
vCenter Lost: How the DCERPC Vulnerabilities Changed the Fate of ESXi.pdf

Uploaded by: 竿*** | ID: 981825 | 2025-11-29 | 57 pages | 3.93 MB

#BHAS BlackHatEvents

vCenter Lost: How the DCERPC Vulnerabilities Changed the Fate of ESXi
Hao Zheng, Zibo Li, Yue Liu
TianGong Team of QI-ANXIN Group

Who we are
- Hao Zheng (X: zhz_6951)
- Zibo Li (X: zblee_)
- Yue Liu (X: Mr_LiuYue)

Who we are: TianGong Lab of QI-ANXIN Group
- Focusing on vulnerability discovery and exploitation
- Targeting edge devices, IoT, OS, virtualization and browsers
- Works published at Black Hat, HITBSecConf, EuroS&P, USENIX, ACM CCS
- Awarded in GeekPwn, Tianfu Cup, Matrix Cup
- Website: https://tiangonglab.github.io/ X: TianGongLab

Our previous work on VMware
- Long-term focus on VMware's virtualization security
- Discovered and reported multiple vulnerabilities in both ESXi and Workstation
- Presented our research at DEF CON and HITB

Transition to vCenter Server research
- Noticed VMware vCenter Server Out-of-Bounds Write Vulnerability (CVE-2023-34048): memory corruption, remote code execution, exploitation in the wild
- (Figure: vCenter, Me, Hypervisor) https:/

Agenda
1. DCERPC Protocol Overview
2. DCERPC Vulnerabilities Discovery
3. Exploitation Challenges & Techniques
4. Beyond vCenter: Privilege Escalation and Control
5. Conclusion

1. DCERPC Protocol Overview

DCERPC Protocol
- A remote procedure call (RPC) mechanism
- Widely used in Unix and Windows NT systems
- Uses Interface Definition Language (IDL) to define interfaces

DCERPC Protocol Structure
- Consists of a fixed common header and optional fields
- There are 20 valid packet types

DCERPC in vCenter
- Used on ports 2012, 2014, and 2020

2. DCERPC Vulnerabilities Discovery

CVE-2024-37079 / CVE-2024-37080

CVE-2024-37079
- Request parsing (well-researched)
- Response generation (overlooked vulnerability found)

Key points of the full deck, summarized from its contents:
1. DCERPC protocol overview: DCERPC is an RPC mechanism widely used in Unix and Windows NT systems; interfaces are defined with IDL.
2. DCERPC vulnerability discovery: CVE-2024-37079 and CVE-2024-37080 were found, involving memory corruption and remote code execution.
3. Vulnerability analysis: CVE-2024-37079 is an overflow caused by an incorrect auth_len calculation; CVE-2024-37080 is an integer underflow caused by insufficient validation of auth_tlrs.
4. Exploitation challenges and techniques: memory-protection mechanisms and a hard-to-control memory layout had to be overcome; exploitation proceeds through a heap overflow and control-flow hijacking.
5. Privilege escalation and control: the FD_CLOEXEC flag and vCenter's internal mechanisms are leveraged to escalate privileges and take control of ESXi.
6. Conclusion and recommendations: the importance of bounds checks and validation of data contents, and the techniques of leveraging key structures and low-level defense mechanisms in attacks.
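The fixed common header and the auth_len handling that the "DCERPC Protocol Structure" slide and points 1 and 3 of the summary above turn on, as an added worked example that is not part of the deck and not vCenter's code: a C parser for the DCE/RPC connection-oriented common header that rejects a packet type outside the 20 valid values and a fragment that cannot hold its auth trailer, placed beside the unchecked subtraction that an integer underflow of the kind described turns into an out-of-bounds copy. The struct, the function names and the two hand-built PDUs are assumptions made for the example; the "unchecked" function models the bug class generically and is not the actual CVE-2024-37079/37080 code path.

```c
/* Added example for this page: a minimal parser for the DCE/RPC connection-
 * oriented common header with the auth-trailer length checks a hardened
 * implementation needs. Illustration only: not vCenter's or the presenters'
 * code; body_len_unchecked() is a generic model of the auth_length /
 * frag_length bug class, not the real CVE-2024-37079/37080 code paths.
 * Both sample PDUs are constructed by hand for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DCERPC_COMMON_HDR_LEN    16  /* fixed common header shared by all CO PDUs */
#define DCERPC_AUTH_VERIFIER_LEN 8   /* auth_type, auth_level, auth_pad_length, auth_reserved, auth_context_id */
#define DCERPC_PTYPE_MAX         19  /* packet types 0..19: 20 valid types */

struct dcerpc_hdr {
    uint8_t  rpc_vers;        /* always 5 */
    uint8_t  rpc_vers_minor;  /* 0 or 1 */
    uint8_t  ptype;           /* 0 = request, 2 = response, 11 = bind, ... */
    uint8_t  pfc_flags;
    uint8_t  drep[4];         /* data representation; (drep[0] & 0xF0) == 0x10 means little-endian */
    uint16_t frag_length;     /* whole fragment: header + body + trailer */
    uint16_t auth_length;     /* bytes of auth_value after the 8-byte verifier; 0 = no trailer */
    uint32_t call_id;
};

static uint16_t rd16(const uint8_t *p, bool le)
{
    return le ? (uint16_t)(p[0] | ((uint16_t)p[1] << 8)) : (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

static uint32_t rd32(const uint8_t *p, bool le)
{
    return le ? ((uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24))
              : (((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/* Parse and sanity-check the 16-byte common header. Returns 0 on success and a
 * distinct negative code for each rejected condition. */
int dcerpc_parse_hdr(const uint8_t *buf, size_t len, struct dcerpc_hdr *h)
{
    if (len < DCERPC_COMMON_HDR_LEN) return -1;         /* short read */
    h->rpc_vers       = buf[0];
    h->rpc_vers_minor = buf[1];
    h->ptype          = buf[2];
    h->pfc_flags      = buf[3];
    memcpy(h->drep, buf + 4, 4);
    bool le = (h->drep[0] & 0xF0) == 0x10;
    h->frag_length = rd16(buf + 8, le);
    h->auth_length = rd16(buf + 10, le);
    h->call_id     = rd32(buf + 12, le);
    if (h->rpc_vers != 5)                       return -2;
    if (h->ptype > DCERPC_PTYPE_MAX)            return -3;  /* only 20 valid packet types */
    if (h->frag_length < DCERPC_COMMON_HDR_LEN) return -4;
    if (h->frag_length > len)                   return -5;  /* fragment claims more bytes than received */
    return 0;
}

/* Bug-class model: body length derived by subtraction without first checking
 * that the auth trailer fits. When auth_length exceeds what remains after the
 * header, the unsigned subtraction wraps (integer underflow) and any copy sized
 * by the result reads or writes far past the fragment. */
size_t body_len_unchecked(const struct dcerpc_hdr *h)
{
    size_t trailer = h->auth_length ? (size_t)h->auth_length + DCERPC_AUTH_VERIFIER_LEN : 0;
    return (size_t)h->frag_length - DCERPC_COMMON_HDR_LEN - trailer;  /* may wrap */
}

/* Hardened: validate before subtracting, locate the verifier from the end of the
 * fragment, and honour auth_pad_length so the stub length cannot go negative. */
bool body_len_checked(const uint8_t *buf, size_t len, size_t *body_len)
{
    struct dcerpc_hdr h;
    if (dcerpc_parse_hdr(buf, len, &h) != 0) return false;
    if (h.auth_length == 0) { *body_len = (size_t)h.frag_length - DCERPC_COMMON_HDR_LEN; return true; }
    size_t trailer = (size_t)h.auth_length + DCERPC_AUTH_VERIFIER_LEN;
    if ((size_t)h.frag_length < DCERPC_COMMON_HDR_LEN + trailer) return false;  /* trailer does not fit */
    size_t verifier_off = (size_t)h.frag_length - trailer;          /* start of the 8-byte verifier */
    uint8_t auth_pad_length = buf[verifier_off + 2];
    size_t stub_and_pad = verifier_off - DCERPC_COMMON_HDR_LEN;
    if (auth_pad_length > stub_and_pad) return false;                /* pad larger than the stub area */
    *body_len = stub_and_pad - auth_pad_length;
    return true;
}

/* Constructed sample 1: well-formed request, 4-byte stub + 2 pad bytes + 8-byte
 * verifier (auth_pad_length = 2) + 4-byte auth_value; frag_length = 34. */
const uint8_t sample_valid[34] = {
    0x05, 0x00, 0x00, 0x03,  0x10, 0x00, 0x00, 0x00,   /* vers 5.0, request, first|last, LE drep */
    0x22, 0x00, 0x04, 0x00,  0x01, 0x00, 0x00, 0x00,   /* frag_length 34, auth_length 4, call_id 1 */
    0xAA, 0xAA, 0xAA, 0xAA,  0x00, 0x00,               /* stub data, 2 alignment pad bytes */
    0x0A, 0x06, 0x02, 0x00,  0x00, 0x00, 0x00, 0x00,   /* verifier: type, level, pad_length 2, ctx id */
    0xBB, 0xBB, 0xBB, 0xBB                             /* auth_value */
};

/* Constructed sample 2: header passes the basic checks (frag_length 24 == bytes
 * present) but auth_length 0xFFFF cannot fit; the unchecked arithmetic wraps. */
const uint8_t sample_bad_auth[24] = {
    0x05, 0x00, 0x00, 0x03,  0x10, 0x00, 0x00, 0x00,
    0x18, 0x00, 0xFF, 0xFF,  0x02, 0x00, 0x00, 0x00,   /* frag_length 24, auth_length 65535, call_id 2 */
    0xCC, 0xCC, 0xCC, 0xCC,  0xCC, 0xCC, 0xCC, 0xCC
};

int main(void)
{
    struct dcerpc_hdr h;
    size_t body;
    if (dcerpc_parse_hdr(sample_valid, sizeof sample_valid, &h) == 0 &&
        body_len_checked(sample_valid, sizeof sample_valid, &body))
        printf("valid PDU: ptype %u, stub length %zu\n", h.ptype, body);
    if (dcerpc_parse_hdr(sample_bad_auth, sizeof sample_bad_auth, &h) == 0) {
        printf("bad auth_length: unchecked body length wraps to %zu\n", body_len_unchecked(&h));
        printf("hardened check rejects it: %s\n",
               body_len_checked(sample_bad_auth, sizeof sample_bad_auth, &body) ? "no" : "yes");
    }
    return 0;
}
```

The verifier is located from the end of the fragment (frag_length minus auth_length minus 8) rather than from the end of the parsed stub, which is why the trailer-fits check has to run before any subtraction; the same ordering applies when a server builds a response and sizes its output buffer from these fields.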