URB Excalibur: The New VMware All-Platform VM Escapes

Learn about URB-based VM escapes affecting VMware platforms, including heap exploitation techniques, USB attack surfaces, and successful exploits demonstrated at Tianfu Cup 2023.

Key takeaways
  • URB (USB Request Block) has been identified as a powerful new exploit primitive for VMware VM escapes, affecting all VMware hypervisor platforms including ESXi, Workstation, and Fusion

  • CVE-2022-31705 (VMSA-2022-0033) is a critical heap out-of-bounds write in VMware’s emulated USB 2.0 (EHCI) controller, rated CVSSv3 9.3, caused by improper handling of EHCI control transfers

  • The root cause is that the hypervisor creates new URBs without calloc or a memset, so a URB’s data arrays start out holding whatever the previous occupant of that heap chunk left behind

  • Main exploitation challenges include:
    • The closed-source nature of VMware’s hypervisor
    • Recent patches that removed most publicly known exploit primitives
    • Memory management differences across the host platforms
    • CPU core scheduling and per-core magazine allocation in the host allocator, which make heap layout less predictable
  • Key exploit primitives and techniques:
    • Using URB objects for heap manipulation (shaping and grooming)
    • Leveraging shader objects for heap spraying
    • Converting the out-of-bounds write into an arbitrary read/write primitive
    • Controlling pipe pointers by manipulating URB objects
  • The researchers developed new generic exploit primitives that work across all VMware platforms, replacing previously patched techniques

  • Successful VM escapes were demonstrated on:
    • VMware Fusion (18% success rate on a MacBook Pro)
    • VMware Workstation
    • VMware ESXi (at Tianfu Cup 2023)
  • USB devices represent an attractive attack surface since they are present in most VM configurations and have complex data handling

  • The exploitation approach targets the emulated EHCI controller and its handling of USB data packets

  • The research highlights ongoing security concerns in virtualization platforms, especially regarding VM escape vulnerabilities that can affect cloud infrastructure
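As an added example (constructed for this summary; it is not code from the talk, from VMware, or from the real CVE-2022-31705 trigger), the C model below shows the bug class the takeaways describe: a request block allocated without zeroing inherits stale descriptors from the heap chunk’s previous occupant, the transfer engine honours them because it assumes every non-empty descriptor was validated when set, and the resulting out-of-bounds write lands on a neighbouring pipe object whose buffer pointer then turns into an arbitrary read. The slab allocator, the struct layouts, the names (urb_new_vuln, urb_new_safe, urb_run, demo), the offsets and the 8-byte pointer size are all assumptions made for the illustration and do not reproduce VMware’s actual data structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy slab: 64-byte slots in a static arena, freed slots reused LIFO (one
 * same-size malloc bucket or magazine). Everything here is a constructed model. */
#define SLOT_SIZE 64
#define NSLOTS    8
static uint64_t arena_storage[SLOT_SIZE * NSLOTS / 8];      /* keeps slots 8-byte aligned */
static unsigned char *const arena = (unsigned char *)arena_storage;
static int free_stack[NSLOTS], free_top;

static void slab_init(void) {
    memset(arena, 0, sizeof arena_storage);
    for (free_top = 0; free_top < NSLOTS; free_top++) free_stack[free_top] = NSLOTS - 1 - free_top;
}
static void *slab_alloc(void) { return free_top ? arena + SLOT_SIZE * free_stack[--free_top] : NULL; }
static void slab_free(void *p) { free_stack[free_top++] = (int)(((unsigned char *)p - arena) / SLOT_SIZE); }

/* Hypothetical request block: inline payload plus copy descriptors; len == 0
 * marks an unused entry, which is only sound if the block started out zeroed. */
#define URB_DESCS 4
#define URB_DATA  16
struct desc { uint16_t off, len; };
struct urb  { uint8_t data[URB_DATA]; struct desc desc[URB_DESCS]; };

/* Neighbouring object worth hitting: a pipe whose buffer pointer the emulator
 * later dereferences on the guest's behalf. */
struct pipe { const uint8_t *buf; uint32_t len; };

static int desc_ok(struct desc d) { return (uint32_t)d.off + d.len <= URB_DATA; }

/* Vulnerable constructor: the slot is not zeroed, so desc[1..3] keep whatever
 * the previous occupant left there and never pass through desc_ok(). */
static struct urb *urb_new_vuln(struct desc d0) {
    struct urb *u = slab_alloc();
    if (!u || !desc_ok(d0)) return NULL;
    u->desc[0] = d0;
    return u;
}
/* Fixed constructor: the memset (or calloc) the takeaways say was missing. */
static struct urb *urb_new_safe(struct desc d0) {
    struct urb *u = slab_alloc();
    if (!u || !desc_ok(d0)) return NULL;
    memset(u, 0, sizeof *u);
    u->desc[0] = d0;
    return u;
}

/* Transfer engine: honours every non-empty descriptor, trusting that each was
 * validated when it was set. Returns bytes copied. */
static size_t urb_run(struct urb *u, const uint8_t *src, size_t srclen) {
    size_t total = 0;
    for (int i = 0; i < URB_DESCS; i++) {
        struct desc d = u->desc[i];
        if (d.len == 0) continue;
        size_t n = d.len < srclen ? d.len : srclen;
        memcpy(u->data + d.off, src, n);        /* off+len is not rechecked here */
        total += n;
    }
    return total;
}

static const uint8_t secret[17]    = "host-only secret";   /* host data to leak */
static const uint8_t guest_buf[16] = {0};                  /* pipe's legitimate buffer */

/* Groom the slab, trigger the stale descriptor, then read through the pipe.
 * Returns 1 if the read came from the attacker-chosen address. */
static int demo(int use_fix) {
    slab_init();
    /* 1. Junk allocation takes slot 0 and plants a stale descriptor where a later
     *    URB will read desc[1]; off=56,len=16 runs 8 bytes past slot 0 into slot 1. */
    uint8_t *junk = slab_alloc();
    struct desc stale = { 56, 16 };
    memcpy(junk + offsetof(struct urb, desc) + sizeof(struct desc), &stale, sizeof stale);
    /* 2. The target pipe takes slot 1, directly after the junk slot. */
    struct pipe *victim = slab_alloc();
    victim->buf = guest_buf;
    victim->len = sizeof guest_buf;
    /* 3. Free the junk; the next URB reuses slot 0 without zeroing it. */
    slab_free(junk);
    struct desc d0 = { 0, 4 };
    struct urb *u = use_fix ? urb_new_safe(d0) : urb_new_vuln(d0);
    /* 4. Payload: 8 filler bytes for the slot-0 tail, then the pointer that lands
     *    on victim->buf (assumes 8-byte pointers). */
    uint8_t payload[16] = {0};
    const uint8_t *target = secret;
    memcpy(payload + 8, &target, sizeof target);
    urb_run(u, payload, sizeof payload);
    /* 5. A later read through the pipe now comes from that address. */
    uint8_t out[16];
    memcpy(out, victim->buf, victim->len < sizeof out ? victim->len : sizeof out);
    return memcmp(out, secret, sizeof out) == 0;
}

int main(void) {
    printf("unzeroed URB: secret leaked = %d\n", demo(0));
    printf("zeroed URB:   secret leaked = %d\n", demo(1));
    return 0;
}
```

demo(0) uses the unzeroed constructor and reports that the pipe read returned the host secret; demo(1) uses the zeroed constructor and reports no leak. The only difference between the two constructors is the memset, which is exactly why a "len == 0 means unused" convention on a non-zeroed allocation is a bug in its own right: every later consumer must either revalidate each entry at use time or rely on the allocation having been cleared.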