{"id":10593,"date":"2022-07-07T09:28:00","date_gmt":"2022-07-07T09:28:00","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbincyber2024\/?post_type=session&#038;p=10593"},"modified":"2023-05-26T07:59:25","modified_gmt":"2023-05-26T07:59:25","slug":"rogue-cdb-escaping-from-vmware-workstation-through-the-disk-controller","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/rogue-cdb-escaping-from-vmware-workstation-through-the-disk-controller\/","title":{"rendered":"Rogue CDB: Escaping from VMware Workstation Through The Disk Controller"},"content":{"rendered":"<p class=\"md-end-block md-p\" style=\"text-align: justify;\"><span class=\"md-plain\">Disk controllers are an integral part of virtual machines on hypervisors like VMware Workstation. They are the bridge between the CPU and the hard disks or CD\/DVDs. On most hypervisors, disk controllers are available in many models. There are emulated ones like the 53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI and the LSI53C895A, and paravirtual ones like PVSCSI and Virtio-SCSI. <\/span><\/p>\n<p class=\"md-end-block md-p\" style=\"text-align: justify;\"><span class=\"md-plain\">Since hypervisors are considered a relatively strong isolation layer, a VM escape can be catastrophic, and the most common way to achieve one is by targeting the peripherals of a virtual machine. While peripherals like graphics cards and network adapters have been pwned many times at contests like Pwn2Own or Tianfu Cup, public exploits against disk controllers are rarely seen. 
Given their numerous models and their complexity, disk controllers should be an ideal ground for bug hunting.<\/span><\/p>\n<p class=\"md-end-block md-p md-focus\" style=\"text-align: justify;\"><span class=\"md-plain\"><strong>In this talk, we will dive into this fascinating attack surface on VMware hypervisors, which has never been publicly exploited before.<\/strong> <\/span><\/p>\n<p class=\"md-end-block md-p md-focus\" style=\"text-align: justify;\"><span class=\"md-plain\">First, some background on disk controllers and the SCSI specification will be given; then we will show how and where the data sent from the guest OS driver to the disk controllers is checked and processed. <\/span><\/p>\n<p class=\"md-end-block md-p md-focus\" style=\"text-align: justify;\"><span class=\"md-plain\"><strong>A vulnerability I found in the disk controllers of VMware hypervisors<\/strong> will be analyzed which <strong>can be exploited to escape from a virtual machine.<\/strong> What makes this vulnerability interesting is that, although it is a memory corruption vulnerability, exploiting it does not require any memory massaging. <strong>During our tests, exploitation took less than 1 second and had a success rate of nearly 100%<\/strong>. 
<\/span><\/p>\n<p class=\"md-end-block md-p md-focus\" style=\"text-align: justify;\"><span class=\"md-plain\">Last but not least, <strong>two exploits will be demonstrated, against the Linux and Windows versions of VMware Workstation respectively.<\/strong> Despite the latter having additional mitigations (Control Flow Guard), the <strong>primitive given by our vulnerability is powerful enough to bypass it easily<\/strong>.<\/span><\/p>\n","protected":false},"template":"","class_list":["post-10593","session","type-session","status-publish","hentry"],"acf":[],"yoast_head_json":{"title":"Rogue CDB: Escaping from VMware Workstation Through The Disk Controller - HITB (in)Cyber 2024 - Abu Dhabi","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/rogue-cdb-escaping-from-vmware-workstation-through-the-disk-controller\/","og_locale":"en_US","og_type":"article","og_title":"Rogue CDB: Escaping from VMware Workstation Through The Disk Controller - HITB (in)Cyber 2024 - Abu Dhabi","og_description":"Disk controllers are an integral part of virtual machines on hypervisors like VMware Workstation. They are the bridge between the CPU and the hard disks or CD\/DVDs. For most hypervisors, disk controllers are usually available in many models. There are emulated ones like 53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI and LSI53C895A, and paravirtual ones like [&hellip;]","og_url":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/rogue-cdb-escaping-from-vmware-workstation-through-the-disk-controller\/","og_site_name":"HITB (in)Cyber 2024 - Abu Dhabi","article_modified_time":"2023-05-26T07:59:25+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/rogue-cdb-escaping-from-vmware-workstation-through-the-disk-controller\/","url":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/rogue-cdb-escaping-from-vmware-workstation-through-the-disk-controller\/","name":"Rogue CDB: Escaping from VMware Workstation Through The Disk Controller - HITB (in)Cyber 2024 - Abu Dhabi","isPartOf":{"@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/#website"},"datePublished":"2022-07-07T09:28:00+00:00","dateModified":"2023-05-26T07:59:25+00:00","breadcrumb":{"@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/rogue-cdb-escaping-from-vmware-workstation-through-the-disk-controller\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/conference.hitb.org\/hitbincyber2024\/session\/rogue-cdb-escaping-from-vmware-workstation-through-the-disk-controller\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/rogue-cdb-escaping-from-vmware-workstation-through-the-disk-controller\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/conference.hitb.org\/hitbincyber2024\/"},{"@type":"ListItem","position":2,"name":"Session","item":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/"},{"@type":"ListItem","position":3,"name":"Rogue CDB: Escaping from VMware Workstation Through The Disk Controller"}]},{"@type":"WebSite","@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/#website","url":"https:\/\/conference.hitb.org\/hitbincyber2024\/","name":"HITB (in)Cyber 2024 - Abu Dhabi","description":"May 14 - 16, Etihad Arena ","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/conference.hitb.org\/hitbincyber2024\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/session\/10593"}],"collection":[{"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/session"}],"about":[{"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/types\/session"}],"version-history":[{"count":2,"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/session\/10593\/revisions"}],"predecessor-version":[{"id":12032,"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/session\/10593\/revisions\/12032"}],"wp:attachment":[{"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/media?parent=10593"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}