vCenter Lost: How the DCERPC Vulnerabilities Changed the Fate of ESXi
Hao Zheng, Zibo Li, Yue Liu
TianGong Team of QI-ANXIN Group
#BHAS BlackHatEvents

Who we are
Hao Zheng (zhz_6951), Zibo Li (zblee_), Yue Liu (Mr_LiuYue)

Who we are: TianGong Lab of QI-ANXIN Group
- Focusing on vulnerability discovery and exploitation
- Targeting Edge Devices / IoT / OS / Virtualization / Browser
- Works published at Black Hat, HITBSecConf, EuroS&P, USENIX, ACM CCS
- Awarded in GeekPwn, Tianfu Cup, Matrix Cup
- Website: https://tiangonglab.github.io/ X: TianGongLab

Our previous work on VMware
- Long-term focus on VMware's virtualization security
- Discovered and reported multiple vulnerabilities in both ESXi and Workstation
- Presented our research at DEFCON, HITB

Transition to vCenter Server Research
- Noticed VMware vCenter Server Out-of-Bounds Write Vulnerability (CVE-2023-34048)
- Memory corruption, remote code execution, exploitation in the wild
[Figure: diagram of vCenter, Me, Hypervisor]

Agenda
1. DCERPC Protocol Overview
2. DCERPC Vulnerabilities Discovery
3. Exploitation Challenges & Techniques
4. Beyond vCenter: Privilege Escalation and Control
5. Conclusion

1. DCERPC Protocol Overview

DCERPC Protocol
- A remote procedure call (RPC) mechanism
- Widely used in Unix and Windows NT systems
- Uses Interface Definition Language (IDL) to define interfaces

DCERPC Protocol Structure
- Consists of a fixed common header and optional fields
- There are 20 valid packet types
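The fixed common header just described, parsed and length-checked, as an added example that is not code from the talk: the 16-byte layout and the 20 ptype values 0..19 follow the DCE 1.1 and MS-RPCE specifications, and SAMPLE_REQUEST is a constructed request PDU.

```python
import struct
from dataclasses import dataclass
# DCE/RPC 1.1 connection-oriented PDU: 16-byte common header, then ptype-specific fields.
COMMON_HEADER_LEN = 16
PTYPE_NAMES = {  # the 20 valid packet types, ptype 0..19
    0: "request", 1: "ping", 2: "response", 3: "fault", 4: "working",
    5: "nocall", 6: "reject", 7: "ack", 8: "cl_cancel", 9: "fack",
    10: "cancel_ack", 11: "bind", 12: "bind_ack", 13: "bind_nak",
    14: "alter_context", 15: "alter_context_resp", 16: "auth3",
    17: "shutdown", 18: "co_cancel", 19: "orphaned",
}
PFC_OBJECT_UUID = 0x80  # request carries a 16-byte object UUID after opnum

class DcerpcError(ValueError):
    """Malformed or inconsistent DCERPC PDU."""

@dataclass
class CommonHeader:
    rpc_vers: int
    rpc_vers_minor: int
    ptype: int
    pfc_flags: int
    frag_length: int
    auth_length: int
    call_id: int
    opnum: int = -1  # request PDUs only; -1 when not applicable

def parse_common_header(pdu: bytes) -> CommonHeader:
    if len(pdu) < COMMON_HEADER_LEN:
        raise DcerpcError("PDU shorter than the 16-byte common header")
    vers, vers_minor, ptype, flags = pdu[0], pdu[1], pdu[2], pdu[3]
    # drep[0] high nibble selects integer byte order: 0 = big-endian, 1 = little-endian.
    endian = "<" if (pdu[4] & 0xF0) == 0x10 else ">"
    frag_length, auth_length, call_id = struct.unpack(endian + "HHI", pdu[8:16])
    if vers != 5 or ptype not in PTYPE_NAMES:
        raise DcerpcError(f"bad rpc_vers {vers} or ptype {ptype}")
    # Both lengths are peer-controlled: bound them by the bytes actually received first.
    if not COMMON_HEADER_LEN <= frag_length <= len(pdu):
        raise DcerpcError(f"frag_length {frag_length} vs {len(pdu)} bytes received")
    if auth_length and auth_length + 8 > frag_length - COMMON_HEADER_LEN:
        raise DcerpcError("auth_length plus 8-byte auth verifier exceeds the fragment")
    hdr = CommonHeader(vers, vers_minor, ptype, flags, frag_length, auth_length, call_id)
    if ptype == 0:  # request: alloc_hint(4) p_cont_id(2) opnum(2) [object uuid(16)]
        need = 8 + (16 if flags & PFC_OBJECT_UUID else 0)
        if frag_length - COMMON_HEADER_LEN < need:
            raise DcerpcError("request header fields truncated")
        hdr.opnum = struct.unpack(endian + "H", pdu[22:24])[0]
    return hdr

# Constructed sample request PDU: little-endian drep, frag_length 24, call_id 1, opnum 5.
SAMPLE_REQUEST = bytes.fromhex("05000003 10000000 1800 0000 01000000 00000000 0000 0500")
```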
DCERPC in vCenter
- Used in ports 2012, 2014, and 2020

2. DCERPC Vulnerabilities Discovery

CVE-2024-37079 / 37080

CVE-2024-37079
- Request Parsing (well-researched)
- Response Generation (overlooked vulnerability found)