breaking turtles all the way down
play

Breaking Turtles All the Way Down An Exploit Chain to Break Out of - PowerPoint PPT Presentation

Jun 11, 2023 •321 likes •700 views

Breaking Turtles All the Way Down An Exploit Chain to Break Out of VMware ESXi Hanqing Zhao, Yanyu Zhang , Kun Yang, Taesoo Kim Chaitin Security Research Lab Georgia Institute of Technology Tsinghua University 1 What is ESXi? Bare-metal

  1. Breaking Turtles All the Way Down An Exploit Chain to Break Out of VMware ESXi Hanqing Zhao, Yanyu Zhang , Kun Yang, Taesoo Kim Chaitin Security Research Lab Georgia Institute of Technology Tsinghua University 1

  2. What is ESXi? ● Bare-metal hypervisor ● Widely used in private cloud 2

  3. What is VM Escape? ... Guest OS Guest OS ... Guest OS 0 1 N exploitation VMM Excute arbitrary codes network connection on the host Host OS 3

  4. Attack I/O devices (Pwn2Own 2017) Graphic (TianfuCup Ethernet 2018) USB (Pwn2Own 2019) SATA SCSI Several Workstation escape COM have been demonstrated 4

  5. No ESXi Escape? What makes it so challenging? (Pwn2Own 2017) Graphic There has been no escape of (TianfuCup Ethernet 2018) ESXi !!! USB (Pwn2Own 2019) SATA SCSI COM 5

  6. The customized architecture has not been studied RPC ● VMKernel RPC VMX handlers ○ VMM(hypervisor) guest OS virtual ○ User world API hardwares ○ VMFS ○ Drivers PIO/ Sandbox MMIO ● VMX Process #VM launch #VM-exit ○ Virtual hardwares #VM resume ○ RPC handlers USER API VM-Exit handlers VMM VMKernel Physical Hardware 6

  7. Limited attack surfaces ● VM-Exit handlers RPC RPC host Ring3 VMX handlers ● Virtual Hardwares guest OS virtual ● RPC hardwares ● compact VMX Sandbox process #VM launch I/O #VM-exit #VM resume USER API VMM VM-Exit handlers host Ring0 7

  8. Challenging mitigations and protections RPC RPC host Ring3 VMX ● ASLR handlers guest OS virtual ● NX/DEP hardwares ● sandboxing PIO/ Sandbox MMIO #VM launch #VM-exit #VM resume USER API VM-Exit handlers VMM host Ring0 8

  9. Overview: VulnerabilitIes and Exploitation VMX Uninitialized Stack Usage (CVE-2018-6981) Sandbox Uninitialized Stack Read (CVE-2018-6982) 9

  10. Overview: VulnerabilitIes and Exploitation VMX Uninitialized Stack Usage → Arbitrary Address Free Sandbox Uninitialized Stack Read → Information Leakage 10

  11. Overview: VulnerabilitIes and Exploitation VMX Uninitialized Stack Usage → Arbitrary Address Free Sandbox Uninitialized Stack Read → Information Leakage Arbitrary Shellcode Execution in VMX process 11

  12. Overview: VulnerabilitIes and Exploitation VMX VMX Uninitialized Stack Usage → Arbitrary Address Free Sandbox Sandbox Escape Uninitialized Stack Read → Information Leakage Arbitrary Shellcode Execution in VMX process 12

  13. CVE-2018-6981: Uninitialized Stack Variable void destruct_page_struct(page_struct * a1 ) void __usercall vmxnet3_reg_cmd() { { ... if(page_count == 1) case 4: // VMXNET3_CMD_UPDATE_MAC_FILTERS free(a1->addr) * dma_memory_create(..., &page); // free the pointer on stack vmxnet3_cmd_update_mac_filters(v6, &page, a5); else * destruct_page_struct(&page); free(a1->page_array); } } break; page ... } char __fastcall dma_memory_create( unsigned addr , uint64 translate_size size , … , page_struct * page ) page_offset { // check the addr page_count * if ( addr > v5 || !size || size > v5 - addr + 1 ) addr 0x10 * return 0; set_page_struct(addr, size, a3, a4, page); page_array 0x18 return 1; } ... 13 a struct on stack for address translation

