URB Excalibur: The New VMware All-Platform VM Escapes
Learn about URB-based VM escapes affecting VMware platforms, including heap exploitation techniques, USB attack surfaces, and successful exploits demonstrated at Tianfu Cup 2023.
- URB (USB Request Block) objects are identified as a powerful new exploit primitive for VMware VM escapes, one that applies to every VMware hypervisor platform: ESXi, Workstation and Fusion
- CVE-2022-31705 (VMSA-2022-0033) is a critical heap out-of-bounds write in the emulated USB 2.0 (EHCI) controller, rated CVSS 9.3, caused by improper handling of EHCI control transfers
- The vulnerability stems from VMware creating new URBs without calloc or a memset of the URB data array, so the buffer keeps whatever the previous occupant of that heap memory left behind
- Main exploitation challenges include:
  - The closed-source nature of VMware's hypervisor
  - Recent patches that removed most previously public exploit primitives
  - Differences in memory management across the three platforms
  - CPU core scheduling and magazine (per-core allocator cache) allocation issues, which decide where a freed object ends up
- Key exploit primitives and techniques:
  - Using URB objects for heap manipulation
  - Leveraging shader objects for heap spraying
  - Converting the out-of-bounds write into an arbitrary read/write primitive
  - Controlling pipe pointers through URB manipulation
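As an added illustration, not code from the talk or from VMware, the C program below models two of the patterns summarized above on a deterministic toy allocator: a URB constructor that never zeroes its data array, so a reused slot still exposes the previous URB's bytes (the calloc/memset point), and a copy into that array that trusts the guest-supplied length, so it overflows into the adjacent URB's pipe pointer and turns an out-of-bounds write into a read from an attacker-chosen address (the pointer-control point). The `urb_t` layout, the fixed-size slab, the `default_pipe` and `host_secret` buffers and the demo functions are all constructed stand-ins; each vulnerable routine is shown next to its hardened form.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_COUNT 4
#define DATA_LEN   64

/* Hypothetical URB layout, not VMware's: header first, guest-filled buffer
 * last, so a write running past data[] lands on the next slot's header. */
typedef struct {
    uint32_t       len;            /* bytes the guest asked to transfer    */
    const uint8_t *pipe;           /* host-side pointer the emulator reads */
    uint8_t        data[DATA_LEN]; /* transfer buffer                      */
} urb_t;

/* Toy slab standing in for an allocator magazine: contiguous, first-fit, no wipe on free. */
static urb_t slab[SLOT_COUNT];
static int   slab_used[SLOT_COUNT];

static void slab_reset(void) { memset(slab, 0, sizeof slab); memset(slab_used, 0, sizeof slab_used); }

static urb_t *slab_alloc(void)
{
    for (int i = 0; i < SLOT_COUNT; i++)
        if (!slab_used[i]) { slab_used[i] = 1; return &slab[i]; }
    return NULL;
}

static void slab_free(urb_t *u) { slab_used[u - slab] = 0; }

/* Constructed host-side data; the emulator normally reads through ->pipe. */
static const uint8_t default_pipe[] = "PIPE0000";
static const uint8_t host_secret[]  = "HOSTKEY!";

/* Vulnerable constructor: malloc-style, data[] keeps whatever the slot held. */
urb_t *urb_create_vuln(uint32_t len)
{
    urb_t *u = slab_alloc();
    if (u) { u->len = len; u->pipe = default_pipe; }
    return u;
}

/* Fixed constructor: calloc-style, the whole object is zeroed first. */
urb_t *urb_create_fixed(uint32_t len)
{
    urb_t *u = slab_alloc();
    if (u) { memset(u, 0, sizeof *u); u->len = len; u->pipe = default_pipe; }
    return u;
}

/* Vulnerable fill: trusts the guest-supplied length. */
void urb_fill_vuln(urb_t *u, const uint8_t *src, size_t n)
{
    volatile uint8_t *dst = u->data;                  /* volatile: emit every store */
    for (size_t i = 0; i < n; i++) dst[i] = src[i];   /* OOB once i >= DATA_LEN */
    u->len = (uint32_t)n;
}

/* Fixed fill: rejects anything larger than the buffer. */
int urb_fill_fixed(urb_t *u, const uint8_t *src, size_t n)
{
    if (n > DATA_LEN) return -1;
    memcpy(u->data, src, n);
    u->len = (uint32_t)n;
    return 0;
}

/* What the emulator does when completing a transfer: read through ->pipe. */
static uint8_t urb_pipe_first_byte(const urb_t *u) { return u->pipe[0]; }

/* 1. Stale data: a freed slot still holds the previous URB's bytes.
 * Returns 1 if the new URB's data[] exposes them, 0 if it is clean. */
int demo_stale_data(int use_fixed)
{
    slab_reset();
    urb_t *a = urb_create_fixed(8);
    memcpy(a->data, host_secret, 8);                  /* an earlier transfer */
    slab_free(a);
    urb_t *b = use_fixed ? urb_create_fixed(0) : urb_create_vuln(0);
    return memcmp(b->data, host_secret, 8) == 0;
}

/* 2. OOB write from one URB's data[] into the adjacent URB's ->pipe.
 * Returns 1 if b->pipe now points where the attacker chose, 0 if not. */
int demo_pipe_hijack(int use_fixed)
{
    slab_reset();
    urb_t *a = urb_create_fixed(0);
    urb_t *b = urb_create_fixed(0);                   /* the next slot over */
    size_t off = sizeof(urb_t) - offsetof(urb_t, data) + offsetof(urb_t, pipe);
    const uint8_t *target = host_secret;              /* address the attacker wants read */
    uint8_t payload[2 * sizeof(urb_t)] = {0};
    memcpy(payload + off, &target, sizeof target);    /* pointer lands on b->pipe */
    size_t n = off + sizeof target;
    if (use_fixed) return urb_fill_fixed(a, payload, n) == 0 && urb_pipe_first_byte(b) == host_secret[0];
    urb_fill_vuln(a, payload, n);
    return urb_pipe_first_byte(b) == host_secret[0];
}

int main(void)
{
    printf("stale data:  vuln=%d fixed=%d\n", demo_stale_data(0), demo_stale_data(1));
    printf("pipe hijack: vuln=%d fixed=%d\n", demo_pipe_hijack(0), demo_pipe_hijack(1));
    return 0;
}
```

The slab is contiguous and first-fit on purpose: it makes the slot reuse and adjacency deterministic, which on a real hypervisor is exactly what the heap-manipulation and spraying steps listed above have to engineer against per-core magazines and scheduling. Only the two bugs are left on display: the vulnerable paths return 1, the calloc-style constructor and the bounds-checked fill return 0.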
- The researchers developed new generic exploit primitives that work across all VMware platforms and replace the techniques that earlier patches had closed off
- Successful VM escapes were demonstrated on:
  - VMware Fusion (about an 18% success rate on a MacBook Pro)
  - VMware Workstation
  - VMware ESXi (at Tianfu Cup 2023)
- USB devices are an attractive attack surface because a USB controller is present in most VM configurations and its data handling is complex
- The exploitation approach focuses on bugs in the emulated EHCI controller and its handling of USB data packets
- The research highlights the ongoing security risk in virtualization platforms, especially from VM escape vulnerabilities, which also affect the cloud infrastructure built on these hypervisors