转:https://www.zerodayinitiative.com/blog/2017/6/26/use-after-silence-exploiting-a-quietly-patched-uaf-in-vmware

Springtime around the Zero Day Initiative (ZDI) means ramping up for the Pwn2Own (P2O) competition held each year at the CanSecWest conference. To say the least, it’s a busy time to be a ZDI researcher as we build targets, answer contestant questions, and review program submissions. This year was no different. In 2016, we introduced the VMware escape category in P2O but did not have any entries. We were expecting some for 2017, so it did not surprise us when we received a VMware vulnerability through the program a week before the contest.

I was very curious about this vulnerability for various reasons. First, I thought it was a defensive submission of some sort, one meant to possibly create a duplicate at P2O, thus preventing another competitor from getting a full P2O win. This has happened in the past and adds a new level of strategy to the P2O contest. Second, and most importantly, it was a Use-After-Free (UAF) vulnerability affecting drag-and-drop (DnD) and was triggered by Remote Call Procedure requests, which is something I’ve never played with before.

This blog covers the vulnerability and the efforts put into exploiting it. It’s also the first in a series of blogs that will discuss various VMware topics, including exploitation, reversing, and fuzzing VMware targets. Going from a virtual client to executing code opens a new world of possibilities – and risks.

Note: This vulnerability existed on VMware Workstation 12.5.2 and earlier versions. It was subsequently patched with VMware Workstation version 12.5.3. All the analysis shown here was done on VMware Workstation 12.5.1.

The bug

Before I explain the details of the bugs involved, here’s a quick video showing the full exploit chain in action:...

The nice thing about this vulnerability was how simple it was to trigger. Sending the following RPCI requests triggered the vulnerability:

tools.capability.dnd_version 2
    vmx.capability.dnd_version
    tools.capability.dnd_version 3
    vmx.capability.dnd_version
    dnd.setGuestFileRoot AAAAA //Technically any DnD function would work.

With pageheap fully enabled on vmware-vmx.exe, WinDbg would break with the following exception:(这个出错的地方存疑?复现地址不一样!)

Reviewing the output from !heap (pronounced bang-heap) gave me more information about the address in @RCX. First, I learned that it was indeed a Use-After-Free, and second, I knew exactly where the free happened:

 

The next step was to determine the size of that object.(上图中的sub_1400A2cf0并没有出现在!heap结果中?) By breaking right before the free happened and running !heap on @RCX, this gets me the information I was looking for:

 

The disassembly above showed that the freed object was of size 0xb8 . By examining the instructions around the crash(通过在crash周围的指令可以发现该对象被另一个初始化对象所引用), I noticed that the dangling pointer was kept in an object of size0x38(该指针在0x38的对象中存储) , which was allocated initially when the VM starts:

Exploiting the bug

While examining the disassembly at crash time, it was obvious that I needed some kind of information leak to exploit this vulnerability. To speed up this process, I used one of Tencent Security's Pwn2Own(借助了腾讯漏洞CVE-2017-4905来绕过aslr.如果不用呢,能否实现利用?) vulnerabilities that leaked the address of vmware-vmx.exe. This particular info leak will be discussed in detail in the future, but it does provide the needed info leak to make this exploit successful.

Usually, when I try to exploit vulnerabilities in a target, I ask myself these questions:

  1. What type of requests can I send?
  2. What do I control?
  3. How can I control the crash?
  4. How can I gain better exploitation primitives?

At this point, I could send RPCI requests, which are technically sent through the Backdoor interface along with other Backdoor requests. Yes, the official name VMware gave this interface is Backdoor.

