leveraging vmware s rpc
play

LEVERAGING VMWARE'S RPC INTERFACE FOR FUN AND PROFIT 1 Agenda - PowerPoint PPT Presentation

Oct 29, 2022 •11 likes •491 views

LEVERAGING VMWARE'S RPC INTERFACE FOR FUN AND PROFIT 1 Agenda Introduction VMware General Architecture (Simplified) Host <-> Guest Communication Backdoor Interface VM RPC Interface Functions

  1. LEVERAGING VMWARE'S RPC INTERFACE FOR FUN AND PROFIT 1

  2. Agenda • Introduction • VMware General Architecture (Simplified) • Host <-> Guest Communication – Backdoor Interface • VM RPC Interface – Functions – Recording Guest -> Host RPC requests • Developing tools to query the RPC Interface – C++ – Python • C Extension • CTypes • VMware UAF Exploitation – Controlling Freed Objects – Finding Exploit primitives – Demo • Conclusion 2

  3. Introductions 3

  4. Abdul-Aziz Hariri • BS in Computer Sciences – University of Balamand • Currently a Senior Security Researcher at ZDI – Root Cause analysis / Vulnerability Research / Exploit development – ZDI Case Lead – Pwn2Own Preparation / Judging entries • Past Experiences – Bits Arabia, Insight-Tech and Morgan Stanley • Past research: – Pwn4Fun 2014 renderer exploit writer – Microsoft Bounty submission – Patents on Exploit Mitigation Technologies – Adobe Reader research • Twitter: @abdhariri 4

  5. Jasiel Spelman • BA in Computer Science – University of Texas at Austin • Currently a Senior Security Researcher at ZDI – Root Cause analysis / Vulnerability Research / Exploit development – ZDI Research Lead – Pwn2Own Invigilator • Past Experiences – TippingPoint Digital Vaccine team • Past research: – Pwn4Fun 2014 sandbox escape exploit writer – Patents on zero day protection technologies – Windows kernel information leaks – Adobe Flash RE & RCE vulnerabilities • Twitter: @WanderingGlitch 5

  6. Brian Gorenc • BS in Computer Engineering – Texas A&M University • MS in Software Engineering – Southern Methodist University • Director of Vulnerability Research at Trend Micro – Leads the Zero Day Initiative – Organizes Pwn2Own – Approver of Payments • Past Experiences – Lead Developer at Lockheed Martin • Past research: – Microsoft Bounty submission – Patents on Exploit Mitigation Technologies – Bug hunting in many products • Twitter: @MaliciousInput 6

  7. VMware General Architecture 7

  8. VMware General Architecture (Simplified*) Hypervisor Management Layer vmware-vmx vmware-vmx I/O I/O What’s going on here? CPU CPU vmware tools libs Guest Guest * very 8

  9. Good Question • As it turns out, quite a bit • Regardless of whether VMware tools are installed 9

  10. Host <-> Guest Communication 10

  11. Host <-> Guest Communication • Communication is done by accessing special I/O ports • VMware implements an interface called “Backdoor” – Hijacks the IN/OUT instructions – Supports multiple commands – Supports two protocols: RPCI and TCLO – Can be used to extract host information – Can be used to send Guest->Host RPC requests • The Backdoor interface is enabled by default 11

  12. Host <-> Guest Communication - Backdoor • Supports multiple commands/functions – The commands can be found in the open-vm-tools on github – backdoor_def.h defines these commands • The guest can invoke more of these commands than you think … 12

  13. Host <-> Guest Communication - Backdoor • Invoking Backdoor functions is simple: mov eax, 564D5868h /* magic number */ mov ebx, command-specific-parameter mov cx, command-number /* 1001e = RPC */ mov dx, 5658h /* VMware I/O port */ in eax, dx 13

  14. Host <-> Guest Communication - Backdoor Backdoor Channel Low-bandwidth RPCI High-bandwidth Hypervisor Guest (host) (vm) Other TCLO Backdoor Channel 14

  15. Host <-> Guest Communication - RPCI • Supports multiple commands – Rpctool.exe can be used to query some of the commands. – Rpctool.exe is open source and can be found in the open-vm-tools – These RPC commands can be found in vmware- vmx.exe and sprinkled throughout the open-vm- tools source 15

