Summary: The video discusses how Jun Le and Guang Jong, members of a South Korean vulnerability research team, broke out of the guest environment in VMware Workstation and compromised the host kernel by chaining several vulnerabilities. They give a detailed overview of the research, which was carried out to compete in Pwn2Own 2024 with VMware Workstation as the target. The presentation covers the key vulnerabilities found in VMware and in the Windows kernel, the challenges encountered, and why chaining the exploits was necessary for privilege escalation on the host.
Keypoints:
- The researchers introduced themselves as members of the vulnerability research team at Theori, which focuses on binary analysis and exploitation.
- The goal of the research was to compete in Pwn2Own 2024, targeting VMware Workstation.
- They explored vulnerabilities related to guest-to-host escape (VM Escape) and exploitation strategies, particularly focusing on code execution and information leakage.
- Two major vulnerabilities were highlighted: an information leak through the host file-sharing feature and an exploitable bug in the USB-based virtual Bluetooth feature.
- They discussed detailed exploitation processes, including specific memory manipulation techniques and the use of controlled memory regions to achieve arbitrary code execution.
- An additional Windows kernel vulnerability was explored, one in Microsoft's Cloud Files mini-filter driver that allowed security features to be bypassed.
- The researchers described their strategy for chaining exploits: executing code within VMware and then leveraging unused memory to drop and run a Windows kernel exploit on the host.
- The presentation emphasized the challenges of making the exploit chain reliable and the need to keep pace with evolving defenses.
- They concluded by showcasing a demo video of their successful exploit execution.
Youtube Video: https://www.youtube.com/watch?v=DSEDpTd3iic
Youtube Channel: Hexacon
Video Published: 2024-11-06T09:03:45+00:00