URB Excalibur: The New VMware All-Platform VM Escapes

URB (USB Request Block) has been identified as a powerful new exploit primitive for VMware VM escapes, affecting all VMware hypervisor platforms including ESXi, Workstation, and Fusion

CVE-2022-31705 is a critical heap out-of-bounds write vulnerability with a CVSS score of 9.3, caused by improper handling of EHCI control transfers

The vulnerability stems from VMware not using calloc or performing memory set operations on URB data arrays when creating new URBs

Main exploitation challenges include:

• Closed source nature of VMware’s hypervisor
• Recent patches fixing most public exploit primitives
• Memory management complexities on different platforms
• CPU core scheduling and magazine allocation issues

Key exploit primitives and techniques:

• Using URB objects for heap manipulation
• Leveraging shader objects for heap spraying
• Converting out-of-bounds write to arbitrary read/write
• Controlling pipe pointers through URB manipulation

The researchers developed new generic exploit primitives that work across all VMware platforms, replacing previously patched techniques

Successful VM escapes were demonstrated on:

• VMware Fusion (18% success rate on MacBook Pro)
• VMware Workstation
• VMware ESXi (at Tianfu Cup 2023)

USB devices represent an attractive attack surface since they are present in most VM configurations and have complex data handling

Exploitation approach focuses on EHCI controller vulnerabilities and USB data packet handling

The research highlights ongoing security concerns in virtualization platforms, especially regarding VM escape vulnerabilities that can affect cloud infrastructure