Upload
others
View
7
Download
0
Embed Size (px)
Citation preview
Advanced Exploitation of Simple Bugs
A Parallels Desktop Case Study (Pwn2Own2021)
Alisa Esage Zero Day Engineering Project
Livestream 2021
About me Offensive Vuln Research amp Advanced Exploits
Browsers Kernels Basebands Hypervisors Hard targets for profit Bug bounties for fun Vendor acknowledgements Microsoft Google
Mozilla Oraclehellip Phrack author
Pwn2Own 2021 Virtualization winner 984532 Parallels Desktop for Mac
Zero Day Engineering Project ndash Training amp Intelligence httpzerodayengineeringcom
Training amp mini-classes RampD
Agenda
Relevant Theory Hypervisor Threat Model Guest Services Protocols amp Tech
Parallels Desktop Architecture amp Internals Parallels Toolgate RE Guest Additions
The Bug The ExploitAll materials in this presentation are
based on the authorrsquos own independent work views and analysis
Part 1
Relevant Theory
Hypervisor Threat Model
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocols
UHCI OHCI xHCI eHCI
Classical models E1000 Virtio DEC
Hypercall handlers
VM escapesLocal EoP
DHCP TFPT PXE boot zero-conf
Synthetic models hypercall-based IO
Note on hardware virtualization support
MYTH ALERT
Technological m
ess
Attack surface
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocol
Guest services architecture (example GL)
VMM
Emulated and para devices
Guest services (backend)
Hypercall interface kernel module
GA 3d graphics
hooks
GA file system hooks
Userapp
SystemAPI
Hypervisor VMHW
GPU
Users
RPC protocols
Guest additions Virtualization tools
Part 2
Parallels Desktop
Parallels Desktop Architecture vs The Model
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocols
VM escapesLocal EoP
parallels_symbolizepy
Parallels research tip verbose debug logs
Parallels virtual hardware
init_devices
Parallels emulated devices
Parallels Toolgate
Parallels Tools amp Toolgate
Toolgate protocol
Part 3
The Bug
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
About me Offensive Vuln Research amp Advanced Exploits
Browsers Kernels Basebands Hypervisors Hard targets for profit Bug bounties for fun Vendor acknowledgements Microsoft Google
Mozilla Oraclehellip Phrack author
Pwn2Own 2021 Virtualization winner 984532 Parallels Desktop for Mac
Zero Day Engineering Project ndash Training amp Intelligence httpzerodayengineeringcom
Training amp mini-classes RampD
Agenda
Relevant Theory Hypervisor Threat Model Guest Services Protocols amp Tech
Parallels Desktop Architecture amp Internals Parallels Toolgate RE Guest Additions
The Bug The ExploitAll materials in this presentation are
based on the authorrsquos own independent work views and analysis
Part 1
Relevant Theory
Hypervisor Threat Model
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocols
UHCI OHCI xHCI eHCI
Classical models E1000 Virtio DEC
Hypercall handlers
VM escapesLocal EoP
DHCP TFPT PXE boot zero-conf
Synthetic models hypercall-based IO
Note on hardware virtualization support
MYTH ALERT
Technological m
ess
Attack surface
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocol
Guest services architecture (example GL)
VMM
Emulated and para devices
Guest services (backend)
Hypercall interface kernel module
GA 3d graphics
hooks
GA file system hooks
Userapp
SystemAPI
Hypervisor VMHW
GPU
Users
RPC protocols
Guest additions Virtualization tools
Part 2
Parallels Desktop
Parallels Desktop Architecture vs The Model
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocols
VM escapesLocal EoP
parallels_symbolizepy
Parallels research tip verbose debug logs
Parallels virtual hardware
init_devices
Parallels emulated devices
Parallels Toolgate
Parallels Tools amp Toolgate
Toolgate protocol
Part 3
The Bug
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
Agenda
Relevant Theory Hypervisor Threat Model Guest Services Protocols amp Tech
Parallels Desktop Architecture amp Internals Parallels Toolgate RE Guest Additions
The Bug The ExploitAll materials in this presentation are
based on the authorrsquos own independent work views and analysis
Part 1
Relevant Theory
Hypervisor Threat Model
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocols
UHCI OHCI xHCI eHCI
Classical models E1000 Virtio DEC
Hypercall handlers
VM escapesLocal EoP
DHCP TFPT PXE boot zero-conf
Synthetic models hypercall-based IO
Note on hardware virtualization support
MYTH ALERT
Technological m
ess
Attack surface
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocol
Guest services architecture (example GL)
VMM
Emulated and para devices
Guest services (backend)
Hypercall interface kernel module
GA 3d graphics
hooks
GA file system hooks
Userapp
SystemAPI
Hypervisor VMHW
GPU
Users
RPC protocols
Guest additions Virtualization tools
Part 2
