BHUSA09 Kortchinsky Cloudburst SLIDES
Immunity, Inc. Black Hat USA 2009, Las Vegas
06/29/09
Introduction
VMware Architecture
Devices are emulated on the Host
Why devices?
They can be accessed from the guest
  Through Port I/O or memory mapped I/O
They are written in C/C++
  vmware-vmx process
They sometimes parse some complex data!
Devices on a VM
1. Video adapter
2. Floppy controller
3. IDE controller
4. Keyboard controller
5. Network Adapter
6. COM/LPT controller
7. SCSI controller(s)
8. DMA controller
9. USB controller (WKS)
10. Audio adapter (WKS)
Windows XP SP3 (ESX)
CLOUDBURST
Combination of 3/4 bugs in the VMware emulated video device
  Host memory leak into the Guest
  Host arbitrary memory write from the Guest
    Relative
    Absolute
And some additional DEP friendly goodness
VMware SVGA II
VMware Publications
"GPU Virtualization on VMware's Hosted I/O Architecture" by Micah Dowty, Jeremy Sugerman
We were not aware of this paper during our research
Good insight on the technology
VMware SVGA II
VMware virtual GPU takes the form of an emulated PCI device
A device driver is provided for common Guests
SVGA Device Architecture
[Figure] http://www.usenix.org/event/wiov08/tech/full_papers/dowty/dowty.pdf
The Virtual Graphic Stacks
[Figure] http://www.usenix.org/event/wiov08/tech/full_papers/dowty/dowty.pdf
Memory mapped I/O
(from Wikipedia)
My Simplified Version
[Figure: vmware-vmx Process / Host / Virtual Machine / Guest / SVGA FIFO / Frame Buffer]
VMware SVGA I/O
[Figure: I/O Ports / SVGA FIFO]
SVGA FIFO
The SVGA device processes commands asynchronously via a lockless FIFO queue
This queue (several MB) occupies the bulk of the FIFO Memory region
2D FIFO Operations
They can be found in xf86-video-vmware
Sample 2D operations:
SVGA_CMD_UPDATE(1)
SVGA_CMD_RECT_FILL(2)
SVGA_CMD_RECT_COPY(3)
...
SVGA FIFO 2D Operations
SVGA_CMD_INVALID_CMD
SVGA_CMD_UPDATE
SVGA_CMD_RECT_FILL
SVGA_CMD_RECT_COPY
SVGA_CMD_DEFINE_BITMAP
SVGA_CMD_DEFINE_BITMAP_SCANLINE
SVGA_CMD_DEFINE_PIXMAP
SVGA_CMD_DEFINE_PIXMAP_SCANLINE
SVGA_CMD_RECT_BITMAP_FILL
SVGA_CMD_RECT_PIXMAP_FILL
SVGA_CMD_RECT_BITMAP_COPY
SVGA_CMD_RECT_PIXMAP_COPY
SVGA_CMD_FREE_OBJECT
SVGA_CMD_RECT_ROP_FILL
SVGA_CMD_RECT_ROP_COPY
SVGA_CMD_RECT_ROP_BITMAP_FILL
SVGA_CMD_RECT_ROP_PIXMAP_FILL
SVGA_CMD_RECT_ROP_BITMAP_COPY
SVGA_CMD_RECT_ROP_PIXMAP_COPY
SVGA_CMD_DEFINE_CURSOR
SVGA_CMD_DISPLAY_CURSOR
SVGA_CMD_MOVE_CURSOR
SVGA_CMD_DEFINE_ALPHA_CURSOR
SVGA_CMD_DRAW_GLYPH
SVGA_CMD_DRAW_GLYPH_CLIPPED
SVGA_CMD_UPDATE_VERBOSE
SVGA_CMD_SURFACE_FILL
SVGA_CMD_SURFACE_COPY
SVGA_CMD_SURFACE_ALPHA_BLEND
SVGA_CMD_FRONT_ROP_FILL
SVGA_CMD_FENCE
SVGA_CMD_VIDEO_PLAY_OBSOLETE
SVGA_CMD_VIDEO_END_OBSOLETE
SVGA_CMD_ESCAPE
SVGA_CMD_RECT_COPY
Copies a rectangle in the Frame Buffer from a source X,Y to a destination X,Y
[Figure: Src and Dst rectangles inside the Frame Buffer]
SVGA_CMD_RECT_COPY
[Figure: Frame Buffer]
SVGA_CMD_RECT_COPY
Boundaries checks on the destination location can be bypassed (to a lower extent than source)
[Figure: Dst outside the Frame Buffer, Src inside]
SVGA Arbitrary Read & Write
One can copy host process memory into the frame buffer and read it
  Default unlimited arbitrary read
One can write data into the frame buffer and copy it into the host process memory
  Default limited arbitrary write
SVGA_CMD_DRAW_GLYPH
Draws a glyph into the frame buffer
Requires svga.yesGlyphs = TRUE
[Figure: Virtual Screen]
SVGA_CMD_DRAW_GLYPH
There is no check on the X,Y where the glyph is to be copied
[Figure: Virtual Screen]
Arbitrary Write N
Frame buffer is mapped in the host memory
SVGA_CMD_DRAW_GLYPH bug means:
  One can write any data, anywhere in the host process memory
  Write address is relative to the base of the frame buffer
Non default arbitrary write
VMware & 3D
Experimental 3D support appeared in VMware Workstation 5.0 (April 2005)
It became default with Wks 6.5 (and Fusion?)
Code is reachable regardless of checkbox
3D operations are default and parsed under ESX 4.0 RC
  Hard freeze
SVGA 3D
It uses contexts like Direct3D
SVGA FIFO 3D Operations
SVGA_CMD_SURFACE_DEFINE
SVGA_CMD_SURFACE_DESTROY
SVGA_CMD_SURFACE_COPY
SVGA_CMD_SURFACE_DOWNLOAD
SVGA_CMD_SURFACE_UPLOAD
SVGA_CMD_INDEX_BUFFER_DEFINE
SVGA_CMD_INDEX_BUFFER_DESTROY
SVGA_CMD_INDEX_BUFFER_UPLOAD
SVGA_CMD_VERTEX_BUFFER_DEFINE
SVGA_CMD_VERTEX_BUFFER_DESTROY
SVGA_CMD_VERTEX_BUFFER_UPLOAD
SVGA_CMD_CONTEXT_DEFINE
SVGA_CMD_CONTEXT_DESTROY
SVGA_CMD_SETTRANSFORM
SVGA_CMD_SETZRANGE
SVGA_CMD_SETRENDERSTATE
SVGA_CMD_SETRENDERTARGET
SVGA_CMD_SETTEXTURESTATE
SVGA_CMD_SETMATERIAL
SVGA_CMD_SETLIGHTDATA
SVGA_CMD_SETLIGHTENABLED
SVGA_CMD_SETVIEWPORT
SVGA_CMD_SETCLIPPLANE
SVGA_CMD_CLEAR
SVGA_CMD_PRESENT
SVGA_CMD_DRAWPRIMITIVES
SVGA_CMD_DRAWINDEXEDPRIMITIVES
SVGA_CMD_SHADER_DEFINE
SVGA_CMD_SHADER_DESTROY
SVGA_CMD_SET_VERTEXSHADER
SVGA_CMD_SET_PIXELSHADER
SVGA_CMD_SET_SHADER_CONST
SVGA_CMD_DRAWPRIMITIVES2
SVGA_CMD_DRAWINDEXEDPRIMITIVES2
3D Bugs
Many SET commands are flawed
SETRENDERSTATE
The code:

    loc_65EE25:                         ; CODE XREF: SetRenderStateInContext+25j
        mov     edi, [ecx+eax*8]        ; Offset @ InputData[i]
        mov     ebx, [ecx+eax*8+4]      ; Data @ InputData[i+1]
        add     eax, 1                  ; i++
        cmp     eax, edx
        mov     [esi+edi*4+50h], ebx
        jb      short loc_65EE25

Write primitive relative to esi
  It's the context address in the host memory
  It can be leaked in the guest thanks to the COPY bug!
Relative to Absolute
SETLIGHTENABLED
The code:

    mov     ecx, [ebp+arg_4]
    mov     eax, [ecx+4]
    mov     ecx, [ecx+8]
    mov     edx, eax
    shl     edx, 4
    sub     edx, eax
    mov     eax, [ebp+arg_0]
    mov     eax, [eax+648h]
    mov     [eax+edx*8], ecx
MoarBugz
Additional bugs in:
SETRENDERTARGET
SETCLIPPLANE
SETTRANSFORM
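The RECT_COPY, DRAW_GLYPH and SET* slides all describe the same defect class: a guest-supplied coordinate or index is used to address host memory without being checked against the object it is supposed to stay inside. As an added example (not code from the slides or from VMware), the following toy C model shows how a host-side emulator should validate such commands: a RECT_COPY that checks source and destination alike with overflow-safe arithmetic, and a SETRENDERSTATE-style handler that bounds every offset before any store and refuses the whole command when one pair is bad. The frame buffer size, the render-state table and the command layouts are assumptions made for the example.

```c
/* Added example (not from the Cloudburst slides or from VMware): a toy model of
 * two emulated-device command handlers, RECT_COPY and SETRENDERSTATE, written
 * the way the host-side emulator should validate guest-supplied values.
 * Frame buffer size, the render-state table and the command layouts are assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FB_WIDTH  64                  /* assumed toy frame buffer, in pixels */
#define FB_HEIGHT 32
#define RS_COUNT  256                 /* assumed number of render-state slots per context */

typedef struct { uint32_t pixels[FB_WIDTH * FB_HEIGHT]; } framebuffer_t;
typedef struct { uint32_t render_state[RS_COUNT]; } context_t;

/* Guest-controlled rectangle as it would arrive in a FIFO command. */
typedef struct { uint32_t src_x, src_y, dst_x, dst_y, width, height; } rect_copy_cmd_t;
/* One (offset, data) pair of a SET-style command payload. */
typedef struct { uint32_t index, value; } rs_pair_t;

/* True if (x, y, w, h) lies entirely inside the frame buffer. The sums are formed
 * in 64 bits so that guest-chosen 32-bit values cannot wrap the check. */
static bool rect_in_bounds(uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    if (w == 0 || h == 0)
        return false;
    return (uint64_t)x + w <= FB_WIDTH && (uint64_t)y + h <= FB_HEIGHT;
}

/* RECT_COPY: source and destination get the same check, since either one
 * reaching past the frame buffer turns the copy into a read or write of
 * whatever host memory follows it. Returns 0 on success, -1 if rejected. */
int handle_rect_copy(framebuffer_t *fb, const rect_copy_cmd_t *c)
{
    if (!rect_in_bounds(c->src_x, c->src_y, c->width, c->height))
        return -1;
    if (!rect_in_bounds(c->dst_x, c->dst_y, c->width, c->height))
        return -1;
    /* Stage through a temporary so overlapping rectangles copy correctly;
     * the bounds check guarantees width * height fits in it. */
    uint32_t tmp[FB_WIDTH * FB_HEIGHT];
    size_t row_bytes = (size_t)c->width * sizeof(uint32_t);
    for (uint32_t r = 0; r < c->height; r++)
        memcpy(&tmp[r * c->width],
               &fb->pixels[(c->src_y + r) * FB_WIDTH + c->src_x], row_bytes);
    for (uint32_t r = 0; r < c->height; r++)
        memcpy(&fb->pixels[(c->dst_y + r) * FB_WIDTH + c->dst_x],
               &tmp[r * c->width], row_bytes);
    return 0;
}

/* SETRENDERSTATE: the slide's loop stores Data at context + 0x50 + Offset*4 with
 * no check on Offset. Here every index is validated against the table before any
 * store, and the whole command is refused if one pair is bad, so a rejected
 * command leaves no partial state behind. Returns pairs applied, or -1. */
int handle_set_render_state(context_t *ctx, const rs_pair_t *pairs, uint32_t count)
{
    for (uint32_t i = 0; i < count; i++)
        if (pairs[i].index >= RS_COUNT)
            return -1;
    for (uint32_t i = 0; i < count; i++)
        ctx->render_state[pairs[i].index] = pairs[i].value;
    return (int)count;
}

/* Scenarios on constructed input; each returns 1 when the handler behaves as intended. */
int scenario_valid_copy(void)
{
    framebuffer_t fb;
    memset(&fb, 0, sizeof fb);
    fb.pixels[2 * FB_WIDTH + 3] = 0xAABBCCDDu;               /* pixel (3,2) */
    rect_copy_cmd_t c = { 3, 2, 10, 5, 1, 1 };
    return handle_rect_copy(&fb, &c) == 0 && fb.pixels[5 * FB_WIDTH + 10] == 0xAABBCCDDu;
}

int scenario_dst_out_of_bounds(void)
{
    framebuffer_t fb;
    memset(&fb, 0, sizeof fb);
    rect_copy_cmd_t c = { 0, 0, FB_WIDTH - 1, 0, 2, 1 };      /* dst spills past the row */
    return handle_rect_copy(&fb, &c) == -1;
}

int scenario_wraparound(void)
{
    framebuffer_t fb;
    memset(&fb, 0, sizeof fb);
    /* src_x + width wraps to 0x10 in 32 bits; a uint32 "x + w <= width" check would pass it. */
    rect_copy_cmd_t c = { 0xFFFFFFF0u, 0, 0, 0, 0x20, 1 };
    return handle_rect_copy(&fb, &c) == -1;
}

int scenario_render_state(void)
{
    context_t ctx;
    memset(&ctx, 0, sizeof ctx);
    rs_pair_t ok[2]  = { { 0, 1 }, { RS_COUNT - 1, 2 } };
    rs_pair_t bad[2] = { { 1, 7 }, { 0x40000000u, 9 } };      /* second pair points far outside */
    return handle_set_render_state(&ctx, ok, 2) == 2
        && ctx.render_state[RS_COUNT - 1] == 2
        && handle_set_render_state(&ctx, bad, 2) == -1
        && ctx.render_state[1] == 0;                            /* nothing from the bad command landed */
}

int main(void)
{
    printf("valid copy: %d\nrejected dst: %d\nrejected wrap: %d\nrender state: %d\n",
           scenario_valid_copy(), scenario_dst_out_of_bounds(),
           scenario_wraparound(), scenario_render_state());
    return 0;
}
```

The wraparound scenario is the one worth remembering: a check written as `x + w <= width` in 32-bit arithmetic accepts a huge `x`, which is exactly how a "bounded" copy ends up addressing memory outside the frame buffer.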
Exploitation
Requirements
We have to be able to read/write directly into the frame buffer and the FIFO
Direct3D has some APIs for that
  Everything is checked and sanitized on the Guest side
  Sits on top of VMware video driver
The solution is to write our own driver
  It can be standalone though
  Less coding to do this way
  Maps the frame buffer and FIFO for direct, unrestricted access
  Requires Admin rights in the VM
Exploitation Process
Step #1: leak the base address of the frame buffer in the Host
  All further leaks are relative to this address
  Some methods:
    Windows Vista: relative memory leak
    Ubuntu: relative leak brute force
    Windows XP/Vista: absolute memory write
Exploitation Process
Step #2: fingerprint VMware version
  We leak the PE/ELF header for that
  They tend to be always at the same address
Step #3 to #n: exploit
  Leak / Overwrite / Trigger / Leak / Overwrite / Trigger
  Done!
Leak Example
We leak some data on the first line of the frame buffer (more visual)
Dealing with DEP
One for RE, one for RW
They take their parameters in the .data section!
Easily abusable with the absolute write primitive
Also available for mprotect under Linux/ESX
Vista 12 Steps Example: 1 to 6
1) Leak the Frame Buffer Base address in the Host
2) Leak the PE Header of the vmware-vmx.exe binary
3) Based on the Timestamp in the PE Header, set the correct addresses needed
4) Leak the 1st pointer of the SVGAUser structure
5) Leak the memory pointed by the leaked pointer to retrieve the address of the Context
6) Overwrite the VirtualProtect parameters so that the address is the one of the PE header and the size is 1000h. Overwrite as well the function pointer for the ESCAPE command with the address of the RW VirtualAlloc wrapper
Vista 12 Steps Example: 7 to 12
7) Trigger the ESCAPE command: the PE Header is now RW
8) Write the shellcode into the PE Header
9) Same as 6), except that we overwrite the ESCAPE function pointer with the RE VirtualAlloc wrapper
10) Trigger the ESCAPE command: the PE Header (and our shellcode) is now RE
11) Overwrite the ESCAPE function pointer with a pointer to our shellcode.
12) Trigger the ESCAPE command
MOSDEF
Post Exploitation
Idea: tunnel the shell over the frame buffer
Guest Side: Direct3D API
Create and manipulate objects (surfaces) in the video card memory, offscreen
  CreateOffscreenPlainSurface
  Format being D3DFMT_A8R8G8B8 (32 bits per pixel)
  D3DXLoadSurfaceFromMemory
  D3DXSaveSurfaceToFileInMemory
    No raw format, use D3DXIFF_BMP
    We parse the BMP to recover our data
Host Side
Bind a MOSDEF listener on localhost
Scan the video card memory for a signature
MOSDEF acting sequentially, we should not have any concurrent access issue
  We implement a lousy semaphore to be sure
TheResult
Conclusion
VMs, Security and You
Virtualization Misconceptions
VMware isn't an additional security layer
  It's just another layer to find bugs in
Given the correct bug primitives (memory leak, memory write), everything can be defeated
  ASLR, NX
Why would ESX ever need 3D support...