Virtualization technology brings greater security, availability and scalability to a system, and it can isolate viruses and malware running in a guest from the host system.
Our presentation is mainly about modern exploitation techniques for VMware’s virtualization products. We will present modern primitives for building a mature and stable exploit for a vulnerability in Workstation and ESXi. We will use the Workstation Escape from the Tianfu Cup in 2018 and the ESXi Escape from GeekPwn in 2018 as examples to illustrate the practical use of these techniques. With these examples, you can readily understand virtualization escapes and apply our primitives in your own environment.
We will introduce the details of the vulnerabilities in the virtual network cards. The primitives we discuss include a reliable way to spray the host’s heap, a reliable way to arrange the heap layout, a way to read and write anywhere in memory, and a way to bypass the CFG security mechanism of Workstation. We will then detail how to convert a hard-to-use vulnerability into a stable arbitrary-address read and write, and how to bypass CFG to achieve arbitrary code execution.
Finally, we will demonstrate an example of an ESXi Escape and then discuss the impact of the latest changes in Workstation.