  14. CVE-2018-6981: Uninitialized Stack Variable void destruct_page_struct(page_struct * a1 ) void __usercall vmxnet3_reg_cmd() { { ... if(page_count == 1) case 4: // VMXNET3_CMD_UPDATE_MAC_FILTERS free(a1->addr) * dma_memory_create(..., &page); // free the pointer on stack vmxnet3_cmd_update_mac_filters(v6, &page, a5); else * destruct_page_struct(&page); free(a1->page_array); } } break; page try to initialize the “page” structure on stack ... } char __fastcall dma_memory_create( unsigned addr , uint64 translate_size size , … , page_struct * page ) page_offset { // check the addr page_count * if ( addr > v5 || !size || size > v5 - addr + 1 ) addr 0x10 * return 0; set_page_struct(addr, size, a3, a4, page); page_array 0x18 return 1; } ... 14 a struct on stack for address translation

  15. CVE-2018-6981: Uninitialized Stack Variable void destruct_page_struct(page_struct * a1 ) void __usercall vmxnet3_reg_cmd() { { ... if(page_count == 1) case 4: // VMXNET3_CMD_UPDATE_MAC_FILTERS free(a1->addr) * dma_memory_create(..., &page); // free the pointer on stack vmxnet3_cmd_update_mac_filters(v6, &page, a5); else * destruct_page_struct(&page); free(a1->page_array); } } break; check the size and addr page ... } char __fastcall dma_memory_create( unsigned addr , uint64 translate_size size , … , page_struct * page ) page_offset { // check the addr page_count * if ( addr > v5 || !size || size > v5 - addr + 1 ) addr 0x10 * return 0; set_page_struct(addr, size, a3, a4, page); page_array 0x18 return 1; } ... 15 a struct on stack for address translation

  16. CVE-2018-6981: Uninitialized Stack Variable void destruct_page_struct(page_struct * a1 ) void __usercall vmxnet3_reg_cmd() { { ... if(page_count == 1) case 4: // VMXNET3_CMD_UPDATE_MAC_FILTERS free(a1->addr) * dma_memory_create(..., &page); // free the pointer on stack vmxnet3_cmd_update_mac_filters(v6, &page, a5); else * destruct_page_struct(&page); free(a1->page_array); } } break; illegal combination! skip initalization page ... } char __fastcall dma_memory_create( unsigned addr , uint64 translate_size size , … , page_struct * page ) page_offset { // check the addr page_count * if ( addr > v5 || !size || size > v5 - addr + 1 ) addr 0x10 * return 0; initialization set_page_struct(addr, size, a3, a4, page); page_array 0x18 return 1; } ... 16 a struct on stack for address translation

  17. CVE-2018-6981: Uninitialized Stack Variable void destruct_page_struct(page_struct * a1 ) void __usercall vmxnet3_reg_cmd() { { ... if(page_count == 1) case 4: // VMXNET3_CMD_UPDATE_MAC_FILTERS free(a1->addr) * dma_memory_create(..., &page); // free the pointer on stack vmxnet3_cmd_update_mac_filters(v6, &page, a5); else * destruct_page_struct(&page); free(a1->page_array); } } break; page return and enter into the “destruct” function ... } char __fastcall dma_memory_create( unsigned addr , uint64 translate_size size , … , page_struct * page ) page_offset { // check the addr page_count * if ( addr > v5 || !size || size > v5 - addr + 1 ) addr 0x10 * return 0; initialization set_page_struct(addr, size, a3, a4, page); page_array 0x18 return 1; } ... 17 a struct on stack for address translation

  18. Uninit Variable → Arbitrary Address Free void __usercall handle_port_io(__int64 a1 , __int64 a2 , __int64 a3 ) { ... v3 = *(a1 + 4); Abusing a function to spray stack! v4 = *(a1 + 13); read_or_write = *(a1 + 48); ... if ( *(a1 + 60) && (v10 = *(a1 + 52) << 12, v10 > 0x8000) ) v11 = malloc_heap_memory(v10); // copy the data into heap else translate_size v11 = &v35; void destruct_page_struct page_offset if ( read_or_write & 1 ) (page_struct * a1 ) page_count { { if ( *(v8 + 60) ) … { ... addr 0x10 // free the pointer on stack v15 = v11; free(a1->page_array); page_array 0x18 do } ... { ... memcpy(v15, v18, v17); // copy the data into stack 18 18 ...

