breaking turtles all the way down
play

Breaking Turtles All the Way Down An Exploit Chain to Break Out of - PowerPoint PPT Presentation

Jun 11, 2023 •321 likes •700 views

Breaking Turtles All the Way Down An Exploit Chain to Break Out of VMware ESXi Hanqing Zhao, Yanyu Zhang , Kun Yang, Taesoo Kim Chaitin Security Research Lab Georgia Institute of Technology Tsinghua University 1 What is ESXi? Bare-metal

  1. Breaking Turtles All the Way Down An Exploit Chain to Break Out of VMware ESXi Hanqing Zhao, Yanyu Zhang , Kun Yang, Taesoo Kim Chaitin Security Research Lab Georgia Institute of Technology Tsinghua University 1

  2. What is ESXi? ● Bare-metal hypervisor ● Widely used in private cloud 2

  3. What is VM Escape? ... Guest OS Guest OS ... Guest OS 0 1 N exploitation VMM Excute arbitrary codes network connection on the host Host OS 3

  4. Attack I/O devices (Pwn2Own 2017) Graphic (TianfuCup Ethernet 2018) USB (Pwn2Own 2019) SATA SCSI Several Workstation escape COM have been demonstrated 4

  5. No ESXi Escape? What makes it so challenging? (Pwn2Own 2017) Graphic There has been no escape of (TianfuCup Ethernet 2018) ESXi !!! USB (Pwn2Own 2019) SATA SCSI COM 5

  6. The customized architecture has not been studied RPC ● VMKernel RPC VMX handlers ○ VMM(hypervisor) guest OS virtual ○ User world API hardwares ○ VMFS ○ Drivers PIO/ Sandbox MMIO ● VMX Process #VM launch #VM-exit ○ Virtual hardwares #VM resume ○ RPC handlers USER API VM-Exit handlers VMM VMKernel Physical Hardware 6

  7. Limited attack surfaces ● VM-Exit handlers RPC RPC host Ring3 VMX handlers ● Virtual Hardwares guest OS virtual ● RPC hardwares ● compact VMX Sandbox process #VM launch I/O #VM-exit #VM resume USER API VMM VM-Exit handlers host Ring0 7

  8. Challenging mitigations and protections RPC RPC host Ring3 VMX ● ASLR handlers guest OS virtual ● NX/DEP hardwares ● sandboxing PIO/ Sandbox MMIO #VM launch #VM-exit #VM resume USER API VM-Exit handlers VMM host Ring0 8

  9. Overview: VulnerabilitIes and Exploitation VMX Uninitialized Stack Usage (CVE-2018-6981) Sandbox Uninitialized Stack Read (CVE-2018-6982) 9

  10. Overview: VulnerabilitIes and Exploitation VMX Uninitialized Stack Usage → Arbitrary Address Free Sandbox Uninitialized Stack Read → Information Leakage 10

  11. Overview: VulnerabilitIes and Exploitation VMX Uninitialized Stack Usage → Arbitrary Address Free Sandbox Uninitialized Stack Read → Information Leakage Arbitrary Shellcode Execution in VMX process 11

  12. Overview: VulnerabilitIes and Exploitation VMX VMX Uninitialized Stack Usage → Arbitrary Address Free Sandbox Sandbox Escape Uninitialized Stack Read → Information Leakage Arbitrary Shellcode Execution in VMX process 12

  13. CVE-2018-6981: Uninitialized Stack Variable void destruct_page_struct(page_struct * a1 ) void __usercall vmxnet3_reg_cmd() { { ... if(page_count == 1) case 4: // VMXNET3_CMD_UPDATE_MAC_FILTERS free(a1->addr) * dma_memory_create(..., &page); // free the pointer on stack vmxnet3_cmd_update_mac_filters(v6, &page, a5); else * destruct_page_struct(&page); free(a1->page_array); } } break; page ... } char __fastcall dma_memory_create( unsigned addr , uint64 translate_size size , … , page_struct * page ) page_offset { // check the addr page_count * if ( addr > v5 || !size || size > v5 - addr + 1 ) addr 0x10 * return 0; set_page_struct(addr, size, a3, a4, page); page_array 0x18 return 1; } ... 13 a struct on stack for address translation

