URB Excalibur - New VMware All-Platform VM Escapes

Explore the intricacies of virtual machine escape techniques in VMware's hypervisor through this comprehensive Black Hat conference talk. Delve into the current architecture and attack surfaces of VMware's hypervisor, analyzing recent changes, security patches, and mitigations. Focus on the virtual USB controller as a primary attack surface, with a systematic introduction to VMware's virtual USB 2.0 controller (EHCI). Discover the powerful role and security risks of USB Request Block (URB) in virtual machine escape exploitation, including its structure, function, and lifecycle. Learn about new and general VMware VM escape exploitation flows and primitives based on URB. Examine the details of a heap out-of-bounds write vulnerability (CVE-2022-31705) in the EHCI USB controller, and witness demonstrations of escaping from all VMware hypervisor products (ESXi, Workstation, and Fusion). Gain insights into the challenges and solutions encountered during exploitation, and understand the significance of this research in the context of recent competitions and awards in the field of cybersecurity.

URB Excalibur: The New VMware All-Platform VM Escapes