
Security Experts Demonstrate VM Escape and Host Compromise in VMware Workstation
In this video, security experts Kang Jang and Jenry from Theory's vulnerability research team give a detailed demonstration of how they escaped a guest virtual machine (VM) running under VMware Workstation and went on to compromise the host. The presentation is divided into three parts: the vulnerabilities in VMware Workstation and in Windows, the exploit chain that ties them together, and a live demonstration of the finished exploit.

The first part covers the vulnerabilities found in VMware Workstation. The researchers start with the basics of hypervisors, the software layer that creates and runs virtual machines, and distinguish the two types: type 1 hypervisors run directly on the host hardware, while type 2 hypervisors run as ordinary applications on top of a host operating system. VMware Workstation, their target, is a type 2 hypervisor, and that matters for the attack: the process that emulates the guest's devices (the VMX process) runs on the host, so a bug in a device emulation is a bug in a host process reachable from the guest. They identified two key vulnerabilities: an information leak in VMware's VMCI implementation and a use-after-free in its virtual Bluetooth support. The first was triggered through the HGFS shared-folder file read handler, which returned uninitialized memory to the guest and thereby disclosed contents of the host process's memory. The second allowed arbitrary code execution by manipulating URB (USB Request Block) objects in the virtual Bluetooth code. Turning these into a working exploit meant getting past Control Flow Guard (CFG), which restricts the targets an indirect call may reach; because CFG validates indirect call targets but not return addresses, the researchers redirected execution with ROP (return-oriented programming) gadgets instead. The information leak also gave them the base address of the VMX module, defeating ASLR and providing the addresses the ROP chain needed.
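The information leak class described above, as an added example that is not VMware's or the researchers' code: a constructed model of a shared-folder read handler that allocates a reply buffer of the guest-requested length, performs a short read into it, and then copies the whole requested length back to the guest, so the uninitialized tail discloses whatever was previously in that heap memory. The never-zeroing arena allocator, the simulated file, the secret string and the function names are all assumptions made for this demonstration; in the real attack the stale bytes were useful because they included pointers into the VMX module, which is what revealed its base address.

```c
/*
 * Constructed model of an uninitialized-memory information leak in a
 * file-read handler (example code, not VMware's or Theori's).  The arena,
 * the "shared file" and the secret are assumptions for this demo.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Tiny never-zeroing allocator standing in for the host heap: every
 * allocation hands back the same arena, so whatever an earlier user left
 * there is visible to the next allocation, the property a leak relies on. */
static unsigned char arena[256];

static unsigned char *host_alloc(size_t n)
{
    return n <= sizeof arena ? arena : NULL;
}

/* Simulated shared-folder file the guest is allowed to read (8 bytes). */
static const char shared_file[] = "hello!!!";

/* Simulated secret an earlier host operation left behind in freed memory. */
static const char host_secret[] = "HOST-SECRET-TOKEN";

/* Earlier host activity: uses a buffer, writes a secret at offset 32, frees
 * it without wiping.  The bytes stay in the arena. */
static void host_previous_activity(void)
{
    unsigned char *tmp = host_alloc(128);
    memcpy(tmp + 32, host_secret, sizeof host_secret);
}

/* Short read of the shared file into buf: returns bytes actually read. */
static size_t file_read(unsigned char *buf, size_t len)
{
    size_t n = sizeof shared_file - 1;
    if (n > len) n = len;
    memcpy(buf, shared_file, n);
    return n;
}

/* Vulnerable handler: copies req_len bytes to the guest although only
 * `got` bytes of the reply buffer were initialised by the read. */
size_t hgfs_read_vulnerable(unsigned char *to_guest, size_t req_len)
{
    unsigned char *reply = host_alloc(req_len);
    if (!reply) return 0;
    size_t got = file_read(reply, req_len);
    (void)got;                          /* the bug: short read ignored */
    memcpy(to_guest, reply, req_len);   /* stale heap bytes cross to guest */
    return req_len;
}

/* Hardened handler: the reply is zeroed and only the bytes the read
 * actually produced leave the host. */
size_t hgfs_read_fixed(unsigned char *to_guest, size_t req_len)
{
    unsigned char *reply = host_alloc(req_len);
    if (!reply) return 0;
    memset(reply, 0, req_len);          /* defence in depth: no stale bytes */
    size_t got = file_read(reply, req_len);
    memcpy(to_guest, reply, got);       /* bounded by the real read length */
    return got;
}

/* Does the buffer the guest received contain the host secret anywhere? */
int guest_sees_secret(const unsigned char *buf, size_t len)
{
    size_t slen = strlen(host_secret);
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(buf + i, host_secret, slen) == 0) return 1;
    return 0;
}

/* Runs both handlers against the same stale heap state.  Returns 1 when
 * the vulnerable handler leaks the secret and the fixed one does not. */
int demo(void)
{
    unsigned char guest_buf[128];

    host_previous_activity();
    size_t n1 = hgfs_read_vulnerable(guest_buf, 64);
    int leaked = guest_sees_secret(guest_buf, n1);

    host_previous_activity();
    size_t n2 = hgfs_read_fixed(guest_buf, 64);
    int still_leaks = guest_sees_secret(guest_buf, n2);

    return leaked && !still_leaks;
}

int main(void)
{
    printf("vulnerable handler leaks, fixed handler does not: %s\n",
           demo() ? "yes" : "no");
    return 0;
}
```

The guest requests 64 bytes of an 8-byte file; the vulnerable handler returns 64 bytes, and bytes 32 onward are the secret left by the earlier allocation. The fix is two independent measures: size the copy by the actual read length, and zero the reply buffer so that even a later logic error cannot ship uninitialized memory.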
The second part turns to a Windows kernel vulnerability in the Cloud Files mini filter driver (cldflt.sys), the component behind Microsoft OneDrive's placeholder files. By manipulating reparse point data, the researchers triggered a heap overflow in the kernel pool. From it they built stronger primitives, out-of-bounds read and write, using WNF (Windows Notification Facility) objects and mailslot objects as the heap objects the overflow corrupts. Heap spraying arranged these objects predictably in memory, and manipulating their data structures let them read critical kernel addresses, such as those of process (EPROCESS) and thread objects. With those addresses they swapped their process's token for that of a SYSTEM process (token stealing), elevating their privileges on the host.

The final part shows the full chain. Code execution in the VMX process after the VM escape runs with the privileges of the host user who launched the VM, not SYSTEM, which is why the kernel exploit is needed as a second stage. The researchers stored it in the guest's conventional memory (the lowest region of physical memory), from where their host-side shellcode could locate and execute it. Running it compromised the host kernel and gave them an elevated SYSTEM shell.

In conclusion, the video gives a fascinating insight into the advanced exploitation techniques used to compromise virtual machine environments and host operating systems. The researchers demonstrated how seemingly minor bugs, an uninitialized buffer and a use-after-free on the hypervisor side and a heap overflow in a filter driver on the host side, can be chained into full control of the system, highlighting the importance of security in virtualized environments. To learn more, watch the full video here: https://www.youtube.com/watch?v=DtoeGNhybgE