur:The New VMware All-Platform VM EscapesYuhao Jiang(danis_jiang)Xinlei Ying(0 x140ce)#BHASIA BlackHatEventsWho are we?Security researchers at Ant Group Light-Year Security LabEscaped from virtual machine many timesWon the Pwnie Awards at 2023Yuhao Jiang(danis_jiang)

2、Xinlei Ying(0 x140ce)#BHASIA BlackHatEventsTalk Roadmap1.Introduction2.A journey of finding vulnerabilities in VMwares hypervisor3.Exploit development of VMware VM escape#BHASIA BlackHatEventsIntroduction#BHASIA BlackHatEventsWhat is Virtual Machine escape and the danger of itEscape from the isolati

3、on sphereTake control over the whole hypervisorNetwork escapeOne of the most catastrophic threats to the Cloud#BHASIA BlackHatEventsVMwares Architecture#BHASIA BlackHatEventsVMware hypervisors attack surfaceVirtual DeviceHard DiskLSI LogicNVMENetwork AdapterE1000/E1000eVMXNET3USB ControllerUHCITianf

4、u Cup 2021 Workstation(CVE-2021-22041),Tianfu Cup 2023 Workstation(CVE-2024-22253,CVE-22255)EHCIGeekPwn 2022 Fusion(CVE-2022-31705)XHCITianfu Cup 2021 ESXi(CVE-2021-22040),Tianfu Cup 2023 ESXi(CVE-2024-22252)USB DeviceHID(mouse)BluetoothPwn2Own 2023 Workstation(CVE-2023-20869,CVE-2023-20870)GPUSVGA

5、2DSVGA 3DSound CardES1371TPMvTPMGuestRPCBackdoorVMM#BHASIA BlackHatEventsVulnerability DiscoveryA journey of finding vulnerabilities in VMwares hypervisor#BHASIA BlackHatEventsStart vulnerability discovery in VMwareFirst encounter with VMware,closed-source hypervisor1.Focusing on an interesting and

6、potentially risky attack surfaceHaving studied QEMU EHCI vulnerabilitiesInterested in VMwares EHCI implementation2.Reverse engineeringUsing string search as an entry pointUnderstanding EHCI specification and QEMU code while reverse engineering VMware#BHASIA BlackHatEventsEHCI/USB 2.0 ControllerVMwar

word格式文档无特别注明外均可编辑修改,预览文件经过压缩,下载原文更清晰!
三个皮匠报告文库所有资源均是客户上传分享,仅供网友学习交流,未经上传用户书面授权,请勿作商用。
本文介绍了来自蚂蚁集团Light-Year Security Lab的安全研究人员姜宇豪(Yuhao Jiang,@danis_jiang)和应星乐(Xinlei Ying,@0x140ce)在VMware虚拟机逃逸方面的研究。他们多次赢得Pwnie Awards,并在2023年展示了VMware VM escape的技术。文章首先解释了虚拟机逃逸的定义及其危险性,然后详细描述了VMware架构、VMware虚拟化器的攻击面以及虚拟设备。研究人员从VMware的EHCI实现入手,找到了多个漏洞,并开发了相应的利用代码。他们还讨论了如何通过USB设备逃逸虚拟机,并分享了在VMware Workstation和ESXi上执行逃逸的演示。最后,文章强调了在寻找利用原语时关注与漏洞相关的对象,尤其是与USB相关的虚拟设备。
"VMware VM Escape 漏洞详解" "如何利用 VMware 漏洞控制虚拟机" 如何防范虚拟机逃逸攻击"
客服
商务合作
小程序
服务号
折叠