URB Excalibur: The New VMware All-Platform VM Escapes

Virtual machine escape has always been a challenging task for hackers. VMware's hypervisor, as a popular closed-source commercial hypervisor, presents even greater difficulty in vulnerability discovery and exploitation. With each security update and the patching of old exploits, how can we find new vulnerabilities and write exploits to complete virtual machine escape?

This talk will first systematically introduce the current architecture and attack surfaces of VMware's hypervisor. We will then analyze the changes that have occurred in recent years, as well as the relevant security patches and mitigations.

Our new research focuses on the virtual USB controller, which is one of the main attack surfaces of the hypervisor. A usable computer needs USB interfaces and the USB devices attached to them. Virtual machines also require USB, so communication with the virtual USB controller naturally carries a risk of security vulnerabilities. We will, for the first time, systematically introduce VMware's virtual USB 2.0 controller (EHCI). Compared to QEMU's, it is more complex and interesting.

URB (USB Request Block) is the object used to carry USB packets inside VMware's hypervisor. Our research is the first to reveal its powerful role and the serious security risks it poses in virtual machine escape exploitation. In this talk, we will detail the structure, function, and lifecycle of the URB and the important objects related to it. We also build a new, general VMware VM escape exploitation flow and set of primitives based on the URB.

Finally, we will present the details of a heap out-of-bounds write vulnerability (CVE-2022-31705) in the EHCI USB controller. We will also demonstrate how to escape from all VMware hypervisor products (ESXi, Workstation, and Fusion) through this vulnerability, and share the difficulties and solutions encountered in each exploitation.

At the GeekPwn 2022 competition, our team used the 0day vulnerability in this talk to successfully demonstrate the virtual machine escape of VMware Fusion and won the championship. This was the only publicly disclosed VMware VM escape in 2022, and it also won the “Pwnie for Best Privilege Escalation Bug” at the Pwnie Awards 2023.


About the Presenter: Yuhao Jiang

Yuhao Jiang (@danis_jiang) is a security researcher associated with Ant Group Light-Year Security Lab. During his university years, he was a CTF player and captain of Vidar-Team. He now focuses on virtualization security. At GeekPwn 2022, in collaboration with Xinlei Ying, he achieved a VM escape from VMware Fusion, clinching the championship. This achievement also earned them the Best Privilege Escalation Award at the Pwnie Awards 2023. Building on this success, at Tianfu Cup 2023, Yuhao, along with Xinlei Ying and Ziming Zhang, accomplished another significant feat by successfully escaping from VMware ESXi, securing the Most Valuable Product Crack Award.


About the Presenter: Xinlei Ying

Xinlei Ying (@0x140ce) is a security researcher associated with Ant Group Light-Year Security Lab, specializing in the security of virtualization software. At PwnFest 2016 and Pwn2Own 2017, he escaped twice from VMware Workstation's VM. In 2021, he accomplished an escape from Parallels Desktop's VM. Collaborating with Yuhao Jiang in 2022, Xinlei achieved another VM escape from VMware Fusion at GeekPwn 2022, which also won the Best Privilege Escalation Award at the Pwnie Awards 2023. In 2023, the trio of Yuhao Jiang, Ziming Zhang, and Xinlei Ying continued their success by successfully escaping from VMware ESXi, earning them the Most Valuable Product Crack Award at Tianfu Cup 2023.
