Asynchronous clock is used extensively in hypervisors, which is designed to avoid the blocking of the calling thread, thereby improving the responsiveness of the software. There are many devices using asynchronous clock to process their task in QEMU, such as Network,USB,Disk and Crypto device. However, we find that a attacker can leverage asynchronous clock to do some race condition attack, which can help to make a exploit.

In this talk, we demonstrate how to achieve a full guest-to-host escape exploitation just through a heap overflow write vulnerability.

We will show how to turn a malloc-use-free primitive to a malloc primitive and turn heap overflow write to arbitrary address write (AAW) by leveraging the asynchronous clock, which makes this hard-to-exploit vulnerability exploitable without the help of other devices in QEMU – this is a new attack approach which we call Timekiller. As far as we know, this is the first attack technique leveraging the asynchronous clock to finish a guest-to-host escape exploit.

This is the first public virtual machine escape exploit in the virtio-crypto device (full 0-day). Combining Timekiller and structures in virtio-crypto device, we can exploit most heap overflow write vulnerabilities in QEMU.