A Retrospective Case Study of VMware Guest-to-Host Escape Vulnerabilities
Offered By: Black Hat via YouTube
Course Description
Overview
Syllabus
Intro
Why VMware Patch Analysis?
VMware Workstation Attack Surfaces
VM-Tools & VMware RPC
Guest RPC Mechanism
VM Backdoor
RPC Packet Handling in Host
Sending Custom RPC Packets From Guest to Host
RPC Bug 1: OOB in Drag and Drop
Achieving OOB Read
Achieving OOB Write
Info. Leak Using OOB Write Over RPC
Bug 3: Use After Free
VMware Virtual Printer
Triggering the Print Preview
Double Free in EMR_SMALLTEXTOUTW (CVE-2016-7082)
Patch for CVE-2016-7082
Embedded EMFSPOOL (CVE-2016-7083)
Out of Bounds Write Vulnerability in JPEG2000 Decompression (CVE-2016-7084)
Patch for CVE-2016-7084
More Fuzzing
VMware SVGA II Device Architecture
SVGA FIFO Commands
History of Security Bugs in FIFO Commands: Cloudburst by Kostya Kortchinsky
What Are Shaders?
Life of a Shader
Shader inside VMware Workstation
Passing Shader bytecode from guest to host via 'SVGA3D' Protocol
Shader Bytecode handling in Host
Vulnerabilities in Virtual GPU
SVGA Patch 1 (Workstation 12.5.4 - 12.5.5)
Heap OOB Write
Demo: SVGA Memory Corruption
Other SVGA Issues fixed in 12.5.5
Possible Security Issue fixed in SM1 'op_calli instruction parser in version 12.5.3?
Black Hat Sound Bytes
Other Works and Recommended Reads
Questions?
Taught by
Black Hat
Related Courses
Computer Security (Stanford University via Coursera)
Cryptography II (Stanford University via Coursera)
Malicious Software and its Underground Economy: Two Sides to Every Story (University of London International Programmes via Coursera)
Building an Information Risk Management Toolkit (University of Washington via Coursera)
Introduction to Cybersecurity (National Cybersecurity Institute at Excelsior College via Canvas Network)