vCenter Lost: How the DCERPC Vulnerabilities Changed the Fate of ESXi

Black Hat Asia 2025 · Day 2 · Briefings

In a presentation at Black Hat Asia 2025, Zo of Tianin Tangun lab presented research titled "vCenter Lost: How the DCERPC Vulnerabilities Changed the Fate of ESXi." The talk covered a series of newly discovered vulnerabilities in the **DCERPC (Distributed Computing Environment / Remote Procedure Call)** service of VMware vCenter and showed how they can be chained to achieve **remote code execution (RCE)** with root privileges and, from there, full control over the underlying ESXi host. The research, carried out together with Hau Yu, underlines how severe the consequences are when a foundational service in a virtualization platform is vulnerable: the management plane is exactly what an attacker needs to reach every workload it controls.

AI review

This research from Tianin Tangun lab is a masterclass in vulnerability discovery and exploitation, presenting four novel DCERPC vulnerabilities in VMware vCenter that are chained together to achieve remote code execution with root privileges and ultimately full control over ESXi hosts. The talk details sophisticated heap grooming techniques, a technique for converting a relative-address write into an information leak, and a privilege-escalation bypass based on file descriptor inheritance. This isn't just theoretical; it exposes critical flaws in a foundational enterprise product with profound…
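The review mentions a privilege-escalation bypass via file descriptor inheritance but, like the abstract, gives no detail. The generic mechanism behind that bug class is worth seeing once: a privileged process opens a resource, then spawns a lower-privileged helper, and unless the descriptor carries FD_CLOEXEC it survives exec() and the child can keep using it. The program below is an added illustration written for this page; it is not the researchers' exploit and says nothing about how vCenter's DCERPC service actually spawns processes. It assumes a POSIX system with `/bin/sh`, and the function name `fd_survives_exec` is my own. A pipe stands in for whatever privileged resource the parent opened; the child never opens the pipe itself, it only writes to whatever descriptor number exec() let through.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if a child that exec()s a fresh program can still write to a
 * descriptor the parent opened, 0 if the descriptor was closed across exec,
 * -1 on setup failure. close_on_exec selects whether FD_CLOEXEC is set on
 * the descriptor before the fork. (Hypothetical helper written for this
 * illustration; not from the talk.) */
int fd_survives_exec(int close_on_exec)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;

    /* The write end plays the role of the privileged resource. */
    int flags = fcntl(p[1], F_GETFD);
    if (flags < 0)
        return -1;
    if (close_on_exec)
        flags |= FD_CLOEXEC;   /* the hardened setting */
    else
        flags &= ~FD_CLOEXEC;  /* the leaky default: inherited by exec'd children */
    if (fcntl(p[1], F_SETFD, flags) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: stands in for the lower-privileged helper. After exec it
         * has only the descriptors the kernel let through; it tries to use
         * the parent's write end by number without ever opening it. */
        char cmd[64];
        snprintf(cmd, sizeof cmd, "printf x >&%d 2>/dev/null", p[1]);
        close(p[0]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }

    /* Parent: drop its own write end so read() hits EOF as soon as the
     * child's copy (if it has one) is gone. */
    close(p[1]);
    char buf[1];
    ssize_t n = read(p[0], buf, 1);
    close(p[0]);
    int status;
    waitpid(pid, &status, 0);
    return (n == 1 && buf[0] == 'x') ? 1 : 0;
}

int main(void)
{
    printf("without FD_CLOEXEC: exec'd child can use parent's fd -> %d\n",
           fd_survives_exec(0));
    printf("with FD_CLOEXEC:    exec'd child can use parent's fd -> %d\n",
           fd_survives_exec(1));
    return 0;
}
```

The first call shows the inheritance: the shell never called pipe() or open(), yet its write succeeds. The second call shows the fix, which is to open privileged resources with O_CLOEXEC (or set FD_CLOEXEC immediately, as above) so that any child the service spawns starts with only the descriptors it was explicitly given. Auditing a privileged daemon for this class means listing every descriptor it holds at the moment it forks a less-trusted process and checking each one for the flag.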
