Disk controllers are an integral part of virtual machines on hypervisors such as VMware Workstation: they are the bridge between the CPU and the virtual hard disks or CD/DVD drives. Most hypervisors offer several controller models. Some are emulations of real hardware, such as the 53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI controller and the LSI53C895A; others are paravirtual, such as PVSCSI and Virtio-SCSI.
Because the hypervisor is relied on as an isolation boundary, a VM escape is catastrophic, and the most common way to achieve one is to attack the virtual peripherals of a virtual machine. Peripherals such as graphics cards and network adapters have been pwned many times at contests like Pwn2Own and the Tianfu Cup, but public exploits against disk controllers are rarely seen. Given their many models and their complexity, disk controllers should be an ideal ground for bug hunting.
In this talk we dive into this fascinating attack surface on VMware hypervisors, which has never been publicly exploited before.
First, we give some background on disk controllers and the SCSI specification; then we show how and where the data sent from the guest OS driver to the disk controller is checked and processed.
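To make the "checked and processed" step concrete, here is an added example of how a SCSI controller emulator might validate a guest-supplied CDB before it touches any buffer. It is written for this page and is not code from the talk or from any VMware product. The CDB field layouts follow the SCSI INQUIRY and READ(10) definitions; the disk geometry, buffer sizes, function names and the sample guest requests are all constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed parameters: a 1 MiB virtual disk behind a hypothetical controller
 * emulator. Nothing here is a real hypervisor's code. */
#define SECTOR_SIZE  512u
#define DISK_SECTORS 2048u
#define OP_INQUIRY   0x12u   /* SPC INQUIRY, 6-byte CDB   */
#define OP_READ10    0x28u   /* SBC READ(10), 10-byte CDB */
enum { SCSI_GOOD = 0x00, SCSI_CHECK_CONDITION = 0x02 };   /* SCSI status bytes */
static uint8_t g_disk[DISK_SECTORS * SECTOR_SIZE];        /* backing store, zero-filled */

/* Standard INQUIRY data (36 bytes): direct-access device, SPC-3, response format 2. */
static const uint8_t g_inquiry[36] = {
    0x00, 0x00, 0x05, 0x02, 31, 0x00, 0x00, 0x00,
    'E','X','A','M','P','L','E',' ',                                  /* T10 vendor (8) */
    'V','I','R','T','U','A','L',' ','D','I','S','K',' ',' ',' ',' ',  /* product (16)   */
    '0','0','0','1'                                                   /* revision (4)   */
};
static uint32_t be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }

/* Process one CDB from the guest driver. buf/buf_len is the guest's data buffer as
 * the controller's request descriptors present it. CDB bytes, cdb_len and buf_len
 * are all guest-controlled, so every field is bounded before any copy. */
int scsi_handle_cdb(const uint8_t *cdb, size_t cdb_len, uint8_t *buf, size_t buf_len, size_t *xferred)
{
    *xferred = 0;
    if (cdb_len == 0) return SCSI_CHECK_CONDITION;
    switch (cdb[0]) {
    case OP_INQUIRY: {
        if (cdb_len < 6) return SCSI_CHECK_CONDITION;   /* short CDB: never read past it */
        size_t n = sizeof g_inquiry;
        uint16_t alloc_len = be16(&cdb[3]);             /* ALLOCATION LENGTH, bytes 3-4 */
        if (n > alloc_len) n = alloc_len;               /* guest asked for fewer bytes   */
        if (n > buf_len)   n = buf_len;                 /* or described a smaller buffer */
        memcpy(buf, g_inquiry, n);
        *xferred = n;
        return SCSI_GOOD;
    }
    case OP_READ10: {
        if (cdb_len < 10) return SCSI_CHECK_CONDITION;
        uint32_t lba     = be32(&cdb[2]);               /* LOGICAL BLOCK ADDRESS, bytes 2-5 */
        uint32_t nblocks = be16(&cdb[7]);               /* TRANSFER LENGTH, bytes 7-8       */
        if (nblocks == 0) return SCSI_GOOD;             /* SBC: zero length moves no data   */
        /* Range check in 64-bit arithmetic so lba + nblocks cannot wrap around. */
        if ((uint64_t)lba + nblocks > DISK_SECTORS) return SCSI_CHECK_CONDITION;
        size_t bytes = (size_t)nblocks * SECTOR_SIZE;
        /* The data buffer is sized by the guest too: refuse rather than overrun it. */
        if (bytes > buf_len) return SCSI_CHECK_CONDITION;
        memcpy(buf, g_disk + (size_t)lba * SECTOR_SIZE, bytes);
        *xferred = bytes;
        return SCSI_GOOD;
    }
    default:
        return SCSI_CHECK_CONDITION;                    /* unsupported opcode */
    }
}

/* Constructed guest requests. Each returns the status the emulator reports;
 * last_xfer() gives the byte count the most recent request moved into g_buf. */
static uint8_t g_buf[8192];                              /* stand-in for the guest's DMA target */
static size_t  g_last_xfer;
size_t last_xfer(void) { return g_last_xfer; }
static int run(const uint8_t *cdb, size_t cdb_len, size_t buf_len) { return scsi_handle_cdb(cdb, cdb_len, g_buf, buf_len, &g_last_xfer); }

int scenario_read10_in_range(void) {       /* LBA 0x10, 4 blocks, 8 KiB buffer: GOOD, 2048 bytes */
    const uint8_t cdb[10] = {OP_READ10, 0, 0x00,0x00,0x00,0x10, 0, 0x00,0x04, 0};
    return run(cdb, sizeof cdb, sizeof g_buf);
}
int scenario_read10_past_end(void) {       /* last LBA, 2 blocks: one beyond the disk */
    const uint8_t cdb[10] = {OP_READ10, 0, 0x00,0x00,0x07,0xFF, 0, 0x00,0x02, 0};
    return run(cdb, sizeof cdb, sizeof g_buf);
}
int scenario_read10_lba_wrap(void) {       /* LBA 0xFFFFFFFF + 1 block: wraps in 32-bit math */
    const uint8_t cdb[10] = {OP_READ10, 0, 0xFF,0xFF,0xFF,0xFF, 0, 0x00,0x01, 0};
    return run(cdb, sizeof cdb, sizeof g_buf);
}
int scenario_read10_small_buffer(void) {   /* 4 blocks requested, guest described only 1 KiB */
    const uint8_t cdb[10] = {OP_READ10, 0, 0x00,0x00,0x00,0x10, 0, 0x00,0x04, 0};
    return run(cdb, sizeof cdb, 1024);
}
int scenario_inquiry_short_alloc(void) {   /* INQUIRY with ALLOCATION LENGTH 16 of 36 */
    const uint8_t cdb[6] = {OP_INQUIRY, 0, 0, 0x00,0x10, 0};
    return run(cdb, sizeof cdb, sizeof g_buf);
}
int main(void)
{
    int (*const scen[])(void) = { scenario_read10_in_range, scenario_read10_past_end, scenario_read10_lba_wrap,
                                  scenario_read10_small_buffer, scenario_inquiry_short_alloc };
    for (size_t i = 0; i < sizeof scen / sizeof scen[0]; i++) {
        int s = scen[i]();
        printf("scenario %zu: status 0x%02x, %zu bytes moved\n", i, s, last_xfer());
    }
    return 0;
}
```

The three places the guest can push the emulator off the rails are all visible here: the CDB may be shorter than its opcode implies, the LBA and transfer length can be chosen so that a 32-bit sum wraps, and the data buffer the guest describes can be smaller than the transfer it requests. In a real controller the CDB and the buffer description arrive inside controller-specific request structures that live in guest memory, so each of those indirections needs the same treatment before the command itself is parsed.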
We then analyze a vulnerability I found in the disk controllers of VMware hypervisors, which can be exploited to escape from a virtual machine. What makes it interesting is that, although it is a memory corruption vulnerability, exploiting it requires no memory massaging. In our tests the exploit took less than one second and had a success rate of nearly 100%.
Last but not least, two exploits will be demonstrated, against the Linux and Windows versions of VMware Workstation respectively. Although the latter has an additional mitigation (Control Flow Guard), the primitive given by our vulnerability is powerful enough to bypass it easily.