  16. Host <-> Guest Communication - RPCI 16

  17. Host <-> Guest Communication – Summary • Backdoor Interface is used for Host/Guest communication • Hijacks in/out instructions • RPCI is used from guest -> host • TCLO is used from host -> guest • RPCI commands can be found in vmware-vmx{.exe} • open-vm-tools is a goldmine! 17

  18. VM RPC Interface 18

  19. GuestRPC • The RPC requests are sent through the “backdoor” channel • Specifically, the BDOOR_CMD_MESSAGE (0x1E) • The Guest Messages are defined in guest_msg_def.h • GuestRPC supports multiple message types: 19

  20. GuestRPC • Example of a simple GuestRPC message: mov eax, 0x564D5868 mov eax, 0x564D5868 mov ecx, 0x6001e //MESSAGE_TYPE_CLOSE mov ecx, 0x001e //MESSAGE_TYPE_OPEN mov edx, 0x5658 mov edx, 0x5658 mov ebx, SIZE mov ebx, 0xC9435052 in eax, dx in eax, dx mov eax, 0x564D5868 mov ecx, 0x1001e //MESSAGE_TYPE_SENDSIZE mov edx, 0x5658 mov ebx, SIZE in eax, dx 20

  21. GuestRPC • GuestRPC requests are are parsed within vmware-vmx{.exe} • GuestRPC Messages/Functions are also implemented inside vmware-vmx{.exe} • If we look closely inside GuestRPC_Funcs we will notice the following: 21

  22. GuestRPC – ExecRPCRequest • The function takes the RPC request as an argument • Checks if the RPC function being passed is valid • Checks if we have enough permissions to execute the function • Executes it 22

  23. GuestRPC – Sniffing RPC Requests • Since this is exactly where RPC requests are parsed, we can actually hook this function and sniff the requests being sent • For this task we used pykd  – Set a breakpoint on the ExecRPCRequest function – A pointer pointing to the request is set in the r8 register – The length of the request is set in the r9 register • Should look similar to the following 23

  24. GuestRPC – Sniffing RPC Requests - DEMO • DEMO 24

  25. Developing tools to query the RPC Interface 25

  26. Tools Dev • One of the challenging problems with VMware and RPC is tools development for: – Case analysis – Exploit development – Fuzzing • While we can definitely use the open-vm-tools to develop tools in C++, there are still challenges: – There are functions that definitely needs to be implemented in ASM – Without ASM we’ll need to use the exports from vmtools.dll • Still a little bit of a hustle 26

  27. Tools Dev - C++, take 1 • Add the open-vm-tools headers to the Include Directories 27

  28. Tools Dev - C++, take 2 • Assembly..Since some function are not fully implemented in the tools, thus in order to step out of the vmtools.dll we’d need to implement some functions in ASM 28

  29. Tools Dev - C++, take 2, continued • As for implementing a function to send RPC requests through the backdoor channel in ASM, it should be pretty simple 29

  30. Tools Dev • All that is still not enough • We need something for FAST tools development • Python? Yup, we implemented simple ways to send RPC requests through python: – C Extensions – Ctypes • Unfortunately, Josh (@kernelsmith) (our DevOps manager) wanted to implement something similar in Ruby. 30

  31. Tools Dev – Python, C Extensions • C Extensions are awesome • It’s a shared Library (. pyd) on Windows which exports an initialization function • The shared library can be imported from python 31

  32. Tools Dev – Python, C Extensions 32

  33. Tools Dev – Python, CTypes • Ctypes provides C compatible data types • Allows calling functions in DLLs or shared libraries 33

  34. Fuzzing the RPC Interface 34

  35. Fuzzing the RPC Interface • Fuzzing the RPC interface requires tooling both on the GuestOS and the HostOS • Some problems that we’d need to tackle: – Detecting Crashes from the host (Mostly debugging vmware-vmx in this case) – Testcase generation (can be on the GuestOS but we want the guest to stay light) – GuestOS VM(s) management from the HostOS 35

  36. Fuzzing the RPC Interface Manage through vmrun attach vmx start monitor VMWare Framework Host WorkStation Agent Send test cases mutator 36

