Monday, December 1

PoC Released for VMware Workstation Guest-to-Host Escape Vulnerability


The NCC Group has identified a critical vulnerability within VMware Workstation, allowing for a guest-to-host escape. The issue stems from a logic flaw in the handling of virtual devices, leading to memory corruption and potential controlled code execution on the host process.

Affected Systems and Potential Impact

This vulnerability compromises VM isolation, enabling arbitrary code execution in the host context of the Workstation hypervisor. It poses risks to multi-VM developer environments and sensitive lab setups, potentially leading to data breaches and unauthorized lateral movement.

Vulnerability Details

Field              Details
Vulnerability      Guest-to-host escape in VMware Workstation
Affected Products  VMware Workstation (specific versions as indicated by the NCC Group)
Component          VMware backdoor/RPC virtual device handling
CVE IDs            CVE-2023-20870, CVE-2023-34044, CVE-2023-20869

Proof of Concept (PoC) Code

The following procedural outline follows the NCC Group's proof-of-concept description and is provided for educational and validation purposes in controlled environments, to test patch status and detection capabilities:

  • Initiate a VMware backdoor/RPC session from guest userland.
  • Transmit multiple RPC packets using the same session ID, manipulating binary size and payload offset/size to trigger an out-of-bounds write.
  • Exploit the vulnerability to overwrite host memory and redirect control flow to attacker-controlled data.
  • Deploy a minimal host-side shell payload executed within the Workstation process context.

  // guest-side pseudocode outline
  open_vmware_backdoor();
  uint32_t sid = rpc_begin_session();

  // Packet A: prime host buffer
  rpc_send(sid, .bin_size = A_SIZE, .payload_off = OFF_A, .payload_size = SZ_A, .data = bufA);

  // Packet B: overlapping write to force OOB and corrupt adjacent metadata/code ptr
  rpc_send(sid, .bin_size = B_SIZE, .payload_off = OFF_B, .payload_size = SZ_B, .data = crafted_overlap);

  // Optional: Packet C to finalize control-flow hijack
  rpc_send(sid, .bin_size = C_SIZE, .payload_off = OFF_C, .payload_size = SZ_C, .data = rop_or_shellcode);

  // Trigger vulnerable processing path
  rpc_commit(sid);

The key exploitation detail involves reusing the same session ID with specific size and offset calculations, causing a miscalculation in buffer boundaries and enabling an out-of-bounds write in the host’s parser, facilitating code redirection.

Mitigation Strategies

  • Apply the VMware security updates that address the virtual device/RPC handling path vulnerabilities.
  • Restrict execution of untrusted workloads in Workstation environments and separate high-risk testing VMs from sensitive host data.
  • Monitor VMware processes for unusual child process creation and file access originating from the Workstation host process.
  • Apply host-based EDR and application control to limit hypervisor process behavior post-exploitation.
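
As an added example (not from the article or the NCC Group), the host-side monitoring item above turned into detection logic: a scan over constructed JSON-lines process-creation events that flags any child spawned by the Workstation VM process. The process name vmware-vmx and the Sysmon-style field names are assumptions.

```python
import json
from typing import Dict, Iterable, List

# Assumption: the Workstation host-side per-VM process is vmware-vmx
# (vmware-vmx.exe on Windows); a guest-to-host escape executes inside it.
HYPERVISOR_PROCS = {"vmware-vmx", "vmware-vmx.exe"}


def _basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_unexpected_child(event: Dict, allowlist: frozenset = frozenset()) -> bool:
    """True when a Workstation VM process spawned a child outside the allowlist."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    return parent in HYPERVISOR_PROCS and child not in allowlist


def scan_events(lines: Iterable[str], allowlist: frozenset = frozenset()) -> List[Dict]:
    """Scan JSON-lines process-creation telemetry; return one alert per unexpected child."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than crash the detector
        if ev.get("EventType") != "ProcessCreate":
            continue
        if is_unexpected_child(ev, allowlist):
            alerts.append({"time": ev.get("UtcTime"), "parent": ev.get("ParentImage"),
                           "child": ev.get("Image"), "cmdline": ev.get("CommandLine", "")})
    return alerts


# Constructed sample telemetry (not real logs): a benign VM launch, a child shell
# spawned by the VM process on Windows and on Linux, a non-process event, and junk.
SAMPLE_EVENTS = r"""
{"EventType":"ProcessCreate","UtcTime":"2023-10-01 09:00:01","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Program Files (x86)\\VMware\\VMware Workstation\\x64\\vmware-vmx.exe","CommandLine":"vmware-vmx.exe"}
{"EventType":"ProcessCreate","UtcTime":"2023-10-01 09:05:17","ParentImage":"C:\\Program Files (x86)\\VMware\\VMware Workstation\\x64\\vmware-vmx.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami"}
{"EventType":"ProcessCreate","UtcTime":"2023-10-01 09:06:02","ParentImage":"/usr/lib/vmware/bin/vmware-vmx","Image":"/bin/sh","CommandLine":"sh -c id"}
{"EventType":"FileCreate","UtcTime":"2023-10-01 09:06:05","Image":"/usr/lib/vmware/bin/vmware-vmx","TargetFilename":"/tmp/x"}
not json at all
"""

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Pass a site-specific allowlist for children the VM process legitimately spawns so that only unexpected ones, such as a shell, are reported.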
