This document describes exploiting a use-after-free vulnerability called "Hearthstone" in VMware Workstation to escape from a virtual machine. It begins with background on VMware RPC and the fuzzing framework used. It then explains the Hearthstone vulnerability, how it allows information leakage, and how that leakage can be used to conduct an out-of-bounds write to achieve code execution on the host system. The presentation concludes with a demonstration of the exploitation process and takes questions.

1. Escape from VMware Worksta2on
by using "Hearthstone"

2. About Marvel Team
Focus on virtualization security ,
2015.6-2016.6
• fuzz qemu and xen and report 30+ vuls
• Report cve-2016-3710, the first one can be used to
escape from public cloud
• breakout from docker container
2016.7 – now
• fuzz vmware workstation and hyper-v
• Pwn the vmware workstation in pwnfest 2016

3. Agenda
• Basic Informa2on About Vmware Rpc
• Rpc Fuzzing Framework
• Hearthstone
• Exploita2on of Hearthstone
• Q&A

4. Basic Informa2on About Vmware Rpc

5. Environment
Vmware worksta2on: 12.5.1
Virtual machine OS: windows 10
Host machine OS: windows 10

6. Vmware tools
Path: C:Program FilesVMwareVMware Toolsrpctool.exe
Func2on: Enhance the user experience
Models: rpc, backdoor, vmci, hgfs
The Important channel to communicate with host machine.
Reference: open-vm-tools project

7. Rpc message channel is a big aWack surface
Vmware tools
“rpc”
RPC request data
wrapper
Backdoor
instruc2on
….
Windows kernel
VMVmware-vmx.exe
Exec Rpc command
channel
I/O Request
Package
VMware kernel module

8. Use backdoor transport rpc message
Thanks: hWps://sites.google.com/site/chitchatvmback/backdoor

9. Use backdoor to send enhanced rpc message

10. Use rpc message to allocate heap memory

11. Use rpc message to control the global variables
unity.window.contents.start (serializing data) allocate memory
unity.window.contents.start (serializing data) fill data in memory

12. Use rpc channel to allocate heap memory
Features:
• 8 channels
• maximum size: 0x10000
• During processing of the Channel receive rpc
message, Vmx.exe allocate the memory.
• Rpc message can be filled into the channel
several 2mes, when the total length of the
rpc messages is less than the channel
memory length, rpc command will not be
processed un2l the two lengths are equal.

13. Rpc Fuzzing Framework

14. Fuzzing framework
vmware-vmx.exe
monitor
Snapshot
manager
server
Vmware-rpc-afl-fuzz
Case builder
Config Manager
Virtual machine
vmrun.exe
win-afl
Case tester
client

15. Hearthstone

16. Hearthstone #uaf
Poc:
tools.capability.dnd_version 4
vmx.capability.dnd_version
tools.capability.dnd_version 2
vmx.capability.dnd_version
dnd.ready enable c:1

17. Hearthstone #oob
out of copypaste message`s bound read
out of global_block`s bound write

18. Exploita2on of Hearthstone

19. Cmd Params data
Block which can leak
Heap for out of bound write

20. Informa2on leakage
2(busy RPC)
0x10000
3(busy RPC)
0x10000
4(busy TRANSPORT)
0x10000
5(busy RPC)
0x10000
1(busy RPC)
0x10000
Chunk 4 is transport chunk
Others are RPC chunks

21. Informa2on leakage
2(busy RPC)
3(busy RPC)
4(busy TRANSPORT)
5(busy RPC)
1(busy RPC)
LFH subsegment
b
0x100
BLOCK
(busy)
obj
data
(free)
0x100
BLOCK
(free)
obj
data
(busy)
0x100
BLOCK
(free)
0x100
BLOCK
(free)
0x100
BLOCK
(free)
0x100
BLOCK
(busy)
0x100
rpc req
(busy)
obj
data
(free)
obj
data
(free)
0x100
BLOCK
(busy)
obj
data
(free)
OOB
OOB OOB OOB OOB

22. Informa2on leakage
3(busy RPC)
... ... ...
4(busy TRANSPROT)
5(busy RPC)
0x100
RPC req Out of bound data
0x100
RPC req Out of bound data
0x100
RPC req Out of bound data
3(busy RPC)
... ... ...
4(busy other)
5(busy RPC)
0x100
RPC req Out of bound data
0x100
RPC req Out of bound data
0x100
RPC req Out of bound data
FREE and malloc

23. Informa2on leakage
2(busy RPC)
3(busy RPC)
4(busy other)
have some useful msg
5(busy RPC)
1(busy RPC)
2(free)
4(busy other)
have some useful msg
5(busy RPC)
1(busy RPC)
FREE
FREE

24. INDEX
0x37
信息泄漏
2(busy transport)
4(busy other)
have some useful msg
5(busy RPC)
1(busy RPC)
3(free)
2(busy transport)
4(busy other)
have some useful msg
5(busy RPC)
1(busy RPC)
3(Cmd Params data)

25. Informa2on leakage
2(busy transport)
4(busy other)
have some useful msg
5(busy RPC)
1(busy RPC)
3(busy cmd args buffer)
0x30
stream
fill out
memory
2(busy transport)
(filled by 0x30)
4(busy other)
have some useful msg
5(busy RPC)
1(busy RPC)
3(Cmd Params data buffer)
(covered by overflowed 0x30 stream)

26. Chunk 4
(busy other)
have some useful msg
Chunk 3
(busy cmd args buffer)
(covered by overflowed 0x30 stream)
data1 data2 00 data3 00 00 00 00
……
……
Key value dataN dataN+1 dataN+2
…
0x30 0x30 0x30 0x30 0x30 0x30 0x30
0x30 0x30 0x30 0x30 0x30 0x30 0x30
0x30 0x30 0x30 0x30 0x30 0x30 0x30
……
……
……
……
0x30 0x30 0x30 0x30 0x30 0x30 0x30

27. data1 data2 00 data3 00 00 00 00
……
……
Key value dataN dataN+1 dataN+2
…
0x30 0x30 0x30 0x30 0x30 0x30 0x30
0x30 0x30 0x30 0x30 0x30 0x30 0x30
0x30 0x30 0x30 0x30 0x30 0x30 0x30
……
……
……
……
0x30 0x30 0x30 0x30 0x30 0x30 0x30
0x30 0x30 0x30 …….. data1 data2
READ
data1 data2
SAVE
Rpc Command：
toolsAutoInstallGetParams

28. data1 data2 00 data3 00 00 00
……
……
Key value dataN dataN+1 dataN+2
…
0x30 0x30 0x30 0x30 0x30 0x30 0x30
0x30 0x30 0x30 0x30 0x30 0x30 0x30
0x30 0x30 0x30 0x30 0x30 0x30 0x30
……
……
……
……
0x30 0x30 0x30 0x30 0x30 0x30 0x30
0x30 …….. data1 data2 0x30 data3
READ
data1 data2 00 data3
SAVE
data1 data2
30

29. data1 data2 0x30 data3 0x30 0x30
……
……
Key value dataN dataN+1 dataN+2
…
0x30 0x30 0x30 0x30 0x30 0x30 0x30
0x30 0x30 0x30 0x30 0x30 0x30 0x30
0x30 0x30 0x30 0x30 0x30 0x30 0x30
……
……
……
……
0x30 0x30 0x30 0x30 0x30 0x30 0x30
data1 data2 0x00 data3 00 00 00
……
……
Key value dataN dataN+1 dataN+2
GET30 30 30

31. Q&A