Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel’s focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin.
Breaking VMWare’s Virtual Printing
The inclusion of 3rd party components into large applications has become a common practice in modern software. Vendors would obviously benefit from the features they get without the need to invest costly engineering effort. However, leveraging 3rd party components for a quick functionality boost comes with security side effects that might not be understood by the vendor until it is too late. That’s exactly what happened with VMWare’s Virtual Printing.
Recently, in the ZDI, we started seeing an increase in VMWare submissions. These submissions were targeting VMWare’s Virtual Printing feature. This feature is based on a software component from ThinkPrint. Through out this presentation, we will be explaining how Virtual Printing works. We will also cover how the bugs that we received through our program were found. Finally, we’ll be explaining a faster way to fuzz and find bugs in VMWare’s virtual printing feature.