Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel’s focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin.
Exploring VMware’s RPCI Attack Surface for fun and profit
Virtual machines play a crucial role in modern computing. They are often used to isolate multiple customers whose instances share the same physical server. Virtual machines are also used by researchers and security practitioners to isolate potentially harmful code for analysis and review. The underlying assumption is that code running inside a virtual machine cannot execute anywhere else. However, this is not foolproof: a vulnerability in the virtual machine hypervisor can give access to the entire system.
In this talk we will detail the host <-> guest communications and then cover the functionality of the RPC interface. In that section of the presentation we will discuss techniques that can be used to automatically record or sniff the RPC requests sent from the guest OS to the host OS. We will also show how to write tools in C++ and Python to query the RPC interface for fuzzing purposes.
Finally, we will be detailing how to exploit Use-After-Free vulnerabilities in VMware by walking through a patched vulnerability.