
"Don’t Lookaside or you’ll miss it: Turning a Hyper-V cache miss into 200k cash" Leo Adrian, Cbr23

313 views

BSides Canberra

1 day ago

Hyper-V has long been considered a prestige target for security researchers, with Microsoft offering high value bug bounties, and performing continuous in-house testing and attack-surface hardening. In this presentation I’ll show how I turned the discovery of a seemingly unreproducible bug into a critical-rated arbitrary code execution vulnerability, which was awarded MSRC’s maximum bounty.
The talk will begin with a very brief introduction to virtualization and Hyper-V, before launching into an in-depth examination of the low-level VMBus protocol which underpins guest-host communication. We will cover the mechanisms VMBus uses for signaling, shared memory, and callback messages, and the different types of devices it supports. Finally, I will trace the flow of a VMBus message from a guest VM all the way through to a host device driver in order to demonstrate the attack surface exposed by VMBus.
To finish this presentation I will dive into the details of a bug I discovered in early 2023 in a core VMBus host driver. In the journey to create a reliable proof-of-concept I will explain how to modify the Linux kernel’s Hyper-V guest drivers to craft our own custom VMBus packets, discuss a novel method of manipulating the Windows kernel’s LookasideList cache implementation from inside a guest VM, and finally, demonstrate how I won an incredibly precise race between host kernel threads to trigger the vulnerability.
Leo Adrien
Leo Adrien is an independent security researcher, postgraduate Computer Science student at Monash University, and recovering “security consultant”. He primarily focuses on finding bugs in Windows, but somehow still spends an inordinate amount of time reading Linux kernel code. He often thinks about creating static analysis tools, but always ends up writing another fuzzer.
