VMware Workstation/ESXi is one of the most popular commercial virtualization software on the market. Its complex virtualization system design and critical position in infrastructure have made it a top target for hackers over the long term. For security researchers, discovering virtualization escape vulnerabilities in the VMware hypervisor is as challenging as confronting a dragon in a role-playing game.
In this presentation, we will unveil a new attack surface: Device Virtualization in VMKernel. This is an unknown territory that has not been explored by security researchers to date. Furthermore, this attack perspective has not been considered in VMware’s defense system, and its existing sandbox mechanisms are theoretically incapable of defending against attacks initiated from VMKernel.Â
During the analysis of this attack surface and reverse engineering of the VMware Hypervisor, we discovered 8 vulnerabilities related to device virtualization, 3 of them have been assigned CVE number (some vulnerabilities have even been successfully exploited in Tianfu Cup), and the remaining 5 of our vulnerabilities have been officially confirmed by VMware.
About how we discover the attack surface of VMKernel and find 8 unknown vulnerabilities, we will progressively explain from three parts:
- VMware Virtualization Details
We will delve into the loading process of vmm, the implementation of data sharing between vmm and vmx, and VMware’s UserRPC, which facilitates communication between the Hypervisor and the Host. These mechanisms are crucial in virtual device emulation.
- USB Virtualization Bug Hunting
We will address security issues in various parts of the USB system, including the host controller, VUsb middleware, and VUsb backend devices, based on the vulnerabilities we have unearthed.
- SCSI Virtualization Bug Hunting
We will primarily discuss the similarities and differences in SCSI-related device emulation in the virtual disk system between VMware Workstation and ESXi. Additionally, we will cover design flaws related to disk device emulation that we discovered in VMKernel.