If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!
Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.
During the presentation, we will first share the fundamentals of ESXi hypervisor and some of its special features, including its own customized bootloader, kernel, filesystem, virtual devices and so on. Next, we will demonstrate the attack surfaces in its current implementations and how to uncover security vulnerabilities related to virtual machine escape. In particular, we will anatomize the bugs leveraged in our escape chain, CVE-2018-6981 and CVE-2018-6982, and give an exhaustive delineation about some reliable techniques to manipulate the heap for exploitation, triggering arbitrary code execution in the host context. Meanwhile, due to the existence of sandbox mechanism in ESXi, code execution is not enough to pop a shell. Therefore, we will underline the design of the sandbox and explain how it is adopted to restrict permissions. We will also give an in-depth analysis of the approaches leveraged to circumvent the sandbox in our escape chain. Finally, we will provide a demonstration of a full chain escape on ESXi 6.7.