
Abstract

Virtual machines play a crucial role in modern computing. They are routinely used to isolate instances belonging to different customers on the same physical server, and researchers and security practitioners use them to contain potentially harmful code for analysis and review. They are commonly assumed to be a secure way of containing and isolating malicious code; the guest-to-host escapes discussed here show that this assumption does not always hold.

Over the past year, the Zero Day Initiative (ZDI) program has begun to see submissions targeting VMware Workstation and Fusion that result in guest-to-host escapes. Additionally, at the Pwn2Own 2017 competition earlier this year, two separate teams managed to exploit a guest operating system, escape the virtual environment, and execute code on the host operating system. This represents the first time such a VMware escape was demonstrated at the contest and earned the contestants the highest cash prizes of the competition.

This talk will dive deep into modern exploitation techniques of VMware vulnerabilities. We start by examining the VMware guest-to-host communications, which occur through the Backdoor channel (yes, it's really called Backdoor). Next, we take an in-depth look at the available attack surfaces on a virtual machine. These include components such as third-party software, remote procedure calls, and graphics drivers.

Finally, we will dive into the exploitation of different types of vulnerabilities in VMware that result in guest-to-host escapes, including the two award-winning entries from Pwn2Own that resulted in $205,000 USD of payouts to the contestants.

Videos