  37. Fuzzing the RPC Interface - InMemory • Since we know exactly were the RPC requests are being parsed, we can actually do InMemory fuzzing : – Hook ExecRPCRequest (on the HostOS) – Modify the RPC request before it gets parsed – Wait for crashes • Additional tooling required: – Crash Detection (From HostOS) – Record modifications (From the HostOS) 37

  38. Fuzzing the RPC Interface - InMemory DEMO 38

  39. VMware Drag and Drop UAF 39

  40. VMware DnD UAF – Root Cause • The Free is triggered when the DnD version is changed multiple times • The re-use happens when a random DnD function is called after the Free • The PoC is relatively simple: 40

  41. VMware DnD UAF – Root Cause • If triggered successfully we should end up in a crash similar to the following: • To verify further, !heap – p – a @RCX will show us where the Free happened: 41

  42. VMware DnD UAF – Root Cause • Next, we will need to get the size of the Free’d object • In order to do that, we will need to break right before the Free happens and run !heap – p – a on the address before it gets Freed 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

VMware vSphere Provider The VMware vSphere provider gives Terraform the ability to work with

VMware vSphere Provider The VMware vSphere provider gives Terraform the ability to work with

VMware vSphere Provider The VMware vSphere provider gives Terraform the ability to work with VMware vSphere Products, notably vCenter Server (https://www.vmware.com/products/vcenter-server.html) and ESXi

1.74k views • 156 slides
REAL PERFORMANCE RESULTS WITH VMWARE HORIZON AND VIEWPLANNER Manvender Rawat, NVIDIA Jason K.

REAL PERFORMANCE RESULTS WITH VMWARE HORIZON AND VIEWPLANNER Manvender Rawat, NVIDIA Jason K.

April 4-7, 2016 | Silicon Valley REAL PERFORMANCE RESULTS WITH VMWARE HORIZON AND VIEWPLANNER Manvender Rawat, NVIDIA Jason K. Lee, NVIDIA Uday Kurkure, VMware Inc. Overview of VMware Horizon 7 and NVIDIA GRID 2.0 Overview of VMware View

639 views • 44 slides
Resource Management in VMware ESX Server 3 Mark Fei Technical Instructor, VMware Objectives To

Resource Management in VMware ESX Server 3 Mark Fei Technical Instructor, VMware Objectives To

Resource Management in VMware ESX Server 3 Mark Fei Technical Instructor, VMware Objectives To understand: How resource pools allow you to define resource policies that are enforceable regardless of server heterogeneity or VMotion activity

547 views • 25 slides
VMware vCloud Director Provider 2.5 The VMware vCloud Director provider is used to interact with

VMware vCloud Director Provider 2.5 The VMware vCloud Director provider is used to interact with

VMware vCloud Director Provider 2.5 The VMware vCloud Director provider is used to interact with the resources supported by VMware vCloud Director. The provider needs to be congured with the proper credentials before it can be used. Use the

1.48k views • 113 slides
Traffic Footprint Characterization of Workloads using BPF Aditi Ghag aghag@vmware.com VMware

Traffic Footprint Characterization of Workloads using BPF Aditi Ghag aghag@vmware.com VMware

Traffic Footprint Characterization of Workloads using BPF Aditi Ghag aghag@vmware.com VMware Outline Background Scheduling use case Characterization of workloads eBPF based framework Traffic footprint-aware container scheduling

807 views • 24 slides
f eaturing vZilla Paul Braren, IT Professional VMware Certified Professional (VCP

f eaturing vZilla Paul Braren, IT Professional VMware Certified Professional (VCP

Build Your Own VMware ESXi and Microsoft Hyper-V lab at Home, Using Affordable and Efficient Hardware. Security BSides Boston, Saturday, May 18 2013 f eaturing vZilla Paul Braren, IT Professional VMware Certified Professional (VCP

327 views • 13 slides
INTENSIVE APPLICATION ON VMWARE HORIZON VIEW USING NVIDIA GRID VGPU Manvender Rawat, NVIDIA Lan