  14. CVE-2018-6981: Uninitialized Stack Variable void destruct_page_struct(page_struct * a1 ) void __usercall vmxnet3_reg_cmd() { { ... if(page_count == 1) case 4: // VMXNET3_CMD_UPDATE_MAC_FILTERS free(a1->addr) * dma_memory_create(..., &page); // free the pointer on stack vmxnet3_cmd_update_mac_filters(v6, &page, a5); else * destruct_page_struct(&page); free(a1->page_array); } } break; page try to initialize the “page” structure on stack ... } char __fastcall dma_memory_create( unsigned addr , uint64 translate_size size , … , page_struct * page ) page_offset { // check the addr page_count * if ( addr > v5 || !size || size > v5 - addr + 1 ) addr 0x10 * return 0; set_page_struct(addr, size, a3, a4, page); page_array 0x18 return 1; } ... 14 a struct on stack for address translation

  15. CVE-2018-6981: Uninitialized Stack Variable void destruct_page_struct(page_struct * a1 ) void __usercall vmxnet3_reg_cmd() { { ... if(page_count == 1) case 4: // VMXNET3_CMD_UPDATE_MAC_FILTERS free(a1->addr) * dma_memory_create(..., &page); // free the pointer on stack vmxnet3_cmd_update_mac_filters(v6, &page, a5); else * destruct_page_struct(&page); free(a1->page_array); } } break; check the size and addr page ... } char __fastcall dma_memory_create( unsigned addr , uint64 translate_size size , … , page_struct * page ) page_offset { // check the addr page_count * if ( addr > v5 || !size || size > v5 - addr + 1 ) addr 0x10 * return 0; set_page_struct(addr, size, a3, a4, page); page_array 0x18 return 1; } ... 15 a struct on stack for address translation

  16. CVE-2018-6981: Uninitialized Stack Variable void destruct_page_struct(page_struct * a1 ) void __usercall vmxnet3_reg_cmd() { { ... if(page_count == 1) case 4: // VMXNET3_CMD_UPDATE_MAC_FILTERS free(a1->addr) * dma_memory_create(..., &page); // free the pointer on stack vmxnet3_cmd_update_mac_filters(v6, &page, a5); else * destruct_page_struct(&page); free(a1->page_array); } } break; illegal combination! skip initalization page ... } char __fastcall dma_memory_create( unsigned addr , uint64 translate_size size , … , page_struct * page ) page_offset { // check the addr page_count * if ( addr > v5 || !size || size > v5 - addr + 1 ) addr 0x10 * return 0; initialization set_page_struct(addr, size, a3, a4, page); page_array 0x18 return 1; } ... 16 a struct on stack for address translation

  17. CVE-2018-6981: Uninitialized Stack Variable void destruct_page_struct(page_struct * a1 ) void __usercall vmxnet3_reg_cmd() { { ... if(page_count == 1) case 4: // VMXNET3_CMD_UPDATE_MAC_FILTERS free(a1->addr) * dma_memory_create(..., &page); // free the pointer on stack vmxnet3_cmd_update_mac_filters(v6, &page, a5); else * destruct_page_struct(&page); free(a1->page_array); } } break; page return and enter into the “destruct” function ... } char __fastcall dma_memory_create( unsigned addr , uint64 translate_size size , … , page_struct * page ) page_offset { // check the addr page_count * if ( addr > v5 || !size || size > v5 - addr + 1 ) addr 0x10 * return 0; initialization set_page_struct(addr, size, a3, a4, page); page_array 0x18 return 1; } ... 17 a struct on stack for address translation

  18. Uninit Variable → Arbitrary Address Free void __usercall handle_port_io(__int64 a1 , __int64 a2 , __int64 a3 ) { ... v3 = *(a1 + 4); Abusing a function to spray stack! v4 = *(a1 + 13); read_or_write = *(a1 + 48); ... if ( *(a1 + 60) && (v10 = *(a1 + 52) << 12, v10 > 0x8000) ) v11 = malloc_heap_memory(v10); // copy the data into heap else translate_size v11 = &v35; void destruct_page_struct page_offset if ( read_or_write & 1 ) (page_struct * a1 ) page_count { { if ( *(v8 + 60) ) … { ... addr 0x10 // free the pointer on stack v15 = v11; free(a1->page_array); page_array 0x18 do } ... { ... memcpy(v15, v18, v17); // copy the data into stack 18 18 ...

