vCenter Lost: How the DCERPC Vulnerabilities Changed the Fate of ESXi
Description
This presentation explores four critical vulnerabilities in VMware vCenter Server's DCERPC implementation, focusing on heap overflows and a novel privilege escalation logic flaw. Researchers demonstrate how to chain these bugs to achieve remote root access and compromise the underlying ESXi hypervisor infrastructure.
vCenter Lost: Chaining DCERPC Overflows for ESXi Takeover
Introduction
In the realm of enterprise virtualization, VMware vCenter Server stands as the 'crown jewels' of the infrastructure. As the centralized management platform for vSphere environments, a compromise of vCenter typically grants an attacker total dominion over every virtual machine and host in the data center. At Black Hat Asia 2025, researchers from the QI-ANXIN TianGong Team unveiled a sophisticated attack chain involving four critical vulnerabilities in vCenter’s DCERPC implementation. This post explores how these vulnerabilities—CVE-2024-37079, CVE-2024-37080, CVE-2024-38812, and CVE-2024-38813—can be chained to achieve unauthenticated remote root access and eventually control the underlying ESXi hypervisors.
Background & Context: The DCERPC Attack Surface
DCERPC (Distributed Computing Environment / Remote Procedure Call) is a foundational protocol used for communication between clients and servers in both Windows and Unix environments. In VMware vCenter, DCERPC is implemented in several key services, most notably vmdird (VMware Directory Service), which handles LDAP authentication and management on port 2012.
Because vmdird is exposed to the network and handles complex, structured data (Network Data Representation or NDR), it represents a high-value target for memory corruption research. Historically, memory corruption in network services is difficult to exploit due to modern mitigations like Address Space Layout Randomization (ASLR) and Position Independent Executables (PIE). However, logic flaws in how these services manage state and drop privileges can provide the necessary bridge to full system compromise.
Technical Deep Dive
Understanding the Vulnerabilities
The researchers identified three primary heap overflows. The most versatile of these, CVE-2024-38812, resides in the NDR array decoder. When vCenter receives a 'Call' request, it decodes array types using three parameters: max_count, offset, and actual_count. The logic defines lower and upper boundaries for the array elements. While the code checked if the total size was within limits, it failed to verify if the lower and upper indices themselves were valid. This oversight allowed for an arbitrary relative address write, a powerful primitive for any exploit developer.
In addition to the overflows, CVE-2024-38813 is a privilege escalation flaw. When vmdird starts, it attempts to bind to several ports (636, 389, 2012). If the bind fails for any port, the initialization sequence is interrupted. Crucially, the code that drops root privileges (setuid/setgid) occurs after the bind checks.
Step-by-Step Exploitation & Heap Feng Shui
Achieving Remote Code Execution (RCE) required overcoming the multi-threaded nature of vmdird. In Linux, the GLIBC allocator uses thread-specific arenas to reduce contention. This means an allocation in Thread A is physically separated from an allocation in Thread B, complicating heap grooming.
1. Heap Stabilization: The researchers used a cyclic allocation strategy. By flooding the server with a massive number of requests, they ensured that the thread arenas were predictably populated with 'fragbuf' objects, effectively cleaning up fragmented memory.
2. Bypassing ASLR (Information Leak): Without a direct leak bug, the team repurposed their relative write. They targeted a response object's buffer_length field. By extending this length, they forced the server to return more data than intended in a response, leaking adjacent heap memory. They targeted syslog objects which contain pointers to libc, successfully revealing the base address of the library.
3. Control Flow Hijack: With the address of libc known, the researchers used their arbitrary write to overwrite the __free_hook with the address of the system() function. By then sending a packet that triggers a free() on a buffer containing a malicious string (e.g., a reverse shell command), they achieved code execution.
The Two-Stage Privilege Escalation
Even with RCE, the initial shell runs with the limited privileges of the vmdird user. To gain root, the researchers utilized CVE-2024-38813 in a clever two-stage attack:
- First Stage: Use the initial RCE to spawn a persistent child process that keeps the file descriptors for ports 636 and 389 open. Because these sockets lacked the
FD_CLOEXECflag, the child process 'holds' the ports. - Trigger Restart: The researchers then crash or wait for a restart of the
vmdirdservice. - Second Stage: When the service restarts as root, it fails to bind to the occupied ports (636/389). The initialization stops before the
setuidcall is reached, but the service continues to listen on port 2012 as the root user. Re-exploiting the heap overflow now yields a root shell.
