Breaking Turtles All the Way Down: An Exploitation Chain to Break out of VMware ESXi


Hanqing Zhao, Chaitin Security Research Lab; Georgia Institute of Technology; Yanyu Zhang, Chaitin Security Research Lab; Kun Yang, Tsinghua University; Taesoo Kim, Georgia Institute of Technology


VMware ESXi is an enterprise-class, bare-metal hypervisor dedicated to providing state-of-the-art private-cloud infrastructure. Accordingly, the design and implementation of ESXi are of interest to our community, yet they lack a thorough evaluation of their security internals. In this paper, we give a comprehensive analysis of the guest-to-host attack surfaces of ESXi and of its recent security mitigation (i.e., the vSphere sandbox). In particular, we introduce an effective and reliable approach to chaining multiple vulnerabilities for exploitation and demonstrate it by leveraging two new bugs (i.e., uninitialized stack usage), namely CVE-2018-6981 and CVE-2018-6982. Our exploit chain is the first public demonstration of a virtual machine escape against VMware ESXi.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {238580,
author = {Hanqing Zhao and Yanyu Zhang and Kun Yang and Taesoo Kim},
title = {Breaking Turtles All the Way Down: An Exploitation Chain to Break out of {VMware} {ESXi}},
booktitle = {13th USENIX Workshop on Offensive Technologies (WOOT 19)},
year = {2019},
address = {Santa Clara, CA},
url = {},
publisher = {USENIX Association},
month = aug,