A Retrospective Case Study of VMware Guest-to-Host Escape Vulnerabilities

A Retrospective Case Study of VMware Guest-to-Host Escape Vulnerabilities

Black Hat via YouTube Direct link

Out of Bounds Write Vulnerability in JPEG2000 Decompression (CVE-2016-7084)

19 of 38

19 of 38

Out of Bounds Write Vulnerability in JPEG2000 Decompression (CVE-2016-7084)

Class Central Classrooms beta

YouTube videos curated by Class Central.

Classroom Contents

A Retrospective Case Study of VMware Guest-to-Host Escape Vulnerabilities

Automatically move to the next video in the Classroom when playback concludes

  1. 1 Intro
  2. 2 Why VMWare Patch Analysis?
  3. 3 VMWare Workstation Attack Surfaces
  4. 4 VM-Tools & VMWare RPC
  5. 5 Guest RPC Mechanism
  6. 6 VM Backdoor
  7. 7 RPC Packet Handling in Host
  8. 8 Sending Custom RPC Packets From Guest to Host
  9. 9 RPC Bug 1: OOB in Drag and Drop
  10. 10 Achieving OOB Read
  11. 11 Achieving OOB Write
  12. 12 Info. Leak Using OOB Write Over RPC
  13. 13 Bug 3: Use After Free
  14. 14 VMware Virtual Printer
  15. 15 Triggering the Print Preview
  16. 16 Double Free in EMR_SMALLTEXTOUTW (CVE-2016-7082)
  17. 17 Patch for CVE-2016-7082
  18. 18 Embedded EMFSPOOL (CVE-2016-7083)
  19. 19 Out of Bounds Write Vulnerability in JPEG2000 Decompression (CVE-2016-7084)
  20. 20 Patch for CVE-2016-7084
  21. 21 More Fuzzing
  22. 22 VMware SVGA II Device Architecture
  23. 23 SVGA FIFO Commands
  24. 24 History of Security Bugs in FIFO Commands: Cloudburst by Kostya Kortchinsky
  25. 25 What Are Shaders?
  26. 26 Life of a Shader
  27. 27 Shader inside VMware Workstation
  28. 28 Passing Shader bytecode from guest to host via 'SVGA3D' Protocol
  29. 29 Shader Bytecode handling in Host
  30. 30 Vulnerabilities in Virtual GPU
  31. 31 SVGA Patch 1(Workstation 12.5.4 - 12.5.5)
  32. 32 Heap OOB Write
  33. 33 Demo: SVGA Memory Corruption
  34. 34 Other SVGA Issues fixed in 12.5.5
  35. 35 Possible Security Issue fixed in SM1 'op_calli instruction parser in version 12.5.3?
  36. 36 Black Hat Sound Bytes
  37. 37 Other Works and Recommended Reads
  38. 38 Questions?

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.