INTENSIVE APPLICATION ON VMWARE HORIZON VIEW USING NVIDIA GRID VGPU Manvender Rawat, NVIDIA Lan

April 4-7, 2016 | Silicon Valley BENCHMARKING GRAPHICS INTENSIVE APPLICATION ON VMWARE HORIZON VIEW USING NVIDIA GRID VGPU Manvender Rawat, NVIDIA Lan Vu, VMware Overview of VMware Horizon 7 and NVIDIA GRID 2.0 How to Size VMs AGENDA

763 views • 50 slides
CLOUDBURST A VMware Guest to Host Escape Story Kostya Kortchinsky Immunity, Inc. BlackHat USA

CLOUDBURST A VMware Guest to Host Escape Story Kostya Kortchinsky Immunity, Inc. BlackHat USA

CLOUDBURST A VMware Guest to Host Escape Story Kostya Kortchinsky Immunity, Inc. BlackHat USA 2009, Las Vegas 06/29/09 1 Introduction 06/29/09 2 VMware Architecture VMware Architecture Devices are emulated on the Host 06/29/09 3 Why

1.11k views • 48 slides
Bridging the Gap: Explaining OpenStack to VMware Administrators Kenneth Hui, Open Cloud

Bridging the Gap: Explaining OpenStack to VMware Administrators Kenneth Hui, Open Cloud

Bridging the Gap: Explaining OpenStack to VMware Administrators Kenneth Hui, Open Cloud Architect, Rackspace Scott Lowe, Engineering Architect, VMware Before we start Get involved! Audience participation is encouraged and requested.

554 views • 31 slides
Banking Case study: Scaling with low latency using NewSQL Jags Ramnarayan (VMWare) Jim

Banking Case study: Scaling with low latency using NewSQL Jags Ramnarayan (VMWare) Jim

Banking Case study: Scaling with low latency using NewSQL Jags Ramnarayan (VMWare) Jim Bedenbaugh (VMWare) Qcon 2012 Agenda Business Requirements Operational data Analysis Problem Statement Scaling pain Introduction to SQLfire Driving

865 views • 47 slides
v6.x.0 Disaster Recovery Solution for VMware vSphere High Availibility Clusters A GENDA

v6.x.0 Disaster Recovery Solution for VMware vSphere High Availibility Clusters A GENDA

v6.x.0 Disaster Recovery Solution for VMware vSphere High Availibility Clusters A GENDA VMware Virtual Layers Site Recovery Manager vFailover Scenarios Introduction Requirements Modes Failover Procedure

547 views • 30 slides
Designing Your VMware Virtual Infrastructure for Optimal Performance, Resilience and Availability

Designing Your VMware Virtual Infrastructure for Optimal Performance, Resilience and Availability

Designing Your VMware Virtual Infrastructure for Optimal Performance, Resilience and Availability Straight from the Source Deji Akomolafe VMware David Klee Heraflux Technologies Cody Chapman Heraflux Technologies December

1.11k views • 108 slides
Delivering Real World 3D Applications with VMware Horizon, Blast Extreme and NVIDIA Grid

Delivering Real World 3D Applications with VMware Horizon, Blast Extreme and NVIDIA Grid

Delivering Real World 3D Applications with VMware Horizon, Blast Extreme and NVIDIA Grid Sebastian Brand Lead Systems Engineer EUC at VMware Luke Wignall Sr. Manager, Performance Engineering at NVIDIA Disclaimer This presentation may

410 views • 37 slides
CS155 Project 1 Gary Luu Spring 2009 Setting up the Environment Download VMware Player

CS155 Project 1 Gary Luu Spring 2009 Setting up the Environment Download VMware Player

CS155 Project 1 Gary Luu Spring 2009 Setting up the Environment Download VMware Player http://www.vmware.com/products/player If prompted, click I copied it Should be configured with NAT, check w/ ifconfig Demo target1.c

397 views • 13 slides
Virtualization is the Operating System of the Cloud Ren W. Schmidt Principal Engineer VMware,

Virtualization is the Operating System of the Cloud Ren W. Schmidt Principal Engineer VMware,

Virtualization is the Operating System of the Cloud Ren W. Schmidt Principal Engineer VMware, Inc. Cloud 1 Agenda Virtualization Primer Cloud Computing Defined VMware vCloud Initiative Cloud Application Architecture

616 views • 37 slides
S8483 - Empowering CUDA Developers with Virtual Desktops Tony Foster Sr. Advisor, Technical