  19. CVE-2018-6982: Uninitialized Stack Variable bool __fastcall vmxnet3_cmd_get_coalesce(__int64 a1 , char a2 ){ struct buffer { uint64_t member0; At first, all stack variables are uninitlized uint64_t member1; }; size_t length; ... get_length_from_guest(..., &length); if(length != 16) return; ... * buffer.member0 = 0xFA000000003LL; // first 8-byte of src is initialized, but 16-byte is read // (length == 16) * write_back_to_guest(v19, &buffer, length, ...); return 1; } ... 19 }

  20. CVE-2018-6982: Uninitialized Stack Variable bool __fastcall vmxnet3_cmd_get_coalesce(__int64 a1 , char a2 ){ struct buffer { uint64_t member0; uint64_t member1; }; size_t length; ... set length get_length_from_guest(..., &length); must be 16 if(length != 16) return; ... * buffer.member0 = 0xFA000000003LL; // first 8-byte of src is initialized, but 16-byte is read // (length == 16) * write_back_to_guest(v19, &buffer, length, ...); return 1; } ... 20 }

  21. CVE-2018-6982: Uninitialized Stack Variable bool __fastcall vmxnet3_cmd_get_coalesce(__int64 a1 , char a2 ){ struct buffer { uint64_t member0; uint64_t member1; }; size_t length; ... get_length_from_guest(..., &length); if(length != 16) return; ... initialize the first 8-byte * buffer.member0 = 0xFA000000003LL; // first 8-byte of src is initialized, but 16-byte is read // (length == 16) * write_back_to_guest(v19, &buffer, length, ...); return 1; } ... 21 }

  22. CVE-2018-6982: Uninitialized Stack Variable bool __fastcall vmxnet3_cmd_get_coalesce(__int64 a1 , char a2 ){ struct buffer { uint64_t member0; uint64_t member1; }; size_t length; ... get_length_from_guest(..., &length); if(length != 16) return; ... * buffer.member0 = 0xFA000000003LL; // first 8-byte of src is initialized, but 16-byte is read // (length == 16) member1(uninitilized) * write_back_to_guest(v19, &buffer, length, ...); will be write back to the return 1; } guest OS ... 22 }

  23. Abusing a special RPC named “backdoor” ● A special hypercall ● Guest ○ Send messages through special I/O ports ● Host ○ Handle messages in VMX process 23

Recommend

ORIGIN OF TURTLES Earliest relative of the current existing sea turtles - Desmatochelys padillai

ORIGIN OF TURTLES Earliest relative of the current existing sea turtles - Desmatochelys padillai

TURTLES FRIENDLY PREHISTORIC CREATURES Georgina Hayes PADI SI #411108 BSc Hons. Zoology ORIGIN OF TURTLES Earliest relative of the current existing sea turtles - Desmatochelys padillai from the early Cetaceous period (fossil aged at 120

228 views • 19 slides
Protecting Sea Turtles from Shrimp Trawl Nets Credit: NOAA Whats the Problem? Not

Protecting Sea Turtles from Shrimp Trawl Nets Credit: NOAA Whats the Problem? Not

Protecting Sea Turtles from Shrimp Trawl Nets Credit: NOAA Whats the Problem? Not all shrimp boats are required to use Turtle Excluder Devices (TEDs) * The government estimates that 50,000 sea turtles drown every year in shrimp

363 views • 18 slides
Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Dr Nick Saville Breaking out of the box Understanding rela5onships between learning and assessment Breaking out of the box - a metaphor for thinking about rela5onships and interpreta5ons breaking out breaking out of the box of the

895 views • 68 slides
Turtles for the Biology of Reptiles Amphibian Foundation Dr. Tobias Landberg The Flexible

Turtles for the Biology of Reptiles Amphibian Foundation Dr. Tobias Landberg The Flexible

Turtles for the Biology of Reptiles Amphibian Foundation Dr. Tobias Landberg The Flexible Organism What causes diversity? Responding to challenges at different time scales Behavior Adaptation Plasticity Evolution Where is variation

646 views • 40 slides
Conserving Leatherback Sea Turtles in Trinidad and Tobago: Harmonizing Trinidad and Tobagos

Conserving Leatherback Sea Turtles in Trinidad and Tobago: Harmonizing Trinidad and Tobagos

Conserving Leatherback Sea Turtles in Trinidad and Tobago: Harmonizing Trinidad and Tobagos Conserva&lt;on of Wildlife Act and Regula&lt;ons under the Fisheries Act Brent Plater Fulbright Scholar, University of the West Indies at St.

