
hAFL1: Our Journey of Fuzzing Hyper-V and Discovering a 0-Day

Conference:  BlackHat USA 2021

2021-08-04

Summary

hAFL1 is a kAFL-based fuzzing infrastructure for Hyper-V devices that allows for structure-aware fuzzing of RNDIS packets and provides detailed crash reports. It was used to discover a critical 0-day in Hyper-V vmswitch.
  • Fuzzers automate the process of bug discovery by rapidly feeding a target with numerous inputs
  • hAFL1 sends fuzzing inputs from the host level to mimic a child-partition and leverages Intel-PT to obtain coverage feedback
  • hAFL1 allows for structure-aware fuzzing of RNDIS packets using Google Protocol Buffers (protobuf) and the libprotobuf-mutator library
  • A critical 0-day in Hyper-V vmswitch was discovered using hAFL1 - an arbitrary read vulnerability
  • The bug was reported to MSRC and assigned a CVE
During the presentation, the speakers shared that they received a phone call from one of their servers running hAFL1 only two hours after it started running, indicating a crash. Upon investigation, they discovered a bug in vmswitch and reported it to MSRC, who assigned it a CVE.

Abstract

Fuzzers are tremendously important in the realm of vulnerability research, as they automate the process of bug discovery by rapidly feeding a target with numerous inputs. Several factors make up an efficient fuzzer. One of them is structure-awareness - leveraging knowledge of the input format to generate test cases. Another important property is coverage-guidance - the ability to mutate inputs based on previously visited execution paths. Sophisticated fuzzers have been developed and used to find critical vulnerabilities in all types of software.

Targeting Hyper-V with existing fuzzers is highly challenging. Hyper-V does not trivially support Intel-PT, and therefore when run on top of kAFL, the latter loses one of its strongest features - coverage-guidance. Other complexities arise from sending fuzzing inputs to Hyper-V virtualization service providers (VSPs). VSPs receive data through the VMBus interface, which is proprietary and undocumented. Moreover, data comes in specific formats depending on the protocol used on top of the VMBus channel.

To tackle these challenges we developed hAFL1, a kAFL-based fuzzing infrastructure for Hyper-V devices, of which vmswitch is a particular case. hAFL1's novel approach is that it sends fuzzing inputs from the host level. It mimics a child-partition by initializing the necessary data structures in vmswitch and sending inputs to the target as if they had arrived over VMBus. By doing that, hAFL1 leverages Intel-PT to obtain coverage feedback. hAFL1 allows structure-aware fuzzing of RNDIS packets, and also provides detailed crash reports.

In this session, we present hAFL1 and provide the implementation bits required to write a Hyper-V fuzzer. We uncover a critical 0-day in Hyper-V vmswitch which was found using our fuzzer - an arbitrary read vulnerability. Finally, we show a live demo of exploiting this vulnerability, which until only a few weeks ago could take down big portions of Azure cloud infrastructure.
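As an added illustration (not code from the talk or the hAFL1 project), the following Python builds a REMOTE_NDIS_PACKET_MSG the way a structure-aware generator would, keeping its offset and length fields consistent with the buffer, and parses it with the bounds checks a receiver such as a VSP needs before trusting those fields. The field layout follows the public RNDIS specification; the function names are assumptions.

```python
import struct

# RNDIS data-packet message type (public RNDIS specification)
REMOTE_NDIS_PACKET_MSG = 0x00000001
# MessageType, MessageLength, DataOffset, DataLength, OOBDataOffset,
# OOBDataLength, NumOOBDataElements, PerPacketInfoOffset,
# PerPacketInfoLength, VcHandle, Reserved: eleven little-endian u32 fields
PACKET_HDR = struct.Struct("<IIIIIIIIIII")

def build_packet_msg(payload: bytes, data_offset=None) -> bytes:
    """Build a structurally valid packet message.

    DataOffset is relative to the start of the DataOffset field (byte 8 of
    the message), so the default places the payload right after the header.
    Passing an explicit data_offset lets a test construct a malformed message.
    """
    if data_offset is None:
        data_offset = PACKET_HDR.size - 8
    msg_len = PACKET_HDR.size + len(payload)
    hdr = PACKET_HDR.pack(REMOTE_NDIS_PACKET_MSG, msg_len, data_offset,
                          len(payload), 0, 0, 0, 0, 0, 0, 0)
    return hdr + payload

def parse_packet_msg(msg: bytes) -> bytes:
    """Return the packet payload, rejecting any header field that would make
    the receiver read outside the buffer it actually holds."""
    if len(msg) < PACKET_HDR.size:
        raise ValueError("message shorter than packet header")
    mtype, mlen, doff, dlen = PACKET_HDR.unpack_from(msg)[:4]
    if mtype != REMOTE_NDIS_PACKET_MSG:
        raise ValueError(f"unexpected MessageType {mtype:#x}")
    # MessageLength is attacker-controlled: it must fit the received buffer.
    if mlen < PACKET_HDR.size or mlen > len(msg):
        raise ValueError("MessageLength inconsistent with received buffer")
    start = 8 + doff          # offset is counted from the DataOffset field
    end = start + dlen
    if start < PACKET_HDR.size or end > mlen:
        raise ValueError("DataOffset/DataLength point outside the message")
    return msg[start:end]
```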
