DirectX: The New Hyper-V Attack Surface

Conference:  Black Hat USA 2022

2022-08-11

Summary

The presentation discusses the attack surface of the Hyper-V DirectX component (GPU paravirtualization) and how to find vulnerabilities in it through fuzzing.
  • The Hyper-V DirectX component has a large attack surface that is still being extended with new features
  • Fuzzing is an efficient way to find vulnerabilities in the component
  • CVE-2022-21898 is an example of an arbitrary address write vulnerability in the DXGK_VMBCOMMAND_SUBMITCOMMAND command handler
  • The two major functions of the fuzzer are the agent layer and the mutation part
  • Application scenarios for the Hyper-V DirectX component include Windows Sandbox and the HoloLens 2 emulator
  • The presentation includes an overview of the Hyper-V DirectX component architecture and how to enable the virtual device in the virtual machine configuration
The presenter discovered a null pointer dereference vulnerability by mutating the members of the signal-sync-object structure (dxgkvmb_command_signalsyncobject in the WSL kernel source) carried in the DXGK_VMBCOMMAND_SIGNALSYNCOBJECT command message.

Abstract

In 2020, Hyper-V introduced a new GPU paravirtualization feature (GPU-PV), which is based on GPU virtualization technology. This technology is integrated into WDDM (Windows Display Driver Model), and all WDDM 2.5 or later drivers have native support for GPU virtualization. However, new features mean new attack surfaces.

In this talk, I will disclose 4 vulnerabilities in the Hyper-V DirectX component that I found and that have been fixed so far. Two of these vulnerabilities could allow an attacker running a specially crafted application on a guest operating system to cause the Hyper-V host operating system to execute arbitrary code.

To understand these vulnerabilities, I will first introduce the basic architecture of the Hyper-V DirectX component and explain how to configure the virtual machine parameters so that this virtual device can be used from inside a virtual machine. By referring to the WSL Linux kernel source code and by reverse engineering, I will introduce the attack surface of the Hyper-V DirectX component. By walking through the 4 vulnerabilities, you will gain a better understanding of this attack surface. Later, I will describe how to use fuzzing to find vulnerabilities in this attack surface, using a simple fuzz framework written by myself as a learning case. Finally, I'll share takeaways and my opinions on this attack surface, as well as speculation on the future development of the Hyper-V DirectX component.
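The abstract and summary both refer to configuring the virtual machine so that the guest can use the paravirtualized GPU, which is the precondition for reaching this attack surface from a guest at all. The following is an added example, not code from the talk or from Microsoft's documentation, showing the host-side PowerShell steps that attach a GPU partition adapter to an existing Hyper-V VM. The VM name "gpupv-test", the resource share values, and the MMIO sizes are assumptions; the cmdlets themselves (Add-VMGpuPartitionAdapter, Set-VMGpuPartitionAdapter, Set-VM, Get-VMGpuPartitionAdapter, Get-VMHostPartitionableGpu) are the standard Hyper-V module cmdlets on Windows 10 2004 / Windows 11 hosts.

```powershell
# Added example (not from the talk): enable GPU paravirtualization (GPU-PV)
# for an existing Generation 2 Hyper-V VM. Assumptions: the VM is named
# "gpupv-test", the host has a WDDM 2.5+ driver for a partitionable GPU, and
# this runs in an elevated PowerShell session with the Hyper-V module loaded.
$VMName = "gpupv-test"

# Show which host GPUs can be partitioned at all; if this prints nothing,
# the host driver does not support GPU-PV and the rest will fail.
Get-VMHostPartitionableGpu | Select-Object Name, PartitionCount

# The partition adapter and the VM memory settings can only be changed
# while the VM is off.
if ((Get-VM -Name $VMName).State -ne 'Off') {
    Stop-VM -Name $VMName -Force
}

# Checkpoints are not supported on a VM with a GPU partition adapter.
Set-VM -Name $VMName -CheckpointType Disabled

# Attach the adapter once; without -InstancePath Hyper-V uses the first
# partitionable GPU on the host.
if (-not (Get-VMGpuPartitionAdapter -VMName $VMName -ErrorAction SilentlyContinue)) {
    Add-VMGpuPartitionAdapter -VMName $VMName
}

# Resource shares for VRAM, encode, decode and compute. The values are
# assumed (host-defined units); Min <= Optimal <= Max must hold.
Set-VMGpuPartitionAdapter -VMName $VMName `
    -MinPartitionVRAM    80000000 -MaxPartitionVRAM    100000000 -OptimalPartitionVRAM    100000000 `
    -MinPartitionEncode  80000000 -MaxPartitionEncode  100000000 -OptimalPartitionEncode  100000000 `
    -MinPartitionDecode  80000000 -MaxPartitionDecode  100000000 -OptimalPartitionDecode  100000000 `
    -MinPartitionCompute 80000000 -MaxPartitionCompute 100000000 -OptimalPartitionCompute 100000000

# GPU-PV needs guest-controlled cache types and a larger MMIO aperture than
# the Hyper-V defaults; 1 GB / 32 GB are assumed values.
Set-VM -Name $VMName -GuestControlledCacheTypes $true `
    -LowMemoryMappedIoSpace 1GB -HighMemoryMappedIoSpace 32GB

Start-VM -Name $VMName

# Check: the adapter should now be listed with its resource settings.
Get-VMGpuPartitionAdapter -VMName $VMName | Format-List
```

For a Windows guest, the host driver files also have to be made available inside the guest (commonly by copying the driver's folder from the host's DriverStore into the guest's HostDriverStore) before the device becomes usable; that step is host-driver specific and is not shown here. From a security standpoint, note what this configuration does: it exposes the host's DirectX graphics kernel to VMBus command messages originating in the guest, which is exactly the surface the talk fuzzes, so enable it only on VMs you are prepared to treat as hostile to the host.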