Parallels Desktop
Parallels Desktop Architecture vs The Model
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocols
VM escapesLocal EoP
parallels_symbolizepy
Parallels research tip verbose debug logs
Parallels virtual hardware
init_devices
Parallels emulated devices
Parallels Toolgate
Parallels Tools amp Toolgate
Toolgate protocol
Part 3
The Bug
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
Part 1
Relevant Theory
Hypervisor Threat Model
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocols
UHCI OHCI xHCI eHCI
Classical models E1000 Virtio DEC
Hypercall handlers
VM escapesLocal EoP
DHCP TFPT PXE boot zero-conf
Synthetic models hypercall-based IO
Note on hardware virtualization support
MYTH ALERT
Technological m
ess
Attack surface
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocol
Guest services architecture (example GL)
VMM
Emulated and para devices
Guest services (backend)
Hypercall interface kernel module
GA 3d graphics
hooks
GA file system hooks
Userapp
SystemAPI
Hypervisor VMHW
GPU
Users
RPC protocols
Guest additions Virtualization tools
Part 2
Parallels Desktop
Parallels Desktop Architecture vs The Model
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocols
VM escapesLocal EoP
parallels_symbolizepy
Parallels research tip verbose debug logs
Parallels virtual hardware
init_devices
Parallels emulated devices
Parallels Toolgate
Parallels Tools amp Toolgate
Toolgate protocol
Part 3
The Bug
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
Hypervisor Threat Model
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocols
UHCI OHCI xHCI eHCI
Classical models E1000 Virtio DEC
Hypercall handlers
VM escapesLocal EoP
DHCP TFPT PXE boot zero-conf
Synthetic models hypercall-based IO
Note on hardware virtualization support
MYTH ALERT
Technological m
ess
Attack surface
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocol
Guest services architecture (example GL)
VMM
Emulated and para devices
Guest services (backend)
Hypercall interface kernel module
GA 3d graphics
hooks
GA file system hooks
Userapp
SystemAPI
Hypervisor VMHW
GPU
Users
RPC protocols
Guest additions Virtualization tools
Part 2
Parallels Desktop
Parallels Desktop Architecture vs The Model
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocols
VM escapesLocal EoP
parallels_symbolizepy
Parallels research tip verbose debug logs
Parallels virtual hardware
init_devices
Parallels emulated devices
Parallels Toolgate
Parallels Tools amp Toolgate
Toolgate protocol
Part 3
The Bug
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
Attack surface
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocol
Guest services architecture (example GL)
VMM
Emulated and para devices
Guest services (backend)
Hypercall interface kernel module
GA 3d graphics
hooks
GA file system hooks
Userapp
SystemAPI
Hypervisor VMHW
GPU
Users
RPC protocols
Guest additions Virtualization tools
Part 2
Parallels Desktop
Parallels Desktop Architecture vs The Model
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocols
VM escapesLocal EoP
parallels_symbolizepy
Parallels research tip verbose debug logs
Parallels virtual hardware
init_devices
Parallels emulated devices
Parallels Toolgate
Parallels Tools amp Toolgate
Toolgate protocol
Part 3
The Bug
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
Guest services architecture (example GL)
VMM
Emulated and para devices
Guest services (backend)
Hypercall interface kernel module
GA 3d graphics
hooks
GA file system hooks
Userapp
SystemAPI
Hypervisor VMHW
GPU
Users
RPC protocols
Guest additions Virtualization tools
Part 2
Parallels Desktop
Parallels Desktop Architecture vs The Model
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocols
VM escapesLocal EoP
parallels_symbolizepy
Parallels research tip verbose debug logs
Parallels virtual hardware
init_devices
Parallels emulated devices
Parallels Toolgate
Parallels Tools amp Toolgate
Toolgate protocol
Part 3
The Bug
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
RPC protocols
Guest additions Virtualization tools
Part 2
Parallels Desktop
Parallels Desktop Architecture vs The Model
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocols
VM escapesLocal EoP
parallels_symbolizepy
Parallels research tip verbose debug logs
Parallels virtual hardware
init_devices
Parallels emulated devices
Parallels Toolgate
Parallels Tools amp Toolgate
Toolgate protocol
Part 3
The Bug
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
Guest additions Virtualization tools
Part 2
Parallels Desktop
Parallels Desktop Architecture vs The Model
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocols
VM escapesLocal EoP
parallels_symbolizepy
Parallels research tip verbose debug logs
Parallels virtual hardware