S8483 - Empowering CUDA Developers with Virtual Desktops Tony Foster Sr. Advisor, Technical

S8483 - Empowering CUDA Developers with Virtual Desktops Tony Foster Sr. Advisor, Technical Marketing, Dell EMC VMware vExpert; VMware EUC Champion; VMware Experts Program, BDSEW; NVIDIA vGPU Community Advisor (NGCA) @wonder_nerd

1.1k views • 41 slides
A primer, J. Pearl, M Glymur and N. Jewell Rina Dechter Bren School of Information and Computer

A primer, J. Pearl, M Glymur and N. Jewell Rina Dechter Bren School of Information and Computer

Causal Inference in Statistics A primer, J. Pearl, M Glymur and N. Jewell Rina Dechter Bren School of Information and Computer Sciences 6/7/2018 dechter, class 8, 276-18 The book of Why Pearl

686 views • 45 slides
Backdoors for SAT Marco Gario Supervisor: Steffen H olldobler Advisor: Norbert Manthey EMCL

Backdoors for SAT Marco Gario Supervisor: Steffen H olldobler Advisor: Norbert Manthey EMCL

Backdoors for SAT Marco Gario Supervisor: Steffen H olldobler Advisor: Norbert Manthey EMCL / TUD February 21, 2012 Marco Gario (EMCL / TUD) Backdoors for SAT February 21, 2012 1 / 24 Content Introduction 1 Backdoors 2 Experimental

729 views • 50 slides
Fr ont-door Versus Back-door Adjustment with Unmeasured Confounding: Bias Formulas for Front-door

Fr ont-door Versus Back-door Adjustment with Unmeasured Confounding: Bias Formulas for Front-door

Motivation Illustrative Example: ATT with One-Sided Noncompliance Application: JTPA Fr ont-door Versus Back-door Adjustment with Unmeasured Confounding: Bias Formulas for Front-door and Hybrid Adjustments 1 Adam Glynn and Konstantin Kashin

928 views • 53 slides
Breakthrough silicon scanning discovers backdoor in military chip Sergei Skorobogatov,

Breakthrough silicon scanning discovers backdoor in military chip Sergei Skorobogatov,

Breakthrough silicon scanning discovers backdoor in military chip CHES2012 Workshop, Leuven, Belgium, 9-12 September 2012 Breakthrough silicon scanning discovers backdoor in military chip Sergei Skorobogatov, Christopher Woods

353 views • 20 slides
Kernel Rootkits Don Porter Motivation (bad guys) Why take over a computer system? To

Kernel Rootkits Don Porter Motivation (bad guys) Why take over a computer system? To

Kernel Rootkits Don Porter Motivation (bad guys) Why take over a computer system? To get it to do (potentially illicit) work for you for free! E.g., send spam Stages of an attack Get on the system Get administrator

449 views • 16 slides
Mixed strategy equilibria (msNE) with N players Felix Munoz-Garcia EconS 424 - Strategy and Game

Mixed strategy equilibria (msNE) with N players Felix Munoz-Garcia EconS 424 - Strategy and Game

Mixed strategy equilibria (msNE) with N players Felix Munoz-Garcia EconS 424 - Strategy and Game Theory Washington State University Summarizing... We learned how to nd msNE in games: with 2 players, each with 2 available strategies (2x2

615 views • 37 slides
Upper and Lower Bounds for Weak Backdoor Set Detection Neeldhara Misra, Sebastian Ordyniak ,

Upper and Lower Bounds for Weak Backdoor Set Detection Neeldhara Misra, Sebastian Ordyniak ,

Upper and Lower Bounds for Weak Backdoor Set Detection Neeldhara Misra, Sebastian Ordyniak , Venkatesh Raman, and Stefan Szeider SAT 2013 Backdoor Sets Introduced by Crama et al. 1997 and independently by Williams et al. 2003 in an

768 views • 12 slides
Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats

Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats

Cyber Kill Chain Jay Chen, Ruben Ocana, Senna Alsadam, Andrew Shi Modern Security Threats New class of threat actors called Advanced Persistent Threat (APT) Data compromised for economic or military advancement Conventional

701 views • 32 slides

More recommend