923 views • 14 slides
Sea Turtles Created with Haiku Deck, presentation software that's simple, beautiful and fun. By

Sea Turtles Created with Haiku Deck, presentation software that's simple, beautiful and fun. By

Sea Turtles Created with Haiku Deck, presentation software that's simple, beautiful and fun. By Brad Flickinger Photo by dbaist5 page 1 of 7 Sea Turtles Created with Haiku Deck, presentation software that's simple, beautiful and fun. By Brad

226 views • 7 slides
Response to Request for Risk Assessment of Exceeding Effort Threshold Associated with Sea Turtles

Response to Request for Risk Assessment of Exceeding Effort Threshold Associated with Sea Turtles

Tab D, No. 5(b) Response to Request for Risk Assessment of Exceeding Effort Threshold Associated with Sea Turtles Rick A. Hart 1 , Mike Travis 2 , and Christopher Liese 1 NOAA Fisheries Service 1 SEFSC 2 SERO Gulf of Mexico Fisheries Management

366 views • 14 slides
Field Studies of Whales, Dolphins, and Sea Turtles for Offshore Alternative Energy Planning in

Field Studies of Whales, Dolphins, and Sea Turtles for Offshore Alternative Energy Planning in

Field Studies of Whales, Dolphins, and Sea Turtles for Offshore Alternative Energy Planning in Massachusetts: 2011-2017 Scott D. Kraus, Ph.D. Ester Quintana, Ph.D Paul Nagelkirk Anderson Cabot Center for Ocean Life New England Aquarium

343 views • 11 slides
Conservation and Trade Management of Freshwater and Terrestrial Turtles in the United States

Conservation and Trade Management of Freshwater and Terrestrial Turtles in the United States

Conservation and Trade Management of Freshwater and Terrestrial Turtles in the United States Workshop Presentation Abstracts Hilton St. Louis St. Louis, Missouri September 20-24, 2010 Convened and hosted by the U.S. Fish and Wildlife Service,

613 views • 24 slides
The Turtles Project: Design and Implementation of Nested Virtualization Muli Ben-Yehuda

The Turtles Project: Design and Implementation of Nested Virtualization Muli Ben-Yehuda

The Turtles Project: Design and Implementation of Nested Virtualization Muli Ben-Yehuda Michael D. Day Zvi Dubitzky Michael Factor Nadav HarEl Abel Gordon Anthony Liguori Orit Wasserman Ben-Ami Yassour IBM

919 views • 63 slides
Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD

Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD

Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD Breaking down iD 15% Rendering Painting 21% Javascript 64% HTML A sample of what iD is doing behind the scenes Breaking down JS 13% Draw Vector

426 views • 27 slides
THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING

THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING

THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING p.1/31 OUTLINE Introduction Higgs sector Tree-level masses EWSB and fine-tuning Supersymmetric spectrum Dark

361 views • 34 slides
Preventing crimes against marine turtles: the role of ARCHELON Panagiota Theodorou Conservation

Preventing crimes against marine turtles: the role of ARCHELON Panagiota Theodorou Conservation

Preventing crimes against marine turtles: the role of ARCHELON Panagiota Theodorou Conservation Coordinator ARCHELON, the Sea Turtle Protection Society of Greece www.archelon.gr LIFE NATURA THEMIS International Perspectives on Preventing

271 views • 26 slides
Page Fault Liberation Army Its turtles Turing machines all the way down! Julian Bangert,

Page Fault Liberation Army Its turtles Turing machines all the way down! Julian Bangert,

Page Fault Liberation Army Its turtles Turing machines all the way down! Julian Bangert, Sergey Bratus, Rebecca .bx Shapiro Trust Lab Dartmouth College Sunday, February 17, 13 Page Fault Liberation l The x86 MMU is not just

760 views • 75 slides
Eastern Box Turtle Overview The eastern box turtle its name from being the official state

Eastern Box Turtle Overview The eastern box turtle its name from being the official state

Eastern Box Turtle Overview The eastern box turtle its name from being the official state reptile of North Carolina. Scientific name : Terrapene carolina Carolina It belongs to a group of turtles called hinge-shelled turtles , commonly called

329 views • 4 slides
Breaking Up Breaking Up Is Is Hard Hard To Do (But It Might To Do (But It Might Be Be Easier

Breaking Up Breaking Up Is Is Hard Hard To Do (But It Might To Do (But It Might Be Be Easier

Breaking Up Breaking Up Is Is Hard Hard To Do (But It Might To Do (But It Might Be Be Easier with a Prenup) Easier with a Prenup) Gregory S. Gregory S. William Williams, , Esq. Esq. Carr rruthe uthers &amp; rs &amp; Roth, P.A.

