Cyber security

Hyper-V Stuff : Exploring The Depths Of Security Insights And Vulnerabilities

In this comprehensive exploration, we delve into the intricate world of Hyper-V, showcasing a collection of significant work and research dedicated to understanding and enhancing the security of Microsoft’s Hyper-V hypervisor.

From detailed proof-of-concept exploits to advanced debugging techniques, this article highlights the critical vulnerabilities discovered and the innovative tools developed for hypervisor research and fuzzing.

Join us as we navigate through the complexities of Hyper-V security, shedding light on its most pivotal aspects.

This repository contains some of the Hyper-V related work I did in the past…

GHHv6_ch25

My code from the “Inside Hyper-V” of the Gray Hat Hacking book (6th edition).

Original repository

Includes a framework that can be used to perform hypervisor research/fuzzing and hyper-v specific code (hypercalls, MSRs, VMBus communication).

windbg_hyperv_script.js

Windbg script that can be used when debugging hvix64 and provides the following features:

  • Dumping VMCS contents.
  • Dumping EPT tables.
  • GPA -> SPA translation.
  • Conditional breakpoints on VMExit conditions:
    • Use !brexit conditions.
    • Where conditions is a in the form condition1 condition2 .. conditionN.
    • Each condition consists of 3 parts (in the described order and without space between them):
      1. A VMCS field name (for example VM_EXIT_REASON)
      2. A condition code: any of ==, !=, <=, >=, <, >.
      3. An integer value.

CVE-2020-0751.c

Proof of concept for Hyper-V stack overflow bug (hvix64).

CVE-2020-0890.c

Proof of concept for Hyper-V NULL deref bug (hvix64).

CVE-2020-0904.c

Proof of concept for Hyper-V type confusion bug (hvix64).

CVE-2021-28476

Proof of concept for Hyper-V arbitrary memory read bug (vmswitch).

Notes:

  • This bug was classified as RCE, learn why here.
  • This bug has also been presented by other researchers.
  • In the advisory I included other OOB read bugs I found but no CVEs were assigned to them.
Tamil S

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.

Leave a Comment
Share
Published by
Tamil S
Tags: cybersecurityHyper-V Stuffinformationsecuritykalilinuxkalilinuxtools
8 months ago

Recent Posts

Bomber : Navigating Security Vulnerabilities In SBOMs

bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…

8 hours ago

EmbedPayloadInPng : A Guide To Embedding And Extracting Encrypted Payloads In PNG Files

Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…

8 hours ago

Exploit Street – Navigating The New Terrain Of Windows LPEs

Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…

2 days ago

ShadowDumper – Advanced Techniques For LSASS Memory Extraction

Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…

3 days ago

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

2 weeks ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

3 weeks ago