So, how could I control the contents of the freed object? I’m used to UAF’s in the browser world, but exploiting and controlling this one was something new to me. I started looking at the RPC functions that I can call from the Guest with normal user privileges, and I stumbled across tools.capability.guest_temp_directory . I thought it would be easy to send a string of a certain size to overwrite the freed block. The result was promising:

(注意占位了可能还会释放。需要多次发送请求,增大占位的概率。tools.capability.guest_temp_directory aaa;aaa多次执行后,前面的数据会被清除。)

Technically, we can control this vulnerability by sending an arbitrary RPC request, though not necessarily tools.capability.guest_temp_directory . This solves the biggest problem.

The next question was whether or not I could put a ROP chain and payload in a deterministic place. Again, I started looking at the RPC functions that I could call from the Guest. There were a few interesting functions to choose from.(看来还得逆向分析查看) The one that stood out was unity.window.contents.start . Taking a closer look at the assembly, I noticed that a reference to the contents is kept in a global variable:

 

In other words, if I sent a unity.window.contents.start request, I’d know exactly where this request was stored: vmware_vmx+0xb870f8.

So, I triggered the crash again with the following RPC calls:

tools.capability.dnd_version 2
    vmx.capability.dnd_version
    tools.capability.dnd_version 3
    vmx.capability.dnd_version
    unity.capability.guest_temp_directory AAA..AAAA
    dnd.setGuestFileRoot BBB..BB

As you can see, @RDI points to the request that triggered the bug.(也就是假如请求中包含shellcode,则shellcode存储地址可预测,即就是rdi.那么假如控制了跳转地址,则将其跳转到rdi也就是shellcode。)

What did the plan look like at this point?

  1. Send a unity.window.contents.start request with a ROP chain that sets RSP to RDI.(只需将rsp指向rdi.这样就可以rop了,这是栈迁移)
  2. Trigger the free.(释放对象)
  3. Overwrite the freed object with another one. The freed object should contain the address of vmware_vmx+0xb870f8.(占用对象。包含指向栈迁移的地址)
  4. Trigger the re-use using a request that contains the ROP chain to gain RCE.

Visually, it’s pretty simple:

 

The resulting code execution leaves the virtual client behind to instead run at the hypervisor layer.

Conclusion

When we introduced the VMware category at Pwn2Own 2016, we didn’t really expect to get any entries. We rarely see entries in new categories due to the time it takes researchers to find bugs and craft the needed exploits. However, we were hopeful that we would see some appear in 2017, and sure enough, two different teams successfully elevated from virtual client to executing code in the hypervisor. I’ll be detailing those exploits and techniques in the future. Until then, don’t let Use-After-Free vulnerabilities in VMware scare you. They’re fun to exploit ☺. Every RPCI function has its own story with its own exploit primitive.

You can find me on Twitter at @AbdHariri, and follow the team for the latest in exploit techniques and security patches.

vmware漏洞之四:简评USE-AFTER-SILENCE: EXPLOITING A QUIETLY PATCHED UAF IN VMWARE的更多相关文章

  1. vmware漏洞之三——Vmware虚拟机逃逸漏洞(CVE-2017-4901)Exploit代码分析与利用

    本文简单分析了代码的结构.有助于理解. 转:http://www.freebuf.com/news/141442.html 0×01 事件分析 2017年7月19 unamer在其github上发布了 ...

  2. vmware漏洞之二——简评:实战VMware虚拟机逃逸漏洞

    下文取自360,是vmware exploit作者自己撰写的.本文从实验角度对作者的文章进行解释,有助于学习和理解.文章虚线内或红色括号内为本人撰写. ------------------------ ...

  3. vmware漏洞之一——转:利用一个堆溢出漏洞实现VMware虚拟机逃逸

    转:https://zhuanlan.zhihu.com/p/27733895?utm_source=tuicool&utm_medium=referral 小结: vmware通过Backd ...

  4. 装部署VMware vSphere 5.5文档 (6-2) 为IBM x3850 X5服务器安装配置VMware ESXi

    部署VMware vSphere 5.5 实施文档 ########################################################################## ...

