Straight Outta VMware: Modern Exploitation of the SVGA Device for Guest-to-Host Escapes

Conference:  BlackHat EU 2018



This presentation focuses on modern exploitation techniques for VMware Workstation guest's virtual graphics device in order to achieve code execution on the host operating system. There will be in-depth analysis of VMware's graphics pipeline and its implementation details from an attacker's point of view. Specifically, the talk will cover how VMware bootstraps the virtual graphics device and how its behavior is affected by the host and guest operating systems. Once the graphics device is ready, the so-called SVGA thread is waiting for user commands. The presentation will enumerate the available ways to issue commands from the guest in order for them to be processed by the SVGA thread in host context.VMware uses the SVGA3D protocol to communicate with the guest operating system (frontend interface). Commands sent by a guest user are processed by the host operating system using one of the available backend interfaces. The backend interface is selected with respect to the host operating system; this talk will focus on Windows hosts. Concepts used by both the frontend and the backend interfaces will be explained as well. Furthermore, there will be a discussion of VMware's internal objects and how they can be abused in order to develop novel primitives that are valuable assets for exploiting a memory corruption vulnerability. The aforementioned primitives include a reliable way to spray the host's heap, a way to leak memory from the host, and of course, a way to execute arbitrary code in host context. Finally, this purely offensive talk will conclude with a demonstration of those techniques using a public (patched) VMware vulnerability.