Straight outta VMware: Modern exploitation of the SVGA device for guest-to-host escapes
TRANSCRIPT
Zisis Sialveras ([email protected])
Microsoft BlueHat v18
www.census-labs.com
> WHOAMI
> AGENDA
> VMWARE ARCHITECTURE
> FIRST TASKS OF VMX APPLICATION
> MKS MODULE
> MKS MODULE – RENDERERS
> DEVICEPOWERON MODULE
> SVGALATE MODULE
> SVGA THREAD
> SVGA DEVICE – GUEST POINT OF VIEW
> SVGA THREAD – SVGA FIFO
> SVGA FIFO – SUBMIT COMMAND
> SVGA REGISTERS – PORT I/O
> COMMAND BUFFERS
> SVGA3D PROTOCOL
> OBJECT TABLES
> MEMORY OBJECTS
> COMMON SVGA OBJECTS
> CONTEXT DEFINE
> CONTEXT BIND
> CONTEXT DESTROY
> EXPLOITATION PRIMITIVES
> HOW TO USE SHADERS
> ANALYSIS OF
> CREATE NEW SHADER
> HEAP SPRAYING SUMMARY
• On a single “set shader” command, two allocations of the requested size are performed.
– The first one is freed immediately.
– The second one is freed when the guest user destroys the shader.
• VMware keeps track of the total shader allocation size, which must stay below 8MB.
• The guest is able to define as many shaders as fit in the shader object table.
– The size of the object table can be modified with the SVGA3D_CMD_SET_OTABLE command.
> SURFACES
• Surface definition
– All host VRAM resources, including 2D textures, 3D textures, cube environment maps, render targets, and vertex/index buffers are represented using a homogeneous surface abstraction.
• Surface is a frontend object.
> RESOURCE CONTAINERS
• Resource containers are a data structure of the backend (DX11Renderer).
• They are associated with surfaces.
> RESOURCE CONTAINERS
• There are ten (10) different types of resource containers.
• Which type will be created depends on the arguments that the surface was defined with.
• Similarly to the other SVGA objects, VMware creates them only when they are going to be used (lazy allocation).
> SURFACE COPY
• SVGA_3D_CMD_SURFACE_COPY copies parts (three-dimensional boxes) from the source to the destination surface.
> MAP SUBRESOURCE
![Page 35: Straight outta VMware: Modern exploitation of the SVGA](https://reader034.vdocuments.mx/reader034/viewer/2022051915/62850ea8e5037342a72bb0c0/html5/thumbnails/35.jpg)
> RESOURCE CONTAINER GETDATABUFFER
> ATTACKING VMWARE
• Resource containers are very attractive to attackers, since they
– can be allocated multiple times
– contain pointers to heap
– contain dimensions
– contain function pointers
> AVOID THE PITFALL
> LEAK AND CODE EXECUTION
– LFH chunks are placed next to each other
• Once the attacker has the vmware-vmx base address, they can corrupt the GetDataBuffer function pointer and call the surface copy command.
> THE BUG
> VMSA-2017-0006
• The bug is located in the SM4 bytecode parser
• Fixed in VMware version 12.5.5
– I patched vmware-vmx.exe to reintroduce the vulnerability in 14.1.3
• Developed an escape exploit (named “katachnia”) which consists of two parts (a userland application and a kernel driver)
> VULNERABILITY DETAILS
• A malicious shader must be set on a DXContext (using SVGA3D_CMD_DX_SET_SHADER)
• A call to SVGA3D_CMD_DX_DRAW triggers the shader bytecode parser
• During the call an object of size 0x26D80 is allocated
– Values taken from the bytecode are used as indices to access that shader
> VULNERABLE VERSION 12.5.4 – DCL_CONSTANTBUFFER (59H)
> PATCHED VERSION 12.5.5 – DCL_CONSTANTBUFFER (59H)
> VULNERABLE VERSION 12.5.4 – DCL_INDEXRANGE (5B)
> PATCHED VERSION 12.5.5 – DCL_INDEXRANGE (5B)
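As an added illustration (not code from the talk or from VMware), a C sketch of a declaration parser that validates a bytecode-supplied index before using it, the class of guard the vulnerable-versus-patched slides for DCL_CONSTANTBUFFER and DCL_INDEXRANGE are about. The opcode numbers come from the slides; the [opcode token, index, value] encoding, the shader_state layout and the table sizes are simplifying assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Opcode numbers as named on the slides (0x59 / 0x5B); they match the
 * public SM4 (d3d11TokenizedProgramFormat) opcode values. */
#define OP_DCL_CONSTANTBUFFER 0x59
#define OP_DCL_INDEXRANGE     0x5B
/* Table sizes are assumptions for this example, not VMware's layout:
 * 14 is the D3D11 constant-buffer slot count, 4096 an arbitrary cap. */
#define MAX_CONSTANT_BUFFERS 14
#define MAX_INDEXABLE_REGS   4096

/* Per-shader state that the declarations fill in (constructed layout). */
struct shader_state {
    uint32_t cbuf_size[MAX_CONSTANT_BUFFERS]; /* registers per cbuffer slot */
    uint32_t range_count[MAX_INDEXABLE_REGS]; /* length per indexable register */
};
enum parse_result { PARSE_OK, PARSE_BAD_LENGTH, PARSE_BAD_INDEX, PARSE_BAD_OPCODE };

/* SM4 opcode token: opcode type in bits 0..10, instruction length in DWORDs
 * (header included) in bits 24..30. */
static uint32_t opcode_of(uint32_t tok) { return tok & 0x7FF; }
static uint32_t length_of(uint32_t tok) { return (tok >> 24) & 0x7F; }
uint32_t mk_token(uint32_t opcode, uint32_t len) { return (len << 24) | opcode; }

/* Walks a stream of declarations. Simplification (assumed): each declaration
 * is [opcode token, index, value]; real SM4 operand tokens are more involved. */
enum parse_result parse_decls(const uint32_t *toks, size_t ntoks,
                              struct shader_state *st)
{
    size_t pos = 0;
    memset(st, 0, sizeof *st);
    while (pos < ntoks) {
        uint32_t len = length_of(toks[pos]);
        if (len < 3 || len > ntoks - pos)      /* truncated or oversized decl */
            return PARSE_BAD_LENGTH;
        uint32_t index = toks[pos + 1], value = toks[pos + 2];
        switch (opcode_of(toks[pos])) {
        case OP_DCL_CONSTANTBUFFER:
            /* The guest-controlled index is validated before it touches the
             * table; the slides contrast 12.5.4 and 12.5.5 on this opcode. */
            if (index >= MAX_CONSTANT_BUFFERS) return PARSE_BAD_INDEX;
            st->cbuf_size[index] = value;
            break;
        case OP_DCL_INDEXRANGE:
            if (index >= MAX_INDEXABLE_REGS) return PARSE_BAD_INDEX;
            st->range_count[index] = value;
            break;
        default:
            return PARSE_BAD_OPCODE;
        }
        pos += len;
    }
    return PARSE_OK;
}
```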
> THE EXPLOIT
> DRIVER ENTRY
• BAR0 contains I/O base
• BAR2 contains the FIFO physical address
> INIT_SVGA IOCTL
Diagram: KATACHNIA APPLICATION → KATACHNIA KERNEL DRIVER: INIT_SVGA_IOCTL
> HOW TO SETUP SVGA
• FIFO initialization
• Object tables definition
> LEAK_VMX_ADDR_IOCTL
Diagram: KATACHNIA APPLICATION → KATACHNIA KERNEL DRIVER: INIT_SVGA_IOCTL (config is done, graphics are dead: black screen); then LEAK_VMX_ADDR_IOCTL
> PREPARE MEMORY LAYOUT
• Allocate a big chunk that will be occupied later by the allocation at SVGA3D_CMD_DX_DRAW
• Repeatedly allocate a shader of size 0x150
Diagram: heap layout with the 0x26D80 chunk followed by LFH 0x150 chunks
> PREPARE MEMORY LAYOUT
• Replace all 0x150 heap chunks with ResourceContainer1 (RC1)
Diagram: heap layout with the 0x26D80 chunk followed by LFH 0x150 chunks (RC1)
> PREPARE MEMORY LAYOUT
Diagram: heap layout with the 0x26D80 chunk followed by LFH 0x150 chunks (RC1) and LFH 0x150 chunks (RC0, Resource Container type 0) with their DataBuffers
> FREE BIG SHADER
Diagram: the 0x26D80 chunk is freed; the LFH 0x150 chunks (RC1, RC0) remain
> TRIGGER THE BUG
Diagram: the 0x26D80 vulnerable buffer, followed by LFH 0x150 chunks (RC1, RC0)
> COPY SURFACES BACK TO GUEST
• Call surface copy until the corrupted RC1 is encountered
Diagram: the 0x26D80 chunk is freed; LFH 0x150 chunks (RC1, RC0)
> CORRUPT A FUNCTION POINTER
• Corrupt RC1->GetDataBuffer with the first ROP gadget
Diagram: the 0x26D80 vulnerable buffer, followed by LFH 0x150 chunks (RC1, RC0)
> HONEY, I DEFEATED ASLR
• Corrupt the QWORD at offset 8 of RC1 with the address of the global pointer to the RPC content buffer
• RPC is not analyzed further here (google for more info on this)
• In short, a guest user can allocate a controllable buffer on the host's heap whose address is stored in a global variable
> YAY, WE GOT THE ADDRESS
Diagram: KATACHNIA APPLICATION → KATACHNIA KERNEL DRIVER: INIT_SVGA_IOCTL (config is done, graphics are dead: black screen); then LEAK_VMX_ADDR_IOCTL (vmware-vmx address returned, RC1->GetDataBuffer is corrupted with the first ROP gadget)
> PLACE THE ROP CHAIN…
Diagram: KATACHNIA APPLICATION → KATACHNIA KERNEL DRIVER: INIT_SVGA_IOCTL (config is done, graphics are dead: black screen); then LEAK_VMX_ADDR_IOCTL (vmware-vmx address returned, RC1->GetDataBuffer is corrupted with the first ROP gadget); then RPC: place the ROP chain on the host’s heap
> PRISON BREAK!
Diagram: KATACHNIA APPLICATION → KATACHNIA KERNEL DRIVER: INIT_SVGA_IOCTL (config is done, graphics are dead: black screen); then LEAK_VMX_ADDR_IOCTL (vmware-vmx address returned, RC1->GetDataBuffer is corrupted with the first ROP gadget); then RPC: place the ROP chain on the host’s heap; then ESCAPE_IOCTL !!1
> SHOW OFF (AKA DEMO!)
> CONCLUSION
• Reusable and reliable exploitation primitives for memory corruption bugs were introduced
• The SVGA code is of good quality
– However, it is amazingly complex, so expect more bugs
• VMware lacks modern exploitation mitigations
– No isolated heap
– No CFI