  19. CVE-2018-6982: Uninitialized Stack Variable bool __fastcall vmxnet3_cmd_get_coalesce(__int64 a1 , char a2 ){ struct buffer { uint64_t member0; At first, all stack variables are uninitlized uint64_t member1; }; size_t length; ... get_length_from_guest(..., &length); if(length != 16) return; ... * buffer.member0 = 0xFA000000003LL; // first 8-byte of src is initialized, but 16-byte is read // (length == 16) * write_back_to_guest(v19, &buffer, length, ...); return 1; } ... 19 }

  20. CVE-2018-6982: Uninitialized Stack Variable bool __fastcall vmxnet3_cmd_get_coalesce(__int64 a1 , char a2 ){ struct buffer { uint64_t member0; uint64_t member1; }; size_t length; ... set length get_length_from_guest(..., &length); must be 16 if(length != 16) return; ... * buffer.member0 = 0xFA000000003LL; // first 8-byte of src is initialized, but 16-byte is read // (length == 16) * write_back_to_guest(v19, &buffer, length, ...); return 1; } ... 20 }

  21. CVE-2018-6982: Uninitialized Stack Variable bool __fastcall vmxnet3_cmd_get_coalesce(__int64 a1 , char a2 ){ struct buffer { uint64_t member0; uint64_t member1; }; size_t length; ... get_length_from_guest(..., &length); if(length != 16) return; ... initialize the first 8-byte * buffer.member0 = 0xFA000000003LL; // first 8-byte of src is initialized, but 16-byte is read // (length == 16) * write_back_to_guest(v19, &buffer, length, ...); return 1; } ... 21 }

  22. CVE-2018-6982: Uninitialized Stack Variable bool __fastcall vmxnet3_cmd_get_coalesce(__int64 a1 , char a2 ){ struct buffer { uint64_t member0; uint64_t member1; }; size_t length; ... get_length_from_guest(..., &length); if(length != 16) return; ... * buffer.member0 = 0xFA000000003LL; // first 8-byte of src is initialized, but 16-byte is read // (length == 16) member1(uninitilized) * write_back_to_guest(v19, &buffer, length, ...); will be write back to the return 1; } guest OS ... 22 }

  23. Abusing a special RPC named “backdoor” ● A special hypercall ● Guest ○ Send messages through special I/O ports ● Host ○ Handle messages in VMX process 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ORIGIN OF TURTLES Earliest relative of the current existing sea turtles - Desmatochelys padillai

ORIGIN OF TURTLES Earliest relative of the current existing sea turtles - Desmatochelys padillai

TURTLES FRIENDLY PREHISTORIC CREATURES Georgina Hayes PADI SI #411108 BSc Hons. Zoology ORIGIN OF TURTLES Earliest relative of the current existing sea turtles - Desmatochelys padillai from the early Cetaceous period (fossil aged at 120

228 views • 19 slides
Protecting Sea Turtles from Shrimp Trawl Nets Credit: NOAA Whats the Problem? Not

Protecting Sea Turtles from Shrimp Trawl Nets Credit: NOAA Whats the Problem? Not

Protecting Sea Turtles from Shrimp Trawl Nets Credit: NOAA Whats the Problem? Not all shrimp boats are required to use Turtle Excluder Devices (TEDs) * The government estimates that 50,000 sea turtles drown every year in shrimp

363 views • 18 slides
Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Dr Nick Saville Breaking out of the box Understanding rela5onships between learning and assessment Breaking out of the box - a metaphor for thinking about rela5onships and interpreta5ons breaking out breaking out of the box of the

895 views • 68 slides
Turtles for the Biology of Reptiles Amphibian Foundation Dr. Tobias Landberg The Flexible

Turtles for the Biology of Reptiles Amphibian Foundation Dr. Tobias Landberg The Flexible

Turtles for the Biology of Reptiles Amphibian Foundation Dr. Tobias Landberg The Flexible Organism What causes diversity? Responding to challenges at different time scales Behavior Adaptation Plasticity Evolution Where is variation

646 views • 40 slides
Conserving Leatherback Sea Turtles in Trinidad and Tobago: Harmonizing Trinidad and Tobagos

Conserving Leatherback Sea Turtles in Trinidad and Tobago: Harmonizing Trinidad and Tobagos

Conserving Leatherback Sea Turtles in Trinidad and Tobago: Harmonizing Trinidad and Tobagos Conserva&lt;on of Wildlife Act and Regula&lt;ons under the Fisheries Act Brent Plater Fulbright Scholar, University of the West Indies at St.