  5. vmware 桌面虚拟化 horizon view 介绍(使用微软的RDP协议或vmware 专有的PCoIP协议,连接到虚拟桌面,并且可以使用本地的USB设备、本地存储)

    虚拟化(一):虚拟化及vmware产品介绍 虚拟化(二):虚拟化及vmware workstation产品使用 虚拟化(三):vsphere套件的安装注意及使用 虚拟化(四):vsphere高可用功能 ...

  6. GitHub现VMware虚拟机逃逸EXP,利用三月曝光的CVE-2017-4901漏洞

    今年的Pwn2Own大赛后,VMware近期针对其ESXi.Wordstation和Fusion部分产品发布更新,修复在黑客大赛中揭露的一些高危漏洞.事实上在大赛开始之前VMware就紧急修复了一个编 ...

  7. CVE-2012-3569:VMware OVF Tool 格式化字符串漏洞调试分析

    0x01 简介 VMware OVF Tool 是一个命令行实用程序,允许您从许多 VMware 产品导入和导出 OVF 包.在 2.1.0 - 2.1.3 之间的版本中存在格式化字符串漏洞,通过修改 ...

  8. VMware Workstation 学习笔记

    1. 什么是虚拟机:虚拟机(Virtual Machine)指通过软件模拟的具有完整硬件系统功能的.可以运行在一个完全隔离环境中的完整计算机系统. 2. 虚拟机的用途:测试软件.搭建某种特定需求的环境 ...

  9. 虚拟机 VMware Workstation12 安装Ubuntu系统

    Ubuntu 系统是一款优秀的.基于GNU/Linux 的平台的桌面系统. 当然,目前为止很多应用程序还完全不能允许运行在 Ubuntu 系统上,而且 Ubuntu 的界面.使用方法会让大部分Wind ...

随机推荐

  1. js的数据类型--数字

    近期做一些项目的时候发现,自己的js基础还是不够扎实,再看一遍犀牛书,加深自己的理解和印象.所以从这篇文章开始,后面都是关于原生js的一些内容. 这篇文章,我们具体介绍一下js的数据类型其中一种. j ...

  2. jquery-validate校验

    开源地址:https://github.com/jquery-validation/jquery-validation 校验select添加如下属性: ignore: ":hidden:no ...

  3. 51Nod 1087 1 10 100 1000 | 数学

    Input示例 3 1 2 3 Output示例 1 1 0 #include "bits/stdc++.h" using namespace std; #define LL lo ...

  4. [Luogu 2073] 送花

    很容易想到的平衡树,加个维护区间和. 只需要插入和删除操作即可. kth其实都不用的,最小和最大可以从根节点log n一直向左/一直向右跑到叶子节点而求得. 记得每插入完一个点一定要更新区间和!!更新 ...

  5. 【BZOJ】1607: [Usaco2008 Dec]Patting Heads 轻拍牛头

    [算法]模拟 #include<cstdio> #include<algorithm> using namespace std; ,maxm=; int a[maxn],A[m ...

  6. PHP练习4 留言板

    一.要求 二.示例页面 三.网页代码及网页显示 1.denglu.php  登录页面 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Tran ...

  7. 使用SQL Server连接xml接口,读取并解析数据

    --数据源格式,放到任意程序中部署接口即可--<Data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmln ...

  8. JAVA Frame 响应窗口关闭事件

    /* * To change this license header, choose License Headers in Project Properties. * To change this t ...

  9. Angular2.0 基础: 环境搭建

    最近在学习Angular2的使用,其实看过Angular2 文档的都知道,相比于之前的Angular1,Angular2 的改动还是挺大的. 而对于‘angular2 的本地开发环境的搭建的中,我们首 ...

  10. 空间数据库系列一:geomesa&sparksql 分析环境搭建

    geomesa sparksql 分析环境搭建 1.安装hbase-1.3.2.1 standlone版本,作为geomesa的store a.修改配置文件:hbase-1.3.2.1/conf/hb ...