vCenter Lost: How the DCERPC Vulnerabilities Changed the Fate of ESXi


As one of the most widely used commercial virtualization platforms, the VMware virtualization suite has long been a focal point of security scrutiny. Over the past few years, we have focused extensively on identifying vulnerabilities within VMware products, particularly in the ESXi and Workstation virtualization implementations. Our efforts have led to multiple submissions of critical vulnerabilities, earning recognition from the vendor. This year, we turned our attention to vCenter Server, the centralized management platform for VMware vSphere environments. Through this research, we discovered four critical vulnerabilities in its DCERPC service: three heap overflow vulnerabilities and one privilege escalation vulnerability. Notably, we were able to chain one of the heap overflow vulnerabilities with the privilege escalation vulnerability to achieve unauthenticated remote root access, successfully completing the Matrix Cup 2024 vulnerability challenge.

In this presentation, we will begin with a detailed overview of the DCERPC protocol and the four vulnerabilities we uncovered in its implementation within vCenter Server, which have been assigned CVE numbers CVE-2024-37079, CVE-2024-37080, CVE-2024-38812, and CVE-2024-38813. It is well known that achieving remote code execution through memory corruption vulnerabilities in network services is particularly challenging, especially when defenses such as Address Space Layout Randomization (ASLR) and Position Independent Executables (PIE) are in place. We will then dive into the advanced heap feng shui techniques we used to exploit two of these vulnerabilities and execute remote code with root privileges. Finally, after gaining root access to the vCenter Server's operating system, we will introduce a method to escalate privileges further and gain control over ESXi itself, demonstrating how these vulnerabilities can be leveraged to fully compromise the virtualized infrastructure.

By:
Hao Zheng | Security Researcher at QI-ANXIN TianGong Team, Legendsec at QI-ANXIN Group
Zibo Li | Security Researcher at QI-ANXIN TianGong Team, Legendsec at QI-ANXIN Group
Yue Liu | Security Researcher, Southeast University School of Cyber Science and Engineering, QI-ANXIN Group

Full Abstract and Presentation Materials:
https://www.blackhat.com/asia-25/briefings/schedule/#vcenter-lost-how-the-dcerpc-vulnerabilities-changed-the-fate-of-esxi-43199