923 views • 14 slides
Sea Turtles Created with Haiku Deck, presentation software that's simple, beautiful and fun. By

Sea Turtles Created with Haiku Deck, presentation software that's simple, beautiful and fun. By

Sea Turtles Created with Haiku Deck, presentation software that's simple, beautiful and fun. By Brad Flickinger Photo by dbaist5 page 1 of 7 Sea Turtles Created with Haiku Deck, presentation software that's simple, beautiful and fun. By Brad

226 views • 7 slides
Response to Request for Risk Assessment of Exceeding Effort Threshold Associated with Sea Turtles

Response to Request for Risk Assessment of Exceeding Effort Threshold Associated with Sea Turtles

Tab D, No. 5(b) Response to Request for Risk Assessment of Exceeding Effort Threshold Associated with Sea Turtles Rick A. Hart 1 , Mike Travis 2 , and Christopher Liese 1 NOAA Fisheries Service 1 SEFSC 2 SERO Gulf of Mexico Fisheries Management

366 views • 14 slides
Field Studies of Whales, Dolphins, and Sea Turtles for Offshore Alternative Energy Planning in

Field Studies of Whales, Dolphins, and Sea Turtles for Offshore Alternative Energy Planning in

Field Studies of Whales, Dolphins, and Sea Turtles for Offshore Alternative Energy Planning in Massachusetts: 2011-2017 Scott D. Kraus, Ph.D. Ester Quintana, Ph.D Paul Nagelkirk Anderson Cabot Center for Ocean Life New England Aquarium

343 views • 11 slides
Conservation and Trade Management of Freshwater and Terrestrial Turtles in the United States

Conservation and Trade Management of Freshwater and Terrestrial Turtles in the United States

Conservation and Trade Management of Freshwater and Terrestrial Turtles in the United States Workshop Presentation Abstracts Hilton St. Louis St. Louis, Missouri September 20-24, 2010 Convened and hosted by the U.S. Fish and Wildlife Service,

613 views • 24 slides
The Turtles Project: Design and Implementation of Nested Virtualization Muli Ben-Yehuda

The Turtles Project: Design and Implementation of Nested Virtualization Muli Ben-Yehuda

The Turtles Project: Design and Implementation of Nested Virtualization Muli Ben-Yehuda Michael D. Day Zvi Dubitzky Michael Factor Nadav HarEl Abel Gordon Anthony Liguori Orit Wasserman Ben-Ami Yassour IBM

919 views • 63 slides
Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD

Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD

Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD Breaking down iD 15% Rendering Painting 21% Javascript 64% HTML A sample of what iD is doing behind the scenes Breaking down JS 13% Draw Vector

426 views • 27 slides
THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING

THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING

THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING p.1/31 OUTLINE Introduction Higgs sector Tree-level masses EWSB and fine-tuning Supersymmetric spectrum Dark

361 views • 34 slides
Preventing crimes against marine turtles: the role of ARCHELON Panagiota Theodorou Conservation

Preventing crimes against marine turtles: the role of ARCHELON Panagiota Theodorou Conservation

Preventing crimes against marine turtles: the role of ARCHELON Panagiota Theodorou Conservation Coordinator ARCHELON, the Sea Turtle Protection Society of Greece www.archelon.gr LIFE NATURA THEMIS International Perspectives on Preventing

271 views • 26 slides
Page Fault Liberation Army Its turtles Turing machines all the way down! Julian Bangert,

Page Fault Liberation Army Its turtles Turing machines all the way down! Julian Bangert,

Page Fault Liberation Army Its turtles Turing machines all the way down! Julian Bangert, Sergey Bratus, Rebecca .bx Shapiro Trust Lab Dartmouth College Sunday, February 17, 13 Page Fault Liberation l The x86 MMU is not just

