Abstract

Virtualization technology is progressively becoming the authority on which platform security is built and clouds are secured. Hyper-V, Microsoft's virtualization stack, is the backbone to Azure and held to a high security standard. Microsoft offers a bug bounty program with rewards up to $250,000 USD for vulnerabilities in Hyper-V. The hypervisor provides a calling mechanism for guests referred to as hypercalls. Not only could hypercalls offer an avenue for VM escapes, but with the introduction of virtualization-based security (VBS) hypercalls may be abused to bypass Virtual Secure Mode (VSM). In this presentation, we'll discuss our research into developing Hyperseed, our format-aware hypercall fuzzer. We'll dive into the hypercall interface detailing the classes of hypercalls Hyper-V supports, the design of hyperseed, and culminate with details on vulnerabilities we found in hypercall handlers.

In this talk we will briefly cover Hyper-V architecture and its attack surface to set the stage for the audience. Since this topic has been covered many times (e.g. "A Dive in to Hyper-V Architecture & Vulnerabilities" by Joe Bialek & Nicolas Joly @ Black Hat 2018), we won't spend more than 10 minutes on architecture. We'll then cover our motivation for fuzzing hypercalls. Next we'll dive into the hypercall interface. This will be a deep dive covering the technical details of establishing the hypercall interface, classes of hypercalls, inputs/outputs, restrictions, etc. We will then jump into the design of Hyperseed, our format-aware fuzzer. This portion will cover everything from our mutation stack to "access checks" such as identity / privileges. We'll discuss the difference between fuzzing from a guest partition vs. the root partition and some of the issues we encountered. Finally, we'll go over the details of vulnerabilities we found with Hyperseed. This will include CVE-2018-8439, which is a guest->host RCE. We expect to be able to present one guest->hypervisor DoS that is currently in the process of being serviced (expected in December).