vCenter Lost: How the DCERPC Vulnerabilities Changed the Fate of ESXi
This talk demonstrates the discovery and exploitation of multiple memory corruption vulnerabilities within the VMware vCenter Server DCERPC service. The researchers detail how heap overflows and integer underflows in the DCERPC protocol can be leveraged to achieve remote code execution and subsequent privilege escalation to root. The presentation concludes with a novel technique to escape the vCenter environment and gain full control over the underlying ESXi host by abusing the vpxuser account. The researchers provide a comprehensive analysis of the exploitation challenges, including heap grooming and bypassing memory protections.
From DCERPC Heap Overflows to Full ESXi Host Takeover
TLDR: Researchers at Black Hat Asia 2025 demonstrated how a chain of memory corruption vulnerabilities in VMware vCenter Server allows for remote code execution and privilege escalation. By exploiting heap overflows and integer underflows in the DCERPC service, an attacker can gain root access and subsequently extract credentials to compromise the underlying ESXi host. This research highlights the critical need to secure internal management services that are often overlooked during external-facing penetration tests.
Virtualization management platforms are the crown jewels of any modern data center. If you own the vCenter Server, you effectively own every virtual machine, every network segment, and every storage volume attached to the cluster. The research presented at Black Hat Asia 2025 on the DCERPC service within vCenter is a masterclass in how a series of seemingly isolated memory corruption bugs can be chained into a complete infrastructure compromise.
The Vulnerability Chain
The research focuses on the DCERPC service, specifically the vmdird process, which handles LDAP authentication and communication. The team identified four distinct vulnerabilities, including CVE-2024-37079 and CVE-2024-37080. These are classic heap overflows occurring during the bind phase of the DCERPC communication.
The core issue lies in how the service handles the auth_len and auth_trailer fields. When a client sends a specially crafted bind request, the server calculates the buffer size based on the provided auth_len. By manipulating the n_context_elements and the auth_trailer length, an attacker can trigger an integer underflow. The underflow yields an extremely large length value that flows into the subsequent allocation and copy size calculations, leading to a heap overflow when the server copies the authentication data into a buffer that is far too small for it.
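As an added illustration (not code from the talk or from VMware), the same unsigned-length arithmetic on a constructed, simplified bind header, with the unchecked computation beside a bounds-checked version. The struct layout, the per-element sizes and the RPC_CN_LARGE_FRAG_SIZE cap are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of a DCERPC bind header. The layout and the sizes below are
 * assumptions for illustration, not vmdird's real structures. */
#define RPC_CN_LARGE_FRAG_SIZE 0x10000u  /* assumed maximum fragment size */
#define FIXED_HDR_SIZE 16u               /* assumed fixed PDU header size */
#define CTX_ELEM_SIZE 24u                /* assumed size per context element */
#define AUTH_TRAILER_SIZE 8u             /* assumed auth_trailer size */

typedef struct {
    uint16_t frag_len;           /* fragment length claimed by the client */
    uint16_t auth_len;           /* auth data length claimed by the client */
    uint8_t  n_context_elements; /* presentation contexts claimed */
} bind_hdr_t;

static uint32_t header_size(const bind_hdr_t *h) {
    return FIXED_HDR_SIZE + h->n_context_elements * CTX_ELEM_SIZE + AUTH_TRAILER_SIZE;
}

/* Vulnerable pattern: unsigned subtraction with no range check. Once the
 * client-controlled header_size exceeds frag_len the result wraps to a value
 * near 2^32, and that value goes on to size the copy of the auth data. */
uint32_t auth_len_unchecked(const bind_hdr_t *h) {
    return (uint32_t)h->frag_len - header_size(h);
}

/* Hardened pattern: bound every client-controlled length before subtracting,
 * and cap the claimed auth_len by the bytes the fragment actually carries. */
bool auth_len_checked(const bind_hdr_t *h, uint32_t *out) {
    if (h->frag_len > RPC_CN_LARGE_FRAG_SIZE) return false;
    uint32_t hdr = header_size(h);
    if (hdr > h->frag_len) return false;       /* subtraction would underflow */
    uint32_t avail = h->frag_len - hdr;
    if (h->auth_len > avail) return false;     /* claim exceeds the fragment */
    *out = h->auth_len;
    return true;
}

/* Constructed samples: a benign bind (1 context, header 48 bytes) and one whose
 * context count pushes header_size (264) past frag_len (100). */
uint32_t unchecked_len(bool malicious) {
    bind_hdr_t h = { 100, 20, malicious ? 10 : 1 };
    return auth_len_unchecked(&h);
}
long checked_len(bool malicious) {   /* -1 when the hardened parser rejects */
    bind_hdr_t h = { 100, 20, malicious ? 10 : 1 };
    uint32_t out = 0;
    return auth_len_checked(&h, &out) ? (long)out : -1L;
}
```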
Exploitation Challenges and Techniques
Exploiting vmdird is not a simple matter of firing a standard buffer overflow payload. The process is hardened with modern memory protections, including ASLR, PIE, and stack canaries. Furthermore, the multi-threaded nature of the service means that memory layout is non-deterministic, making traditional heap spraying unreliable.
The researchers employed a clever heap grooming technique. By flooding the service with a large number of concurrent requests, they forced the heap into a predictable state. They specifically targeted the syslog object, which contains function pointers. By overwriting these pointers through the heap overflow, they redirected execution flow.
The following logic illustrates the core of the integer underflow that leads to the overflow:
// Simplified representation of the underflow logic
auth_len = rpc_cn_large_frag_size - header_size;
// Both operands are unsigned. If header_size is manipulated so that it
// exceeds rpc_cn_large_frag_size, the subtraction wraps around and
// auth_len becomes massive; that value then feeds the later size
// calculations and the copy of the authentication data.
Once they achieved remote code execution as the vmdird user, they faced the challenge of privilege escalation. They discovered that the listening sockets for certain ports, specifically port 2012, were not configured with the FD_CLOEXEC flag. This meant that when the process spawned a child, the file descriptor for that socket was inherited by the child. By exploiting this, they could maintain a persistent connection and escalate privileges to root.
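Added example, not code from the talk: on Linux, how a listening socket ends up inherited across exec() when close-on-exec is not set, and the two ways to set it (SOCK_CLOEXEC at creation, or an fcntl retrofit), with has_cloexec as the check an auditor can run against a suspect descriptor. No bind() to port 2012 is performed; the descriptor flag alone is what the example inspects.

```c
#define _GNU_SOURCE              /* SOCK_CLOEXEC is a Linux/glibc flag */
#include <fcntl.h>
#include <stdbool.h>
#include <sys/socket.h>
#include <unistd.h>

/* True if the kernel will close this descriptor when the process exec()s. */
bool has_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags != -1 && (flags & FD_CLOEXEC) != 0;
}

/* Weak pattern: a listening socket created with no close-on-exec flag is
 * inherited by every child the process spawns, which is the situation the
 * talk describes for port 2012. (No bind() here; the flag is what matters.) */
int open_listener_inherited(void) {
    return socket(AF_INET, SOCK_STREAM, 0);
}

/* Hardened pattern: SOCK_CLOEXEC sets the flag atomically at creation, so a
 * fork() from another thread cannot slip in between socket() and fcntl(). */
int open_listener_cloexec(void) {
    return socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
}

/* Retrofit for a descriptor you did not create (e.g. one handed over by a
 * library): read-modify-write the FD flags. Not atomic; prefer SOCK_CLOEXEC. */
bool set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags != -1 && fcntl(fd, F_SETFD, flags | FD_CLOEXEC) != -1;
}

/* Demonstrations: each returns true only if the descriptor behaves as the
 * comments above describe (weak socket leaks until retrofitted; hardened does not). */
bool demo_weak_then_retrofitted(void) {
    int fd = open_listener_inherited();
    if (fd == -1) return false;
    bool leaked_before = !has_cloexec(fd);          /* a child would inherit it */
    bool fixed = set_cloexec(fd) && has_cloexec(fd);
    close(fd);
    return leaked_before && fixed;
}
bool demo_hardened(void) {
    int fd = open_listener_cloexec();
    if (fd == -1) return false;
    bool ok = has_cloexec(fd);
    close(fd);
    return ok;
}
```

The same F_GETFD check can be applied from outside a running service by reading the FD flags in /proc/<pid>/fdinfo/<fd> on Linux.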
From vCenter to ESXi
The final stage of the attack is the most impactful. Once the attacker has root access on the vCenter Server, they can query the PostgreSQL database to retrieve the vpxuser credentials. This user is automatically created by vCenter to manage ESXi hosts.
The password for vpxuser is stored in the database, encrypted using OpenSSL. Because the encryption key is stored locally on the vCenter filesystem, it is trivial to decrypt the password. With the vpxuser credentials in hand, an attacker can authenticate directly to the ESXi host, bypassing all vCenter-level access controls. This is a Broken Access Control scenario where the trust relationship between the management server and the hypervisor is abused to gain total control over the host.
Defensive Considerations
Defending against this class of vulnerability requires a shift in how we view internal management traffic. These services are often treated as "trusted" because they reside on internal networks, but as this research proves, they are high-value targets for lateral movement.
Organizations must ensure that vCenter and ESXi management interfaces are strictly segmented and accessible only to authorized jump hosts. Patching is non-negotiable; the vulnerabilities discussed here were addressed in recent VMware Security Advisories. Beyond patching, monitoring for unusual DCERPC traffic patterns or unexpected child processes spawned by vmdird can provide early warning of an exploitation attempt.
For those of us on the offensive side, this research serves as a reminder that the most interesting bugs are often found in the complex, stateful protocols that bridge the gap between management layers. If you are auditing a virtualized environment, stop looking only at the web interface and start digging into the underlying RPC services. You might find that the path to root is shorter than you think.