CanSecWest 2024
Presentations
From March 20 to 22
URB Excalibur: The New VMware All-Platform VM Escapes
Virtual machine escape has always been a challenging task for hackers. VMware's hypervisor, as a popular closed-source commercial hypervisor, presents even greater difficulty in vulnerability discovery and exploitation. With each security update and the patching of old exploits, how can we find new vulnerabilities and write exploits to complete virtual machine escape? This talk will first systematically introduce the current architecture and attack surfaces of VMware's hypervisor. We will then analyze the changes that have occurred in recent years, as well as the relevant security patches and mitigations. Our new research focuses on the virtual USB controller, which is one of the main attack surfaces of the hypervisor. A computer needs USB interfaces and related USB devices to be used normally. Virtual machines also require USB, so there is a natural risk of security vulnerabilities when communicating with the virtual USB controller. We will, for the first time, systematically introduce VMware's virtual USB 2.0 controller (EHCI). Compared to QEMU's, it is more complex and interesting. URB (USB Request Block) is an object used to transmit USB packets in VMware's hypervisor. Our research will be the first to reveal its powerful role and huge security risks in virtual machine escape exploitation. In this talk, we will detail the structure, function, and lifecycle of URB and related important objects.