Post-Exploitation: Controlling ESXi
Once root access on vCenter is achieved, the researchers moved laterally to the ESXi hosts. vCenter manages ESXi via a high-privileged user called vpxuser. The password for this user is stored in the vCenter PostgreSQL database. While encrypted, the encryption keys are stored locally on the vCenter filesystem. By extracting the keys and querying the database, an attacker can decrypt the vpxuser credentials and gain full administrative control over the underlying hypervisors.
Mitigation & Defense
To defend against these attacks, organizations must apply the security patches provided by VMware (Broadcom) for vCenter 7.0 and 8.0.
- Detection: Monitor for unusual child processes spawning from
vmdirdand unexpected service restarts. - Network Segmentation: Restrict access to port 2012 (and other management ports) to only authorized administrative subnets.
- Hardening: Ensure all service file descriptors are opened with the
O_CLOEXECflag to prevent inheritance vulnerabilities.
Conclusion
This research demonstrates that even the most hardened virtualization platforms are susceptible to complex attack chains. By combining traditional memory corruption with subtle logic flaws in privilege management, the QI-ANXIN team showed how a network-level attacker can transition from a single unauthenticated packet to full control of a data center's physical infrastructure. The takeaway is clear: security depends not just on robust boundaries, but on the flawless execution of every step in the privilege-dropping process.
AI Summary
This presentation by the QI-ANXIN TianGong Team details original research into the security of VMware vCenter Server, specifically targeting the Distributed Computing Environment / Remote Procedure Call (DCERPC) service. The research led to the discovery of four critical vulnerabilities: three heap overflows (CVE-2024-37079, CVE-2024-37080, CVE-2024-38812) and one privilege escalation vulnerability (CVE-2024-38813). The presentation begins by introducing the DCERPC protocol, which is widely used for remote management and authentication in vCenter via processes like `vmdird`, `vmcad`, and `vmafdd`. The researchers focused on `vmdird`, which listens on port 2012 and handles LDAP authentication. They describe two vulnerabilities found in the 'Bind' phase of communication. The first (CVE-2024-37079) involves a heap overflow during the generation of a bind response when an attacker-controlled context element causes an integer underflow, leading to a massive write. The second (CVE-2024-37080) occurs during request parsing where a mismatch between the provided authentication length and actual data leads to another integer underflow and subsequent heap overflow during a `memcpy` operation. A third, 'high-quality' vulnerability (CVE-2024-38812) is identified within the NDR (Network Data Representation) array decoder used for 'Call' requests. The decoder fails to validate the boundaries of 'lower' and 'upper' indices for array elements, granting researchers an arbitrary relative address write primitive. The speaker explains the significant challenges of exploiting this in a modern environment protected by ASLR, PIE, and NX. They highlight the difficulty of 'Heap Feng Shui' in a multi-threaded environment where the GLIBC allocator assigns different 'arenas' to different threads. By using cyclic allocation patterns and flooding the server with requests, they managed to stabilize the heap layout. To bypass ASLR, the team converted their write primitive into a leak by modifying the `buffer_length` field of a response object, allowing them to read adjacent memory containing `syslog` objects and function pointers from `libc`. They achieved RCE by overwriting `__free_hook` with the address of `system`. The final part of the research focuses on privilege escalation and lateral movement. They discovered that if the `vmdird` process fails to bind to certain ports (like 636 or 389) because they are occupied by a child process (inherited via a lack of `FD_CLOEXEC`), the service fails to reach the code section that drops privileges via `setuid`, resulting in the service running as root. Finally, they demonstrated how a root user on vCenter can extract and decrypt the `vpxuser` credentials from the PostgreSQL database to gain full control over the ESXi hosts managed by the server.
More from this Playlist
Dismantling the SEOS Protocol
