Escaping From VMware Workstation Through the Disk Controller

Explore the intricacies of VM escape vulnerabilities through disk controllers in VMware Workstation in this 49-minute conference talk from Hack In The Box Security Conference. Dive into the complex world of disk controllers, including emulated models like 53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI and LSI53C895A, as well as paravirtual ones such as PVSCSI and Virtio-SCSI. Learn about the SCSI specification and how data is processed between guest OS drivers and disk controllers. Discover a previously unexploited vulnerability in VMware hypervisors' disk controllers that allows for VM escape with nearly 100% success rate in under a second. Witness demonstrations of exploits against both Linux and Windows versions of VMware Workstation, including how to bypass Control Flow Guard in Windows. Gain insights from senior vulnerability researcher Wenxu Yin, who has extensive experience in network device and hypervisor security.