Reposted from: https://www.zerodayinitiative.com/blog/2017/6/26/use-after-silence-exploiting-a-quietly-patched-uaf-in-vmware

Springtime around the Zero Day Initiative (ZDI) means ramping up for the Pwn2Own (P2O) competition held each year at the CanSecWest conference. To say the least, it’s a busy time to be a ZDI researcher as we build targets, answer contestant questions, and review program submissions. This year was no different. In 2016, we introduced the VMware escape category in P2O but did not have any entries. We were expecting some for 2017, so it did not surprise us when we received a VMware vulnerability through the program a week before the contest.

I was very curious about this vulnerability for various reasons. First, I thought it was a defensive submission of some sort, one meant to possibly create a duplicate at P2O, thus preventing another competitor from getting a full P2O win. This has happened in the past and adds a new level of strategy to the P2O contest. Second, and most importantly, it was a Use-After-Free (UAF) vulnerability affecting drag-and-drop (DnD) and was triggered by Remote Call Procedure requests, which is something I’ve never played with before.

This blog covers the vulnerability and the efforts put into exploiting it. It’s also the first in a series of blogs that will discuss various VMware topics, including exploitation, reversing, and fuzzing VMware targets. Going from a virtual client to executing code opens a new world of possibilities – and risks.

Note: This vulnerability existed on VMware Workstation 12.5.2 and earlier versions. It was subsequently patched with VMware Workstation version 12.5.3. All the analysis shown here was done on VMware Workstation 12.5.1.

The bug

Before I explain the details of the bugs involved, here’s a quick video showing the full exploit chain in action:...

The nice thing about this vulnerability was how simple it was to trigger. Sending the following RPCI requests triggered the vulnerability:

    tools.capability.dnd_version 2
    vmx.capability.dnd_version
    tools.capability.dnd_version 3
    vmx.capability.dnd_version
    dnd.setGuestFileRoot AAAAA   // Technically any DnD function would work.

With pageheap fully enabled on vmware-vmx.exe, WinDbg would break with the following exception: (The crash location here is questionable; the address seen when reproducing is different!)

Reviewing the output from !heap (pronounced bang-heap) gave me more information about the address in @RCX. First, I learned that it was indeed a Use-After-Free, and second, I knew exactly where the free happened:


The next step was to determine the size of that object. (The sub_1400A2cf0 in the image above does not appear in the !heap output?) By breaking right before the free happened and running !heap on @RCX, I got the information I was looking for:


The disassembly above showed that the freed object was of size 0xb8. By examining the instructions around the crash (the instructions around the crash show that this object is referenced by another object initialised earlier), I noticed that the dangling pointer was kept in an object of size 0x38 (the pointer is stored inside the 0x38-byte object), which was allocated initially when the VM starts:
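To make the bug class concrete, here is a small C model of the pattern just described (an added example, not VMware's code and not from the original post): a long-lived parent object standing in for the 0x38-byte allocation keeps a pointer to a DnD object standing in for the 0xb8-byte one, the object is torn down when the guest renegotiates dnd_version, and the buggy handler leaves the stale pointer behind while the hardened one replaces it. The structure names, handlers and the exact point at which the real code lost track of the pointer are assumptions, and a fixed-size pool with an in_use flag stands in for the heap so the release can be observed afterwards, the way pageheap caught it.

```c
/* Hypothetical model of the DnD use-after-free pattern; not VMware's code. */
#include <stddef.h>
#include <string.h>

typedef struct {
    int  in_use;                 /* 0 once released: stands in for pageheap's check */
    int  version;
    char guest_file_root[64];
} dnd_t;                         /* models the 0xb8-byte object that gets freed */

typedef struct { dnd_t *dnd; } vmx_dnd_state_t;  /* models the 0x38-byte object */

/* Fixed-size pool instead of malloc, so a released slot can still be inspected
 * and a later allocation of the same size reuses it, as on the real heap. */
#define POOL 4
static dnd_t pool[POOL];

static dnd_t *dnd_alloc(int version) {
    for (int i = 0; i < POOL; i++) {
        if (pool[i].in_use) continue;
        memset(&pool[i], 0, sizeof pool[i]);
        pool[i].in_use = 1;
        pool[i].version = version;
        return &pool[i];
    }
    return NULL;
}

/* tools.capability.dnd_version handler. Both variants release the current DnD
 * object on a version change; only the hardened one replaces the parent's
 * pointer, so no dangling reference survives (assumed fix, not the vendor's). */
void set_dnd_version(vmx_dnd_state_t *st, int version, int hardened) {
    if (st->dnd && st->dnd->version != version) {
        st->dnd->in_use = 0;                         /* object returned to the heap */
        if (hardened) st->dnd = dnd_alloc(version);  /* drop the stale pointer */
    }
}

/* dnd.setGuestFileRoot handler: the "use" that reaches the freed object. */
int dnd_set_guest_file_root(vmx_dnd_state_t *st, const char *root) {
    dnd_t *d = st->dnd;
    if (!d) return -1;           /* DnD never initialised */
    if (!d->in_use) return -2;   /* dangling pointer: the use-after-free */
    strncpy(d->guest_file_root, root, sizeof d->guest_file_root - 1);
    return 0;
}

/* Replays the trigger sequence from the text and returns the handler's result. */
int demo(int hardened) {
    memset(pool, 0, sizeof pool);
    vmx_dnd_state_t st = { dnd_alloc(1) };   /* allocated when the VM starts */
    set_dnd_version(&st, 2, hardened);
    set_dnd_version(&st, 3, hardened);
    return dnd_set_guest_file_root(&st, "AAAAA");
}
```

demo(0) reaches the released slot through the stale pointer and returns -2, while demo(1) operates on a freshly installed object and returns 0.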

Exploiting the bug

While examining the disassembly at crash time, it was obvious that I needed some kind of information leak to exploit this vulnerability. To speed up this process, I used one of Tencent Security's Pwn2Own vulnerabilities that leaked the address of vmware-vmx.exe. (Tencent's CVE-2017-4905 is used here to bypass ASLR. What if it weren't used; could the exploit still be achieved?) This particular info leak will be discussed in detail in the future, but it does provide the needed info leak to make this exploit successful.

Usually, when I try to exploit vulnerabilities in a target, I ask myself these questions:

  1. What type of requests can I send?
  2. What do I control?
  3. How can I control the crash?
  4. How can I gain better exploitation primitives?

At this point, I could send RPCI requests, which are technically sent through the Backdoor interface along with other Backdoor requests. Yes, the official name VMware gave this interface is Backdoor.

So, how could I control the contents of the freed object? I’m used to UAFs in the browser world, but exploiting and controlling this one was something new to me. I started looking at the RPC functions that I can call from the Guest with normal user privileges, and I stumbled across tools.capability.guest_temp_directory. I thought it would be easy to send a string of a certain size to overwrite the freed block. The result was promising:

(Note that the block may be freed again even after it has been occupied. The request needs to be sent many times to increase the probability of occupying it. With tools.capability.guest_temp_directory aaa sent repeatedly, the earlier data gets cleared.)

Technically, we can control this vulnerability by sending an arbitrary RPC request, not necessarily tools.capability.guest_temp_directory. This solves the biggest problem.

The next question was whether or not I could put a ROP chain and payload in a deterministic place. Again, I started looking at the RPC functions that I could call from the Guest. There were a few interesting functions to choose from. (It seems reverse engineering is still needed to see this.) The one that stood out was unity.window.contents.start. Taking a closer look at the assembly, I noticed that a reference to the contents is kept in a global variable:


In other words, if I sent a unity.window.contents.start request, I’d know exactly where this request was stored: vmware_vmx+0xb870f8.

So, I triggered the crash again with the following RPC calls:

    tools.capability.dnd_version 2
    vmx.capability.dnd_version
    tools.capability.dnd_version 3
    vmx.capability.dnd_version
    unity.capability.guest_temp_directory AAA..AAAA
    dnd.setGuestFileRoot BBB..BB

As you can see, @RDI points to the request that triggered the bug. (In other words, if the request contains shellcode, the address at which the shellcode is stored is predictable, namely RDI; so once the jump target is controlled, jumping to RDI jumps to the shellcode.)

What did the plan look like at this point?

  1. Send a unity.window.contents.start request with a ROP chain that sets RSP to RDI. (Just point RSP at RDI and ROP becomes possible; this is a stack pivot.)
  2. Trigger the free. (Free the object.)
  3. Overwrite the freed object with another one. The freed object should contain the address of vmware_vmx+0xb870f8. (Occupy the object; it contains the address that points at the stack pivot.)
  4. Trigger the re-use using a request that contains the ROP chain to gain RCE.

Visually, it’s pretty simple:


The resulting code execution leaves the virtual client behind to instead run at the hypervisor layer.

Conclusion

When we introduced the VMware category at Pwn2Own 2016, we didn’t really expect to get any entries. We rarely see entries in new categories due to the time it takes researchers to find bugs and craft the needed exploits. However, we were hopeful that we would see some appear in 2017, and sure enough, two different teams successfully elevated from virtual client to executing code in the hypervisor. I’ll be detailing those exploits and techniques in the future. Until then, don’t let Use-After-Free vulnerabilities in VMware scare you. They’re fun to exploit ☺. Every RPCI function has its own story with its own exploit primitive.

You can find me on Twitter at @AbdHariri, and follow the team for the latest in exploit techniques and security patches.
