On the clock Escaping VMware Workstation at Pwn2Own Berlin 2...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.synacktiv.com/en/publications/on-the-clock-escaping-vmware-workstation-at-pwn2own-berlin-2025.html
• Blog Title: On the clock: Escaping VMware Workstation at Pwn2Own Berlin 2025
• Suggested Section: 🎯 Binary Exploitation -> (new) Virtualization / Hypervisor Escapes -> VMware Workstation (vmware-vmx) PVSCSI heap overflow (CVE-2025-41238) and Windows 11 LFH Ping-Pong heap shaping; or 🪟 Windows Local Privilege Escalation / Windows Exploiting -> Windows Heap (LFH) exploitation techniques (allocator determinism, checksum constraints) with a VMware-vmx case study

🎯 Content Summary

Post context / target
Synacktiv details a guest-to-host escape exploit demonstrated at Pwn2Own Berlin 2025 against VMware Workstation. The bug is in the guest device emulation process vmware-vmx (tested on a Windows 11 host) and is a single heap overflow in the PVSCSI (Paravirtualized SCSI) controller: CVE-2025-41238 (VMSA-2025-0013). The exploitation complexity is dominated by the fact that the vulnerable allocations are forced into the Win...

🔧 Technical Details

Device-emulation heap overflow via fixed-size realloc (CVE-2025-41238): When a guest supplies >512 PVSCSI scatter/gather entries, VMware switches from a 512-entry static buffer (0x2000) to heap allocations and then reallocates on every iteration. Because the realloc size is always 0x4000 instead of growing, supplying >1024 entries causes 16-byte out-of-bounds writes past the end of the newly allocated 0x4000 buffer at each iteration. The guest controls addr and length, but because a 32-bit length is zero-extended to 64 bits, the last 4 bytes of each 16-byte overwritten element are always 0.

LFH Ping-Pong determinism using “Last Freed bucket first”: On Windows 11 LFH, 0x4000 allocations fall into buckets of 16 chunks with 16-byte metadata headers protected by secret-key checksums. To avoid crashing on checksum validation, corrupt a chunk header that will never be reallocated/freed. Achieve deterministic alternating allo...

🤖 Agent Actions

Summary:

• Added a detailed VMware Workstation PVSCSI LFH exploitation guide covering deterministic ping-pong heap shaping, coalescing-based arbitrary overwrite, hybrid URB infoleak, post-leak R/W/call primitives, and LFH timing side-channel.
• Linked the new advanced hypervisor-escape content from the Windows exploitation section for discoverability.

Testing:

• Not run (documentation changes only).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

• MD files processed: 945
• MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.synacktiv.com/en/publications/on-the-clock-escaping-vmware-workstation-at-pwn2own-berlin-2025.html

Content Categories: Based on the analysis, this content was categorized under "🎯 Binary Exploitation -> (new) Virtualization / Hypervisor Escapes -> VMware Workstation (vmware-vmx) PVSCSI heap overflow (CVE-2025-41238) and Windows 11 LFH Ping-Pong heap shaping; or 🪟 Windows Local Privilege Escalation / Windows Exploiting -> Windows Heap (LFH) exploitation techniques (allocator determinism, checksum constraints) with a VMware-vmx case study".

Repository Maintenance:

• MD Files Formatting: 945 files processed (1 files fixed)

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0