Source: myhack58, author 佚名 (Anonymous), id MYHACK58:62201788258
History: Aug 01, 2017 - 12:00 a.m.

VMware virtual machine escape patch analysis - vulnerability warning - the black bar safety net

www.myhack58.com

EPSS: 0.001 (Low), percentile 27.1%

1. Foreword
A virtual machine is a fully isolated guest (client) operating system installed inside a normal host OS. A virtual machine escape means breaking out of the virtual machine's confinement and interacting with processes of the host OS; an attacker who achieves an escape can infect the host or run malware on it. At the recently held PwnFest hacker conference, organized by Power of Community in Seoul, Korea, researchers successfully demonstrated a VMware virtual machine escape. This was also the first time VMware had been publicly compromised, so the McAfee IPS vulnerability research team became interested and decided to dig deeper into the process in order to better understand the vulnerability.
2. Background knowledge
VMware responded very quickly, releasing a security patch that fixes these vulnerabilities and publishing a security bulletin at the same time. Following our usual practice for closed-source software security research, we studied this bulletin. It says:
"VMware Workstation and Fusion contain an out-of-bounds memory access vulnerability in the drag-and-drop (DnD) function. An attacker running in a guest operating system on Workstation or Fusion can use this vulnerability to achieve a guest escape and execute code on the host. On Workstation and Fusion, the vulnerability cannot be exploited if both the drag-and-drop feature and the copy-and-paste (C&P) feature are disabled."
The vulnerability lies in the drag-and-drop and copy-and-paste functions. Both functions use VMware's Remote Procedure Call (RPC) mechanism. VMware's RPC mechanism has always been a comparatively easy point to break, and it lends itself to implementing guest-to-host escapes.
Before analyzing the patch for VMSA-2016-0019 (CVE-2016-7461) in depth, we must first understand how VMware Workstation handles copy and paste operations from the guest to the host and from the host to the guest.
The following figure describes VMware's drag-and-drop and copy-and-paste (DnDCP) modes from the perspective of the class hierarchy (source: VM Tools source code):

![DnDCP class hierarchy from the VM Tools source](/Article/UploadPic/2017-8/20178114749220.png?www.myhack58.com)
To implement copy and paste between host and guest seamlessly, VMware Tools must be installed in the guest OS. VMware Tools is responsible for handling guest-to-host and host-to-guest communication. In our study we used a Windows guest and a Windows host. In the Windows guest, the main process of VMware Tools is vmtoolsd.exe.

![vmtoolsd.exe in the Windows guest](/Article/UploadPic/2017-8/20178114749982.png?www.myhack58.com)
One way in which the host and the guest communicate with each other is the RPC interface. VMware uses an RPC interface known as the "backdoor".
2.1 The guest's RPC mechanism
Let us take a closer look at how the guest and the host communicate with each other through the RPC interface. To understand the guest's RPC mechanism, we refer to the open-source component of VMware Tools, open-vm-tools, which uses the following function to handle guest RPC calls:

![open-vm-tools function handling guest RPC calls](/Article/UploadPic/2017-8/20178114749858.png?www.myhack58.com)
In theory, any packet that can be sent with RpcChannel_Send() or RpcOut_send() can also be sent with the rpctool.exe tool, a command-line tool built into VMware Workstation.

![figure](/Article/UploadPic/2017-8/20178114749691.png?www.myhack58.com)
RpcOut_send() calls Message_Send(), which in turn calls the Backdoor() function.

![figure](/Article/UploadPic/2017-8/20178114749944.png?www.myhack58.com)
The Backdoor function is responsible for sending the message through VMware's dedicated I/O port.

![Backdoor function](/Article/UploadPic/2017-8/20178114749548.png?www.myhack58.com)
When the Backdoor function is called to send a message from the guest to the host, we usually see the following instruction sequence:

![instruction sequence of a Backdoor call](/Article/UploadPic/2017-8/20178114749576.png?www.myhack58.com)
After installing VMware Tools, we can find this function in vmtools.dll. As shown below, Backdoor() calls the function sub_10050190:

![Backdoor() calling sub_10050190 in vmtools.dll](/Article/UploadPic/2017-8/20178114749518.png?www.myhack58.com)
After careful study, we found that this function executes the privileged instruction "in".
Let's return to the vulnerability. We are interested in the DnDCP RPC messages because, according to the security bulletin, the vulnerability is located in the DnDCP RPC. In the VM Tools source code we can find the specific structure of a DnDCP RPC message:

![DnDCP RPC message structure](/Article/UploadPic/2017-8/20178114749913.png?www.myhack58.com)
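As an added example (not code from the article, from VMware or from open-vm-tools), here is the kind of host-side consistency check that guards a chunked DnDCP message against the out-of-bounds access the bulletin describes. The header layout is an assumption based on the open-vm-tools DnDCPMsgHdrV4 definition, and DNDCP_MAX_BINARY, dndcp_v4_check and dndcp_v4_scenario are hypothetical names.

```c
/* Added example, not the article's or open-vm-tools' code: a host-side
 * consistency check for DnD/CP version-4 RPC packets.  The header layout is
 * assumed from open-vm-tools dndCPMsgV4.h (14 x uint32, 56 bytes, packed);
 * verify it against the source before relying on it. */
#include <stdint.h>
#include <string.h>

typedef struct {
    uint32_t cmd, version, src, sessionId, status;
    uint32_t param1, param2, param3, param4, param5, param6;
    uint32_t binarySize;     /* size of the reassembled binary blob */
    uint32_t payloadOffset;  /* where this packet's chunk lands in the blob */
    uint32_t payloadSize;    /* bytes of the chunk carried by this packet */
} DnDCPMsgHdrV4;

#define DNDCP_HDR_SIZE_V4 ((size_t)sizeof(DnDCPMsgHdrV4))   /* 56 */
#define DNDCP_MAX_BINARY  (64u * 1024u)   /* assumed policy cap, not VMware's */

/* Returns 1 if the packet is internally consistent, 0 otherwise.  Each
 * comparison is arranged so that it cannot wrap in 32-bit arithmetic. */
int dndcp_v4_check(const uint8_t *pkt, size_t pktLen, DnDCPMsgHdrV4 *hdr)
{
    if (pktLen < DNDCP_HDR_SIZE_V4) return 0;            /* truncated header */
    memcpy(hdr, pkt, DNDCP_HDR_SIZE_V4);                 /* little-endian host assumed */
    if (hdr->binarySize > DNDCP_MAX_BINARY) return 0;    /* refuse huge allocations */
    if (hdr->payloadSize > pktLen - DNDCP_HDR_SIZE_V4)
        return 0;                                        /* claims more bytes than received */
    if (hdr->payloadOffset > hdr->binarySize ||
        hdr->payloadSize > hdr->binarySize - hdr->payloadOffset)
        return 0;                                        /* chunk would land outside the blob */
    return 1;
}

/* Builds a constructed packet with the given header values (payload filled
 * with zeros), optionally truncated to pktLen bytes (0 = full length), and
 * runs the check on it. */
int dndcp_v4_scenario(uint32_t binarySize, uint32_t off, uint32_t size, size_t pktLen)
{
    uint8_t buf[256] = {0};
    DnDCPMsgHdrV4 h = {0}, parsed;
    h.cmd = 1; h.version = 4; h.binarySize = binarySize;
    h.payloadOffset = off; h.payloadSize = size;
    memcpy(buf, &h, DNDCP_HDR_SIZE_V4);
    size_t n = DNDCP_HDR_SIZE_V4 + (size < 200 ? size : 200);
    if (pktLen && pktLen < n) n = pktLen;
    return dndcp_v4_check(buf, n, &parsed);
}
```

The offset check is written as `payloadSize > binarySize - payloadOffset` rather than `payloadOffset + payloadSize > binarySize` so that an attacker-chosen offset near UINT32_MAX cannot wrap the sum back into range.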

