CHAPTER 26

Hacking Hypervisors Case Study

In this chapter, we cover the following topics:

•   Root cause analysis of a device emulation vulnerability in QEMU

•   USB and EHCI basics

•   Development of a VM escape exploit for a user-mode worker process (QEMU)

In this chapter, we will analyze and exploit CVE-2020-14364,1 found by Xiao Wei and Ziming Zhang, in QEMU’s USB emulation code. It is a simple and reliable vulnerability, which makes it a great case study. Hypervisors such as KVM and Xen use QEMU as their worker process component (the user-mode device model that emulates hardware for the guest), so when we target QEMU, we will be performing user-mode exploitation rather than attacking the kernel or the hypervisor itself.

This chapter assumes that on your host you are using a Linux installation with KVM virtualization enabled and that you have a working install ...
