
Exploiting the Hyper-V IDE Emulator to Escape the Virtual Machine

Conference: BlackHat USA 2019

2019-08-07

Summary

The presentation discusses a vulnerability in Hyper-V's emulated storage component (the IDE emulator) and how it was exploited on Windows Server 2012 R2. It also explores how Windows evolved between Windows Server 2012 R2 and Redstone 3, and how the same vulnerability was exploited on Redstone 3 with numerous hardening measures in place. The talk concludes with a discussion of Microsoft's approach to hardening the Hyper-V stack and other critical code.
  • Hyper-V's emulated storage component had a vulnerability that was reported through the Hyper-V bug bounty
  • The vulnerability was exploited on Windows Server 2012 R2
  • The same vulnerability was exploited on Windows Redstone 3, with numerous hardening measures in place
  • The presentation explores the evolution of Windows between Windows Server 2012 R2 and Redstone 3
  • Microsoft describes how it is approaching hardening of the Hyper-V stack and other critical code
The speaker had been concerned about a suspicious data-port write function ("writedata port") in the emulated storage stack. Although he did not find a way to trigger a bug there himself, a crash dump from an external researcher who had crashed Hyper-V landed on his desk. The researcher sent him a proof of concept, and the speaker worked it into an exploit. He then used that exploit to evaluate how well the platform's exploit mitigations were holding up in general.

Abstract

Cloud proliferation continues to increase the world's dependency on the security of virtualization stacks. But like all software stacks, virtualization stacks have vulnerabilities. In this talk, I'll examine a powerful vulnerability in Hyper-V's emulated storage component that was reported through the Hyper-V bug bounty. Then, I'll demonstrate how I exploited this vulnerability on Windows Server 2012 R2. Next, I'll discuss how Windows has evolved between Windows Server 2012 R2 and Redstone 3. I'll show you how I tried, failed, and then ultimately succeeded in exploiting the same vulnerability on Windows Redstone 3 with numerous hardening measures in place. This will provide empirical evidence for the impact that several years of platform hardening can have on exploitation. I'll wrap up the talk by discussing the takeaways Microsoft had from this exercise and how we're approaching hardening the Hyper-V stack (and other critical code) as a result.