760 views • 75 slides
Eastern Box Turtle Overview The eastern box turtle its name from being the official state

Eastern Box Turtle Overview The eastern box turtle its name from being the official state

Eastern Box Turtle Overview The eastern box turtle its name from being the official state reptile of North Carolina. Scientific name : Terrapene carolina Carolina It belongs to a group of turtles called hinge-shelled turtles , commonly called

329 views • 4 slides
Breaking Up Breaking Up Is Is Hard Hard To Do (But It Might To Do (But It Might Be Be Easier

Breaking Up Breaking Up Is Is Hard Hard To Do (But It Might To Do (But It Might Be Be Easier

Breaking Up Breaking Up Is Is Hard Hard To Do (But It Might To Do (But It Might Be Be Easier with a Prenup) Easier with a Prenup) Gregory S. Gregory S. William Williams, , Esq. Esq. Carr rruthe uthers &amp; rs &amp; Roth, P.A.

170 views • 6 slides
Pointers Character Values There are a fixed number of char values Examples: a b

Pointers Character Values There are a fixed number of char values Examples: a b

Pointers Character Values There are a fixed number of char values Examples: a b \n Number of possibilities : the number of chars 1 A char Variable Pointer Values There are a fixed number of pointer values Assume a 32 bit

483 views • 20 slides
CSE306 Software Quality in Practice Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall

CSE306 Software Quality in Practice Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall

CSE306 Software Quality in Practice Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall Before class question When stepping through code with debugger, why are declarations skipped? int foo() { int x; double y; y = f(x) * 3; / / why

321 views • 9 slides
Database Design Process Requirements analysis Conceptual design: Entity-Relationship Model

Database Design Process Requirements analysis Conceptual design: Entity-Relationship Model

IT360: Applied Database Systems From Entity-Relational Model To Relational Model Chapter 6, 7 in Kroenke 1 Database Design Process Requirements analysis Conceptual design: Entity-Relationship Model Logical design: transform ER

340 views • 22 slides
Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1 Buffer Overflows One of the most common vulnerabiliCes in soGware Programming languages commonly associated with buffer overflows including

195 views • 17 slides
Charcoal Briquettes Cheap, environmentally-friendly bio fuel and devices 2.009 Blue Team A

Charcoal Briquettes Cheap, environmentally-friendly bio fuel and devices 2.009 Blue Team A

Charcoal Briquettes Cheap, environmentally-friendly bio fuel and devices 2.009 Blue Team A Dexter Ang, John Brewer, Kevin Chen, Greg Fonder, Danny Hilton, Matt Krueger, Andres Pino 2.009 Blue Team A October 7, 2004 Piston Extrusion 2.009

420 views • 4 slides
Remediation W. Lee Daniels Virginia Tech wdaniels@vt.edu; www.landrehab.org Goals for this talk

Remediation W. Lee Daniels Virginia Tech wdaniels@vt.edu; www.landrehab.org Goals for this talk

Characteristics of Coal Combustion By-Products and Considerations for Use in Site Remediation W. Lee Daniels Virginia Tech wdaniels@vt.edu; www.landrehab.org Goals for this talk Briefly describe history of coal combustion residuals (CCR)

1.03k views • 71 slides
How does Wind affect Coal (Cycling, Emissions and Cost)

How does Wind affect Coal (Cycling, Emissions and Cost)

How does Wind affect Coal (Cycling, Emissions and Cost) Outline Analysis of cycling costs Why analyze cycling damage and costs Damage

589 views • 26 slides
Parent Volunteers Our 2019-20 Parent Volunteer Coordinator Karen Bartnick From MCSD: Mrs. Patti

Parent Volunteers Our 2019-20 Parent Volunteer Coordinator Karen Bartnick From MCSD: Mrs. Patti

Parent Volunteers Our 2019-20 Parent Volunteer Coordinator Karen Bartnick From MCSD: Mrs. Patti May SAVE THE DATE: Meet and Greet on Friday, Sept. 6 at 9:30 Email address: volunteer_coordinator@clarkalc.net August 2019 Classroom Supplies Needed

434 views • 15 slides

More recommend