BHUSA09 Kortchinsky Cloudburst SLIDES


CLOUDBURST

A VMware Guest to Host Escape Story
Kostya Kortchinsky

Immunity, Inc.
Black Hat USA 2009, Las Vegas

06/29/09

Introduction


VMware Architecture

Devices are emulated on the Host

Why devices?

I don't have enough low level system Mojo
They are common to all VMware products
They run on the Host
  vmware-vmx process
They can be accessed from the guest
  Through Port I/O or memory mapped I/O
They are written in C/C++
  They sometimes parse some complex data!

Devices on a VM

1. Video adapter
2. Floppy controller
3. IDE controller
4. Keyboard controller
5. Network Adapter
6. COM/LPT controller
7. SCSI controller(s)
8. DMA controller
9. USB controller (WKS)
10. Audio adapter (WKS)

(Screenshot caption: Windows XP SP3 (ESX))

CLOUDBURST

Combination of 3/4 bugs in the VMware emulated video device
  Host memory leak into the Guest
  Host arbitrary memory write from the Guest
    Relative
    Absolute
  And some additional DEP friendly goodness
Reliable Guest to Host escape on recent VMware products: Workstation, Fusion?, ESX Server (4.0 RC Hard freeze)

VMware SVGA II


VMware Publications

GPU Virtualization on VMware's Hosted I/O Architecture by Micah Dowty, Jeremy Sugerman
  We were not aware of this paper during our research
  Good insight on the technology
  Previous VMware security announcements have included device driver guest->host vulnerabilities, as have Microsoft Virtual Server and Xen
I am not a virtualization specialist

VMware SVGA II

VMware virtual GPU takes the form of an emulated PCI device
  VMware SVGA II
  No physical instance of the card exists
A device driver is provided for common Guests
  Windows ones support 3D acceleration
A user level device emulation process is responsible for handling accesses to the PCI configuration and I/O space of the SVGA device

SVGA Device Architecture

(Diagram from http://www.usenix.org/event/wiov08/tech/full_papers/dowty/dowty.pdf)

The Virtual Graphic Stacks

(Diagram from http://www.usenix.org/event/wiov08/tech/full_papers/dowty/dowty.pdf)

Memory mapped I/O
(from Wikipedia)

Memory mapped I/O (MMIO) and port I/O (also called port mapped I/O or PMIO) are two complementary methods of performing input/output between the CPU and peripheral devices in a computer
  Each I/O device monitors the CPU's address bus and responds to any CPU's access of device assigned address space
  Port mapped I/O uses a special class of CPU instructions specifically for performing I/O

My Simplified Version

(Diagram labels: vmware-vmx Process, Host, Virtual Machine, Guest, Virtual Video Card, I/O Ports, I/O Memory Mappings, SVGA FIFO, Frame Buffer)

VMware SVGA I/O

(Screenshot labels: Frame Buffer, SVGA FIFO, I/O Ports; Windows 2003 SP1 (WKS))

SVGA FIFO


SVGA FIFO

The SVGA device processes commands asynchronously via a lockless FIFO queue
This queue (several MB) occupies the bulk of the FIFO Memory region
During unaccelerated 2D rendering: FIFO commands are used to mark changed regions in the framebuffer
During 3D rendering: the FIFO acts as a transport layer for an architecture independent SVGA3D rendering protocol

2D FIFO Operations

They can be found in xf86-video-vmware
Sample 2D operations:
  SVGA_CMD_UPDATE (1)
    FIFO layout: X, Y, Width, Height
  SVGA_CMD_RECT_FILL (2)
    FIFO layout: Color, X, Y, Width, Height
  SVGA_CMD_RECT_COPY (3)
    FIFO layout: Source X, Source Y, Dest X, Dest Y, Width, Height
  ...

SVGA FIFO 2D Operations

SVGA_CMD_INVALID_CMD
SVGA_CMD_UPDATE
SVGA_CMD_RECT_FILL
SVGA_CMD_RECT_COPY
SVGA_CMD_DEFINE_BITMAP
SVGA_CMD_DEFINE_BITMAP_SCANLINE
SVGA_CMD_DEFINE_PIXMAP
SVGA_CMD_DEFINE_PIXMAP_SCANLINE
SVGA_CMD_RECT_BITMAP_FILL
SVGA_CMD_RECT_PIXMAP_FILL
SVGA_CMD_RECT_BITMAP_COPY
SVGA_CMD_RECT_PIXMAP_COPY
SVGA_CMD_FREE_OBJECT
SVGA_CMD_RECT_ROP_FILL
SVGA_CMD_RECT_ROP_COPY
SVGA_CMD_RECT_ROP_BITMAP_FILL
SVGA_CMD_RECT_ROP_PIXMAP_FILL
SVGA_CMD_RECT_ROP_BITMAP_COPY
SVGA_CMD_RECT_ROP_PIXMAP_COPY
SVGA_CMD_DEFINE_CURSOR
SVGA_CMD_DISPLAY_CURSOR
SVGA_CMD_MOVE_CURSOR
SVGA_CMD_DEFINE_ALPHA_CURSOR
SVGA_CMD_DRAW_GLYPH
SVGA_CMD_DRAW_GLYPH_CLIPPED
SVGA_CMD_UPDATE_VERBOSE
SVGA_CMD_SURFACE_FILL
SVGA_CMD_SURFACE_COPY
SVGA_CMD_SURFACE_ALPHA_BLEND
SVGA_CMD_FRONT_ROP_FILL
SVGA_CMD_FENCE
SVGA_CMD_VIDEO_PLAY_OBSOLETE
SVGA_CMD_VIDEO_END_OBSOLETE
SVGA_CMD_ESCAPE

SVGA_CMD_RECT_COPY

Copies a rectangle in the Frame Buffer from a source X,Y to a destination X,Y
(Diagram: Src and Dst rectangles in the Frame Buffer)

SVGA_CMD_RECT_COPY

Boundaries checks on the source location can be bypassed
(Diagram: Src and Dst rectangles relative to the Frame Buffer)

SVGA_CMD_RECT_COPY

Boundaries checks on the destination location can be bypassed (to a lower extent than source)
(Diagram: Dst and Src rectangles relative to the Frame Buffer)

SVGA Arbitrary Read & Write

Guest can read and write in the framebuffer
Framebuffer is mapped in the host memory
SVGA_CMD_RECT_COPY bugs mean:
  One can copy host process memory into the frame buffer and read it
    Default unlimited arbitrary read
  One can write data into the frame buffer and copy it into the host process memory
    Default limited arbitrary write
      Only into the page preceding the framebuffer
      Might be exploitable in some cases
      Depends on what is mapped before the framebuffer
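Added example, not code from the slides or from VMware: a small decoder for the three 2D FIFO commands whose layouts the slides give (UPDATE, RECT_FILL, RECT_COPY), written the way a device emulator should validate a guest-supplied rectangle before it reads or writes the host-side frame buffer. The slides only state that the RECT_COPY boundary checks can be bypassed; the two failure classes guarded against here (32-bit wraparound of X+Width and a signed compare letting a "negative" coordinate through) are general ones, not a claim about the actual vmware-vmx code. framebuffer_t, rect_in_bounds, rect_copy_checked, fifo_process_one, the 8x8 geometry and the demo_* stream are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Command ids and operand layouts as listed on the slides. */
#define SVGA_CMD_UPDATE    1   /* X, Y, Width, Height */
#define SVGA_CMD_RECT_FILL 2   /* Color, X, Y, Width, Height */
#define SVGA_CMD_RECT_COPY 3   /* SrcX, SrcY, DstX, DstY, Width, Height */
static const size_t operands[] = { 0, 4, 5, 6 };   /* indexed by command id */

#define BPP 4   /* 32 bits per pixel, as with D3DFMT_A8R8G8B8 */

/* Hypothetical frame buffer description (constructed for this example). */
typedef struct { uint32_t width, height; uint8_t *pixels; } framebuffer_t;

/* 1 if the rectangle lies entirely inside the frame buffer, else 0. Sums are
 * taken in 64 bits so X+Width cannot wrap, and everything is unsigned so a
 * "negative" coordinate like 0xFFFFFFFF fails instead of passing a signed compare. */
int rect_in_bounds(const framebuffer_t *fb, uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    uint64_t x_end = (uint64_t)x + w, y_end = (uint64_t)y + h;
    return w != 0 && h != 0 && x_end <= fb->width && y_end <= fb->height;
}

static uint8_t *pixel_at(const framebuffer_t *fb, uint32_t x, uint32_t y)
{
    return fb->pixels + ((size_t)y * fb->width + x) * BPP;
}

/* Validates both rectangles before any byte moves; memmove plus the row
 * order keep an overlapping source and destination correct. */
int rect_copy_checked(framebuffer_t *fb, uint32_t sx, uint32_t sy,
                      uint32_t dx, uint32_t dy, uint32_t w, uint32_t h)
{
    if (!rect_in_bounds(fb, sx, sy, w, h) || !rect_in_bounds(fb, dx, dy, w, h))
        return -1;                                 /* would leave the frame buffer */
    for (uint32_t i = 0; i < h; i++) {
        uint32_t r = (sy < dy) ? h - 1 - i : i;    /* bottom-up when dst is below src */
        memmove(pixel_at(fb, dx, dy + r), pixel_at(fb, sx, sy + r), (size_t)w * BPP);
    }
    return 0;
}

/* Decodes the command at fifo[*pos]. Returns 1 if applied, -1 if its rectangle
 * was rejected (still consumed, so the queue drains), 0 when the stream is
 * exhausted, the command unknown, or the operands truncated. */
int fifo_process_one(framebuffer_t *fb, const uint32_t *fifo, size_t len, size_t *pos)
{
    if (*pos >= len || fifo[*pos] == 0 || fifo[*pos] > SVGA_CMD_RECT_COPY) return 0;
    uint32_t cmd = fifo[*pos];
    size_t n = operands[cmd];
    if (len - *pos - 1 < n) return 0;
    const uint32_t *a = fifo + *pos + 1;
    int rc = -1;
    if (cmd == SVGA_CMD_UPDATE) {                  /* only marks a region: validate it */
        rc = rect_in_bounds(fb, a[0], a[1], a[2], a[3]) ? 0 : -1;
    } else if (cmd == SVGA_CMD_RECT_FILL) {
        if (rect_in_bounds(fb, a[1], a[2], a[3], a[4])) {
            for (uint32_t y = 0; y < a[4]; y++)
                for (uint32_t x = 0; x < a[3]; x++)
                    memcpy(pixel_at(fb, a[1] + x, a[2] + y), &a[0], BPP);
            rc = 0;
        }
    } else {
        rc = rect_copy_checked(fb, a[0], a[1], a[2], a[3], a[4], a[5]);
    }
    *pos += 1 + n;
    return rc == 0 ? 1 : -1;
}

/* Constructed 8x8 frame buffer and FIFO stream: a valid fill, a valid copy, a
 * copy whose width wraps 32-bit arithmetic, and a copy to a "negative" X. */
static uint8_t demo_pixels[8 * 8 * BPP];
static const uint32_t demo_fifo[] = {
    SVGA_CMD_RECT_FILL, 0xAABBCCDD, 1, 1, 2, 2,
    SVGA_CMD_RECT_COPY, 1, 1, 5, 5, 2, 2,
    SVGA_CMD_RECT_COPY, 4, 0, 0, 0, 0xFFFFFFFD, 1,
    SVGA_CMD_RECT_COPY, 0, 0, 0xFFFFFFF8, 0, 8, 1,
};

/* Runs the stream through the decoder; returns how many commands were rejected. */
int demo_run(void)
{
    framebuffer_t fb = { 8, 8, demo_pixels };
    size_t pos = 0, len = sizeof demo_fifo / sizeof demo_fifo[0];
    int rejected = 0, rc;
    memset(demo_pixels, 0, sizeof demo_pixels);
    while ((rc = fifo_process_one(&fb, demo_fifo, len, &pos)) != 0)
        if (rc < 0) rejected++;
    return rejected;
}

/* Reads back one pixel of the demo frame buffer after demo_run(). */
uint32_t demo_pixel(uint32_t x, uint32_t y)
{
    framebuffer_t fb = { 8, 8, demo_pixels };
    uint32_t v;
    memcpy(&v, pixel_at(&fb, x, y), BPP);
    return v;
}
```

With a naive 32-bit `x + w <= width` test, the third command (width 0xFFFFFFFD) and the fourth (destination X 0xFFFFFFF8) both pass because the sum wraps to a small value; the 64-bit unsigned check rejects both, and the valid fill and copy still land at (1,1)..(2,2) and (5,5)..(6,6).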

SVGA_CMD_DRAW_GLYPH

Draws a glyph into the framebuffer
Requires svga.yesGlyphs = TRUE
(Diagram: Virtual Screen)

SVGA_CMD_DRAW_GLYPH

There is no check on the X,Y where the glyph is to be copied
(Diagram: Virtual Screen)

Arbitrary Write N

Framebuffer is mapped in the host memory
SVGA_CMD_DRAW_GLYPH bug means:
  One can write any data, anywhere in the host process memory
    Write address is relative to the base of the framebuffer
      Pretty steady in ESX
      Can be leaked with SVGA_CMD_RECT_COPY bug
    Fully exploitable
  Non default arbitrary write

VMware & 3D

Experimental 3D support appeared in VMware Workstation 5.0 (April 2005)
  Disabled by default
  Option had to be added to the config file of the VM
It became default with Wks 6.5 (and Fusion?)
  Accelerate 3D Graphics checkbox under Display
  Code is reachable regardless of checkbox
3D operations are default and parsed under ESX 4.0 RC Hard freeze

SVGA3D

The SVGA3D protocol is a simplified and idealized adaptation of the Direct3D API
It has a minimal number of distinct commands
It is not publicly documented (AFAIK)
  xf86-video-vmware has definitions for some constants but no prototypes of functions
It uses contexts like Direct3D
  Stored on the Host
  Hold render states, light data, etc.

SVGA FIFO 3D Operations

SVGA_CMD_SURFACE_DEFINE
SVGA_CMD_SURFACE_DESTROY
SVGA_CMD_SURFACE_COPY
SVGA_CMD_SURFACE_DOWNLOAD
SVGA_CMD_SURFACE_UPLOAD
SVGA_CMD_INDEX_BUFFER_DEFINE
SVGA_CMD_INDEX_BUFFER_DESTROY
SVGA_CMD_INDEX_BUFFER_UPLOAD
SVGA_CMD_VERTEX_BUFFER_DEFINE
SVGA_CMD_VERTEX_BUFFER_DESTROY
SVGA_CMD_VERTEX_BUFFER_UPLOAD
SVGA_CMD_CONTEXT_DEFINE
SVGA_CMD_CONTEXT_DESTROY
SVGA_CMD_SETTRANSFORM
SVGA_CMD_SETZRANGE
SVGA_CMD_SETRENDERSTATE
SVGA_CMD_SETRENDERTARGET
SVGA_CMD_SETTEXTURESTATE
SVGA_CMD_SETMATERIAL
SVGA_CMD_SETLIGHTDATA
SVGA_CMD_SETLIGHTENABLED
SVGA_CMD_SETVIEWPORT
SVGA_CMD_SETCLIPPLANE
SVGA_CMD_CLEAR
SVGA_CMD_PRESENT
SVGA_CMD_DRAWPRIMITIVES
SVGA_CMD_DRAWINDEXEDPRIMITIVES
SVGA_CMD_SHADER_DEFINE
SVGA_CMD_SHADER_DESTROY
SVGA_CMD_SET_VERTEXSHADER
SVGA_CMD_SET_PIXELSHADER
SVGA_CMD_SET_SHADER_CONST
SVGA_CMD_DRAWPRIMITIVES2
SVGA_CMD_DRAWINDEXEDPRIMITIVES2

3D Bugs

Many SET commands are flawed
SETRENDERSTATE
The code:

.text:0065EE25
.text:0065EE25 loc_65EE25:                        ; CODE XREF: SetRenderStateInContext+25j
.text:0065EE25     mov     edi, [ecx+eax*8]       ; Offset @ InputData[i]
.text:0065EE28     mov     ebx, [ecx+eax*8+4]     ; Data @ InputData[i+1]
.text:0065EE2C     add     eax, 1                 ; i++
.text:0065EE2F     cmp     eax, edx
.text:0065EE31     mov     [esi+edi*4+50h], ebx
.text:0065EE35     jb      short loc_65EE25

Write primitive relative to esi
  It's the context address in the host memory
  It can be leaked in the guest thanks to the COPY bug!

Relative to Absolute

SETLIGHTENABLED
The code:

.text:0065EF33     mov     ecx, [ebp+arg_4]
.text:0065EF36     mov     eax, [ecx+4]
.text:0065EF39     mov     ecx, [ecx+8]
.text:0065EF3C     mov     edx, eax
.text:0065EF3E     shl     edx, 4
.text:0065EF41     sub     edx, eax
.text:0065EF43     mov     eax, [ebp+arg_0]
.text:0065EF46     mov     eax, [eax+648h]
.text:0065EF4C     mov     [eax+edx*8], ecx

By overwriting Context+648h with the relative write, we get an absolute write primitive
Also works with SETLIGHTDATA for 29*4 bytes

Moar Bugz

Additional bugs in:
  SETRENDERTARGET: signed bounds checking
  SETCLIPPLANE: no bounds checking
  SETTRANSFORM: no bounds checking
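Added example, not code from the slides or from VMware, covering the SETRENDERSTATE listing, the SETLIGHTENABLED/SETLIGHTDATA listing and the "signed bounds checking" item above: a hypothetical SVGA3D context whose SET handlers validate every guest-supplied index against a fixed table size, as unsigned, before writing. The listing writes data at context+0x50+offset*4 with no check on offset, and picks a 120-byte light slot (index*15*8) through a pointer stored in the context; the checked handlers below keep both writes inside bounded tables, so neither an out-of-range render-state offset nor an out-of-range light index can reach the pointer field or anything past it. svga3d_context_t, light_t, the table sizes MAX_RENDER_STATES and MAX_LIGHTS, and the demo_* input are all assumptions made for this example; only the 29-word light record comes from the slides.

```c
#include <stdint.h>
#include <string.h>

/* Assumed table sizes for this hypothetical context (not VMware's layout). */
#define MAX_RENDER_STATES 64
#define MAX_LIGHTS        8
#define LIGHT_DATA_WORDS  29   /* per the slides: SETLIGHTDATA writes 29*4 bytes */

typedef struct {
    uint32_t data[LIGHT_DATA_WORDS];
    uint32_t enabled;          /* 30 words = 120 bytes per light, the listing's index*15*8 */
} light_t;

typedef struct {
    uint32_t other_state[20];  /* stands in for the 0x50 bytes before the table */
    uint32_t render_state[MAX_RENDER_STATES];
    light_t *lights;           /* a pointer kept at a fixed context offset, like +648h */
} svga3d_context_t;

/* The flawed pattern: a signed compare lets a "negative" index through,
 * because (int32_t)0xFFFFFFFF is -1, which is below any positive maximum. */
int index_ok_signed(int32_t idx, int32_t max) { return idx < max; }

/* The fix: compare as unsigned, so every out-of-range value, including
 * wrapped "negative" ones, is rejected. */
int index_ok(uint32_t idx, uint32_t max) { return idx < max; }

/* SETRENDERSTATE replacement: input is (offset, data) pairs as in the listing.
 * All offsets are validated before any write, so a batch with one bad entry
 * changes nothing instead of leaving the context half-updated. */
int set_render_state_checked(svga3d_context_t *ctx, const uint32_t *in, uint32_t count)
{
    for (uint32_t i = 0; i < count; i++)
        if (!index_ok(in[2 * i], MAX_RENDER_STATES)) return -1;
    for (uint32_t i = 0; i < count; i++)
        ctx->render_state[in[2 * i]] = in[2 * i + 1];
    return 0;
}

/* SETLIGHTENABLED / SETLIGHTDATA replacements: the light index is checked
 * against the table size before it selects a 120-byte slot. */
int set_light_enabled_checked(svga3d_context_t *ctx, uint32_t index, uint32_t enabled)
{
    if (!index_ok(index, MAX_LIGHTS)) return -1;
    ctx->lights[index].enabled = enabled;
    return 0;
}

int set_light_data_checked(svga3d_context_t *ctx, uint32_t index, const uint32_t *words)
{
    if (!index_ok(index, MAX_LIGHTS)) return -1;
    memcpy(ctx->lights[index].data, words, sizeof ctx->lights[index].data);
    return 0;
}

/* Constructed guest input run through the checked handlers. */
static light_t demo_lights[MAX_LIGHTS];
static svga3d_context_t demo_ctx;

/* Returns how many of the four constructed commands were rejected. */
int demo_run(void)
{
    static const uint32_t good[] = { 3, 0x1234, 7, 0x5678 };
    static const uint32_t bad[]  = { 3, 0x1111, 0xFFFFFFFF, 0x2222 }; /* offset "-1" */
    int rejected = 0;
    memset(&demo_ctx, 0, sizeof demo_ctx);
    memset(demo_lights, 0, sizeof demo_lights);
    demo_ctx.lights = demo_lights;
    rejected += set_render_state_checked(&demo_ctx, good, 2) < 0;
    rejected += set_render_state_checked(&demo_ctx, bad, 2) < 0;
    rejected += set_light_enabled_checked(&demo_ctx, 2, 1) < 0;
    rejected += set_light_enabled_checked(&demo_ctx, MAX_LIGHTS, 1) < 0;
    return rejected;
}

uint32_t demo_render_state(uint32_t i) { return demo_ctx.render_state[i]; }
uint32_t demo_light_enabled(uint32_t i) { return demo_lights[i].enabled; }
```

The validate-then-apply split in set_render_state_checked is the design point worth copying: a command batch is either applied in full or not at all, so a rejected batch cannot leave a partially written context behind, and the `index_ok_signed` helper is there only to show why an `int` comparison is not a bounds check.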

Exploitation


Requirements

We have to be able to read/write directly into the framebuffer and the FIFO
Direct3D has some APIs for that
  Everything is checked and sanitized on the Guest side
The solution is to write our own driver
  Sits on top of VMware video driver
  It can be standalone though
    Less coding to do this way
  Maps the framebuffer and FIFO for direct, unrestricted access
  Requires Admin rights in the VM

Exploitation Process

Step #1: leak the base address of the framebuffer in the Host
  All further leaks are relative to this address
  Some methods:
    Windows Vista: relative memory leak
      The page before the FB contains the address of the FB
    Ubuntu: relative leak brute force
      Keep leaking until you find the ELF header
    Windows XP/Vista: absolute memory write
      Then scan the FB for the data written
      The FB is big enough to not trigger an access violation

Exploitation Process

Step #2: fingerprint VMware version
  We leak the PE/ELF header for that
  They tend to be always at the same address
Step #3 to #n: exploit
  Leak/Overwrite/Trigger/Leak/Overwrite/Trigger
  Done!

Leak Example

We leak some data on the first line of the framebuffer (more visual)

Dealing with DEP

When dealing with XP/Vista DEP Always On, or ESX 4.0 as a Host, we have to care about NX
vmware-vmx provides VirtualProtect wrappers
  One for RE, one for RW
  They take their parameters in the .data section!
    Easily abusable with the absolute write primitive
Also available for mprotect under Linux/ESX

Vista 12 Steps Example: 1 to 6

1) Leak the Frame Buffer Base address in the Host
2) Leak the PE Header of the vmware-vmx.exe binary
3) Based on the Timestamp in the PE Header, set the correct addresses needed
4) Leak the 1st pointer of the SVGAUser structure
5) Leak the memory pointed by the leaked pointer to retrieve the address of the Context
6) Overwrite the VirtualProtect parameters so that the address is the one of the PE header and the size is 1000h. Overwrite as well the function pointer for the ESCAPE command with the address of the RW VirtualAlloc wrapper

Vista 12 Steps Example: 7 to 12

7) Trigger the ESCAPE command: the PE Header is now RW
8) Write the shellcode into the PE Header
9) Same as 6), except that we overwrite the ESCAPE function pointer with the RE VirtualAlloc wrapper
10) Trigger the ESCAPE command: the PE Header (and our shellcode) is now RE
11) Overwrite the ESCAPE function pointer with a pointer to our shellcode.
12) Trigger the ESCAPE command

MOSDEF Over Direct3D

(or how to tunnel a shell over BMP images)

MOSDEF

MOSDEF (mose-def) is short for Most Definitely
MOSDEF is a retargetable, position independent code, C compiler that supports dynamic remote code linking, written in pure Python
In short, after you've overflowed a process you can compile programs to run inside that process and report back to you

Post Exploitation

Ensure Host-Guest communication post exploitation, while not relying on extra features such as:
  Network: Host can be unreachable from Guest
  VMCI: not enabled by default
  VMRPC: can be disabled
And in Ring 3 to add some excitement
Idea: tunnel the shell over the framebuffer

Guest Side: Direct3D API

Create and manipulate objects (surfaces) in the video card memory, offscreen
  CreateOffscreenPlainSurface
    Format being D3DFMT_A8R8G8B8 (32 bits per pixel)
  D3DXLoadSurfaceFromMemory
  D3DXSaveSurfaceToFileInMemory
    No raw format, use D3DXIFF_BMP
    We parse the BMP to recover our data

Host Side

Bind a MOSDEF listener on localhost
Scan the video card memory for a signature
  Extract and parse the data
  Send it to the locally bound MOSDEF
  Receive the result
  Write it back to the framebuffer
MOSDEF acting sequentially, we should not have any concurrent access issue
  We implement a lousy semaphore to be sure

The Result

Virtual Wooden Bridge over the Virtual Air Gap

Conclusion

VMs, Security and You

Virtualization Misconceptions

VMware isn't an additional security layer
  It's just another layer to find bugs in
Given the correct bug primitives (memory leak, memory write), everything can be defeated
  ASLR, NX
Trying to patch silently in 2009 is ridiculous
If a feature is not needed for a branch, the code shouldn't be included in it
  Why would ESX ever need 3D support...