init_devices
Parallels emulated devices
Parallels Toolgate
Parallels Tools amp Toolgate
Toolgate protocol
Part 3
The Bug
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
Part 2
Parallels Desktop
Parallels Desktop Architecture vs The Model
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocols
VM escapesLocal EoP
parallels_symbolizepy
Parallels research tip verbose debug logs
Parallels virtual hardware
init_devices
Parallels emulated devices
Parallels Toolgate
Parallels Tools amp Toolgate
Toolgate protocol
Part 3
The Bug
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
Parallels Desktop Architecture vs The Model
Host modules Guest services Virtualized devices VMM
Interfaces
MMU virtualization
Shadow PTE
Nested page tables
Buses
USB
PCI
Peripherals
Emulated devices
Paravirtualized
CPU virtualization
ISA emulation
vAPIC
Graphics
3D2D acceleration
Shaders
Rich functionality
Shared folders
Shared everything
Privileged drivers
Hypercall interface
Hardware VMX
Etc
Inter-VM networking
Printing services
Hypercall interface Extensions protocols
VM escapesLocal EoP
parallels_symbolizepy
Parallels research tip verbose debug logs
Parallels virtual hardware
init_devices
Parallels emulated devices
Parallels Toolgate
Parallels Tools amp Toolgate
Toolgate protocol
Part 3
The Bug
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
parallels_symbolizepy
Parallels research tip verbose debug logs
Parallels virtual hardware
init_devices
Parallels emulated devices
Parallels Toolgate
Parallels Tools amp Toolgate
Toolgate protocol
Part 3
The Bug
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
Parallels research tip verbose debug logs
Parallels virtual hardware
init_devices
Parallels emulated devices
Parallels Toolgate
Parallels Tools amp Toolgate
Toolgate protocol
Part 3
The Bug
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
Parallels virtual hardware
init_devices
Parallels emulated devices
Parallels Toolgate
Parallels Tools amp Toolgate
Toolgate protocol
Part 3
The Bug
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
init_devices
Parallels emulated devices
Parallels Toolgate
Parallels Tools amp Toolgate
Toolgate protocol
Part 3
The Bug
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
Parallels emulated devices
Parallels Toolgate
Parallels Tools amp Toolgate
Toolgate protocol
Part 3
The Bug
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
Parallels Toolgate
Parallels Tools amp Toolgate
Toolgate protocol
Part 3
The Bug
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
Parallels Tools amp Toolgate
Toolgate protocol
Part 3
The Bug
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
Toolgate protocol
Part 3
The Bug
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
Part 3
The Bug
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
Reverse-Engineering Parallels Toolgate
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
Toolgate Request Handlers
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
Parallels Shared Folders
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
Parsing SF hypercalls
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
The Bug
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
Part 4
The Exploit
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
prl_fs
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
Prl_fs guest ltgt hypervisor
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
SF protocol
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
Reaching the bug
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
Not so easyhellip
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
prl_pwn kernel module
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
prl_pwn kernel module (imports)
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
Reverse-engineering the protocol
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
prl_pwnpy
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash user side
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
Toolgate protocol primitives ndash hypervisor side
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
Talking to the hypervisor
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
Emulating the protocol
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
Execute payload
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses
MultiByteToWideChar() API Path sanitization is bypassed
by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo
CVE-2008-0923 directory traversal 2
Improperly patched CVE-2007-1744
Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo
Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom
zero
daye
ngin
eering
com
Thank youTwitter alisaesageEmail contactzerodayengineeringcom