A PoC Exploit Unveiled for VMware Workstation Vulnerability
A critical vulnerability chain in VMware Workstation has been exposed through a proof-of-concept (PoC) exploit, enabling an attacker who controls a guest virtual machine to execute arbitrary code on the host operating system.
The exploit chains an information leak with a stack-based buffer overflow to achieve a complete guest-to-host escape, one of the most severe classes of security flaw in virtualization platforms.
Originally highlighted at the Pwn2Own Vancouver event in 2023, the exploit has been documented by security researcher Alexander Zaviyalov of NCC Group, who recently released an extensive technical analysis alongside a functional PoC, illustrating the tangible threat posed by these vulnerabilities.
The Two-Stage Attack
The guest-to-host escape relies on two separate vulnerabilities in the virtual Bluetooth device feature of VMware Workstation, an option that is enabled by default and lets a guest VM use the host's Bluetooth adapter.
Information Leak (CVE-2023-20870, CVE-2023-34044): The first stage of the attack exploits a Use-After-Free (UAF) memory leak. By sending specially crafted USB Request Block (URB) control transfers to the virtual mouse and Bluetooth devices, an attacker can extract memory pointers from the vmware-vmx.exe process running on the host.
This leak is essential for bypassing Address Space Layout Randomization (ASLR), a standard security measure that randomizes memory addresses to make exploitation harder.
Buffer Overflow (CVE-2023-20869): With ASLR bypassed, the attacker moves to the second stage: triggering a stack-based buffer overflow by sending a malicious Service Discovery Protocol (SDP) packet from the guest VM to another Bluetooth device visible to the host.
The overflow hijacks the program's execution flow, and the leaked memory addresses let the attacker run a custom payload on the host.
Together, these vulnerabilities allow an attacker with control of a guest VM to take complete control of the host machine.
In a practical demonstration, the exploit launched a reverse shell from a Linux guest to a fully patched Windows 11 host, compromising the underlying system, as described by Alexander Zaviyalov here.
This comprehensive exploit chain predominantly impacts VMware Workstation 17.0.1 and earlier iterations. The respective vulnerabilities have distinct patch timelines:
- The stack-based buffer overflow (CVE-2023-20869) was rectified in version 17.0.2.
- The memory leak vulnerabilities (CVE-2023-20870 and CVE-2023-34044) have been patched in versions 17.0.2 and 17.5.0, respectively.
Given that the full exploit necessitates both the buffer overflow and the memory leak, users operating version 17.0.1 or older are at heightened risk.
Mitigations
The primary recommendation for all users is to upgrade VMware Workstation to the latest available version (17.5.0 or later), which includes fixes for all of the vulnerabilities involved.
For those unable to update immediately, a workaround is to disable the virtual Bluetooth device by deselecting the "Share Bluetooth devices with the virtual machine" option in the USB Controller settings of the virtual machine.
Disabling this feature effectively eliminates the attack surface leveraged by this specific PoC. The comprehensive research underscores the intricate nature of contemporary exploits and accentuates the necessity of prompt patching in virtualization platforms.
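As an added example (not code from the article or from NCC Group's research), the following Python audit encodes the article's patch timeline and the Bluetooth-sharing workaround to flag VMs that remain exposed to the full chain. It assumes that the "Share Bluetooth devices with the virtual machine" checkbox is stored in the VM's .vmx file as the key usb.vbluetooth.startConnected (an assumption, not stated in the article), and the sample .vmx lines are constructed.

```python
import re

# Versions in which each CVE was fixed, as given in the article.
PATCHED_IN = {
    "CVE-2023-20869": (17, 0, 2),  # stack-based buffer overflow (SDP packet)
    "CVE-2023-20870": (17, 0, 2),  # UAF information leak
    "CVE-2023-34044": (17, 5, 0),  # UAF information leak
}
# Assumed, not stated in the article: the "Share Bluetooth devices with the
# virtual machine" checkbox is backed by this .vmx key (compared lowercased).
BT_KEY = "usb.vbluetooth.startconnected"
VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

def parse_version(text):
    """Turn '17.0.1' (or '17.5.0 build-NNN') into a comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())

def unpatched_cves(version):
    """CVEs from the chain still present in the given Workstation version."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in PATCHED_IN.items() if v < fixed)

def parse_vmx(text):
    """Parse key = "value" lines into a dict with lowercased keys."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def bluetooth_shared(vmx_text):
    """True if the guest can reach the host adapter. The article says sharing
    is on by default, so a missing key is conservatively treated as enabled."""
    return parse_vmx(vmx_text).get(BT_KEY, "TRUE").upper() == "TRUE"

def assess(version, vmx_text):
    """The escape needs an unpatched leak AND the unpatched overflow, and the
    article says disabling Bluetooth sharing removes the PoC's attack surface."""
    cves = unpatched_cves(version)
    shared = bluetooth_shared(vmx_text)
    leak = "CVE-2023-20870" in cves or "CVE-2023-34044" in cves
    chain = shared and "CVE-2023-20869" in cves and leak
    return {"unpatched": cves, "bluetooth_shared": shared, "full_chain": chain}

# Constructed sample .vmx fragment, not taken from a real VM.
SAMPLE_VMX = ('.encoding = "UTF-8"\nusb.present = "TRUE"\n'
              'usb.vbluetooth.startConnected = "TRUE"\ndisplayName = "linux-guest"\n')
```

Run `assess("17.0.1", SAMPLE_VMX)` to see a host on 17.0.1 with Bluetooth sharing enabled reported as exposed to the full chain; on 17.0.2 only CVE-2023-34044 remains and the chain no longer holds.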
Source link: Cybersecuritynews.com.