
Mobius Band: Explore Hyper-V Attack Interface through Vulnerabilities Internals

Conference: BlackHat USA 2021

2021-08-04

Summary

The talk walks through three guest-to-host remote code execution (RCE) vulnerabilities in Hyper-V that the speaker found and that have since been fixed, and uses their internals to map the Hyper-V attack surface. It closes with takeaways from the research and other potential attack interfaces.
  • Introduction to the Hyper-V architecture and its important components
  • The three Hyper-V RCE vulnerabilities and the attack interface they reveal, explained through their internal details
  • Takeaways from the research and other potential Hyper-V attack interfaces
Each vulnerability could allow a specially crafted application running in a guest operating system to execute arbitrary code on the Hyper-V host: two sit in kernel-mode (Ring0) host components, vmswitch and vhdmp, and one in the user-mode (Ring3) worker process vmwp. The speaker also separates the ways guest data reaches the host into two data paths, data dispatched to kernel mode and data dispatched to user mode, and shows which attack interfaces each path exposes.

Abstract

In recent years, Microsoft has regarded the cloud as an important direction for its future development. Hyper-V is Microsoft Azure's virtualization solution and the cornerstone of Microsoft cloud virtualization. However, virtualization software like Hyper-V is not absolutely secure, and even a trivial vulnerability can cause immeasurable losses.

In this talk, I will explain 3 Hyper-V RCE vulnerabilities that I found and that have since been fixed. All of the vulnerabilities could allow an attacker to run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code. Two of these vulnerabilities affect the vmswitch component and the vhdmp component in Windows Host Ring0 respectively, and the remaining one affects the vmwp component in Windows Host Ring3. I will also introduce the Hyper-V attack interface through the internal details of these vulnerabilities.

To understand these vulnerabilities, I will first introduce the differences between a Hyper-V exploit and a traditional Windows EOP exploit, then I will explain how the data in the Guest is transferred to the Hyper-V component in the Host and how it is parsed. Here I categorize Hyper-V data transmission methods into two different data paths, namely the data distributed to kernel mode and the data distributed to user mode. Next, I will introduce the internal details of several undisclosed Hyper-V RCE vulnerabilities, through which you will learn about the multiple attack interfaces of Hyper-V. Finally, I will share the takeaways from this research and explain other potential attack interfaces related to Hyper-V.
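The common thread in both data paths described above is that a host component (kernel-mode driver or the user-mode worker process) parses data a guest wrote into shared memory, so every length, offset and type field it reads is attacker-controlled. The following C program is an added illustration of that parsing boundary and is not code from the talk or from Hyper-V: the slot layout, the message header, the constants and the function names are all constructed here and are not the VMBus, vmswitch, vhdmp or vmwp wire formats, and the unchecked parser does not reproduce any of the vulnerabilities the talk covers. It shows an unchecked host-side parser beside a checked one that copies the guest-written header out once (so the guest cannot change it between validation and use) and bounds the guest-supplied length against both the slot and the host's destination buffer before any copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration: a length-prefixed message that a guest has
 * written into a fixed-size shared-memory slot. This layout is hypothetical
 * and is NOT the VMBus/vmswitch/vhdmp/vmwp wire format. */
#define SLOT_SIZE    256u   /* bytes the guest may fill per slot (assumed) */
#define PAYLOAD_MAX   64u   /* host-side scratch buffer for one message (assumed) */

enum msg_type { MSG_ECHO = 1, MSG_CONFIG = 2 };   /* hypothetical allow-list */

struct msg_hdr {
    uint32_t type;
    uint32_t length;   /* payload bytes that follow; chosen by the guest */
};

enum parse_result {
    PARSE_OK = 0,
    PARSE_SHORT_SLOT,      /* slot smaller than the header itself */
    PARSE_BAD_TYPE,        /* type not in the host's allow-list */
    PARSE_LEN_OVER_SLOT,   /* declared length runs past the end of the slot */
    PARSE_LEN_OVER_DST     /* declared length larger than the host buffer */
};

/* Contrast: the shape of an unchecked host parser. hdr.length comes straight
 * from the guest and bounds the copy into a fixed host buffer, so a guest can
 * overflow dst. Shown only for comparison; never feed it guest data. */
void parse_unchecked(const uint8_t *slot, uint8_t *dst)
{
    struct msg_hdr hdr;
    memcpy(&hdr, slot, sizeof hdr);
    memcpy(dst, slot + sizeof hdr, hdr.length);   /* overflow if length > PAYLOAD_MAX */
}

/* Checked parser: every guest-controlled value is validated against
 * host-owned bounds before it is used to index or copy memory. */
enum parse_result parse_checked(const uint8_t *slot, size_t slot_len,
                                uint8_t *dst, size_t dst_len, size_t *out_len)
{
    struct msg_hdr hdr;

    if (slot_len < sizeof hdr)
        return PARSE_SHORT_SLOT;
    /* Copy the header out of shared memory once and validate the copy, so the
     * guest cannot rewrite the fields between the check and the use. */
    memcpy(&hdr, slot, sizeof hdr);

    if (hdr.type != MSG_ECHO && hdr.type != MSG_CONFIG)
        return PARSE_BAD_TYPE;

    /* Compare against the bytes remaining after the header instead of computing
     * sizeof hdr + hdr.length, which could wrap on a 32-bit build. */
    if (hdr.length > slot_len - sizeof hdr)
        return PARSE_LEN_OVER_SLOT;
    if (hdr.length > dst_len)
        return PARSE_LEN_OVER_DST;

    memcpy(dst, slot + sizeof hdr, hdr.length);
    if (out_len)
        *out_len = hdr.length;
    return PARSE_OK;
}

/* Fill a constructed slot with a header and sample payload. */
static void build_slot(uint8_t *slot, uint32_t type, uint32_t declared_len)
{
    static const uint8_t payload[] = "guestmsg";      /* constructed sample data */
    struct msg_hdr hdr = { type, declared_len };
    memcpy(slot, &hdr, sizeof hdr);
    memcpy(slot + sizeof hdr, payload, sizeof payload - 1);
}

/* Run the checked parser over one constructed slot and return its verdict. */
enum parse_result run_case(uint32_t type, uint32_t declared_len)
{
    uint8_t slot[SLOT_SIZE] = {0};
    uint8_t dst[PAYLOAD_MAX];
    build_slot(slot, type, declared_len);
    return parse_checked(slot, sizeof slot, dst, sizeof dst, NULL);
}

/* Same, but return the number of payload bytes the host accepted (0 if rejected). */
size_t run_case_len(uint32_t type, uint32_t declared_len)
{
    uint8_t slot[SLOT_SIZE] = {0};
    uint8_t dst[PAYLOAD_MAX];
    size_t n = 0;
    build_slot(slot, type, declared_len);
    if (parse_checked(slot, sizeof slot, dst, sizeof dst, &n) != PARSE_OK)
        return 0;
    return n;
}

int main(void)
{
    printf("well-formed (8 bytes):   %d\n", run_case(MSG_ECHO, 8));
    printf("type not allowed:        %d\n", run_case(99, 8));
    printf("length > host buffer:    %d\n", run_case(MSG_ECHO, 200));
    printf("length > slot:           %d\n", run_case(MSG_ECHO, 0xFFFFFFF0u));
    return 0;
}
```

The two checks are deliberately separate: a length that fits the slot can still exceed the host's own buffer, and a length that fits the host buffer can still run past the slot, so the parser must bound the guest value against both. The same pattern applies whether the consumer is a Ring0 driver or the Ring3 worker, which is why a guest-controlled length is worth auditing on both data paths.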