170 views • 6 slides
The Benefit of the Doubt The Swedish Legal System Why Breaking the Law? Judas Priest Breaking

The Benefit of the Doubt The Swedish Legal System Why Breaking the Law? Judas Priest Breaking

The Benefit of the Doubt The Swedish Legal System Why Breaking the Law? Judas Priest Breaking The Law Lyrics There I was completely wasting, out of work and down All inside it's so frustrating as I drift from town to town Feel as though

269 views • 10 slides
Transitions in Place Leonard Hock, D.O., M.A.C.O.I., CMD Breaking Bad News Goals and Objectives

Transitions in Place Leonard Hock, D.O., M.A.C.O.I., CMD Breaking Bad News Goals and Objectives

3/22/2012 Transitions in Place Leonard Hock, D.O., M.A.C.O.I., CMD Breaking Bad News Goals and Objectives Understand and use the key steps in breaking bad news. Confirm and be able to use effective methods of communication in breaking

245 views • 8 slides
SUSY breaking and the MSSM Spontaneous SUSY breaking at tree-level ORaifeartaigh, Fayet,

SUSY breaking and the MSSM Spontaneous SUSY breaking at tree-level ORaifeartaigh, Fayet,

SUSY breaking and the MSSM Spontaneous SUSY breaking at tree-level ORaifeartaigh, Fayet, Iliopoulos Spontaneous SUSY Breaking 0 | H | 0 &gt; 0 implies that SUSY is broken. 2 D a D a , V = F i F i + g 2 find models where F i = 0

249 views • 24 slides
A Preliminary Assessment of Hawksbill Turtles In Palm Beach County Waters Larry Wood, Marinelife

A Preliminary Assessment of Hawksbill Turtles In Palm Beach County Waters Larry Wood, Marinelife

A Preliminary Assessment of Hawksbill Turtles In Palm Beach County Waters Larry Wood, Marinelife Center of Juno Beach, Florida Project objectives Characterize Palm Beach Countys hawksbill population structure Investigate the relationships

191 views • 15 slides
Breaking Gridlock, Breaking Ground: Tackling Anchorage Housing Affordability Presented by Michele

Breaking Gridlock, Breaking Ground: Tackling Anchorage Housing Affordability Presented by Michele

Breaking Gridlock, Breaking Ground: Tackling Anchorage Housing Affordability Presented by Michele Brown MOA Senior Citizens Advisory Commission Senior Housing Forum Loussac Library October 22, 2014 Our Goal: All Anchorage residents have

496 views • 36 slides
i.e., Higgs? 1 Understanding Electroweak Symmetry breaking is essential for significant progress

i.e., Higgs? 1 Understanding Electroweak Symmetry breaking is essential for significant progress

Symmetry is fundamental to our understanding of the basic laws of physics Mass is always associated with symmetry breaking Easier to discover the symmetry: e.g. SU(2) x U(1) Harder to discover the symmetry breaking mechanism, i.e., Higgs? 1

862 views • 24 slides
Dynamical SUSY breaking A rule of thumb for SUSY breaking theory with no flat directions that

Dynamical SUSY breaking A rule of thumb for SUSY breaking theory with no flat directions that

Dynamical SUSY breaking A rule of thumb for SUSY breaking theory with no flat directions that spontaneously breaks a continuous global symmetry generally breaks SUSY Goldstone boson with a scalar partner (a modulus), but if there are no flat

750 views • 36 slides
Breaking Hardware Wallets Breaking Bitcoin September 2017 Nicolas Bacca @btchip Why Hardware

Breaking Hardware Wallets Breaking Bitcoin September 2017 Nicolas Bacca @btchip Why Hardware

Breaking Hardware Wallets Breaking Bitcoin September 2017 Nicolas Bacca @btchip Why Hardware Wallets ? - high level overview YES NO Do you want to send 1.337 BTC to Public data 1UnREADABLE Operations on private data, with user validation

739 views • 24 slides

More recommend