#BHUSA BlackHatEvents

Bugs of yore: A bug hunting journey on VMware's hypervisor
Zisis Sialveras, zisiscensus-, _zisis

WHOAMI
- Computer security researcher at CENSUS
- Finding and exploiting bugs professionally since 2013
- Reversed A LOT of VMware's code
- Gave a few talks about VMware exploitation in the past

HOW EVERYTHING STARTED
Goal: Develop a guest-to-host escape exploit for VMware Workstation 12 (on a Windows host)
Skills:
- Developed a fair number of exploits
- Experienced with low-level stuff
Disadvantages:
- Basic knowledge of how virtual machines work

FIRST STEPS
- Map the attack surface
- It's early 2017, the VMware boom era has not yet started
- Useful resources:
  - Cloudburst by Kostya Kortchinsky: first public attempt at SVGA exploitation
  - Out of the Truman Show: VM Escape in VMware Gracefully: RPCI guest-to-host escape exploits
- Decided to go with SVGA

VMWARE ARCHITECTURE

SVGA SPECIFIC RESOURCES
- What is SVGA?
- Communication with the guest OS (SVGA FIFO)
- Useful resources:
  - GPU Virtualization on VMware's Hosted I/O Architecture - Micah Dowty, Jeremy Sugerman
  - Mini operating systems for SVGA testing: https:/
  - with them to understand how graphics work

SVGA THREAD
- VMX host process
- Polls for SVGA commands from the guest
- Communication with the guest using the SVGA FIFO (shared memory)

SVGA3D PROTOCOL
Objects:
- MOB (Memory OBject)
- Surface
- Context
- Shader
- Screentarget
Operations:
- Define
- Destroy
- Bind
- Readback
- More

SVGA PROTOCOL EXAMPLE

THE FIRST BUG

BLIT CUBE

SMELLS LIKE UAF

ANALYSIS OF THE DEALLOCATION

ANALYSIS OF THE D