Over the past year, attacks targeting VMware desktop hypervisors (Workstation, Fusion etc) have been on the rise. Virtual machines play a crucial role in modern computing. They are often used to isolate multiple customers with instances on the same physical server. Virtual machines are also used by researchers and security practitioners to isolate potentially harmful code for analysis and review. VMs also remain important tools for pentesters. Conversely, customer virtualization can lead to dead ends during a pentest. This limitation could lead to situations where enterprises fail to understand the true risk to their virtualized environments. This presentation provides pentesters the information and Metasploit modules to weaken or escape the isolation imposed by VMware hypervisors.
Pwn2Own 2017 featured two full guest-to-host escapes, one of which also affects VMware ESXi. While a guest-to-host escape is the most eye-catching way to abuse a hypervisor, there are other, more subtle abuses as well. This presentation examines VMware guest-to-host communications, which occur through the self-titled Backdoor channel. We will also explore some of the functionalities exposed through the RPC Interface within Backdoor such as the Drag-n-Drop (DnD) and CopyPaste mechanisms. We demonstrate how to take advantage of these mechanisms – without VMware tools installed – to disclose sensitive information from the host. We’ll also take a look at the Host-To-Guest file system and demonstrate how it can be exploited to execute code in the context of the host. Last, we will analyze a Use-After-Free vulnerability that affects DnD and we’ll show the exploitation process used to achieve code execution on the host, from the guest.