Abdul-Aziz Hariri is a security researcher with the Zero Day Initiative program. In this role, Hariri analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which is the world's largest vendor-agnostic bug bounty program. His focus includes root-cause analysis, fuzzing and exploit development.
Prior to joining ZDI, Hariri worked as an independent security researcher and as a threat analyst for Morgan Stanley's emergency response team. During his time as an independent researcher, he was profiled by Wired magazine in their 2012 article, Portrait of a Full-Time Bug Hunter. In 2015, Abdul was part of the research team that submitted "Breaking Silent Mitigations – Gaining code execution on Isolated Heap and MemoryProtection hardened Internet Explorer" to the Microsoft bounty program. Their submission netted the highest payout to date from the Microsoft bounty program, and the proceeds went to many STEM organizations. Twitter: @abdhariri
Exploring VMware’s RPCI Attack Surface for fun and profit
Virtual machines play a crucial role in modern computing. They are often used to isolate multiple customers whose instances run on the same physical server. Virtual machines are also used by researchers and security practitioners to isolate potentially harmful code for analysis and review. The assumption is that code running inside a virtual machine cannot execute anywhere else. However, this is not foolproof: a vulnerability in the hypervisor can give access to the entire system.
In this talk we will be detailing the host <-> guest communications. Afterwards we will be covering the functionality of the RPC interface. In that part of the presentation we will be talking about techniques that can be used to automatically record or sniff the RPC requests sent from the guest OS to the host OS. We will also learn how to write tools to query the RPC interface in C++ and Python for fuzzing purposes.
Finally, we will be detailing how to exploit Use-After-Free vulnerabilities in VMware by walking through a patched vulnerability.