Blackhat talk: Cloudburst – VMware guest to host escapes by Kostya Kortchinsky
Kostya started off by telling everybody: “I’m not a virtualisation expert”
Then he explained how he built up his Cloudburst exploit. He focused on the guest OS devices, because the devices are omnipresent in all VMware products, they run on the host, can be accessed from the guest, are written in C/C++ and parse some complex data.
Cloudburst is a reliable guest to host escape on recent VMware products: Workstation, Fusion?, ESX Server (4.0 RC Hardfreeze). All the bugs in his presentation have already been patched.
Cloudburst is a combination of 3 / 4 bugs in the VMware emulated video:
- Host memory leak into the guest
- Host arbitrary memory write from the guest into the host, both absolute and relative.
Also, some functions in VMware were very helpful to bypass DEP.
The VMware VGA device is a virtual PCI device, and it does support 3D on VMware on Windows. There are bugs in the 2D video that allow arbitrary reads from the host process, but no bugs that allow an arbitrary memory write in the right areas of memory in functions that are enabled by default. 3D, however, offers better possibilities in that it actually has a default-enabled arbitrary memory write function. It was also in ESX 4.0 RC Hardfreeze, but got fixed before ESX 4 reached production.
In order to fully exploit the bug, Kostya had to use the MOSDEF shellcode and communicate via the video buffer. This means that the compromised guest OS communicates with the shellcode in the compromised host using BMP images.
Kostya’s conclusions are: VMware is not a security layer, it is just another layer to find bugs in. Given the right bug primitives, you can exploit anything.
He is also wondering why the 3D video function code is even included in ESX.
He finished by successfully demonstrating the attack to us.