Pwn2own: Escaping VMware Workstation
a month ago
- #Heap Exploitation
- #Pwn2Own
- #VMware
- Exploited VMware Workstation at Pwn2Own Berlin 2025 using a heap-overflow vulnerability in the PVSCSI controller.
- Overcame Windows 11 Low Fragmentation Heap (LFH) mitigations by identifying a deterministic LFH state.
- Used two key objects (Shaders and URBs) for heap spraying and corruption to achieve memory manipulation primitives.
- Developed a timing side-channel attack to defeat LFH randomization, ensuring exploit success during live demonstration.
- Achieved arbitrary read, write, and code execution by leveraging controlled heap overflows and URB structure manipulation.
- Created a persistent arbitrary URB for stable exploitation, bypassing the need for further vulnerability triggers.
- Implemented a timing-based oracle to deduce the LFH state, overcoming unpredictable heap behavior.
- Demonstrated the exploit live at Pwn2Own, successfully escaping VMware Workstation on the first attempt.