Mobius Band: Explore Hyper-V Attack Interface through Vulnerabilities Internals
⚫ Zhenhao Hong (@rthhh17)
Ant Group Light-Year Security Lab, Ex-researcher @IceSword Lab, Qihoo 360
⚫ Chuanjian Liao
IceSword Lab, Qihoo 360
#BHUSA @BlackHatEvents

whoami
• Zhenhao Hong (@rthhh17)
  • @Ant Group Light-Year Security Lab
  • Ex-researcher @IceSword Lab, Qihoo 360
  • Awarded the 2019-2020 MSRC Most Valuable Security Researchers
• Chuanjian Liao
  • Technical Director @IceSword Lab, Qihoo 360

Agenda
• Hyper-V Architecture
• Hyper-V Guest and Host Communication
• Why Hyper-V is difficult
• Vulnerabilities Details
• Attack Interface
• Concluding Thoughts

Hyper-V Architecture

Architecture
Hypervisor (Ring -1)
Root Partition: VMWPs (Ring 3); Host Drivers (Ring 0); VMBUS
Child Partition: Ring 3; Guest Drivers (Ring 0); VMBUS

Architecture - Hypervisor
Hypervisor: hvix64.exe (Intel CPU), hvax64.exe (AMD CPU)
• Memory Management
• VM-Exit Handlers
• Nested Virtualization
• APIC Virtualization
• MSRs Virtualization
• etc...

Architecture - VMBUS
Hypervisor: Ring -1 (hardware)
Host Kernel Space (Ring 0): NT (ntoskrnl.exe); VMBUS Host (vmbusr.sys, vmbkmclr.sys); winhvr.sys
Guest Kernel Space (Ring 0): Guest Kernel; VMBUS Guest (Linux: hv_vmbus.ko; Windows: vmbus.sys, vmbkmcl.sys, winhv.sys)

Architecture – Host Drivers
Host Drivers (sitting on top of VMBUS):
• Network Virtualization: vmswitch.sys, vmsproxy.sys, vmsproxyhnic.sys
• hvsocket: hvsocket.sys, hvsocketcontrol.sys
• PCI Virtualization: vpcivsp.sys
• Storage Virtualization: storvsp.sys, vhdparser.sys, vhdmp.sys

Architecture - VMWPs
VMWP.exe (Virtual Machine Worker Process), connected to the guest via VMBUS; vmconnect.exe (Virtual Machine Connection) attaches to it via a socket (I/O Write / I/O Read). Components hosted in VMWP.exe:
• Virtual Machine Integration Service: vmiccore.dll, vmicvdev.dll
• VM UI Devices: vmuidevices.dll
• Dynamic Memory Controller: vmdynmem.dll
• etc…

Hyper-V Guest and Host Communication

Communication
➢VMBUS initialization in the Linux guest.

Communication
➢VMBUS device initialization.
➢vmbus_open
vmbus_open performs the following steps in order:
• alloc_pages: allocate contiguous pages for the VMBUS ring buffer.
• hv_ringbuffer_init: initialize the VMBUS ring buffer.
• vmbus_establish_gpadl: establish a GPADL for the specified buffer; uses vmbus_post_msg to send the CHANNELMSG_GPADL_HEADER & CHANNELMSG_GPADL_BODY messages to the Host.
• CHANNELMSG_OPENCHANNEL: uses vmbus_post_msg to send the CHANNELMSG_OPENCHANNEL message to the Host.

Communication
➢Send data to Host: vmbus_sendpacket
Call chain: vmbus_sendpacket → hv_ringbuffer_write (guest data is written into the ring buffer) → hv_signal_on_write → vmbus_setevent → vmbus_set_event → hv_do_fast_hypercall8 → vmcall

Communication
➢Receive data from Host: vmbus_on_event

Communication
➢VMBUS in Host
➢There are two functions, vmbkmclr!KmclpVmbusManualIsr and vmbkmclr!KmclpVmbusIsr.
➢vmbkmclr!KmclpVmbusIsr: distributes guest data to Host kernel drivers (storvsp.sys, vmswitch.sys, …).
➢vmbkmclr!KmclpVmbusManualIsr: distributes guest data to host user-mode components (vmuidevices.dll, vmdynmem.dll, vmicvdev.dll, …).

Communication
➢Data path to Ring0 (vmbkmclr!KmclpVmbusIsr)
➢For example, storvsp.sys (slide annotations: Guest data; Guest data Size).

Communication
➢Data path to Ring3 (vmbkmclr!KmclpVmbusManualIsr)
➢For example, vmiccore.dll

Why Hyper-V is difficult?

Compare with Win32k!EngRealizeBrush Integer Overflow (MS17-017)
➢win32k!EngRealizeBrush Integer Overflow Exploit
⚫CreateBitmap allocates a Bitmap object (size can be controlled)
⚫RegisterClassEx allocates an LpszMenuName object (pool feng-shui for the ENGBRUSH object)
⚫CreatePalette allocates a Palette object (size can be controlled; the object is abused to gain memory R/W)
⚫DeleteObject & UnRegisterClass control object free (pool feng-shui)
⚫We can control the content of Bitmap objects and Palette objects (construct memory R/W)

Compare with Win32k!EngRealizeBrush Integer Overflow (MS17-017)
Traditional EoP vs. Hyper-V Exploit
Attack Interface
• Traditional EoP: Lots of APIs. Ring0 reads data from User-Mode addresses directly.
• Hyper-V: No APIs. All data is transmitted via VMBUS; Ring0 is unable to read data from Guest memory space directly.
Object Allocate & Free
• Traditional EoP: Lots of objects can be abused so far. Allocation & freeing of kernel objects is easy to control. Memory R/W is constructed by controlling the content of kernel objects.
• Hyper-V: No suitable object for abuse (still finding…). Unable to control object Allocate & Free directly. Unable to control the timing of object Allocate & Free (because of the VMBUS mechanism). There is very little content in the object that can be controlled from Guest.
TOC/TOU
• Traditional EoP: Have a User-Mode pointer. Fetch the pointer (User-Mode memory) more than once.
• Hyper-V: All data is transmitted via VMBUS; Ring0 is unable to read data from Guest memory space directly.

Vulnerabilities Details

CVE-2019-0620

CVE-2019-0620
➢Root cause: vmbkmclr!VmbChannelPacketComplete is entered twice with the SAME first parameter.

CVE-2019-0620
➢bp storvsp!VstorCompleteScsiRequest+0x2d7 "r @rcx;k;r @$thread;!pool @rcx;.echo ; g"
➢Trigger this issue, and see what happened in WinDbg.

CVE-2019-0620
➢The following stack backtrace can be triggered in the normal procedure.

CVE-2019-0620
➢The following stack backtrace can be triggered only when the memory at offset 0x08 of vhdmp!VhdmpiPerformExtraScsiActions's second parameter is not NULL.

CVE-2019-0620
➢The memory at offset 0x08 of vhdmp!VhdmpiPerformExtraScsiActions's second parameter is set by vhdmp!VhdmpiCompleteOffloadRequest.
➢In the decompiled code, that value is *(_QWORD *)(v20 + 0x20).

CVE-2019-0620
➢In vhdmp!VhdmpiCompleteOffloadRequest, where is *(struct VHD_SCSI_REQUEST **)(v6 + 0x58) set? (Slide annotation: Guest Data.)

CVE-2019-0620
➢vhdmp!VhdmpiOffloadTableInsertLocked inserts a _VHD_OFFLOAD_OP object into the OffloadTable.
➢vhdmp!VhdmpiScsiCommandWriteUsingToken invokes vhdmp!VhdmpiOffloadTableInsertLocked. (Slide annotations: Guest Data; Insert into OffloadTable.)

CVE-2019-0620
➢Using the vhdmp!VhdmpiScsiCommandWriteUsingToken & vhdmp!VhdmpiScsiCommandCopyOperationAbort pair can trigger the following stack backtrace.

CVE-2019-0620
➢vhdmp!VhdmpiScsiCommandCopyOperations
v5 can be controlled by the Guest; v5 is "outcode" in the PoC code.

CVE-2019-0620
➢PoC Code
0x11 : vhdmp!VhdmpiScsiCommandWriteUsingToken
0x1C : vhdmp!VhdmpiScsiCommandCopyOperationAbort
(Slide annotations: used for vhdmp!VhdmpiScsiCommandCopyOperationAbort; used for vhdmp!VhdmpiScsiCommandWriteUsingToken.)

CVE-2019-0620 debugging & trigger

CVE-2019-0620
➢Exploit thinking
• The PoC has a chance to cause a UAF.
• Find a suitable object for kernel pool spray.
➢Why did it fail?
• No object of suitable size was found…

CVE-2019-0720

CVE-2019-0720
➢RtlDeleteElementGenericTableAvl's second parameter is the return value from RtlLookupElementGenericTableAvl. (Slide annotation: delete from generic table and free.)

CVE-2019-0720
➢RtlDeleteElementGenericTableAvl not only deletes a specified element from a generic table, but also frees the specified element.
➢vmbusr!ChUnmapGpadlView's second parameter is "gpadl_handle", and "gpadl_handle" can be controlled by the Guest machine. (Reference: Linux Kernel Source Tree)

CVE-2019-0720
Important information about vmbusr!ChUnmapGpadlView
➢vmbusr!ChUnmapGpadlView runs in a multithreaded environment; in practice, a multi-core processor environment.
➢vmbusr!ChUnmapGpadlView's second parameter is controlled by Guest data (gpadl_handle), and the first parameter can be controlled indirectly by which channel we use.

CVE-2019-0720
(State diagram: the path through vmbusr!ChUnmapGpadlView, Start → State-1 → State-2 → State-3 → End, drawn once per thread.)

CVE-2019-0720
• Assume the following situation:
➢There are two threads, ThreadA & ThreadB, running on different CPUs.
➢ThreadA & ThreadB run into vmbusr!ChUnmapGpadlView at the same time.
➢Both threads call vmbusr!ChUnmapGpadlView with the SAME parameters.
➢ThreadA is a little faster than ThreadB.

CVE-2019-0720
• Steps – 1
➢ThreadA first acquires the spinlock (spinlock address: v2+0x3c0) and enters the critical region. (State-1)
➢At the same time, ThreadB waits for the spinlock.
(Diagram: ThreadA in State-1; ThreadB waiting.)

CVE-2019-0720
• Steps – 2
➢ThreadA calls RtlLookupElementGenericTableAvl, which returns a pointer, PointerA. (State-1)
➢ThreadA releases the spinlock and exits the critical region.
(Diagram: ThreadA holds PointerA; ThreadB waiting.)

CVE-2019-0720
• Steps – 3
➢ThreadB acquires the same spinlock (spinlock address: v2+0x3c0) and enters the critical region. (State-1)
➢ThreadA tries to acquire the spinlock again and waits for it. (State-2)
(Diagram: ThreadB in State-1; ThreadA waiting.)

CVE-2019-0720
• Steps – 4
➢ThreadB calls RtlLookupElementGenericTableAvl, which returns a pointer, PointerB. (State-1)
➢ThreadB releases the spinlock and exits the critical region.
➢Both threads called vmbusr!ChUnmapGpadlView with the SAME parameters, so PointerB == PointerA.
(Diagram: ThreadB holds PointerB; ThreadA waiting.)

CVE-2019-0720
• Steps – 5
➢ThreadA acquires the spinlock (spinlock address: v2+0x3c0) at the second KeAcquireSpinLockRaiseToDpc and enters the critical region. (State-3)
➢ThreadA calls vmbusr!ChDeleteGpadlViewIfUnreferenced to free the memory PointerA points to and delete the element (PointerA) from the generic table.
➢ThreadA releases the spinlock and exits the critical region.
(Diagram: ThreadA frees PointerA; ThreadB waiting.)

CVE-2019-0720
• Steps – 6
➢ThreadB acquires the spinlock (spinlock address: v2+0x3c0) at the second KeAcquireSpinLockRaiseToDpc and enters the critical region. (State-3)
➢ThreadB calls vmbusr!ChDeleteGpadlViewIfUnreferenced to free the memory PointerB points to and delete the element (PointerB) from the generic table.
(Diagram: ThreadB frees PointerB.)

CVE-2019-0720
• Steps – 6
➢PointerA == PointerB
➢vmbusr!ChDeleteGpadlViewIfUnreferenced uses a pointer to already-freed memory as its second parameter.
➢UAF!!!
(Diagram: ThreadB uses the freed PointerA.)

CVE-2019-0720
Two necessary conditions
➢Two non-interfering threads run into vmbusr!ChUnmapGpadlView.
➢The two threads call vmbusr!ChUnmapGpadlView with the SAME parameters.
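The lookup-then-delete window from the six steps above, as an added C model written for this transcript (it is not vmbusr.sys code): the generic table, the two locked phases and the two threads are simulated deterministically, a second delete of the same entry is counted instead of touching freed memory, and a hardened variant keeps lookup and delete inside one critical section. The names channel, gpadl_view, racy_unmap_delete, safe_unmap and the handle values are assumptions made for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define TABLE_SIZE 4

/* Entry of the modelled generic table (what the lookup on the slides returns). */
typedef struct gpadl_view {
    uint32_t handle;    /* gpadl_handle supplied by the guest */
    bool     in_table;  /* still linked in the table */
    bool     freed;     /* memory already released */
} gpadl_view;

typedef struct channel {
    gpadl_view views[TABLE_SIZE];
    int        free_count;    /* frees performed */
    int        double_frees;  /* deletes of an already-freed view */
} channel;

/* Constructed sample table: four linked views with handles 0x10..0x13. */
static void channel_init(channel *ch) {
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        ch->views[i].handle = 0x10 + (uint32_t)i;
        ch->views[i].in_table = true;
        ch->views[i].freed = false;
    }
    ch->free_count = 0;
    ch->double_frees = 0;
}

/* Stands in for RtlLookupElementGenericTableAvl: find a linked view. */
static gpadl_view *table_lookup(channel *ch, uint32_t handle) {
    for (size_t i = 0; i < TABLE_SIZE; i++)
        if (ch->views[i].in_table && ch->views[i].handle == handle)
            return &ch->views[i];
    return NULL;
}

/* Stands in for ChDeleteGpadlViewIfUnreferenced: unlink and free the view.
 * A second delete of the same view is counted instead of touching freed memory. */
static void delete_and_free(channel *ch, gpadl_view *view) {
    if (view->freed) {
        ch->double_frees++;
        return;
    }
    view->in_table = false;
    view->freed = true;
    ch->free_count++;
}

/* Racy unmap, second locked phase (State-3): the spinlock is reacquired and
 * the pointer obtained in State-1 is acted on without checking that it is
 * still in the table. */
static void racy_unmap_delete(channel *ch, gpadl_view *found) {
    if (found != NULL)
        delete_and_free(ch, found);
}

/* Hardened variant: lookup and delete run inside one critical section, so a
 * concurrent caller's lookup sees the entry either before or after the delete. */
static void safe_unmap(channel *ch, uint32_t handle) {
    gpadl_view *view = table_lookup(ch, handle);
    if (view != NULL)
        delete_and_free(ch, view);
}

/* Interleaving from Steps 1-6, with the spinlock dropped between lookup and
 * delete: A looks up, B looks up, A frees, B frees. Returns the number of
 * double frees; frees performed go to *out_frees. */
int run_racy_scenario(uint32_t handle, int *out_frees) {
    channel ch;
    channel_init(&ch);
    gpadl_view *a = table_lookup(&ch, handle);  /* ThreadA, State-1: PointerA */
    gpadl_view *b = table_lookup(&ch, handle);  /* ThreadB, State-1: PointerB == PointerA */
    racy_unmap_delete(&ch, a);  /* ThreadA, State-3: free PointerA */
    racy_unmap_delete(&ch, b);  /* ThreadB, State-3: delete the freed PointerA */
    if (out_frees) *out_frees = ch.free_count;
    return ch.double_frees;
}

/* The same two callers against the hardened unmap. */
int run_safe_scenario(uint32_t handle, int *out_frees) {
    channel ch;
    channel_init(&ch);
    safe_unmap(&ch, handle);  /* ThreadA: finds and frees the view */
    safe_unmap(&ch, handle);  /* ThreadB: lookup returns NULL, nothing to free */
    if (out_frees) *out_frees = ch.free_count;
    return ch.double_frees;
}

int main(void) {
    int frees;
    int dup = run_racy_scenario(0x12, &frees);
    printf("racy: frees=%d double_frees=%d\n", frees, dup);
    dup = run_safe_scenario(0x12, &frees);
    printf("safe: frees=%d double_frees=%d\n", frees, dup);
    return 0;
}
```

The racy run reports one free and one double free for the same handle; the hardened run reports one free and none, because the second caller's lookup can no longer observe an entry that is about to be freed.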

CVE-2019-0720
Fortunately ☺, the following two threads' stack backtraces satisfy the necessary conditions.

CVE-2019-0720
➢Thread1 can be triggered by sending an NVSP_MSG1_TYPE_REVOKE_RECV_BUF nvsp_message message and a CHANNELMSG_GPADL_TEARDOWN message from a guest machine.

CVE-2019-0720
➢Thread2 can be triggered by simulating a press of the system reset key in a guest machine.
➢AND! "efi.reset_system(0, EFI_SUCCESS, 0, NULL);" can trigger an important thread that makes the above Thread1 & Thread2 two non-interfering threads. The following is the important thread's stack backtrace.

CVE-2019-0720
➢This important thread should run before Thread1 & Thread2, so we use the following code in the PoC to put vmswitch!VmsVmNicPvtRevokeRecieveBufferWorkItem into a sleep state.

CVE-2019-0720
The principle of the above PoC code
➢Set the memory at offset 0xe0 of vmswitch!VmsVmNicPvtRevokeRecieveBufferWorkItem's second parameter to a non-zero value; the function then goes into a sleep state until the memory at offset 0xe0 is set back to zero.
➢Fortunately ☺, we can also use "efi.reset_system(0, EFI_SUCCESS, 0, NULL);" to set the memory at offset 0xe0 to zero indirectly.

CVE-2019-0720 debugging & trigger
![Page 84: Mobius Band: Explore Hyper-V Attack Interface through ...](https://reader036.fdocuments.us/reader036/viewer/2022062504/62b051c21460975548530ed5/html5/thumbnails/84.jpg)
#BHUSA @BlackHatEvents
➢Race condition: when the VM shuts down, the host automatically recycles the VM's resources, but the guest can still use some of those resources during that window. In this case, a NVSP_MSG1_TYPE_REVOKE_RECV_BUF message is sent while the VM resets (efi.reset_system(0, EFI_SUCCESS, 0, NULL);).
➢In a word: use a resource while it is being auto-recycled.
CVE-2019-0720
➢Exploit thinking
I. Find a suitable object for kernel pool spray.
II. But the time window between the two threads is very short, so the kernel pool spray is hard to land.
III. Use an interrupt to interfere with one of the threads, cause a thread switch, and so widen the time window.
➢Why did it fail?
• The thread lock is a spin lock, so the holder is not preempted and the window does not grow.
CVE-2019-0720
CVE-2020-16891
➢This vulnerability requires a Windows Server category OS.
➢Set "Network Adapter" → "Hardware Acceleration" → "Enable SR-IOV" in the virtual machine settings.
➢In the "Virtual Switch Manager", the virtual network adapter should have "Enable single-root I/O virtualization" enabled and be bound to a physical network adapter that supports SR-IOV at the hardware level.
➢For example, I selected "Intel(R) Ethernet 10G 4P X540/I350 rNDC #2".
CVE-2020-16891
➢The issue exists in function vmwp!EmulatorVp::FlushGvaTranslationCache
CVE-2020-16891
① vmwp!EmulatorVp::FlushGvaTranslationCache+0x9e → vmwp!VND_HANDLER_CONTEXT::RemoveReference → vmwp!Vml::VmSharableObject::DecrementUserCount
② If the value at offset -0x50 of the first parameter of vmwp!VND_HANDLER_CONTEXT::RemoveReference is 1, vmwp!Vml::VmSharableObject::DecrementUserCount frees a VmbComMmioHandlerAdapter object of size 0xb0.
PS: offset -0x50 of the first parameter is the address of a reference counter. If the reference counter equals 1, the VmbComMmioHandlerAdapter object is recycled and a 0xb0-byte heap chunk is freed. In the rest of the presentation this reference counter is referred to as KEY_REF_COUNTER.
CVE-2020-16891
➢vmwp!VndCompletionHandler::HandleVndCallback can also invoke Vml::VmSharableObject::DecrementUserCount to decrease an object's reference count.
➢So KEY_REF_COUNTER can also be modified by Vml::VmSharableObject::DecrementUserCount, called at address vmwp!VndCompletionHandler::HandleVndCallback+0xAAE.
CVE-2020-16891
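The slides above show KEY_REF_COUNTER being decremented on two code paths until a decrement from 1 recycles the 0xb0-byte VmbComMmioHandlerAdapter while it is still in use, and the CVE-2019-0720 slides describe the same "use a resource while it is recycled" shape. As an added illustration that is not the authors' code and makes no claim about the real root cause in vmwp.exe, this C model puts an unbalanced release sequence next to a balanced one; every struct field and function name here is hypothetical.

```c
/* Hypothetical model of a user-counted object, constructed for this
 * illustration. Field names and the call sequence are assumptions, not the
 * real vmwp.exe layout; only the recycle-at-1 rule and the 0xb0 size follow
 * the slides. */
typedef struct {
    int  user_count;      /* stands in for KEY_REF_COUNTER */
    int  recycled;        /* tombstone instead of a real free(), keeps the model memory-safe */
    char body[0xb0];      /* the 0xb0-byte VmbComMmioHandlerAdapter body */
} user_counted_obj;

/* Like DecrementUserCount on the slides: a decrement from 1 recycles the object. */
static void decrement_user_count(user_counted_obj *o)
{
    if (o->user_count == 1)
        o->recycled = 1;  /* real code: the 0xb0 heap chunk is freed here */
    o->user_count--;
}

static void increment_user_count(user_counted_obj *o) { o->user_count++; }

/* Simulated access: 0 = object live, -1 = touched after recycle (what a
 * debugger or a heap sanitizer would flag as use-after-free). */
static int access_body(const user_counted_obj *o) { return o->recycled ? -1 : 0; }

/* Unbalanced shape: two release paths fire (slide sequence: decrement, then
 * free) while a third consumer still expects the object to be alive. */
int scenario_unbalanced(void)
{
    user_counted_obj o = { .user_count = 2, .recycled = 0 };
    decrement_user_count(&o);  /* path like HandleVndCallback+0xAAE: 2 -> 1 */
    decrement_user_count(&o);  /* path like FlushGvaTranslationCache+0x9e: 1 -> recycled */
    return access_body(&o);    /* late consumer touches recycled memory: -1 */
}

/* Balanced shape: the late consumer pins the object with its own reference
 * for as long as it touches it, so the two releases cannot recycle it early. */
int scenario_balanced(void)
{
    user_counted_obj o = { .user_count = 2, .recycled = 0 };
    increment_user_count(&o);  /* consumer pins: 2 -> 3 */
    decrement_user_count(&o);  /* first release path: 3 -> 2 */
    decrement_user_count(&o);  /* second release path: 2 -> 1, still live */
    int rc = access_body(&o);  /* 0: object is live while it is used */
    decrement_user_count(&o);  /* consumer unpins: 1 -> recycled, nobody uses it afterwards */
    return rc;
}
```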
➢The PoC code drives the vmwp.exe process to execute up to address vmwp!VndCompletionHandler::HandleVndCallback+0xAAE.
CVE-2020-16891
➢The PoC code drives the vmwp.exe process to execute up to address vmwp!EmulatorVp::FlushGvaTranslationCache+0x9e.
CVE-2020-16891
What is virt_addr+0x1004 ?
CVE-2020-16891 debugging & trigger
Debugger screenshot annotations (in order):
• KEY_REF_COUNTER was decremented by 1 here.
• VmbComMmioHandlerAdapter object
• Free VmbComMmioHandlerAdapter object here
• Use freed memory
➢Exploit thinking
• Find a suitable object for heap spray in the vmwp.exe process.
➢Why did it fail?
• Still looking…
CVE-2020-16891
Attack Interface
Attack Interface (host-side components reachable from a guest)
Hypervisor, Ring -1 (hvix64.exe / hvax64.exe): reached through vmcall and interrupt injection.
Host Kernel Space (Ring 0):
• VMBUS: vmbusr.sys, vmbkmclr.sys, winhvr.sys
• Network: vmswitch.sys, vmsproxy.sys, vmsproxyhnic.sys (R/W VMBUS ring buffer)
• hvsocket: hvsocket.sys, hvsocketcontrol.sys (R/W VMBUS ring buffer; socket)
• PCI: vpcivsp.sys (R/W VMBUS ring buffer)
• Storage: storvsp.sys, vhdparser.sys, vhdmp.sys (R/W VMBUS ring buffer)
VMWP.exe (Ring 3): vmiccore.dll, vmicvdev.dll, vmuidevices.dll, vmdynmem.dll; plus vmconnect.exe (I/O write & read)
![Page 108: Mobius Band: Explore Hyper-V Attack Interface through ...](https://reader036.fdocuments.us/reader036/viewer/2022062504/62b051c21460975548530ed5/html5/thumbnails/108.jpg)
#BHUSA @BlackHatEvents
Attack Interface: Guest Ring 0 → Hypervisor Ring -1 (vmcall, interrupt)
Guest-side operations:
• vmcall
• MSRs W/R
• APIC address operation
• Nested virtual machine
Hypervisor-side handling:
• vmcall
• MSRs virtualization
• APIC virtualization
• Nested virtualization
• Guest Physical Address translation
![Page 109: Mobius Band: Explore Hyper-V Attack Interface through ...](https://reader036.fdocuments.us/reader036/viewer/2022062504/62b051c21460975548530ed5/html5/thumbnails/109.jpg)
#BHUSA @BlackHatEvents
Attack Interface: Guest Ring 0 → Hypervisor Ring -1 → Host VMBUS (vmcall, interrupt)
VMCALL 0x5C HVCALL_POST_MESSAGE (vmbus_post_msg)
• Carries CHANNELMSG_* messages, for example CHANNELMSG_OPENCHANNEL, CHANNELMSG_CLOSECHANNEL, etc.
• Host VMBUS processes channel messages from the guest in ChReceiveChannelMessage, which dispatches to ChmOpenChannel, ChmCloseChannel, etc.
![Page 110: Mobius Band: Explore Hyper-V Attack Interface through ...](https://reader036.fdocuments.us/reader036/viewer/2022062504/62b051c21460975548530ed5/html5/thumbnails/110.jpg)
#BHUSA @BlackHatEvents
Attack Interface: Guest Ring 0 → Hypervisor Ring -1 → Host VMBUS → Host Driver (vmcall, interrupt)
VMCALL 0x5D HVCALL_SIGNAL_EVENT
Guest drivers sending via vmbus_sendpacket:
• hv_netvsc.ko
• hv_storvsc.ko
• pci-hyperv.ko
• hv_sock.ko
Host driver packet handlers:
• Network: VmsVmNicPvtKmclProcessPacket, VmsVmNicPvtKmclProcessingComplete
• Storage: VspPvtKmclProcessPacket, VspPvtKmclProcessingComplete
• PCI: VirtualBusChannelProcessPacket
• Hvsocket: VmbusTlXPartIndicateReceive
![Page 111: Mobius Band: Explore Hyper-V Attack Interface through ...](https://reader036.fdocuments.us/reader036/viewer/2022062504/62b051c21460975548530ed5/html5/thumbnails/111.jpg)
#BHUSA @BlackHatEvents
Attack Interface: Guest Ring 0 → Hypervisor Ring -1 → Host VMBUS → VMWP.exe & vmconnect.exe (vmcall, interrupt; vmbus_sendpacket and I/O read & write)
VMCALL 0x5D HVCALL_SIGNAL_EVENT
Guest drivers and devices:
• hv_utils.ko
• hid_hyperv.ko, hyperv_keyboard.ko, hyperv_fb.ko
• hv_balloon.ko
• Remote Desktop Virtualization device
Host user-mode handlers:
• Integration Services: vmicvdev.dll, vmiccore.dll
• Keyboard, Mouse, Synthetic Video: vmuidevices.dll
• Dynamic memory: vmdynmem.dll
• Remote Desktop Virtualization: vmconnect.exe
![Page 112: Mobius Band: Explore Hyper-V Attack Interface through ...](https://reader036.fdocuments.us/reader036/viewer/2022062504/62b051c21460975548530ed5/html5/thumbnails/112.jpg)
Concluding Thoughts
➢Hyper-V still has low-hanging fruit.
➢It makes more sense to find a way to exploit Hyper-V.
➢It also makes sense to pay attention to Hyper-V updates: new features or new updates of some components may make it easier to find vulnerabilities. It is an easy way of bug hunting☺.
![Page 114: Mobius Band: Explore Hyper-V Attack Interface through ...](https://reader036.fdocuments.us/reader036/viewer/2022062504/62b051c21460975548530ed5/html5/thumbnails/114.jpg)
#BHUSA @BlackHatEvents
Potential Attack Interface
➢Packet Direct functions in vmswitch.sys
➢Network Direct device
➢PCI Pass-Through
➢Hypervisor nested virtualization
Thank you for listening!
Twitter : @rthhh17