The Great Escape of ESXi

Explore the intricacies of breaking out of a sandboxed virtual machine in this 40-minute conference talk from the 36th Chaos Communication Congress. Delve into the world of VMware ESXi, a bare-metal hypervisor crucial for enterprise-level cloud infrastructure. Discover the challenges of escaping virtual machines in ESXi due to its robust sandbox mechanism, customized filesystem, and kernel. Learn about the fundamentals of the ESXi hypervisor, including its unique bootloader, kernel, filesystem, and virtual devices. Examine attack surfaces in current implementations and uncover security vulnerabilities related to virtual machine escape. Analyze the bugs leveraged in the escape chain, specifically CVE-2018-6981 and CVE-2018-6982, and explore reliable techniques for heap manipulation and arbitrary code execution in the host context. Gain insights into ESXi's sandbox design and the methods used to circumvent it. Witness a full chain escape demonstration on ESXi 6.7, showcasing the first public VMware ESXi escape.

Introduction
Presentation
Overview
Vulnerability
Combining Vulnerability
VMware Tools
Questions