Unveiling the Cracks in Virtualization, Mastering the Host System
VMware Workstation Escape
Speaker: VictorV
#BHASIA BlackHatEvents

About Me: VictorV (vv474172261)
VMware Workstation Escape TianfuCup 2018/2021/2023
Zer0Con 2022
HITB 2020
Hyper-V Escape CVE-2019-0887
In 2021 Bugs in SQLServer, RDP, QEMU, DNS, DHCP, Samba, ESXi
Top 3 of MSRC 2023 Q3/Q4 Leaderboard

CONTENTS
Virtualization Basic Info
Historic Bugs In UHCI
Exploit for TianfuCup 2023
Summary

PART ONE
Virtualization Basic Info

Virtualization Basic Info: VMware Workstation Architecture

Virtualization Basic Info: Virtual Process Address and Guest Physical Address
Guest Virtual Address (GVA)
Guest Physical Address (GPA)
Host process Virtual Address (HVA)
In the guest, a GVA is used to access its physical memory.
In the host vmx process, the HVA of a GPA is used to access guest memory.

Virtualization Basic Info: Virtual Device and Guest Driver Interaction
Guest System
IO Port: Insb/Inb/outb/outsb
IO Memory: Map to GVA, directly read and write
VMX process
IO port handler functions
IO Memory handler functions

Virtualization Basic Info: VM Escape and RCE exploit
send data
Crack the structure, and leak data
receive info
send data
Control RIP, run ROP
I/O
Read/Write
Read/Write

Virtualization Basic Info: USB Controller
USB 1.x: UHCI
USB 2.0: EHCI
USB 3.x: XHCI
USB 4.0: Future
CVE-2021-22041, CVE-2019-5519, CVE-2019-5518, CVE-2023-20870, CVE-2022-31705, CVE-2024-22252, CVE-2021-22040, CVE-2020-4004, CVE-2020-3968, CVE-2017-4904

Virtualization Basic Info: Virtual USB Controller Device Info

Virtualization Basic Info: UHCI Controller
Ejected XHCI

Virtualization Basic Info: UHCI Controller

Virtualization Basic Info: UHCI Controller
u32*TD=dm